
She sells C# shells by the C2shore

Challenge Information

  • Advent of Cyber Day 9
  • THM link here

Explanation

Today’s challenge follows on from the previous day by analysing the same executable. This challenge focuses on using dnSpy to perform malware analysis.

Question 1: What HTTP User-Agent was used by the malware for its connection requests to the C2 server?

To get the HTTP User-Agent, we need to search the code that dnSpy has decompiled. Inside JuicyTomatoy > JuicyTomatoy.exe > JuicyTomatoy > Program, there is a main function that contains a lot of information, including the HTTP User-Agent.

Question 2: What is the HTTP method used to submit the command execution output?

In the same screenshot, the HTTP method is already stated: it is POST.

Question 3: What key is used by the malware to encrypt or decrypt the C2 data?

To get the key, look into the decrypt or encrypt function, where the key is written.

Question 4: What is the first HTTP URL used by the malware?

To get the first HTTP URL used by the malware, start by looking from the top of the code, as the first URL that appears will be the answer. In this case it is slightly tricky: the URL http://mcgreedysecret2.thm appears first, but it is not the correct answer. If we look carefully, /reg is appended to that URL. The correct answer is http://mcgreedysecret2.thm/reg.

Question 5: How many seconds is the hardcoded value used by the sleep function?

To get the seconds, first find the sleep function. It refers to the count variable, which is 15000. Since that value is in milliseconds, converting it to seconds gives 15 seconds.

Question 6: What is the C2 command the attacker uses to execute commands via cmd.exe?

To find the C2 command, look into the main function, which shows what C2 commands exist. The answer is shell, as that command allows us to execute commands.

Question 7: What is the domain used by the malware to download another binary?

To get the domain, search for the URL from which the second binary is downloaded. Since the question asks for the domain only, remove the file name and the http:// scheme.

Things I learned from the challenge

  • How to use dnSpy

This post is licensed under CC BY 4.0 by the author.