Advent of Cyber 2023 - [Day 9] She sells C# shells by the C2shore - Tryhackme

Day 9 Questions and Answers: ✅

1. What HTTP User-Agent was used by the malware for its connection requests to the C2 server?
Ans: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15

2. What is the HTTP method used to submit the command execution output?
Ans: POST

3. What key is used by the malware to encrypt or decrypt the C2 data?
Ans: youcanthackthissupersecurec2keys

4. What is the first HTTP URL used by the malware?
Ans: http://mcgreedysecretc2.thm/reg

5. How many seconds is the hardcoded value used by the sleep function?
Ans: 15

6. What is the C2 command the attacker uses to execute commands via cmd.exe?
Ans: Shell

7. What is the domain used by the malware to download another binary?
Ans: stash.mcgreedy.thm


Check out the Malware Analysis module in the SOC Level 2 Path if you enjoyed analysing malware.


Link: https://tryhackme.com/room/adventofcyber2023
