The PCAP files with the analyzed network traffic can be downloaded from malware-traffic-analysis.net.
CyberChef recipe to decode the reverse shell traffic to 103.27.157.146:4444:
XOR({'option':'Hex','string':'62'},'Standard',false)
Find_/_Replace({'option':'Regex','string':'\r'},'',true,false,true,false)
From_HTML_Entity()
Decoded data from first “key007” reverse shell session to 103.27.157.146:4444:
Authentication successful
furtheringthemagic.com
net group "domain computers" /domain
The request will be processed at a domain controller for domain furtheringthemagic.com.
Group name Domain Computers
Comment All workstations and servers joined to the domain
Members
-------------------------------------------------------------------------------
DESKTOP-G71S4PF$
The command completed successfully.
CyberChef recipe to decode obfuscated PowerShell payload from malicious finger service on 64.190.113.206:79:
Pad_lines('End',5,',6044')
Subtract('Comma')
From_Charcode('Space',10)
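The two CyberChef recipes above can be reproduced outside the browser when you want to decode many sessions at once or drop the decoder into a detection pipeline. The following Python script is an added example written for this post, not code from the original analysis or from CyberChef. It implements the same two transforms: single-byte XOR with 0x62 followed by carriage-return stripping and HTML-entity decoding for the "key007" reverse shell, and subtract-a-constant-then-charcode for the finger payload. The sample traffic and sample payload are constructed here, not taken from the PCAPs, and the assumption that the finger payload holds one integer per line (which is what padding every line with ",6044" and subtracting implies) is mine.

```python
import html

XOR_KEY = 0x62          # single-byte XOR key from the first recipe ('62' hex)
CHARCODE_OFFSET = 6044  # constant the second recipe subtracts from every line


def decode_reverse_shell(raw: bytes, key: int = XOR_KEY) -> str:
    """Replicates the first recipe: XOR every byte with the key, drop
    carriage returns, then turn HTML entities such as &quot; back into
    the characters the operator actually typed."""
    xored = bytes(b ^ key for b in raw)
    text = xored.decode("latin-1").replace("\r", "")
    return html.unescape(text)


def decode_charcode_payload(text: str, offset: int = CHARCODE_OFFSET) -> str:
    """Replicates the second recipe under the assumption (mine) that the
    obfuscated payload carries one integer per line, each being a
    character code plus a fixed offset. Lines that are empty or not
    numeric are skipped rather than aborting the whole decode."""
    chars = []
    for line in text.splitlines():
        line = line.strip()
        if not line.isdigit():
            continue
        chars.append(chr(int(line) - offset))
    return "".join(chars)


def build_charcode_payload(text: str, offset: int = CHARCODE_OFFSET) -> str:
    """Inverse of decode_charcode_payload; used only to construct test data."""
    return "\n".join(str(ord(c) + offset) for c in text)


# Constructed sample of what the XOR-encoded reverse shell stream looks like
# on the wire: the server banner plus one operator command, CRLF terminated,
# with the double quotes already HTML-escaped as seen in the real session.
SAMPLE_PLAINTEXT = (
    "Authentication successful\r\n"
    "net group &quot;domain computers&quot; /domain\r\n"
)
SAMPLE_TRAFFIC = bytes(b ^ XOR_KEY for b in SAMPLE_PLAINTEXT.encode("ascii"))

# Constructed sample of the finger-delivered payload (harmless content).
SAMPLE_PAYLOAD = build_charcode_payload("Write-Output 'decoded'")


if __name__ == "__main__":
    print(decode_reverse_shell(SAMPLE_TRAFFIC))
    print(decode_charcode_payload(SAMPLE_PAYLOAD))
```

To apply this to real captures, feed `decode_reverse_shell` the reassembled TCP payload of the client-to-server (or server-to-client) half of the 103.27.157.146:4444 stream, and feed `decode_charcode_payload` the body of the finger response; the functions are pure, so they are easy to wrap in a loop over many extracted streams.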
IOC List
- 103.27.157.146:4444 (unknown “key007” reverse shell)
- 64.190.113.206:79 (finger)
- checkifhuman[.]top (finger)
- ey267te[.]top (PowerShell)
- 64.52.80.153:80 (PowerShell)
- 173.232.146.62:25658 (AsyncRAT)
- 08kcbghk807qtl9[.]fun:25658 (AsyncRAT)
Network Forensics Training
Check out our network forensics training classes if you want to learn more about decoding malware C2 traffic.
We have a Network Forensics for Incident Response class on February 23-26.