Decoding malware C2 with CyberChef

This video tutorial demonstrates how malware C2 traffic can be decoded with CyberChef.

The PCAP files with the analyzed network traffic can be downloaded from malware-traffic-analysis.net.

CyberChef recipe to decode the reverse shell traffic to 103.27.157.146:4444:

From_Hex(‘Auto’)
XOR({‘option’:’Hex’,’string’:’62’},’Standard’,false)
Find_/_Replace({‘option’:’Regex’,’string’:’\r’},”,true,false,true,false)
From_HTML_Entity()

Decoded data from first “key007” reverse shell session to 103.27.157.146:4444:

key007
Authentication successful
furtheringthemagic.com
net group “domain computers” /domain
The request will be processed at a domain controller for domain furtheringthemagic.com.

Group name Domain Computers
Comment All workstations and servers joined to the domain

Members

——-——–——-——–——-—————-———-——–——–
DESKTOP-G71S4PF$
The command completed successfully.

CyberChef recipe to decode obfuscated PowerShell payload from malicious finger service on 64.190.113.206:79:

Fork(‘,’,”,false)
Pad_lines(‘End’,5,’,6044′)
Subtract(‘Comma’)
From_Charcode(‘Space’,10)

IOC List

103.27.157.146:4444 (unknown “key007” reverse shell)
64.190.113.206:79 (finger)
checkifhuman[.]top (finger)
ey267te[.]top (PowerShell)
64.52.80.153:80 (PowerShell)
173.232.146.62:25658 (AsyncRAT)
08kcbghk807qtl9[.]fun:25658 (AsyncRAT)

Network Forensics Training

Check out our network forensic trainings if you want to learn more about decoding malware C2 traffic.
We have a Network Forensics for Incident Response class on February 23-26.

New Multi-stage JS#SMUGGLER Malware Attack Delivers ‘NetSupport RAT’ to Gain Full System Control

A new malware campaign using multiple attack stages has been discovered that delivers NetSupport RAT through hidden web-based redirects and obfuscated code. The attack unfolds in three stages, starting with a JavaScript loader injected into compromised websites. This first stage downloads a stealthy HTA file that runs encrypted PowerShell commands…

December 9, 2025

In "Cyber Security News"

LummaStealer Abuses Windows Tool to Execute Remote Code Masquerading as .mp4 File

The Cybereason GSOC team have uncovered a sophisticated attack campaign leveraging the LummaStealer malware, now abusing the legitimate Windows utility mshta.exe to execute remote code under the guise of an .mp4 file. This new initial payload method further enhances LummaStealer’s evasion capabilities, enabling attackers to sidestep host-based detection and escalate…

April 18, 2025

In "Cyber Security News"

SharkStealer Implements EtherHiding to Manage and Hide C2 Channel Traffic

October 22, 2025

In "Cyber Security News"

rssfeeds-admin

Next Xbox Game Pass Is Set to Close Out January 2026 With a Bolt From the Grim Darkness of the Far Future: Warhammer 40,000: Space Marine 2 »

Previous « A Look Back, Jan. 20

Published by

rssfeeds-admin

3 months ago

Disney Reportedly Expects Star Wars: The Mandalorian and Grogu Box Office Opening Lower Than Solo: A Star Wars Story

Disney has reportedly tempered expectations for Star Wars: The Mandalorian and Grogu, which is currently…

13 minutes ago

The Outer Worlds Is Getting Grenades, Nearly 7 Years After It Came Out

Surprise! Seven years after it launched — and almost six months after its sequel was…

14 minutes ago

TV News Check

CPI Media Deploys QuickLink StudioCall

The post CPI Media Deploys QuickLink StudioCall appeared first on TV News Check.

24 minutes ago

TV News Check

Sports Streamer DAZN Makes $100 Million Bet On Technology Company ViewLift

The post Sports Streamer DAZN Makes $100 Million Bet On Technology Company ViewLift appeared first…

24 minutes ago

TV News Check

Harmonic Unveils AI-Powered Ops Intelligence, Resilient Remote OLTs At Fiber Connect 2026

Harmonic will showcase an AI-powered network operations intelligence platform, new remote OLT hardware and a…

25 minutes ago

TV News Check

Studio Technologies Boosts Jacksonville State Division I Broadcasts With Dante-Based Comms Backbone

Jacksonville State University has overhauled its athletics broadcast communications with a Dante-based system from Studio…

25 minutes ago

This website uses cookies.

Decoding malware C2 with CyberChef

Related

New Multi-stage JS#SMUGGLER Malware Attack Delivers ‘NetSupport RAT’ to Gain Full System Control

LummaStealer Abuses Windows Tool to Execute Remote Code Masquerading as .mp4 File

SharkStealer Implements EtherHiding to Manage and Hide C2 Channel Traffic

Recent Posts

Disney Reportedly Expects Star Wars: The Mandalorian and Grogu Box Office Opening Lower Than Solo: A Star Wars Story

The Outer Worlds Is Getting Grenades, Nearly 7 Years After It Came Out

CPI Media Deploys QuickLink StudioCall

Sports Streamer DAZN Makes $100 Million Bet On Technology Company ViewLift

Harmonic Unveils AI-Powered Ops Intelligence, Resilient Remote OLTs At Fiber Connect 2026

Studio Technologies Boosts Jacksonville State Division I Broadcasts With Dante-Based Comms Backbone

Decoding malware C2 with CyberChef

Related

Related Post

Recent Posts