Task 15 [Day 9] Malware analysis She sells C# shells by the C2shore

Once the machine has booted, open dnSpy from the desktop.

Once the tool is open, we will load the malware sample by navigating to File > Open located on the upper-left side of the application.

When you get the prompt, click the following to navigate to the malware's location: This PC > Desktop > artefacts.

Now that you are inside the artefacts folder, change the file type filter to "All Files": the sample is stored defanged (its extension has been altered so it cannot be run by accident), so it does not show up under the default executable filter. Then double-click the sample to load it into dnSpy, where its .NET assembly can be decompiled back to readable C#.


Questions:

  1. What HTTP User-Agent was used by the malware for its connection requests to the C2 server?

     Answer: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15

  2. What is the HTTP method used to submit the command execution output?

     Answer: POST

  3. What key is used by the malware to encrypt or decrypt the C2 data?

     Answer: youcanthackthissupersecurec2keys

  4. What is the first HTTP URL used by the malware?

     Answer: http://mcgreedysecretc2.thm/reg

  5. How many seconds is the hardcoded value used by the sleep function?

     Answer: 15

  6. What is the C2 command the attacker uses to execute commands via cmd.exe?

     Answer: shell

  7. What is the domain used by the malware to download another binary?

     Answer: stash.mcgreedy.thm
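The answers above are, in effect, the network indicators a defender would pull out of this sample: the hardcoded User-Agent, the two .thm hosts, the /reg registration path, POST for result submission and a fixed 15-second sleep. The script below is an added example (not part of the room or the original writeup) that turns those indicators into detection logic run over constructed proxy log lines. The log format (timestamp, client, method, URL, quoted User-Agent) and every path other than /reg are assumptions made up for the example; the indicators themselves are the ones listed above.

```python
import re
from datetime import datetime, timezone
from statistics import median
from urllib.parse import urlparse

# Indicators recovered from the dnSpy analysis in this task.
C2_USER_AGENT = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 "
                 "(KHTML, like Gecko) Version/17.0 Safari/605.1.15")
C2_HOST = "mcgreedysecretc2.thm"
DOWNLOAD_HOST = "stash.mcgreedy.thm"
C2_HOSTS = {C2_HOST, DOWNLOAD_HOST}
REGISTRATION_PATH = "/reg"
BEACON_SLEEP_SECONDS = 15

# Constructed proxy log for demonstration only. The line format and the
# paths other than /reg (tasks, results, update.exe) are assumptions.
BENIGN_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/120.0 Safari/537.36")
SAMPLE_LOG = "\n".join([
    f'2023-12-09T10:00:00Z 10.0.0.5 GET http://{C2_HOST}/reg "{C2_USER_AGENT}"',
    f'2023-12-09T10:00:15Z 10.0.0.5 GET http://{C2_HOST}/tasks "{C2_USER_AGENT}"',
    f'2023-12-09T10:00:30Z 10.0.0.5 POST http://{C2_HOST}/results "{C2_USER_AGENT}"',
    f'2023-12-09T10:00:45Z 10.0.0.5 GET http://{C2_HOST}/tasks "{C2_USER_AGENT}"',
    f'2023-12-09T10:00:47Z 10.0.0.5 GET http://{DOWNLOAD_HOST}/update.exe "{C2_USER_AGENT}"',
    f'2023-12-09T10:00:20Z 10.0.0.7 GET https://www.example.com/ "{BENIGN_UA}"',
    f'2023-12-09T10:01:00Z 10.0.0.7 GET https://www.example.com/news "{BENIGN_UA}"',
    f'2023-12-09T10:02:37Z 10.0.0.7 GET https://www.example.com/about "{BENIGN_UA}"',
])

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def parse_log(text):
    """Parse the constructed proxy format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, ua = m.groups()
        parsed = urlparse(url)
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "client": client,
            "method": method,
            "url": url,
            "host": parsed.hostname or "",
            "path": parsed.path,
            "ua": ua,
        })
    return records


def find_ioc_hits(records):
    """Return (record, reasons) for every line that matches a static indicator."""
    hits = []
    for r in records:
        reasons = []
        if r["host"] in C2_HOSTS:
            reasons.append("c2-host")
        if r["ua"] == C2_USER_AGENT:
            reasons.append("c2-user-agent")
        if r["host"] == C2_HOST and r["path"] == REGISTRATION_PATH:
            reasons.append("registration")          # first request the implant makes
        if r["method"] == "POST" and r["host"] == C2_HOST:
            reasons.append("post-command-output")   # results are submitted via POST
        if reasons:
            hits.append((r, reasons))
    return hits


def detect_beaconing(records, interval=BEACON_SLEEP_SECONDS, tolerance=2.0, min_requests=3):
    """Flag (client, host) pairs whose median inter-request gap is about `interval` seconds.

    The sample sleeps a fixed 15 s with no jitter, so its requests cluster
    tightly around that gap; human browsing to the same host does not.
    """
    groups = {}
    for r in records:
        groups.setdefault((r["client"], r["host"]), []).append(r["time"])
    flagged = {}
    for key, times in groups.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if abs(med - interval) <= tolerance:
            flagged[key] = med
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for rec, why in find_ioc_hits(recs):
        print(f'{rec["time"].isoformat()} {rec["client"]} {rec["method"]} {rec["url"]} -> {", ".join(why)}')
    for (client, host), gap in detect_beaconing(recs).items():
        print(f"beaconing: {client} -> {host} every ~{gap:.0f}s")
```

The static matches (User-Agent, hosts, /reg, POST to the C2) catch this exact sample; the beaconing check is the more durable of the two, since an attacker can rebuild the binary with a fresh domain and User-Agent far more easily than they can hide a jitter-free 15-second sleep in proxy logs.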