# Day 9

Learning Objectives

* The foundations of analysing malware samples safely
* The fundamentals of .NET binaries
* The dnSpy tool for decompiling malware samples written in .NET
* Building an essential methodology for analysing malware source code

{% code overflow="wrap" %}

```
What HTTP User-Agent was used by the malware for its connection requests to the C2 server?
Answer can be found in the Getit function
[REDACTED]
```

{% endcode %}

```
What is the HTTP method used to submit the command execution output?
Answer can be found in the Postit function
[REDACTED]
```

```
What key is used by the malware to encrypt or decrypt the C2 data?
Answer can be found in either the Encryptor or Decryptor function
[REDACTED]
```

```
What is the first HTTP URL used by the malware?
Answer can be found in the Main function
[REDACTED]
```

```
How many seconds is the hardcoded value used by the sleep function?
Answer can be found in the Main function
[REDACTED]
```

```
What is the C2 command the attacker uses to execute commands via cmd.exe?
Answer can be found in the Main function
[REDACTED]
```

```
What is the domain used by the malware to download another binary?
Answer can be found in the Main function
[REDACTED]
```
