Day 9
Malware analysis: She sells C# shells by the C2shore
Learning Objectives
The foundations of analysing malware samples safely
The fundamentals of .NET binaries
The dnSpy tool for decompiling malware samples written in .NET
Building an essential methodology for analysing malware source code
What HTTP User-Agent was used by the malware for its connection requests to the C2 server?
The answer can be found in the Getit function
[REDACTED]
What is the HTTP method used to submit the command execution output?
Answer can be found in the Postit function
[REDACTED]
What key is used by the malware to encrypt or decrypt the C2 data?
Answer can be found in either the Encryptor or Decryptor function
[REDACTED]
What is the first HTTP URL used by the malware?
Answer can be found in the Main function
[REDACTED]
How many seconds is the hardcoded value used by the sleep function?
The answer can be found in the Main function
[REDACTED]
What is the C2 command the attacker uses to execute commands via cmd.exe?
The answer can be found in the Main function
[REDACTED]
What is the domain used by the malware to download another binary?
The answer can be found in the Main function
[REDACTED]