Day 9

Malware analysis: She sells C# shells by the C2shore

Learning Objectives

  • The foundations of analysing malware samples safely

  • The fundamentals of .NET binaries

  • The dnSpy tool for decompiling malware samples written in .NET

  • Building an essential methodology for analysing malware source code

What HTTP User-Agent was used by the malware for its connection requests to the C2 server?
The answer can be found in the Getit function.
[REDACTED]

What is the HTTP method used to submit the command execution output?
The answer can be found in the Postit function.
[REDACTED]

What key is used by the malware to encrypt or decrypt the C2 data?
The answer can be found in either the Encryptor or the Decryptor function.
[REDACTED]

What is the first HTTP URL used by the malware?
The answer can be found in the Main function.
[REDACTED]

How many seconds is the hardcoded value used by the sleep function?
The answer can be found in the Main function.
[REDACTED]

What is the C2 command the attacker uses to execute commands via cmd.exe?
The answer can be found in the Main function.
[REDACTED]

What is the domain used by the malware to download another binary?
The answer can be found in the Main function.
[REDACTED]