Advent Of Cyber 2023 — Day 9
What HTTP User-Agent was used by the malware for its connection requests to the C2 server?
Open dnSpy > File > Open > go to the Desktop and choose juicyTOmatoyedefang > expand JuicyTomaToy.exe and inspect the program.
All the other answers come from this file too.
Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15
What is the HTTP method used to submit the command execution output?
POST
What key is used by the malware to encrypt or decrypt the C2 data?
youcanthackthissupersecurec2keys
What is the first HTTP URL used by the malware?
http://mcgreedysecretc2.thm/reg
How many seconds is the hardcoded value used by the sleep function?
15
What is the C2 command the attacker uses to execute commands via cmd.exe?
shell
What is the domain used by the malware to download another binary?
tash.mcgreedy.thm
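As an added defender-side example (not part of the room or this walkthrough), the script below scans web-proxy log lines for the indicators recovered above: the two .thm hosts, the hardcoded User-Agent and the POST used to submit command output. The log format and the sample lines are constructed assumptions, not data from the room.

```python
import re
from urllib.parse import urlparse

# Indicators recovered from JuicyTomaToy.exe in the answers above.
C2_USER_AGENT = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 "
                 "(KHTML, like Gecko) Version/17.0 Safari/605.1.15")
C2_HOSTS = {"mcgreedysecretc2.thm", "tash.mcgreedy.thm"}

# Constructed sample proxy log (hypothetical format, not from the room):
# <timestamp> <client_ip> <method> <url> <status> "<user-agent>"
# Timestamps are 15 s apart to mirror the hardcoded sleep value.
SAMPLE_LOG = """\
2023-12-09T10:00:01Z 10.0.0.5 GET http://mcgreedysecretc2.thm/reg 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15"
2023-12-09T10:00:16Z 10.0.0.5 POST http://mcgreedysecretc2.thm/constructed-path 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15"
2023-12-09T10:00:20Z 10.0.0.7 GET http://example.com/index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0"
2023-12-09T10:00:31Z 10.0.0.5 GET http://tash.mcgreedy.thm/constructed-file 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

def parse_line(line):
    """Parse one log line into a dict, or None if it does not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, url, status, ua = m.groups()
    return {"ts": ts, "ip": ip, "method": method, "url": url,
            "status": int(status), "ua": ua}

def match_reasons(rec):
    """Return the names of the indicators a parsed record matches."""
    reasons = []
    host = urlparse(rec["url"]).hostname or ""
    if host in C2_HOSTS:
        reasons.append("c2-host")
        if rec["method"] == "POST":
            reasons.append("c2-post-output")  # command output is submitted via POST
    # The UA is a stock Safari string, so on its own it is only a weak signal;
    # it is reported separately so an analyst can weigh it against the host hit.
    if rec["ua"] == C2_USER_AGENT:
        reasons.append("c2-user-agent")
    return reasons

def find_c2_hits(log_text):
    """Return (client_ip, url, reasons) for every line matching at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = match_reasons(rec)
        if reasons:
            hits.append((rec["ip"], rec["url"], tuple(reasons)))
    return hits
```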
That’s it | Visit mansoorbarri.com for other hacking & IT related articles.