Advent of Cyber 2023 — Day 9 Writeup with Answers by Karthikeyan Nagaraj | TryHackMe
2023-12-11 11:59:49 Author: infosecwriteups.com

TryHackMe — Malware Analysis [ She sells C# shells by the C2shore ] — McSkidy’s team analyse the malicious payload. In the malware’s source code, they find information about the backend infrastructure of the attacker’s C2 server

Karthikeyan Nagaraj

InfoSec Write-ups

Having retrieved the deleted version of the malware that allows Tracy McGreedy to control elves remotely, Forensic McBlue and his team have started investigating to stop the mind control incident. They are now planning to take revenge by analyzing the C2’s back-end infrastructure based on the malware’s source code.

Note: Check the Intro to Malware Analysis room as a refresher for static analysis concepts.

Introduction to .NET Compiled Binaries

  • .NET binaries are compiled files containing code written in languages compatible with the .NET framework, such as C#, VB.NET, F#, or managed C++. These binaries are executable files (with the .exe extension) or dynamic link libraries (DLLs with the .dll extension). They can also be assemblies that contain multiple types and resources.
  • Compared to other programming languages like C or C++, languages that use .NET, such as C#, don’t directly translate the code into machine code after compilation. Instead, they use an intermediate language (IL), like a pseudocode, and translate it into native machine code during runtime via a Common Language Runtime (CLR) environment.
  • This may be a bit overwhelming. In simple terms, it’s only possible to analyse a C or C++ compiled binary by reading its assembly instructions (low-level). Meanwhile, a C# binary can be decompiled and its source code retrieved since the intermediate language contains metadata that can be reconverted to its source code form.

C2 Primer

  • According to Forensic McBlue, the retrieved malware sample is presumed to be related to the organisation’s remote mind control (over C2) incident. So, to build the right mindset in solving this case, let’s look at the run-through below about malware with C2 capabilities.
  • C2, or command and control, refers to a centralised system or infrastructure that malicious actors use to remotely manage and control compromised devices or systems. It serves as a channel through which attackers issue commands to compromised entities, enabling them to carry out various activities, such as data theft, surveillance, or further malware propagation.

Seeing C2 traffic means that malware has already been executed inside the victim machine, as detailed in the diagram above. In terms of cyber kill chain stages, the attacker has successfully crafted and delivered the malware to the target and potentially moves laterally inside the network to achieve its objectives.

To expound further, malware with C2 capabilities typically exhibits the following behaviours:

  1. HTTP requests: C2 servers often communicate with compromised assets using HTTP(S) requests. These requests can be used to send commands or receive data.
  2. Command execution: This behaviour is the most common, allowing attackers to execute OS commands inside the machine.
  3. Sleep or delay: To evade detection and maintain stealth, threat actors typically instruct the running malware to enter a sleep or delay for a specific period. During this time, the malware won’t do anything; it will only connect back to the C2 server once the timer completes.

We will try to find these functionalities in the following section.

Decompiling Malware Samples With dnSpy

Now that we’ve tackled the theoretical concepts to build our technical skills, let’s start playing with fire (malware)!

Since we already assume that the malware sample is written in C#, we will use dnSpy to decompile the binary and review its source code.

dnSpy is an open-source .NET assembly (C#) debugger and editor. It is typically used for reverse engineering .NET applications and analysing their code and is primarily designed for examining and modifying .NET assemblies in a user-friendly, interactive way. It’s also capable of modifying the retrieved source code (editing), setting breakpoints, or running through the code one step at a time (debugging).

Pre-Requisites

  1. Start the TryHackMe VPN or the AttackBox.
  2. Start the machine.
  3. Connect to the remote machine with the supplied credentials: use Remote Desktop Connection on Windows, or an RDP client on Linux.

1. What HTTP User-Agent was used by the malware for its connection requests to the C2 server?

  1. Open dnSpy, go to File → Open, navigate to the Desktop, select "All Files" in the file-type drop-down at the bottom, and choose the juicyTomatoydefang file.
  2. Expand juicytomatoy and then JuicyTomaToy.exe, and inspect the program.

Ans: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15

2. What is the HTTP method used to submit the command execution output?

Inspect the code, or use the video reference below.

Ans: POST

3. What key is used by the malware to encrypt or decrypt the C2 data?

Inspect the code, or use the video reference below.

Ans: youcanthackthissupersecurec2keys

4. What is the first HTTP URL used by the malware?

Inspect the code, or use the video reference below.

Ans: http://mcgreedysecretc2.thm/reg

5. How many seconds is the hardcoded value used by the sleep function?

Inspect the code, or use the video reference below.

Use your skills to find the answer to this question.

If you are unable to find it, use the video below to find the answer.

6. What is the C2 command the attacker uses to execute commands via cmd.exe?

Inspect the code, or use the video reference below.

Ans: shell

7. What is the domain used by the malware to download another binary?

Inspect the code, or use the video reference below.

Ans: stash.mcgreedy.thm
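As an added example (not part of the original writeup or the room), the Python script below turns the indicators recovered in the questions above and the three C2 behaviours from the primer into a detection pass over proxy logs: it flags the hardcoded User-Agent and the two .thm domains, calls out POSTs to a C2 host (the method the sample uses to submit command output), and infers the beacon period that a hardcoded sleep produces. The log format, client addresses, the /tasks and /result paths and the 60-second interval are constructed for the example and are not from the sample.

```python
import re
from collections import defaultdict
from datetime import datetime
# Indicators recovered from the decompiled sample in this writeup
C2_USER_AGENT = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 "
                 "(KHTML, like Gecko) Version/17.0 Safari/605.1.15")
C2_DOMAINS = {"mcgreedysecretc2.thm", "stash.mcgreedy.thm"}
# Constructed proxy log (not from the room), one 'time client method url "user-agent"' per line;
# the /tasks and /result paths and the 60 s beacon period are invented for this example.
SAMPLE_LOG = "\n".join([
    f'2023-12-09T10:00:00 10.10.5.21 POST http://mcgreedysecretc2.thm/reg "{C2_USER_AGENT}"',
    '2023-12-09T10:00:30 10.10.5.22 GET http://intranet.example/news "Mozilla/5.0 (Windows NT 10.0)"',
    f'2023-12-09T10:01:00 10.10.5.21 GET http://mcgreedysecretc2.thm/tasks "{C2_USER_AGENT}"',
    f'2023-12-09T10:02:00 10.10.5.21 POST http://mcgreedysecretc2.thm/result "{C2_USER_AGENT}"',
    '2023-12-09T10:05:00 10.10.5.23 GET http://stash.mcgreedy.thm/bin "curl/8.4.0"',
])
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')

def parse_log(text):
    records = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):  # malformed lines are skipped
        ts, client, method, url, ua = m.groups()
        records.append({"ts": datetime.fromisoformat(ts), "client": client, "method": method,
                        "url": url, "host": url.split("//", 1)[-1].split("/", 1)[0], "ua": ua})
    return records

def indicator_hits(records):
    # One (client, url, reasons) per request matching the UA or a C2 domain; POST to a C2 host is
    # flagged on its own because that is how the sample submits command output
    hits = []
    for r in records:
        checks = {"c2-user-agent": r["ua"] == C2_USER_AGENT,
                  "c2-domain": r["host"] in C2_DOMAINS,
                  "command-output-post": r["method"] == "POST" and r["host"] in C2_DOMAINS}
        reasons = tuple(k for k, v in checks.items() if v)
        if reasons:
            hits.append((r["client"], r["url"], reasons))
    return hits

def beacon_intervals(records, min_hits=3, tolerance=2.0):
    # Per (client, host): mean period when >= min_hits requests arrive at a near-constant
    # interval, which is the network-visible side of the malware's sleep loop
    times = defaultdict(list)
    for r in records:
        times[(r["client"], r["host"])].append(r["ts"])
    beacons = {}
    for key, ts in times.items():
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if len(ts) >= max(min_hits, 2) and max(gaps) - min(gaps) <= tolerance:
            beacons[key] = sum(gaps) / len(gaps)
    return beacons
```

Run it against real proxy or Zeek http.log exports by swapping `SAMPLE_LOG` for the file contents and adjusting `LINE_RE` to the export format; the beacon check is deliberately tolerant of small jitter so a fixed sleep still stands out.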

Source: https://infosecwriteups.com/advent-of-cyber-2023-day-9-writeup-with-answers-by-karthikeyan-nagaraj-tryhackme-7eee9245339d?source=rss----7b722bfd1b8d---4