Collecting C2 commands
Finally, we can reimplement the C2 protocol and start communicating with the C2 server ourselves. Because our client sends a well-formed initial beacon, the C2 server treats it as a freshly infected machine and starts sending it commands to execute.
22.214.171.124,80,hex,100
126.96.36.199,30028,hex,30
188.8.131.52,3074,hex,400
184.108.40.206,30028,hex,30
220.127.116.11,3074,hex,400
18.104.22.168,80,hex,120
22.214.171.124,30120,hex,30
126.96.36.199,30028,hex,300
188.8.131.52,27060,hex,45
184.108.40.206,3074,std,120
220.127.116.11,3074,hex,300
18.104.22.168,3074,hex,300
22.214.171.124,3074,hex,400
126.96.36.199,50004,std,10
188.8.131.52,3074,greip,300
184.108.40.206,50004,tcpall,10
220.127.116.11,80,hex,200
The block above shows a chunk of the C2 commands we received over a period of two days. Each command is four comma-separated fields: the target IP address, the target port, the attack type (hex, std, greip or tcpall in this capture) and a numeric fourth field. As the capture shows, the hex attack type was issued far more often than any other.
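Triage is easier when the captured commands are parsed into records rather than eyeballed. The following Python is an added example, not code from the original post or from the botnet; it assumes the four fields are target IP, port, attack type and an attack duration (the duration reading is an assumption, the page does not name the fourth field), parses the dump shown above, rejects malformed entries without discarding the rest of the capture, and summarises which attack types, ports and targets the C2 asked for.

```python
"""Parse and summarise C2 attack commands of the form ip,port,type,duration."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Attack types that appear in the commands captured on this page. Anything
# else is still parsed, but reported separately so a new variant stands out.
KNOWN_ATTACK_TYPES = {"hex", "std", "greip", "tcpall"}

# The commands shown above, copied from the page in the space-separated
# form the dump was captured in.
SAMPLE_DUMP = (
    "22.214.171.124,80,hex,100 126.96.36.199,30028,hex,30 "
    "188.8.131.52,3074,hex,400 184.108.40.206,30028,hex,30 "
    "220.127.116.11,3074,hex,400 18.104.22.168,80,hex,120 "
    "22.214.171.124,30120,hex,30 126.96.36.199,30028,hex,300 "
    "188.8.131.52,27060,hex,45 184.108.40.206,3074,std,120 "
    "220.127.116.11,3074,hex,300 18.104.22.168,3074,hex,300 "
    "22.214.171.124,3074,hex,400 126.96.36.199,50004,std,10 "
    "188.8.131.52,3074,greip,300 184.108.40.206,50004,tcpall,10 "
    "220.127.116.11,80,hex,200"
)


@dataclass(frozen=True)
class C2Command:
    target: str    # victim IP address
    port: int      # victim port
    attack: str    # attack type keyword (hex, std, greip, tcpall, ...)
    duration: int  # assumption: the fourth field is the attack duration


def parse_command(token: str) -> C2Command:
    """Parse one 'ip,port,type,duration' command; raise ValueError if malformed."""
    fields = token.split(",")
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields, got {len(fields)}: {token!r}")
    ip_str, port_str, attack, duration_str = fields
    # ipaddress.ip_address() raises ValueError on anything that is not an IP.
    target = str(ipaddress.ip_address(ip_str))
    port = int(port_str)
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if not attack.isalpha():
        raise ValueError(f"unexpected attack type: {attack!r}")
    duration = int(duration_str)
    if duration < 0:
        raise ValueError(f"negative duration: {duration}")
    return C2Command(target, port, attack.lower(), duration)


def parse_dump(dump: str):
    """Split a dump on whitespace and parse every token.

    Returns (commands, errors): the well-formed commands in order, plus
    (token, reason) pairs for tokens that did not parse, so one garbled
    entry in a capture does not throw away the rest.
    """
    commands, errors = [], []
    for token in dump.split():
        try:
            commands.append(parse_command(token))
        except ValueError as exc:
            errors.append((token, str(exc)))
    return commands, errors


def summarise(commands):
    """Aggregate what the C2 asked for: attack-type frequency, targeted ports
    and hosts, and total requested duration per attack type."""
    by_type = Counter(c.attack for c in commands)
    by_port = Counter(c.port for c in commands)
    by_target = Counter(c.target for c in commands)
    duration_by_type = Counter()
    for c in commands:
        duration_by_type[c.attack] += c.duration
    return {
        "commands": len(commands),
        "by_type": by_type,
        "by_port": by_port,
        "by_target": by_target,
        "duration_by_type": duration_by_type,
        "unknown_types": sorted(set(by_type) - KNOWN_ATTACK_TYPES),
    }


if __name__ == "__main__":
    cmds, errs = parse_dump(SAMPLE_DUMP)
    report = summarise(cmds)
    print(f"{report['commands']} commands parsed, {len(errs)} malformed")
    for attack, n in report["by_type"].most_common():
        total = report["duration_by_type"][attack]
        print(f"  {attack:7s} {n:3d} commands, {total:5d} total duration")
    print("most targeted ports:", report["by_port"].most_common(3))
    print("most targeted hosts:", report["by_target"].most_common(3))
    if report["unknown_types"]:
        print("attack types not seen before:", report["unknown_types"])
```

Running it on the capture above reports 13 hex commands against 2 std, 1 greip and 1 tcpall, and port 3074 as the most frequently targeted port. Feeding a live command stream through `parse_dump` and watching `unknown_types` is a cheap way to notice when the operator starts issuing an attack type the parser has not seen.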