Collecting C2 commands
Finally, we can reimplement the C2 protocol and start communicating with the C2 server. The C2 server will believe that a valid infected machine sent the initial beacon and will start sending it C2 commands to execute.
18.104.22.168,80,hex,100
22.214.171.124,30028,hex,30
126.96.36.199,3074,hex,400
188.8.131.52,30028,hex,30
184.108.40.206,3074,hex,400
220.127.116.11,80,hex,120
18.104.22.168,30120,hex,30
22.214.171.124,30028,hex,300
126.96.36.199,27060,hex,45
188.8.131.52,3074,std,120
184.108.40.206,3074,hex,300
220.127.116.11,3074,hex,300
18.104.22.168,3074,hex,400
22.214.171.124,50004,std,10
126.96.36.199,3074,greip,300
188.8.131.52,50004,tcpall,10
184.108.40.206,80,hex,200
The block above shows a chunk of the C2 commands we received over a period of two days. As seen above, the hex attack type was issued very often.
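Once commands like these are being collected, the useful next step for a defender is to parse and aggregate them so the feed can be turned into threat intelligence (which attack types dominate, which ports and targets recur, how much attack time was ordered). The script below is an added example and not code from the original post; it assumes, from the shape of the capture, that each command has four comma-separated fields (target address, port, attack type, duration in seconds), rejects malformed entries instead of silently counting them, and uses the commands shown above as its constructed sample input.

```python
"""Parse and summarize attack commands collected from a botnet C2 server."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the commands from the capture above. The field layout
# target,port,attack_type,duration_seconds is an assumption inferred from it.
SAMPLE_CAPTURE = """
18.104.22.168,80,hex,100 22.214.171.124,30028,hex,30 126.96.36.199,3074,hex,400
188.8.131.52,30028,hex,30 184.108.40.206,3074,hex,400 220.127.116.11,80,hex,120
18.104.22.168,30120,hex,30 22.214.171.124,30028,hex,300 126.96.36.199,27060,hex,45
188.8.131.52,3074,std,120 184.108.40.206,3074,hex,300 220.127.116.11,3074,hex,300
18.104.22.168,3074,hex,400 22.214.171.124,50004,std,10 126.96.36.199,3074,greip,300
188.8.131.52,50004,tcpall,10 184.108.40.206,80,hex,200
"""


@dataclass(frozen=True)
class C2Command:
    target: str      # IPv4 address the bots are told to attack
    port: int        # destination port
    attack: str      # attack type keyword as issued by the C2 (hex, std, ...)
    duration: int    # requested attack duration in seconds


def parse_command(token: str) -> C2Command:
    """Parse one 'target,port,attack,duration' token; raise ValueError on anything malformed."""
    parts = token.strip().split(",")
    if len(parts) != 4:
        raise ValueError(f"expected 4 comma-separated fields, got {len(parts)}: {token!r}")
    target, port_s, attack, duration_s = parts

    # Validate the target strictly so a garbled or truncated line cannot pollute the stats.
    try:
        ipaddress.IPv4Address(target)
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"bad target address {target!r} in {token!r}") from exc

    port = int(port_s)                      # int() itself rejects non-numeric ports
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port} in {token!r}")

    if not attack.isalpha():
        raise ValueError(f"unexpected attack-type token {attack!r} in {token!r}")

    duration = int(duration_s)
    if duration <= 0:
        raise ValueError(f"non-positive duration {duration} in {token!r}")

    return C2Command(target, port, attack, duration)


def parse_capture(text: str) -> List[C2Command]:
    """Parse a capture where commands are separated by whitespace (newlines or spaces)."""
    return [parse_command(tok) for tok in text.split()]


def summarize(commands: List[C2Command]) -> Dict[str, object]:
    """Aggregate a batch of commands into the counts an analyst wants from a C2 feed."""
    return {
        "count": len(commands),
        "by_attack": Counter(c.attack for c in commands),
        "by_port": Counter(c.port for c in commands),
        "by_target": Counter(c.target for c in commands),
        "total_seconds": sum(c.duration for c in commands),
    }


if __name__ == "__main__":
    stats = summarize(parse_capture(SAMPLE_CAPTURE))
    print(f"{stats['count']} commands, {stats['total_seconds']} s of attack time ordered")
    for attack, n in stats["by_attack"].most_common():
        print(f"  {attack:8s} {n}")
    for port, n in stats["by_port"].most_common(3):
        print(f"  port {port:<6} {n}")
```

Running it on the sample prints hex as the dominant attack type, which matches the observation in the text; in practice the same parser would be fed each beacon session's output and the counters written to a database so that new attack types or never-seen-before targets stand out from the baseline.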