After interacting with the questionable website in Part 1, nothing obviously looks wrong. It might even look like we’re dealing with a static website that will always display the “Go Away!” message we saw.
C2 servers can be configured to respond only when certain conditions are met. If we look through the packet capture, we may find something interesting in the request that was blocked.
There is a single GET request to the suspicious server at 126.96.36.199. After looking at the request headers, it seems like a very specific User-Agent is being passed (MozzzillaMonkey):
This might be what we are looking for. We can craft an HTTP request with a specific User-Agent using command line tools such as curl or wget. Alternatively, a scripting language such as Python or Perl can generate the request as well. Scapy is probably the most robust packet manipulation tool and can generate traffic for many protocols, including HTTP. Since the only change we need is a single header, a simple Python script will do.
Here is a script that can be used to interact with the C2 server: script
After crafting the GET request, it looks like we have a drastically different response from the server!
What does it mean though?
Well, the first four characters of the text read “4d5a”, which is the hex representation of “MZ”, the signature for a DOS executable. You can read more about that here.
It is reasonable to assume that the text the web server responds with is the hex encoding of an executable file.
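To show the whole exchange in one place, here is an added example (my own code, not the script from the original post) covering both the User-Agent gated request and the “4d5a” check. The server side is a constructed stand-in running on localhost that mimics the behaviour described above: the default User-Agent gets “Go Away!”, the MozzzillaMonkey User-Agent gets a hex-encoded blob. The blob, the port and the helper names are assumptions; the blob is a few made-up bytes starting with the MZ signature, not the real payload.

```python
import binascii
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

# User-Agent seen in the capture. The payload below is a constructed stand-in
# that merely starts with the "MZ" signature; it is not the real server's file.
EXPECTED_UA = "MozzzillaMonkey"
FAKE_PAYLOAD = b"MZ" + b"\x90\x00" * 4 + b"PE\x00\x00"   # constructed, not real malware


class _StandInC2(BaseHTTPRequestHandler):
    """Constructed stand-in for the conditional C2: gate the response on the User-Agent."""

    def do_GET(self):
        if self.headers.get("User-Agent") == EXPECTED_UA:
            body = binascii.hexlify(FAKE_PAYLOAD)   # hex text, as the real server returned
        else:
            body = b"Go Away!"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_stand_in_server():
    """Start the stand-in on a free localhost port; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _StandInC2)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def fetch_with_user_agent(url, user_agent):
    """Send a GET with an explicit User-Agent header and return the body as text."""
    req = Request(url, headers={"User-Agent": user_agent})
    with urlopen(req, timeout=5) as resp:
        return resp.read().decode("ascii", errors="replace")


def looks_like_hex_executable(text):
    """True if the body is hex text whose decoded bytes begin with the 'MZ' DOS signature."""
    stripped = "".join(text.split())
    if len(stripped) < 4 or len(stripped) % 2:
        return False
    try:
        raw = binascii.unhexlify(stripped)
    except (binascii.Error, ValueError):
        return False
    return raw[:2] == b"MZ"


def analyse(base_url):
    """Request the page with a normal and with the suspicious User-Agent and classify each reply."""
    plain = fetch_with_user_agent(base_url, "Mozilla/5.0 (analysis-box)")
    special = fetch_with_user_agent(base_url, EXPECTED_UA)
    return {
        "default_ua_body": plain,
        "default_ua_is_exe": looks_like_hex_executable(plain),
        "special_ua_is_exe": looks_like_hex_executable(special),
        "special_ua_prefix": special[:4],
    }


if __name__ == "__main__":
    server, port = start_stand_in_server()
    try:
        print(analyse(f"http://127.0.0.1:{port}/"))
    finally:
        server.shutdown()
```

Running it prints “Go Away!” for the default User-Agent and flags the MozzzillaMonkey response as hex beginning with “4d5a”. Against a real capture you would point `fetch_with_user_agent` at the server from the pcap and write the decoded bytes to disk for offline analysis rather than executing them.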
Stay tuned for part 3…