What is the domain used by the post-infection traffic over HTTPS?
Use the file from An Evil Christmas Carol.
I had already analyzed the PCAP with Zeek in the previous challenge, An Evil Christmas Carol 1, so this was a simple task of reviewing the events in the ssl.log. After filtering out a handful of sessions to Microsoft domains I was left with 14 sessions to the same domain, vlcafxbdjtlvlcduwhga.com:
$ grep -vi microsoft ssl.log | egrep -v "^#"
1595634801.339610 Cn3A9J3XsuEPyebMb4 10.0.0.163 49697 22.214.171.124 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 x25519 vlcafxbdjtlvlcduwhga.com F - -T FjRzIw3C1jS9SYTy5 (empty) CN=*,OU=1,O=1,L=1,ST=1,C=XX CN=*,OU=1,O=1,L=1,ST=1,C=XX - -
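The grep above works, but it silently depends on column positions and on nothing legitimate containing the string "microsoft". As an added example (not part of the original writeup, and not Zeek's own tooling), here is a small Python script that parses the Zeek ssl.log header properly, drops sessions whose SNI falls under an allowlist of benign suffixes, tallies the remaining server names, and separately flags sessions whose certificate subject equals its issuer (a self-signed certificate like the CN=*,OU=1,O=1 one seen above). The embedded log excerpt is constructed for the demo: two Microsoft telemetry rows and three rows to the challenge domain with made-up uids, ports and IPs; only the field layout follows the real ssl.log format. The benign suffix list is an assumption you would tune for your own environment.

```python
"""Tally TLS server names in a Zeek ssl.log, skipping known-benign domains."""
from collections import Counter
from typing import Iterator

# Zeek ssl.log column names (the real log has a few more; this subset is enough).
FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
    "version", "cipher", "curve", "server_name", "resumed", "last_alert",
    "next_protocol", "established", "cert_chain_fuids",
    "client_cert_chain_fuids", "subject", "issuer",
]

# Constructed sample rows: uids, ports, IPs and fuids are made up.
_ROWS = [
    ["1595634700.000000", "C1", "10.0.0.163", "49601", "203.0.113.10", "443",
     "TLSv12", "TLS_AES_128_GCM_SHA256", "x25519",
     "settings-win.data.microsoft.com", "F", "-", "-", "T", "F1", "(empty)",
     "CN=settings-win.data.microsoft.com", "CN=Microsoft RSA TLS CA 01"],
    ["1595634701.000000", "C2", "10.0.0.163", "49602", "203.0.113.11", "443",
     "TLSv12", "TLS_AES_128_GCM_SHA256", "x25519",
     "v10.events.data.microsoft.com", "F", "-", "-", "T", "F2", "(empty)",
     "CN=v10.events.data.microsoft.com", "CN=Microsoft RSA TLS CA 01"],
]
# Three sessions to the challenge domain, each with a self-signed certificate.
for _i, _port in enumerate(("49697", "49701", "49705"), start=3):
    _ROWS.append([
        f"159563480{_i}.000000", f"C{_i}", "10.0.0.163", _port,
        "22.214.171.124", "443", "TLSv12",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "x25519",
        "vlcafxbdjtlvlcduwhga.com", "F", "-", "-", "T", f"F{_i}", "(empty)",
        "CN=*,OU=1,O=1,L=1,ST=1,C=XX", "CN=*,OU=1,O=1,L=1,ST=1,C=XX",
    ])

# Assemble a log in the real Zeek ASCII layout: '#'-prefixed header lines
# (the separator line is literally '#separator \x09'), then tab-separated rows.
SAMPLE_SSL_LOG = "\n".join(
    ["#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)",
     "#unset_field\t-", "#path\tssl", "#fields\t" + "\t".join(FIELDS)]
    + ["\t".join(r) for r in _ROWS]
) + "\n"

# Assumed allowlist of domains to exclude; tune this for your environment.
BENIGN_SUFFIXES = ("microsoft.com", "windowsupdate.com")


def parse_zeek_log(text: str) -> Iterator[dict[str, str]]:
    """Yield one dict per data row, keyed by the names in the #fields header."""
    fields: list[str] | None = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition("\t")
            if key == "fields":
                fields = value.split("\t")
            continue  # other header lines (#types, #path, ...) are ignored
        if fields is None:
            raise ValueError("data row encountered before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"row has {len(values)} columns, expected {len(fields)}")
        yield dict(zip(fields, values))


def is_benign(server_name: str) -> bool:
    """True if the SNI is exactly a benign suffix or a subdomain of one."""
    name = server_name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in BENIGN_SUFFIXES)


def tally_server_names(text: str) -> Counter:
    """Count TLS sessions per server_name, excluding unset and benign names."""
    counts: Counter = Counter()
    for rec in parse_zeek_log(text):
        sni = rec.get("server_name", "-")
        if sni == "-" or is_benign(sni):
            continue
        counts[sni] += 1
    return counts


def self_signed_sessions(text: str) -> list[dict[str, str]]:
    """Return sessions whose certificate subject equals its issuer."""
    return [
        rec for rec in parse_zeek_log(text)
        if rec.get("subject", "-") != "-" and rec["subject"] == rec.get("issuer")
    ]


if __name__ == "__main__":
    for name, n in tally_server_names(SAMPLE_SSL_LOG).most_common():
        print(f"{n:4d}  {name}")
    for rec in self_signed_sessions(SAMPLE_SSL_LOG):
        print("self-signed:", rec["uid"], rec["server_name"], rec["subject"])
```

Run it against a real ssl.log with `tally_server_names(open("ssl.log").read())`; the self-signed check is worth keeping even when the SNI looks unremarkable, since a matching subject and issuer with placeholder organisation fields is a common feature of malware C2 certificates.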
The complete flag was: