An Evil Christmas Carol 2

Challenge:

What is the domain used by the post-infection traffic over HTTPS?

Use the file from An Evil Christmas Carol.

Solution:

I had already analyzed the PCAP with Zeek in the previous challenge, An Evil Christmas Carol 1, so this was a simple matter of reviewing the events in ssl.log. After filtering out a handful of sessions to Microsoft domains, I was left with 14 sessions to the same domain, vlcafxbdjtlvlcduwhga.com. The server_name (SNI) field gives the domain directly, and the certificate presented on those sessions has an identical subject and issuer (CN=*,OU=1,O=1,L=1,ST=1,C=XX), i.e. a self-signed certificate with placeholder fields, which corroborates that this is the post-infection traffic rather than a legitimate service:

$ grep -vi microsoft ssl.log | egrep -v "^#"

1595634801.339610	Cn3A9J3XsuEPyebMb4	10.0.0.163	49697	84.38.181.206	443	TLSv12	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	x25519	vlcafxbdjtlvlcduwhga.com	F	-	-	T	FjRzIw3C1jS9SYTy5	(empty)	CN=*,OU=1,O=1,L=1,ST=1,C=XX	CN=*,OU=1,O=1,L=1,ST=1,C=XX	-	-
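The grep pipeline above works for a small log, but it relies on eyeballing tab-separated output. The script below is an added example (not part of the original write-up) that does the same triage programmatically: it parses the Zeek TSV format from its #fields header, tallies sessions per SNI while excluding Microsoft names, and separately lists sessions whose leaf certificate is self-signed (subject equals issuer), the property of the CN=*,OU=1,... certificate seen above. The embedded sample log is constructed: it copies the one record shown on this page and adds made-up sessions (uids Cabc1, Cxyz2, Cnosni3, and their certificate names) so the filters have something to exclude and something to catch. Pass a real ssl.log path as the first argument to run it on actual data.

```python
"""Tally TLS server names (SNI) in a Zeek ssl.log and flag self-signed certs.

Added example, not code from the original write-up. SAMPLE_SSL_LOG is
constructed: row two is the record from the page, the other rows are made up.
"""
import sys
from collections import Counter

# Column layout of a Zeek 3.x ssl.log (older logs lack validation_status).
FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
    "version", "cipher", "curve", "server_name", "resumed", "last_alert",
    "next_protocol", "established", "cert_chain_fuids",
    "client_cert_chain_fuids", "subject", "issuer", "client_subject",
    "client_issuer",
]
CIPHER = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
JUNK_DN = "CN=*,OU=1,O=1,L=1,ST=1,C=XX"  # subject == issuer on the C2 cert

_ROWS = [
    # constructed benign session to a Microsoft telemetry host
    ["1595634790.100000", "Cabc1", "10.0.0.163", "49690", "13.107.4.50", "443",
     "TLSv12", CIPHER, "secp256r1", "settings-win.data.microsoft.com", "F", "-",
     "h2", "T", "Faaa1", "(empty)",
     "CN=*.data.microsoft.com,O=Microsoft Corporation,L=Redmond,ST=WA,C=US",
     "CN=Microsoft RSA TLS CA 01,O=Microsoft Corporation,C=US", "-", "-"],
    # the record quoted in the write-up
    ["1595634801.339610", "Cn3A9J3XsuEPyebMb4", "10.0.0.163", "49697",
     "84.38.181.206", "443", "TLSv12", CIPHER, "x25519",
     "vlcafxbdjtlvlcduwhga.com", "F", "-", "-", "T", "FjRzIw3C1jS9SYTy5",
     "(empty)", JUNK_DN, JUNK_DN, "-", "-"],
    # constructed second beacon to the same domain and cert
    ["1595634861.500000", "Cxyz2", "10.0.0.163", "49702", "84.38.181.206", "443",
     "TLSv12", CIPHER, "x25519", "vlcafxbdjtlvlcduwhga.com", "F", "-", "-", "T",
     "Fbbb2", "(empty)", JUNK_DN, JUNK_DN, "-", "-"],
    # constructed session with no SNI at all (server_name unset)
    ["1595634870.000000", "Cnosni3", "10.0.0.163", "49705", "203.0.113.10", "443",
     "TLSv12", CIPHER, "x25519", "-", "F", "-", "-", "T", "Fccc3", "(empty)",
     "CN=example.org,O=Example", "CN=Example CA,O=Example", "-", "-"],
]

SAMPLE_SSL_LOG = "\n".join(
    ["#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)",
     "#unset_field\t-", "#path\tssl", "#fields\t" + "\t".join(FIELDS)]
    + ["\t".join(r) for r in _ROWS]
    + ["#close\t2020-07-25-00-00-00"]
) + "\n"


def parse_zeek_log(text):
    """Parse a Zeek TSV log into dicts keyed by the #fields header.

    Unset fields ('-') become None and empty fields ('(empty)') become ''.
    """
    fields, unset, empty, records = None, "-", "(empty)", []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line.partition("\t")
            if key == "#fields":
                fields = value.split("\t")
            elif key == "#unset_field":
                unset = value
            elif key == "#empty_field":
                empty = value
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}")
        records.append({k: None if v == unset else "" if v == empty else v
                        for k, v in zip(fields, values)})
    return records


def tally_server_names(records, exclude=("microsoft",)):
    """Count sessions per SNI, skipping names containing an excluded substring.

    Sessions without SNI are counted under '(no SNI)' rather than dropped:
    a C2 that omits SNI would otherwise disappear from the tally.
    """
    counts = Counter()
    for rec in records:
        name = rec.get("server_name") or "(no SNI)"
        if any(s in name.lower() for s in exclude):
            continue
        counts[name] += 1
    return counts


def self_signed_sessions(records):
    """Return uids whose leaf certificate subject equals its issuer."""
    return [r["uid"] for r in records
            if r.get("subject") and r["subject"] == r["issuer"]]


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_SSL_LOG
    records = parse_zeek_log(text)
    for name, n in tally_server_names(records).most_common():
        print(f"{n:4d}  {name}")
    print("self-signed:", ", ".join(self_signed_sessions(records)) or "none")


if __name__ == "__main__":
    main(sys.argv)
```

On a real capture the same two views, "most-contacted non-allowlisted SNI" and "subject equals issuer", tend to converge on the C2 quickly; the exclusion list is deliberately a plain substring match so it can be extended with whatever telemetry domains are noise in a given environment.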

The complete flag was: flag{vlcafxbdjtlvlcduwhga.com}
