Remotely Administrated Evil 2

Challenge:

What MYDDNS domain is used for the post-infection traffic in RATPack.pcap?

Use the file from Remotely Administrated Evil.

Solution:

Using the Zeek logs from the analysis in Remotely Administrated Evil 1, I begin by searching dns.log for "MYDDNS" domains to see whether there is a high volume of them that will need to be analyzed.

$ grep -i myddns dns.log

1595623886.331180	CvccLd3EJneUzKWBZj	172.16.1.219	51115	172.16.1.1	53	udp	46768	0.170532	solution.myddns.me	1	C_INTERNET	1	A	0	NOERROR	F	F	T	T	0	185.165.153.158	5.000000	F

Fortunately, there is only one subdomain that was queried, making the completed flag flag{solution.myddns.me}.
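A plain grep works here because only one name matches, but on a busier capture you want the query, the answer and the querying client pulled out by column name and grouped per host. The following is an added example (not code from the original writeup) that parses a Zeek dns.log using its #fields header, so columns are selected by name rather than position, and summarises every query matching a dynamic-DNS pattern. The sample log is constructed: its first record is the line quoted above, the other three are made up to show grouping of repeated queries, case folding, and an NXDOMAIN response with no answers. The default `myddns` pattern, the function names, and the extra records are my own choices, not anything from the challenge files.

```python
"""Summarise dynamic-DNS lookups in a Zeek dns.log (added example, constructed data)."""
import re
from collections import defaultdict

# Column order of a default Zeek dns.log; it is read from the #fields header
# at parse time, this list only builds the constructed sample below.
FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
    "trans_id", "rtt", "query", "qclass", "qclass_name", "qtype", "qtype_name",
    "rcode", "rcode_name", "AA", "TC", "RD", "RA", "Z", "answers", "TTLs", "rejected",
]

_RECORDS = [
    # Real line from the writeup: the infected host resolving the DDNS name.
    ["1595623886.331180", "CvccLd3EJneUzKWBZj", "172.16.1.219", "51115", "172.16.1.1", "53",
     "udp", "46768", "0.170532", "solution.myddns.me", "1", "C_INTERNET", "1", "A",
     "0", "NOERROR", "F", "F", "T", "T", "0", "185.165.153.158", "5.000000", "F"],
    # Constructed: same name queried again in upper case (should group with the first).
    ["1595623901.002310", "CkQ1xP2aZzN9fLmHc", "172.16.1.219", "51120", "172.16.1.1", "53",
     "udp", "13077", "0.151200", "SOLUTION.MYDDNS.ME", "1", "C_INTERNET", "1", "A",
     "0", "NOERROR", "F", "F", "T", "T", "0", "185.165.153.158", "5.000000", "F"],
    # Constructed: benign lookup that must not match the DDNS pattern.
    ["1595623905.448812", "C7Vw3e1HkR2mQoT5y", "172.16.1.219", "51121", "172.16.1.1", "53",
     "udp", "52001", "0.020111", "www.example.net", "1", "C_INTERNET", "1", "A",
     "0", "NOERROR", "F", "F", "T", "T", "0", "198.51.100.10", "300.000000", "F"],
    # Constructed: a second DDNS name from another client, NXDOMAIN so answers is unset ("-").
    ["1595623910.119000", "CzPq8rT4nYb2WdX1m", "172.16.1.42", "49877", "172.16.1.1", "53",
     "udp", "9021", "0.180044", "other.myddns.me", "1", "C_INTERNET", "1", "A",
     "3", "NXDOMAIN", "F", "F", "T", "T", "0", "-", "-", "F"],
]

_HEADER = "\n".join([
    "#separator \\x09",          # Zeek writes the separator as an escape sequence
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tdns",
    "#fields\t" + "\t".join(FIELDS),
])
SAMPLE_DNS_LOG = (_HEADER + "\n" + "\n".join("\t".join(r) for r in _RECORDS)
                  + "\n#close\t2020-07-24-22-00-00\n")

DEFAULT_DDNS_PATTERN = r"myddns"  # the provider this challenge asks about; extend as needed


def parse_zeek_log(text):
    """Yield one dict per record, keyed by the names in the #fields header.

    Unset fields ("-" by default) become None so callers can test them directly.
    """
    sep, unset, fields = "\t", "-", None
    for raw in text.splitlines():
        if not raw:
            continue
        if raw.startswith("#separator"):
            # "#separator \x09" -> decode the escape to the actual separator character
            sep = raw.split(" ", 1)[1].encode().decode("unicode_escape")
            continue
        if raw.startswith("#"):
            key, _, value = raw[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
            elif key == "unset_field":
                unset = value
            continue  # #types, #open, #close and friends carry no records
        if fields is None:
            raise ValueError("record seen before #fields header")
        values = raw.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        yield {k: (None if v == unset else v) for k, v in zip(fields, values)}


def ddns_queries(text, pattern=DEFAULT_DDNS_PATTERN):
    """Group queries whose name matches `pattern` (case-insensitive) by name.

    Returns a list of (name, count, sorted answers, sorted clients), most-queried
    name first, so the host used for post-infection traffic is at the top.
    """
    rx = re.compile(pattern, re.IGNORECASE)
    groups = defaultdict(lambda: {"count": 0, "answers": set(), "clients": set()})
    for rec in parse_zeek_log(text):
        name = rec.get("query")
        if not name or not rx.search(name):
            continue
        g = groups[name.lower()]
        g["count"] += 1
        g["clients"].add(rec["id.orig_h"])
        if rec.get("answers"):                      # None for NXDOMAIN / unset
            g["answers"].update(rec["answers"].split(","))
    return sorted(
        ((n, g["count"], sorted(g["answers"]), sorted(g["clients"])) for n, g in groups.items()),
        key=lambda t: (-t[1], t[0]),
    )


if __name__ == "__main__":
    for name, count, answers, clients in ddns_queries(SAMPLE_DNS_LOG):
        print(f"{name:24} queries={count} answers={answers} clients={clients}")
```

Run it against a real file with `ddns_queries(open("dns.log").read())`; the answers column is what you would then pivot on in conn.log to confirm the post-infection traffic actually went to the resolved address.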
