What MYDDNS domain is used for the post-infection traffic in RATPack.pcap?
Use the file from Remotely Administrated Evil.
Using the Zeek logs from the analysis during Remotely Administrated Evil 1 I begin by searching dns.log to see if there is a high volume of “MYDDNS” domains that will need to be analyzed.
$ grep -i myddns dns.log 1595623886.331180 CvccLd3EJneUzKWBZj 172.16.1.219 51115 172.16.1.1 53 udp 46768 0.170532 solution.myddns.me 1 C_INTERNET 1 A 0 NOERROR F F TT 0 188.8.131.52 5.000000 F
Fortunately, there is only one subdomain that was queried, making the completed flag