Remotely Administrated Evil 2


What MYDDNS domain is used for the post-infection traffic in RATPack.pcap?

Use the file from Remotely Administrated Evil.


Using the Zeek logs generated during the analysis for Remotely Administrated Evil 1, I begin by searching dns.log (case-insensitively, since the challenge text capitalizes the name) to see whether a high volume of "MYDDNS" domains was queried that would need to be analyzed.

$ grep -i myddns dns.log

1595623886.331180	CvccLd3EJneUzKWBZj	51115	53	udp	46768	0.170532	1	C_INTERNET	1	A	0	NOERROR	F	F	TT	0	5.000000	F

Fortunately, only one such subdomain was queried, so the completed flag is flag{}.
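A plain grep works when there is one hit, but it matches any column (uid, answers, TTLs) and gives no count per name. The script below is an added example, not part of the original write-up: it reads the column names from Zeek's own #fields header, so it does not depend on fixed positions, lowercases the query field like grep -i, and tabulates each matching query name with its hit count and last answer. The sample dns.log it writes is constructed for the example; the hostnames and addresses (documentation ranges, .example TLD) are placeholders, not data from RATPack.pcap, and the default pattern "myddns" is an assumption taken from the challenge wording.

```shell
#!/bin/sh
# Added example: tabulate dynamic-DNS lookups in a Zeek dns.log by field name.
# Sample log and placeholder names/IPs are constructed, not taken from RATPack.pcap.

# dns_row TS UID ORIG_H QUERY ANSWERS: emit one tab-separated dns.log record with
# the remaining Zeek fields held constant (constructed values).
dns_row() {
    printf '%s\t%s\t%s\t51115\t198.51.100.53\t53\tudp\t46768\t0.170532\t%s\t1\tC_INTERNET\t1\tA\t0\tNOERROR\tF\tF\tT\tT\t0\t%s\t5.000000\tF\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# write_sample_dns_log FILE: write a small Zeek-style dns.log (constructed sample data)
# including the #fields header that real Zeek logs carry. Other metadata lines omitted.
write_sample_dns_log() {
    {
        printf '#separator \\x09\n'
        printf '#path\tdns\n'
        printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\ttrans_id\trtt\tquery\tqclass\tqclass_name\tqtype\tqtype_name\trcode\trcode_name\tAA\tTC\tRD\tRA\tZ\tanswers\tTTLs\trejected\n'
        dns_row 1595623880.000000 CuidA1 10.0.0.5 www.example.com 192.0.2.1
        dns_row 1595623886.331180 CuidB2 10.0.0.5 beacon.myddns.example 203.0.113.10
        dns_row 1595623890.000000 CuidC3 10.0.0.5 time.example.net 192.0.2.2
        dns_row 1595623892.500000 CuidD4 10.0.0.5 BEACON.MYDDNS.EXAMPLE 203.0.113.10
        dns_row 1595623895.000000 CuidE5 10.0.0.5 beacon.myddns.example 203.0.113.10
        dns_row 1595623899.000000 CuidF6 10.0.0.5 update.myddns.example 203.0.113.11
    } > "$1"
}

# ddns_queries FILE [PATTERN]: print "count<TAB>query<TAB>last answer" for every
# query name matching PATTERN (an awk regex, default "myddns"), most frequent first.
# Columns are located via the #fields header, so the script survives field reordering.
ddns_queries() {
    awk -F'\t' -v pat="${2:-myddns}" '
        /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }  # name -> column
        /^#/       { next }                                             # skip metadata
        {
            q = tolower($col["query"])                                  # like grep -i
            if (q ~ pat) { n[q]++; ans[q] = $col["answers"] }
        }
        END { for (q in n) printf "%d\t%s\t%s\n", n[q], q, ans[q] }
    ' "$1" | sort -rn
}

# Demo run on the constructed sample; on a real case run: ddns_queries dns.log
sample=$(mktemp)
write_sample_dns_log "$sample"
ddns_queries "$sample"
rm -f "$sample"
```

On a real capture, pass a broader pattern as the second argument (for example an alternation of several dynamic-DNS provider suffixes) to catch post-infection traffic that does not use the exact string the question hints at; the count column then tells you at a glance which name is the beacon and which are one-off lookups.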
