We've noticed unusual network traffic on our network. Unfortunately, the AV software permanently deleted the malware sample, so all we have left is a few PCAP files from the incident. But hey, it seems the C&C server is still up! Our malware analysts say the C&C will drop the next stage, but first we need to pass some environment checks.
Could you recreate the client and get the second-stage sample? Good luck!
The C&C is now located at:
ecsc18.hack.cert.pl:10014
PCAP file with the malware traffic: traffic.pcapng.
Hint: do not run commands received from the C&C on your host. If you need to run them at all, use a dedicated virtual machine to prevent accidental damage or data loss.
Flag format:
ecsc{letters_digits_and_special_characters}