-
Under what conditions can you get the binary to delete itself?
A: unknown.exe deletes itself:
- If the binary can't connect to h[tt]p://update.ec12-4-109-278-3-ubuntu20-04.local
- If the binary is interrupted while it is sending data to h[tt]p://cdn.altimiter.local
- If the binary finishes sending data
- If the binary can't connect to
-
Does the binary persist? If so, how?
A: No. The binary deletes itself.
-
Under what conditions can you get the binary to exfiltrate data?
A: If the binary connects to the first URL. It sends cosmo.jpeg encrypted; the password used for the encryption is stored in C:\Users\Public\passwrd.txt
Proof:
-
What is the exfiltration domain?
A: http://cdn.altimiter.local
-
What URI is used to exfiltrate data?
A: The URI used is http://cdn.altimiter.local/feed?post=
Proof:
-
What type of data is exfiltrated (the file is cosmo.jpeg, but how exactly is the file's data transmitted?)
A: cosmo.jpeg is encrypted using the content of passwrd.txt as the key, and the encrypted data is sent in the post parameter of the exfiltration URI.
Proof:
-
What key is used to encrypt the data?
A: SikoMode
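The three answers above (exfiltration URI, encrypted cosmo.jpeg in the post parameter, key SikoMode) can be checked against captured traffic. The script below is an added example, not part of the original write-up or of the sample's own code: it pulls the post values out of proxy-style log lines for http://cdn.altimiter.local/feed?post=, reassembles them, and decrypts the result with the key from passwrd.txt. The write-up does not name the cipher or the encoding of the post parameter; RC4 and hex encoding are assumed here, and the log lines are constructed for the example.

```python
"""
Added example: reassemble and decrypt exfil traffic of the kind the
write-up describes. Not the sample's code.

Assumptions not stated in the write-up:
  - the post parameter carries a hex-encoded chunk of the ciphertext
  - the cipher is RC4 with the key read from passwrd.txt
"""
import binascii
from urllib.parse import parse_qs, urlparse

EXFIL_HOST = "cdn.altimiter.local"
EXFIL_PATH = "/feed"
KEY = b"SikoMode"  # content of C:\Users\Public\passwrd.txt per the write-up


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def extract_chunks(log_lines):
    """Return the post values, in request order, for requests to the exfil URI only."""
    chunks = []
    for line in log_lines:
        for token in line.split():
            if not token.startswith("http"):
                continue
            url = urlparse(token)
            if url.hostname == EXFIL_HOST and url.path == EXFIL_PATH:
                query = parse_qs(url.query)
                if "post" in query:
                    chunks.append(query["post"][0])
    return chunks


def reassemble(chunks):
    """Join the hex chunks back into the raw ciphertext."""
    return binascii.unhexlify("".join(chunks))


def recover(log_lines):
    """Ciphertext out of the log, RC4 with the passwrd.txt key, plaintext back."""
    return rc4(KEY, reassemble(extract_chunks(log_lines)))


def build_sample_log(plaintext: bytes, chunk_size: int = 8):
    """Constructed proxy-style log lines modelling the exfil (assumed chunking)."""
    ct_hex = rc4(KEY, plaintext).hex()
    lines = []
    for n, pos in enumerate(range(0, len(ct_hex), chunk_size * 2)):
        chunk = ct_hex[pos:pos + chunk_size * 2]
        lines.append(f"2024-01-01T00:00:{n:02d} GET http://{EXFIL_HOST}{EXFIL_PATH}?post={chunk} 200")
    # Noise: the first check-in URL from the write-up, which must not be picked up as exfil.
    lines.append("2024-01-01T00:01:00 GET http://update.ec12-4-109-278-3-ubuntu20-04.local/ 000")
    return lines


if __name__ == "__main__":
    # Constructed stand-in for the first bytes of cosmo.jpeg (JFIF header).
    sample = b"\xff\xd8\xff\xe0JFIF cosmo.jpeg"
    log = build_sample_log(sample)
    print("\n".join(log))
    print("recovered:", recover(log))
```

The noise line for the check-in host is there on purpose: only requests whose host is cdn.altimiter.local and whose path is /feed are treated as exfil, so a detection written this way does not fire on the sample's first connection.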