Evidence Category · 12 Questions
Encrypted Container and C2
Assesses the analysis of encrypted configuration files and command-and-control (C2) infrastructure evidence.
Questions in This Category
Q019 · Flag after decrypting KASA.BIN with the memory key?
Q020 · Passphrase opening KASA.BIN?
Q021 · Real C2 server address in the encrypted C2 config?
Q022 · The actual exfiltration target?
Q023 · How many victim databases does the decrypted C2 config list?
Q024 · Where did the key decrypting the C2 config leak? (source)
Q102 · Second victim database in the decrypted C2 config?
Q103 · Filesystem state of KASA.BIN?
Q104 · Which system file does WINLOAD.DAT imitate?
Q105 · Stream cipher type used in the encrypted containers?
Q154 · Port of the real C2 server?
Q164 · First victim database listed in the decrypted C2 config?