Analyzing Command-and-Control Communication


When to Use


  • Reverse engineering a malware sample has revealed network communication that needs protocol analysis
  • Building network-level detection signatures for a specific C2 framework (Cobalt Strike, Metasploit, Sliver)
  • Mapping C2 infrastructure including primary servers, fallback domains, and dead drops
  • Analyzing encrypted or encoded C2 traffic to understand the command set and data format
  • Attributing malware to a threat actor based on C2 infrastructure patterns and tooling
Do not use for general network anomaly detection; this is specifically for understanding known or suspected C2 protocols from malware analysis.

Prerequisites


  • PCAP capture of malware network traffic (from sandbox, network tap, or full packet capture)
  • Wireshark/tshark for packet-level analysis
  • Reverse engineering tools (Ghidra, dnSpy) for understanding C2 code in the malware binary
  • Python 3.8+ with scapy, dpkt, and requests for protocol analysis and replay
  • Threat intelligence databases for C2 infrastructure correlation (VirusTotal, Shodan, Censys)
  • JA3/JA3S fingerprint databases for TLS-based C2 identification

Workflow


Step 1: Identify the C2 Channel


Determine the protocol and transport used for C2 communication:
C2 Communication Channels:
━━━━━━━━━━━━━━━━━━━━━━━━━
HTTP/HTTPS:     Most common; uses standard web traffic to blend in
                Indicators: Regular POST/GET requests, specific URI patterns, custom headers

DNS:            Tunneling data through DNS queries and responses
                Indicators: High-volume TXT queries, long subdomain names, high entropy

Custom TCP/UDP: Proprietary binary protocol on non-standard port
                Indicators: Non-HTTP traffic on high ports, unknown protocol

ICMP:           Data encoded in ICMP echo/reply payloads
                Indicators: ICMP packets with large or non-standard payloads

WebSocket:      Persistent bidirectional connection for real-time C2
                Indicators: WebSocket upgrade followed by binary frames

Cloud Services: Using legitimate APIs (Telegram, Discord, Slack, GitHub)
                Indicators: API calls to cloud services from unexpected processes

Email:          SMTP/IMAP for C2 commands and data exfiltration
                Indicators: Automated email operations from non-email processes

Step 2: Analyze Beacon Pattern


Characterize the periodic communication pattern. The script groups outbound TCP SYNs by destination and flags destinations whose inter-connection intervals are regular. A sleep with jitter still produces a bounded, low-variance interval distribution, which is what the jitter-percentage test keys on:

```python
from scapy.all import rdpcap, IP, TCP
from collections import defaultdict
import statistics

packets = rdpcap("c2_traffic.pcap")

# Group TCP SYN packets (new outbound connections) by destination ip:port.
# Mask with 0x12 so SYN-ACKs (0x12) from the server are not counted as client connects.
connections = defaultdict(list)
for pkt in packets:
    if IP in pkt and TCP in pkt and (pkt[TCP].flags & 0x12) == 0x02:
        key = f"{pkt[IP].dst}:{pkt[TCP].dport}"
        connections[key].append(float(pkt.time))

# Analyze each destination for beaconing
for dst, times in sorted(connections.items()):
    if len(times) < 3:
        continue
    times.sort()
    intervals = [times[i + 1] - times[i] for i in range(len(times) - 1)]
    avg_interval = statistics.mean(intervals)
    stdev = statistics.stdev(intervals) if len(intervals) > 1 else 0
    jitter_pct = (stdev / avg_interval * 100) if avg_interval > 0 else 0
    duration = times[-1] - times[0]

    beacon_data = {
        "destination": dst,
        "connections": len(times),
        "duration_seconds": round(duration, 1),
        "avg_interval_seconds": round(avg_interval, 1),
        "stdev_seconds": round(stdev, 1),
        "jitter_percent": round(jitter_pct, 1),
        # Heuristic thresholds: tune per sample. Sleeps above 2 hours need a
        # correspondingly long capture before three check-ins are even visible.
        "is_beacon": 5 < avg_interval < 7200 and jitter_pct < 25,
    }

    if beacon_data["is_beacon"]:
        print(f"[!] BEACON DETECTED: {dst}")
        print(f"    Interval: {avg_interval:.0f}s +/- {stdev:.0f}s ({jitter_pct:.0f}% jitter)")
        print(f"    Sessions: {len(times)} over {duration:.0f}s")
```

Counting SYNs assumes one connection per check-in, which holds for HTTP(S) beacons but not for a persistent TCP or WebSocket channel; for those, time the request messages inside the single stream instead.

Step 3: Decode C2 Protocol Structure


Reverse engineer the message format from captured traffic. This pass only works on cleartext HTTP; traffic to port 443 is TLS and must be decrypted first (for example with a sandbox that exports session keys via SSLKEYLOGFILE) before any request parsing is possible:

```python
# HTTP-based C2 protocol analysis (cleartext HTTP only)
import base64
import binascii
import dpkt

with open("c2_traffic.pcap", "rb") as f:
    pcap = dpkt.pcap.Reader(f)  # legacy pcap format; use dpkt.pcapng.Reader for pcapng captures
    for ts, buf in pcap:
        eth = dpkt.ethernet.Ethernet(buf)
        if not isinstance(eth.data, dpkt.ip.IP):
            continue
        ip = eth.data
        if not isinstance(ip.data, dpkt.tcp.TCP):
            continue
        tcp = ip.data
        if tcp.dport not in (80, 8080) or not tcp.data:
            continue
        try:
            # Parses one request per TCP segment. A request split across segments
            # needs stream reassembly first (e.g. tshark -z follow,tcp,raw,<stream>).
            http = dpkt.http.Request(tcp.data)
        except (dpkt.UnpackError, dpkt.NeedData):
            continue
        print("\n--- C2 REQUEST ---")
        print(f"Method: {http.method}")
        print(f"URI: {http.uri}")
        print(f"Headers: {dict(http.headers)}")
        if http.body:
            print(f"Body ({len(http.body)} bytes):")
            try:
                # validate=True: without it b64decode silently "decodes" almost any
                # byte string, so every body would look Base64-encoded
                decoded = base64.b64decode(http.body, validate=True)
                print(f"  Base64-decoded: {decoded[:200]!r}")
            except (binascii.Error, ValueError):
                print(f"  Raw: {http.body[:200]!r}")
```

Step 4: Identify C2 Framework


Match observed patterns to known C2 frameworks:
Known C2 Framework Signatures:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Cobalt Strike:
  - Stock-profile URIs include /pixel, /submit.php, /__utm.gif, /ca, /dpixel
    (only present when the operator kept the default profile)
  - Malleable C2 profiles customize all traffic characteristics (URIs, headers,
    encoding, TLS certificate)
  - JA3: varies by profile and host TLS stack; compare against a JA3 fingerprint database
  - Watermark in beacon config (per-license value, a useful pivot across samples)
  - Config extraction: use CobaltStrikeParser or 1768.py

Metasploit/Meterpreter:
  - Reverse HTTP(S) URIs are random base64url strings whose 8-bit checksum
    (byte sum mod 256) equals a fixed per-stage value: 92 INITW/INITN,
    80 INITP, 88 INITJ, 98 CONN, 95 INIT_CONN
  - Reverse HTTP(S) handler patterns
  - Meterpreter TLV (Type-Length-Value) protocol structure

Sliver:
  - mTLS, HTTP(S), DNS, WireGuard transport options
  - Protobuf-encoded messages
  - Unique implant ID in communication

Covenant:
  - .NET-based C2 framework
  - HTTP with customizable profiles
  - Task-based command execution

PoshC2:
  - PowerShell/C# based
  - HTTP with encrypted payloads
  - Cookie-based session management
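Two of the signatures above can be checked mechanically against request paths pulled from the capture: membership in the Cobalt Strike stock-profile URI list, and the Metasploit URI checksum scheme. The following is an added example (not code from the original page or from either framework); the checksum constants are those of Metasploit's Rex::Payloads::Meterpreter::UriChecksum, and the sample paths are constructed.

```python
import re

# Cobalt Strike stock-profile URIs (the subset listed above)
COBALT_STRIKE_DEFAULT_URIS = {"/pixel", "/submit.php", "/__utm.gif", "/ca", "/dpixel"}

# Metasploit URI checksum constants (Rex::Payloads::Meterpreter::UriChecksum)
METASPLOIT_URI_CHECKSUMS = {
    92: "INITW/INITN (Windows or native stager)",
    80: "INITP (Python stager)",
    88: "INITJ (Java stager)",
    98: "CONN (existing session)",
    95: "INIT_CONN (new stageless session)",
}


def uri_checksum(path):
    """Metasploit's 8-bit URI checksum: drop every character that is not
    base64url, sum the remaining byte values, reduce modulo 256."""
    bare = re.sub(r"[^A-Za-z0-9_-]", "", path)
    return sum(bare.encode()) % 256


def classify_uri(path):
    """Return the framework signatures a request path matches (possibly none)."""
    hits = []
    if path in COBALT_STRIKE_DEFAULT_URIS:
        hits.append("cobalt-strike-default-uri")
    # Metasploit paths are a single random base64url segment. Restricting the
    # checksum test to that shape keeps dictionary paths like /login or
    # /gate.php from producing accidental hits (a random path still matches
    # one of five values about 2% of the time, so treat a hit as a lead).
    if re.fullmatch(r"/[A-Za-z0-9_-]{4,}", path):
        csum = uri_checksum(path)
        if csum in METASPLOIT_URI_CHECKSUMS:
            hits.append(f"metasploit-uri-checksum-{csum}")
    return hits


def classify_uris(paths):
    return {p: classify_uri(p) for p in paths}


if __name__ == "__main__":
    # Constructed sample paths, not from a real capture
    SAMPLE_PATHS = ["/dpixel", "/submit.php", "/FFFFD", "/FFFFJ", "/gate.php", "/api/v1/status"]
    for path, hits in classify_uris(SAMPLE_PATHS).items():
        label = ", ".join(hits) or "-"
        print(f"{path:20} checksum={uri_checksum(path):3d}  {label}")
```

Feed it the URI column from Step 3 (or `tshark -T fields -e http.request.uri`). A checksum hit on a short random-looking path is a lead to confirm by fetching the stage in a sandbox or checking the response body for a Meterpreter TLV header, not a verdict on its own.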
```bash
# Extract Cobalt Strike beacon configuration from a sample or memory dump
# with Sentinel-One's CobaltStrikeParser
git clone https://github.com/Sentinel-One/CobaltStrikeParser
pip3 install -r CobaltStrikeParser/requirements.txt
python3 CobaltStrikeParser/parse_beacon_config.py suspect.exe
python3 CobaltStrikeParser/parse_beacon_config.py --json suspect.exe > beacon_config.json

# Alternative: Didier Stevens' 1768.py
python3 1768.py suspect.exe
```

The parsed config gives the fields the report needs directly: BeaconType, C2Server, HttpGet/HttpPost URIs and headers, SleepTime, Jitter, and the Watermark. Compare SleepTime and Jitter with the intervals measured in Step 2 to confirm you are looking at the same implant.

Step 5: Map C2 Infrastructure


Document the full C2 infrastructure and failover mechanisms. Enrichment must stay passive (Shodan, passive DNS, certificate transparency): never connect to the C2 hosts from the analysis network, since the operator sees the hit and can rotate infrastructure:

```python
# Infrastructure mapping via passive enrichment
import os
import json
import requests

SHODAN_API_KEY = os.environ["SHODAN_API_KEY"]
VT_API_KEY = os.environ["VT_API_KEY"]

c2_indicators = {
    "primary_c2": "185.220.101.42",
    "domains": ["update.malicious.com", "backup.evil.net"],
    "ports": [443, 8443],
    "failover_dns": ["ns1.malicious-dns.com"],
}


# Enrich with Shodan host data (open ports, ASN, hostnames, last scan time)
def shodan_lookup(ip, api_key):
    resp = requests.get(
        f"https://api.shodan.io/shodan/host/{ip}",
        params={"key": api_key},
        timeout=15,
    )
    if resp.status_code != 200:
        return None
    data = resp.json()
    return {
        "ip": ip,
        "ports": data.get("ports", []),
        "os": data.get("os"),
        "org": data.get("org"),
        "asn": data.get("asn"),
        "country": data.get("country_code"),
        "hostnames": data.get("hostnames", []),
        "last_update": data.get("last_update"),
    }


# Enrich with passive DNS (VirusTotal v3 domain resolutions)
def pdns_lookup(domain, api_key):
    resp = requests.get(
        f"https://www.virustotal.com/api/v3/domains/{domain}/resolutions",
        headers={"x-apikey": api_key},
        timeout=15,
    )
    if resp.status_code != 200:
        return []
    return [
        {"ip": r["attributes"]["ip_address"], "date": r["attributes"]["date"]}
        for r in resp.json().get("data", [])
    ]


infra = {
    "primary_c2": shodan_lookup(c2_indicators["primary_c2"], SHODAN_API_KEY),
    "passive_dns": {d: pdns_lookup(d, VT_API_KEY) for d in c2_indicators["domains"]},
}
print(json.dumps(infra, indent=2))
```

Pivot on what comes back: other domains that resolved to the same IP in the same window, and other hosts in Shodan carrying the same certificate or HTTP banner, are candidates for sibling C2 infrastructure.

Step 6: Create Network Detection Signatures


Build detection rules based on analyzed C2 characteristics:

```bash
# Suricata rules for the analyzed C2 (Suricata 5+ sticky-buffer syntax; ja3.hash
# requires app-layer.protocols.tls.ja3-fingerprints: yes in suricata.yaml)
cat << 'EOF' > c2_detection.rules
# HTTP beacon pattern: POST to /gate.php with the implant's hard-coded User-Agent,
# alerting once a host has sent 5 such requests in 10 minutes.
# Literal semicolons inside content must be escaped as \;
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE MalwareX C2 HTTP Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; startswith; http.user_agent; content:"Mozilla/5.0 (compatible\; MSIE 10.0)"; threshold:type threshold, track by_src, count 5, seconds 600; sid:9000010; rev:1;)

# JA3 fingerprint match. JA3 identifies the client TLS stack, not the malware,
# so legitimate software built on the same library shares the hash: correlate
# with destination or beacon timing before acting on it.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE MalwareX TLS JA3 Fingerprint"; ja3.hash; content:"a0e9f5d64349fb13191bc781f81f42e1"; sid:9000011; rev:1;)

# DNS beacon detection: first label of 20+ alphanumerics, 10 queries per minute
# from one host. Allowlist reputation services that legitimately use long hash labels.
alert dns $HOME_NET any -> any any (msg:"MALWARE Suspected DNS C2 Tunneling"; dns.query; pcre:"/^[a-z0-9]{20,}\./"; threshold:type threshold, track by_src, count 10, seconds 60; sid:9000012; rev:1;)

# Certificate-based detection on the server certificate subject. Add tls.cert_issuer
# with the same CN if the rule should only fire on the self-signed certificate.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE MalwareX C2 Certificate Subject"; tls.cert_subject; content:"CN=update.malicious.com"; sid:9000013; rev:1;)
EOF
```
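The DNS rule approximates "high entropy" with a 20-character alphanumeric label because a regex cannot measure entropy. Where you have DNS logs rather than a sensor, the same heuristic can be scored directly. This is an added example, not code from the original page: it parses constructed Zeek-style dns.log records (timestamp, client, query, query type; the real dns.log has more columns), computes the Shannon entropy of the first label, and groups suspicious queries per client so that a single odd name is not reported but a stream of them to one parent domain is.

```python
import math
from collections import Counter, defaultdict

# Constructed dns.log-style records (ts, orig_h, query, qtype), tab-separated; not a real capture
SAMPLE_DNS_LOG = """\
1700000000.1\t10.0.0.5\twww.example.com\tA
1700000000.2\t10.0.0.5\tcdn-a1b2.static-assets.example.net\tA
1700000001.0\t10.0.0.9\tm5yhe2tqnbxwc3thmeywizltmm3tcmzu.tunnel.example.org\tTXT
1700000002.0\t10.0.0.9\tgeztgnbvgy3tqojqmfrgg4tfnbuwkyrxmuzg.tunnel.example.org\tTXT
1700000003.0\t10.0.0.9\tkrugkidrovuwg2zamjzg653oebthe33yebsgk4dfmq.tunnel.example.org\tTXT
"""


def shannon_entropy(s):
    """Bits per character: 0 for a repeated character, up to log2(32) = 5 for Base32 data."""
    n = len(s)
    if n == 0:
        return 0.0
    return round(-sum(c / n * math.log2(c / n) for c in Counter(s).values()), 2)


def score_query(qname, min_len=20, min_entropy=3.5):
    """Score the first label, which is where a DNS tunnel carries its data."""
    first, _, parent = qname.partition(".")
    ent = shannon_entropy(first)
    return {
        "label": first,
        "parent_domain": parent,
        "label_len": len(first),
        "entropy": ent,
        "suspicious": len(first) >= min_len and ent >= min_entropy,
    }


def parse_dns_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, qname, qtype = line.split("\t")
        records.append({"ts": float(ts), "src": src, "qname": qname.lower().rstrip("."), "qtype": qtype})
    return records


def find_tunnel_candidates(text, min_queries=3, **thresholds):
    """Clients with at least min_queries suspicious lookups, with the parent
    domains and query types involved (TXT/NULL/CNAME favour tunnels)."""
    per_src = defaultdict(lambda: {"count": 0, "parent_domains": set(), "qtypes": Counter()})
    for rec in parse_dns_log(text):
        score = score_query(rec["qname"], **thresholds)
        if not score["suspicious"]:
            continue
        entry = per_src[rec["src"]]
        entry["count"] += 1
        entry["parent_domains"].add(score["parent_domain"])
        entry["qtypes"][rec["qtype"]] += 1
    return {src: e for src, e in per_src.items() if e["count"] >= min_queries}


if __name__ == "__main__":
    for src, e in find_tunnel_candidates(SAMPLE_DNS_LOG).items():
        print(f"[!] {src}: {e['count']} high-entropy queries to {sorted(e['parent_domains'])} ({dict(e['qtypes'])})")
```

The thresholds are starting points: CDN hostnames and cache-busting labels are long but sit below 3.5 bits, while Base32 tunnel payloads land between 4 and 5. Hash-based reputation lookups (antivirus and mail filters) are the main legitimate source of long high-entropy labels and belong on an allowlist keyed by parent domain.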

Key Concepts


| Term | Definition |
| --- | --- |
| Beaconing | Periodic check-in communication from the implant to the C2 server at a configured interval, usually with jitter so the timing does not form an obvious pattern |
| Jitter | Randomization applied to the beacon interval (e.g. 60s with 15% jitter) to make the timing less predictable and harder to detect |
| Malleable C2 | Cobalt Strike feature allowing operators to customize all aspects of C2 traffic (URIs, headers, encoding) to mimic legitimate services |
| Dead Drop | Intermediate location (paste site, cloud storage, social media) where C2 commands are posted for the malware to retrieve |
| Domain Fronting | The TLS SNI names a trusted CDN hostname while the HTTP Host header inside the encrypted tunnel names the attacker's origin behind the same CDN; on the wire the connection appears to go to the legitimate service |
| Fast Flux | Rapidly changing DNS records for C2 domains to spread them across many IPs and resist takedown efforts |
| C2 Framework | Software toolkit providing a C2 server, implant generator, and operator interface (Cobalt Strike, Metasploit, Sliver, Covenant) |

Tools & Systems


  • Wireshark: Packet analyzer for detailed C2 protocol analysis at the packet level
  • RITA (Real Intelligence Threat Analytics): Open-source tool analyzing Zeek logs for beacon detection and DNS tunneling
  • CobaltStrikeParser: Tool extracting Cobalt Strike beacon configuration from samples and memory dumps
  • JA3/JA3S: TLS fingerprinting method for identifying C2 frameworks by their TLS implementation characteristics
  • Shodan/Censys: Internet scanning platforms for mapping C2 infrastructure and identifying related servers
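JA3 is referred to throughout this page as a lookup value; knowing how the hash is derived makes its limits obvious. The following is an added example, not code from the page or from the JA3 project: it parses a TLS ClientHello record and produces the JA3 string (ClientHello version, cipher suites, extension types, supported groups, EC point formats, all decimal and '-' joined, GREASE values removed) and its MD5. The ClientHello it runs on is constructed by the helper in the block, not captured traffic.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are excluded from JA3, as in the reference implementation
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def _u16_list(data, offset, length):
    return [struct.unpack_from(">H", data, i)[0] for i in range(offset, offset + length, 2)]


def ja3_from_client_hello(record):
    """Return (ja3_string, ja3_md5) for a TLS record carrying a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]                                   # strip the 5-byte TLS record header
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4                                           # handshake type (1) + length (3)
    version = struct.unpack_from(">H", hs, pos)[0]; pos += 2
    pos += 32                                         # client random
    pos += 1 + hs[pos]                                # session id
    cs_len = struct.unpack_from(">H", hs, pos)[0]; pos += 2
    ciphers = _u16_list(hs, pos, cs_len); pos += cs_len
    pos += 1 + hs[pos]                                # compression methods
    exts, curves, formats = [], [], []
    if pos + 2 <= len(hs):                            # extensions block is optional
        ext_len = struct.unpack_from(">H", hs, pos)[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack_from(">HH", hs, pos); pos += 4
            edata = hs[pos:pos + elen]; pos += elen
            exts.append(etype)
            if etype == 0x000a:                       # supported_groups
                curves = _u16_list(edata, 2, struct.unpack_from(">H", edata, 0)[0])
            elif etype == 0x000b:                     # ec_point_formats
                formats = list(edata[1:1 + edata[0]])

    def field(vals):
        return "-".join(str(v) for v in vals if v not in GREASE)

    ja3 = f"{version},{field(ciphers)},{field(exts)},{field(curves)},{field(formats)}"
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def build_client_hello(version, ciphers, extensions):
    """Constructed ClientHello for testing; extensions is a list of (type, data) pairs."""
    body = struct.pack(">H", version) + bytes(32) + b"\x00"      # version, zero random, empty session id
    body += struct.pack(">H", 2 * len(ciphers)) + b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                                           # one compression method: null
    ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


# Constructed sample: TLS 1.2 hello with GREASE in the cipher, group and extension lists
SNI = b"\x00\x0c\x00\x00\x09" + b"localhost"
SAMPLE_CLIENT_HELLO = build_client_hello(
    0x0303,
    [0x1301, 0x1302, 0xc02f, 0x0a0a],
    [(0x0000, SNI), (0x1a1a, b""), (0x000a, struct.pack(">HHHH", 6, 0x001d, 0x0017, 0x1a1a)),
     (0x000b, b"\x01\x00"), (0x0023, b"")],
)

if __name__ == "__main__":
    ja3, digest = ja3_from_client_hello(SAMPLE_CLIENT_HELLO)
    print(ja3)      # 771,4865-4866-49199,0-10-11-35,29-23,0
    print(digest)
```

Everything in the string comes from the client's TLS library, which is why a JA3 hash identifies "Go 1.x net/http" or "Windows Schannel" rather than a particular implant, and why the same hash recurs across unrelated software. Clients that randomize extension order per connection (Chrome does) produce a different string each time, so JA3 is most reliable against the fixed-order stacks most implants are built on.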

Common Scenarios


Scenario: Reverse Engineering a Custom C2 Protocol


Context: A malware sample communicates with its C2 server using an unknown binary protocol over TCP port 8443. The protocol needs to be decoded to understand the command set and build detection signatures.
Approach:
  1. Filter PCAP for TCP port 8443 conversations and extract the TCP streams
  2. Analyze the first few exchanges to identify the handshake/authentication mechanism
  3. Map the message structure (length prefix, type field, payload encoding)
  4. Cross-reference with Ghidra disassembly of the send/receive functions in the malware
  5. Identify the command dispatcher and document each command code's function
  6. Build a protocol decoder in Python for ongoing traffic analysis
  7. Create Suricata rules matching the protocol handshake or static header bytes
Pitfalls:
  • Assuming the protocol is static; some C2 frameworks negotiate encryption during the handshake
  • Not capturing enough traffic to see all command types (some commands are rare)
  • Missing fallback C2 channels (DNS, ICMP) that activate when the primary channel fails
  • Confusing encrypted payload data with the protocol framing structure
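Step 6 of the approach, the Python decoder, is where the last pitfall bites: a length-prefixed frame can start in one TCP segment and end in the next, and a decoder that treats segments as frames will misread encrypted payload bytes as headers. The block below is an added example, not code from the original page or from any real malware. It assumes the framing the report template on this page uses, [4B length][4B command_id][payload], with both fields big-endian, the length counting command_id plus payload, and the payload carried as Base64 of the plaintext XORed with 0x69; the command table is the one in the report template and the traffic is constructed.

```python
import base64
import binascii
import struct

# Assumed framing (from the report template on this page, not a real protocol):
#   [4B length, big-endian][4B command_id, big-endian][payload]
#   length counts command_id + payload; payload = Base64(plaintext XOR 0x69)
XOR_KEY = 0x69
HEADER = struct.Struct(">II")
COMMANDS = {0x01: "Sleep", 0x02: "Shell", 0x03: "Download", 0x04: "Upload",
            0x05: "Inject", 0x06: "Keylog", 0x07: "Screenshot"}


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def encode_frame(cmd_id, payload):
    """Build one frame as the (assumed) implant would; used here to construct test traffic."""
    body = base64.b64encode(xor_bytes(payload, XOR_KEY))
    return HEADER.pack(4 + len(body), cmd_id) + body


class C2StreamDecoder:
    """Incremental decoder for one direction of a TCP stream. Feed segment payloads
    in order; frames may be split across segments or packed several to a segment."""

    MAX_FRAME = 1 << 20  # a larger 'length' means the framing guess is wrong or we lost sync

    def __init__(self):
        self.buf = b""

    def feed(self, segment):
        self.buf += segment
        frames = []
        while len(self.buf) >= HEADER.size:
            length, cmd_id = HEADER.unpack_from(self.buf)
            if length < 4 or length > self.MAX_FRAME:
                raise ValueError(f"implausible length {length}: framing assumption wrong or stream desynchronised")
            if len(self.buf) < 4 + length:
                break  # partial frame: keep buffering until the rest arrives
            body, self.buf = self.buf[HEADER.size:4 + length], self.buf[4 + length:]
            try:
                plaintext = xor_bytes(base64.b64decode(body, validate=True), XOR_KEY)
            except (binascii.Error, ValueError):
                plaintext = None  # framing is right but the payload encoding guess is not
            frames.append({
                "command_id": cmd_id,
                "command": COMMANDS.get(cmd_id, f"UNKNOWN_0x{cmd_id:02x}"),
                "payload": plaintext,
            })
        return frames


def decode_stream(segments):
    dec = C2StreamDecoder()
    frames = []
    for seg in segments:
        frames.extend(dec.feed(seg))
    return frames


# Constructed server->implant traffic, split at awkward offsets to exercise reassembly:
# the first segment holds less than a header, the second ends mid-frame
SAMPLE_STREAM = encode_frame(0x01, b"60") + encode_frame(0x02, b"whoami") + encode_frame(0x09, b"ping")
SAMPLE_SEGMENTS = [SAMPLE_STREAM[:5], SAMPLE_STREAM[5:20], SAMPLE_STREAM[20:]]

if __name__ == "__main__":
    for frame in decode_stream(SAMPLE_SEGMENTS):
        print(f"cmd 0x{frame['command_id']:02x} {frame['command']:<14} {frame['payload']!r}")
```

Unknown command IDs are reported rather than dropped, since a rarely issued command (pitfall 2) first shows up exactly this way; the implausible-length check turns a wrong framing guess into an immediate error instead of silently decoding garbage.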

Output Format


C2 COMMUNICATION ANALYSIS REPORT
===================================
Sample:           malware.exe (SHA-256: e3b0c44...)
C2 Framework:     Cobalt Strike 4.9

BEACON CONFIGURATION
C2 Server:        hxxps://185.220.101[.]42/updates
Beacon Type:      HTTPS (reverse)
Sleep:            60 seconds
Jitter:           15%
User-Agent:       Mozilla/5.0 (Windows NT 10.0; Win64; x64)
URI (GET):        /dpixel
URI (POST):       /submit.php
Watermark:        1234567890

PROTOCOL ANALYSIS
Transport:        HTTPS (TLS 1.2)
JA3 Hash:         a0e9f5d64349fb13191bc781f81f42e1
Certificate:      CN=Microsoft Update (self-signed)
Encoding:         Base64 with XOR key 0x69
Command Format:   [4B length][4B command_id][payload]

COMMAND SET
0x01 - Sleep          Change beacon interval
0x02 - Shell          Execute cmd.exe command
0x03 - Download       Transfer file from C2
0x04 - Upload         Exfiltrate file to C2
0x05 - Inject         Process injection
0x06 - Keylog         Start keylogger
0x07 - Screenshot     Capture screen

INFRASTRUCTURE
Primary:          185.220.101[.]42 (AS12345, Hosting Co, NL)
Failover:         91.215.85[.]17 (AS67890, VPS Provider, RU)
DNS:              update.malicious[.]com -> 185.220.101[.]42
Registrar:        NameCheap
Registration:     2025-09-01

DETECTION SIGNATURES
SID 9000010:      HTTP beacon pattern
SID 9000011:      JA3 TLS fingerprint
SID 9000013:      C2 certificate match