Decoding malware C2 with CyberChef
This video tutorial demonstrates how malware C2 traffic can be decoded with CyberChef.
The PCAP files with the analyzed network traffic can be downloaded from malware-traffic-analysis.net.
CyberChef recipe to decode the reverse shell traffic to 103.27.157.146:4444:
XOR({'option':'Hex','string':'62'},'Standard',false)
Find_/_Replace({'option':'Regex','string':'\\r'},'',true,false,true,false)
From_HTML_Entity()
Decoded data from first "key007" reverse shell session to 103.27.157.146:4444:
Authentication successful
furtheringthemagic.com
net group "domain computers" /domain
The request will be processed at a domain controller for domain furtheringthemagic.com.
Group name Domain Computers
Comment All workstations and servers joined to the domain
Members
-------------------------------------------------------------------------------
DESKTOP-G71S4PF$
The command completed successfully.
CyberChef recipe to decode obfuscated PowerShell payload from malicious finger service on 64.190.113.206:79:
Pad_lines('End',5,',6044')
Subtract('Comma')
From_Charcode('Space',10)
IOC List
- 103.27.157.146:4444 (unknown "key007" reverse shell)
- 64.190.113.206:79 (finger)
- checkifhuman[.]top (finger)
- ey267te[.]top (PowerShell)
- 64.52.80.153:80 (PowerShell)
- 173.232.146.62:25658 (AsyncRAT)
- 08kcbghk807qtl9[.]fun:25658 (AsyncRAT)
Network Forensics Training
Check out our network forensic trainings if you want to learn more about decoding malware C2 traffic. We have a Network Forensics for Incident Response class on February 23-26.
Posted by Erik Hjelmvik on Tuesday, 20 January 2026 12:10:00 (UTC/GMT)
Tags: #Netresec #CyberChef #XOR #PCAP #CapLoader #PowerShell
