NETRESEC Network Security Blog - Tag : video


Decoding malware C2 with CyberChef

This video tutorial demonstrates how malware C2 traffic can be decoded with CyberChef.

The PCAP files with the analyzed network traffic can be downloaded from malware-traffic-analysis.net.

CyberChef recipe to decode the reverse shell traffic to 103.27.157.146:4444:

From_Hex('Auto')
XOR({'option':'Hex','string':'62'},'Standard',false)
Find_/_Replace({'option':'Regex','string':'\\r'},'',true,false,true,false)
From_HTML_Entity()

Decoded data from first "key007" reverse shell session to 103.27.157.146:4444:

key007
Authentication successful
furtheringthemagic.com
net group "domain computers" /domain
The request will be processed at a domain controller for domain furtheringthemagic.com.

Group name Domain Computers
Comment All workstations and servers joined to the domain

Members

-------------------------------------------------------------------------------
DESKTOP-G71S4PF$
The command completed successfully.
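The same four-step pipeline as the CyberChef recipe above, written as an added Python example (not code from the original post), with a brute-force helper for the case where the single-byte XOR key is not known in advance. The hex sample is constructed from the first lines of the session shown above, not taken from the real PCAP.

```python
import html

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one single-byte key (the recipe uses 0x62)."""
    return bytes(b ^ key for b in data)

def decode_reverse_shell(hex_payload: str, key: int = 0x62) -> str:
    """Mirror the recipe: From_Hex -> XOR -> drop \\r -> From_HTML_Entity."""
    raw = bytes.fromhex("".join(hex_payload.split()))  # From_Hex('Auto') ignores whitespace
    text = xor_bytes(raw, key).decode("latin-1")        # XOR with key 0x62
    text = text.replace("\r", "")                       # Find_/_Replace regex \r -> ''
    return html.unescape(text)                          # From_HTML_Entity (&quot; -> ")

def guess_xor_key(data: bytes) -> int:
    """Generalisation beyond the post: try all 256 keys and keep the one whose
    output contains the most letters, digits, spaces and line breaks."""
    good = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 \r\n")
    return max(range(256), key=lambda k: sum((b ^ k) in good for b in data))

# Constructed sample: the session text, HTML-encoded and XORed with 0x62, as hex.
SESSION_TEXT = ("key007\r\nAuthentication successful\r\n"
                "net group &quot;domain computers&quot; /domain\r\n")
SAMPLE_HEX = xor_bytes(SESSION_TEXT.encode("latin-1"), 0x62).hex()

if __name__ == "__main__":
    print(decode_reverse_shell(SAMPLE_HEX))
    print("recovered key: 0x%02x" % guess_xor_key(bytes.fromhex(SAMPLE_HEX)))
```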

CyberChef recipe to decode obfuscated PowerShell payload from malicious finger service on 64.190.113.206:79:

Fork(',','',false)
Pad_lines('End',5,',6044')
Subtract('Comma')
From_Charcode('Space',10)
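The recipe above splits the payload on commas (Fork), appends ",6044" to each number and subtracts (so every value becomes n - 6044), then converts the results to characters. The added Python example below (not code from the original post) does the same, plus a helper that recovers an unknown offset by testing which one yields mostly letters. The comma-separated sample is constructed, not the real payload served by the finger service.

```python
OFFSET = 6044  # the constant the CyberChef recipe subtracts from every number

def decode_offset_charcodes(obfuscated: str, offset: int = OFFSET) -> str:
    """Fork(',') -> Subtract offset -> From_Charcode, merged with no separator."""
    codes = [int(tok) - offset for tok in obfuscated.split(",") if tok.strip()]
    return "".join(chr(c) for c in codes)

def encode_offset_charcodes(text: str, offset: int = OFFSET) -> str:
    """Inverse transform, used here only to build the constructed sample."""
    return ",".join(str(ord(ch) + offset) for ch in text)

def guess_offset(obfuscated: str) -> int:
    """Generalisation beyond the post: try every offset that keeps the smallest
    value inside printable ASCII and pick the one giving the most letters/spaces."""
    nums = [int(tok) for tok in obfuscated.split(",") if tok.strip()]
    good = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ ")
    candidates = [min(nums) - v for v in range(0x20, 0x7f)]
    return max(candidates,
               key=lambda off: sum(chr(n - off) in good for n in nums))

# Constructed sample: a harmless PowerShell line obfuscated with the same scheme.
SAMPLE = encode_offset_charcodes("Write-Host 'decoded from finger'")

if __name__ == "__main__":
    print(SAMPLE)
    print(decode_offset_charcodes(SAMPLE))
    print("recovered offset:", guess_offset(SAMPLE))
```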

Update 2026-01-21

Our classification of the final payload has been updated from AsyncRAT to GhostWeaver thanks to feedback from Don Pasci. Don referenced a writeup by Recorded Future's Insikt Group, called Uncovering MintsLoader With Recorded Future Malware Intelligence Hunting, which states the following:

GhostWeaver has periodically been misclassified as AsyncRAT. [...] GhostWeaver and AsyncRAT share certain characteristics within their self-signed X.509 certificates, such as identical expiration dates and serial number lengths; however, these similarities may simply reflect common certificate-generation methods rather than meaningful operational overlap.

We also believe that some of the PowerShell related traffic was caused by MintsLoader.

IOC List

  • 103.27.157.146:4444 (unknown "key007" reverse shell)
  • 64.190.113.206:79 (finger)
  • checkifhuman[.]top (finger)
  • ey267te[.]top (MintsLoader)
  • 64.52.80.153:80 (MintsLoader)
  • 173.232.146.62:25658 (GhostWeaver, previously classified as AsyncRAT)
  • 08kcbghk807qtl9[.]fun:25658 (GhostWeaver, previously classified as AsyncRAT)

Network Forensics Training

Check out our network forensic trainings if you want to learn more about decoding malware C2 traffic. I'm teaching a live online Network Forensics for Incident Response class on February 23-26.

Posted by Erik Hjelmvik on Tuesday, 20 January 2026 12:10:00 (UTC/GMT)

Tags: #Netresec #CyberChef #XOR #PCAP #CapLoader #PowerShell #Video #videotutorial

Short URL: https://netresec.com/?b=261f535


Decoding njRAT traffic with NetworkMiner

I investigate network traffic from a Triage sandbox execution of njRAT in this video. The analysis is performed using NetworkMiner in Linux (REMnux to be specific).

About njRAT / Bladabindi

njRAT is a Remote Access Trojan (RAT) that can be used to remotely control a hacked computer. It has been around since 2013, but despite being over 10 years old it still remains one of the most popular backdoors used by malicious actors. Antivirus vendors usually refer to njRAT as Bladabindi.

njRAT Artefacts Extracted by NetworkMiner

NetworkMiner has a built-in parser for the njRAT Command-and-Control (C2) protocol. This njRAT parser kicks in whenever there is traffic to a well-known njRAT port, such as TCP 1177 or 5552, plus a few extra ports (like TCP 14817, which was used by the analysed sample). You'll need NetworkMiner Professional to decode njRAT traffic on other ports, since it comes with a port-independent protocol identification (PIPI) feature that automatically detects the protocol regardless of which port the server runs on.

As demonstrated in the video, NetworkMiner can extract the following types of artefacts from njRAT network traffic:

  • Screenshots of victim computer
  • Transferred files
  • Commands from C2 server
  • Replies from bot
  • Stolen credentials/passwords
  • Keylog data

Covered njRAT Commands and Plugins

These njRAT commands and plugins are mentioned in the video:

  • CAP = Screen Capture
  • ret = Get Passwords
  • inv = Invoke Plugin
  • PLG = Plugin Delivery
  • kl = Key Logger
  • Ex = Execute Plugin
  • Ex proc = Process List
  • Ex fm = File Manager

IOC List

  • Sample (a.exe): cca1e0b65d759f4c58ce760f94039a0a
  • C2 server: 5.tcp.eu.ngrok[.]io:14817
  • njRAT inv (dll): 2d65bc3bff4a5d31b59f5bdf6e6311d7
  • njRAT PLG (dll): c179e212316f26ce9325a8d80d936666
  • njRAT ret (dll): ac43720c43dcf90b2d57d746464ad574
  • Splitter: Y262SUCZ4UJJ

Posted by Erik Hjelmvik on Monday, 28 April 2025 06:00:00 (UTC/GMT)

Tags: #njRAT #NetworkMiner #REMnux #Video #videotutorial

Short URL: https://netresec.com/?b=2541a39



Browsers tab in NetworkMiner Professional

The Browsers tab is a unique feature only available in NetworkMiner Professional. The PCAP files analyzed in this video are pwned-se_150312_outgoing.pcap and pwned-se_150312_incoming.pcap, which are snippets of the 4.4 GB Hands-on Network Forensics dataset from FIRST 2015 (slides).

More information about NetworkMiner Professional's Browsers tab can be found in our blog post Analyzing Web Browsing Activity.

See our NetworkMiner Professional tutorial videos for additional tips and hints.

Posted by Erik Hjelmvik on Thursday, 03 October 2024 09:10:00 (UTC/GMT)

Tags: #NetworkMiner Professional #Video #Tutorial

Short URL: https://netresec.com/?b=24Abf1c



Hosts tab in NetworkMiner Professional

The PCAP file analyzed in this video is MD_2015-07-22_112601.pcap, which is a snippet of the training data used in our network forensics classes from 2015 to 2019.

Techniques, tools and databases mentioned in the tutorial:

Check out our Passive OS Fingerprinting blog post for more details on how to identify operating systems using TCP/IP headers and browser user-agents.

See our NetworkMiner Professional tutorial videos for more tips and hints.

Posted by Erik Hjelmvik on Tuesday, 01 October 2024 08:25:00 (UTC/GMT)

Tags: #NetworkMiner Professional #Video #Tutorial

Short URL: https://netresec.com/?b=24A71a9


Opening capture files with NetworkMiner Professional

This video tutorial demonstrates how to open capture files with NetworkMiner Professional.

The analyzed pcap-ng file is github.pcapng from CloudShark. More info about this capture file can be found in our blog post Forensics of Chinese MITM on GitHub.

See our NetworkMiner Professional tutorial videos for more tips and hints.

Posted by Erik Hjelmvik on Monday, 30 September 2024 12:50:00 (UTC/GMT)

Tags: #NetworkMiner Professional #Video #Tutorial

Short URL: https://netresec.com/?b=249b790


Video Tutorial: Installing NetworkMiner Professional

This video tutorial covers how to install NetworkMiner Professional.

Use the official 7-Zip tool to extract the password-protected 7-Zip archive.

Recommended locations for NetworkMiner:

  • Desktop
  • My Documents
  • C:\Users\{user}\AppData\Local\Programs\
  • USB flash drive

See our NetworkMiner Professional tutorial videos for more tips and hints.

Posted by Erik Hjelmvik on Monday, 30 September 2024 08:45:00 (UTC/GMT)

Tags: #NetworkMiner Professional #Video #Tutorial

Short URL: https://netresec.com/?b=24904d2

2024 May

Kubernetes Cryptojacking

2024 January

Hunting for Cobalt Strike in PCAP

2023 March

QakBot C2 Traffic

2023 February

How to Identify IcedID Network Traffic

CapLoader 1.9.5 Alerts on Malicious Traffic

2022 September

Hunting for C2 Traffic

2022 May

Emotet C2 and Spam Traffic Video

2021 October

How the SolarWinds Hack (almost) went Undetected

2021 September

Start Menu Search Video

2021 July

Walkthrough of DFIR Madness PCAP

2021 May

Detecting Cobalt Strike and Hancitor traffic in PCAP

2020 January

Sharing a PCAP with Decrypted HTTPS

2019 January

Video: TrickBot and ETERNALCHAMPION

2018 July

Detecting the Pony Trojan with RegEx using CapLoader

2018 February

Examining Malware Redirects with NetworkMiner Professional

Analyzing Kelihos SPAM in CapLoader and NetworkMiner

Antivirus Scanning of a PCAP File

Zyklon Malware Network Forensics Video Tutorial