
Hunting Malicious Infrastructure using JARM and HTTP Response

Michael Koczwara, published in Detect FYI
May 16, 2023 (4 min read)

Hunting QBot C2 and Brute Ratel C4 Infrastructure

In this blog, I will explain my hunting methodology with two practical examples.

  • QBot C2
  • Brute Ratel C4

I chose these two because, despite the differences between Brute Ratel C4 and QBot, this methodology (JARM and HTTP response hash) is applicable to both examples and provides great results.

Process

My process always starts with looking for the first node (phase one), continues with analyzing and pivoting (phase two), and ends with the results (phase three).

Process Flow (figure)

Step by step, my approach to hunting malicious infrastructure.
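To make the pivot step of phase two concrete, here is an added example (not code from the original post or from its author) of how the two fingerprints can be combined over a set of scanned hosts. The `HostRecord` type, the host records, the IP addresses (documentation ranges) and the JARM strings are all constructed placeholders; real records would come from a TLS/HTTP scan dataset. The HTTP response hash is a plain SHA-256 over the status code, the non-volatile headers and the body, which is one reasonable normalisation but is an assumption of this example rather than the post's definition. The point the code demonstrates is that a JARM match alone is a weak pivot (many unrelated servers share a TLS stack fingerprint), so candidates are tiered by whether the HTTP response hash also matches.

```python
import hashlib
from dataclasses import dataclass, field

# Headers that change between requests or deployments and would otherwise
# make two identical C2 front-ends hash differently.
VOLATILE_HEADERS = frozenset({"date", "content-length", "etag", "set-cookie",
                              "last-modified", "expires"})


@dataclass
class HostRecord:
    """One scanned host: TLS fingerprint plus the HTTP response it served.

    Hypothetical structure for this example; adapt to your scan data."""
    ip: str
    jarm: str          # 62-char JARM fingerprint (placeholder strings below)
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def http_response_hash(status: int, headers: dict, body: bytes,
                       volatile: frozenset = VOLATILE_HEADERS) -> str:
    """SHA-256 over a normalised view of an HTTP response.

    Header names are lower-cased and sorted, volatile headers are dropped,
    so header order and per-request values do not affect the hash."""
    lines = [f"status:{status}"]
    for name, value in sorted((n.lower(), v.strip()) for n, v in headers.items()):
        if name in volatile:
            continue
        lines.append(f"{name}:{value}")
    digest = hashlib.sha256()
    digest.update("\n".join(lines).encode("utf-8"))
    digest.update(b"\n\n")
    digest.update(body)
    return digest.hexdigest()


def record_hash(rec: HostRecord) -> str:
    return http_response_hash(rec.status, rec.headers, rec.body)


def pivot(seed: HostRecord, candidates: list) -> dict:
    """Tier candidate hosts by how much they resemble the seed C2.

    jarm_and_http: both fingerprints match (strong pivot)
    jarm_only:     same TLS fingerprint, different response (needs review)
    http_only:     same response, different TLS stack (also worth a look)"""
    seed_hash = record_hash(seed)
    tiers = {"jarm_and_http": [], "jarm_only": [], "http_only": []}
    for rec in candidates:
        if rec.ip == seed.ip:
            continue
        jarm_match = rec.jarm == seed.jarm
        http_match = record_hash(rec) == seed_hash
        if jarm_match and http_match:
            tiers["jarm_and_http"].append(rec.ip)
        elif jarm_match:
            tiers["jarm_only"].append(rec.ip)
        elif http_match:
            tiers["http_only"].append(rec.ip)
    return tiers


# Constructed sample data: JARM values and responses are placeholders, not
# real QBot or Brute Ratel fingerprints.
JARM_A = "CONSTRUCTED_JARM_A_" + "0" * 43
JARM_B = "CONSTRUCTED_JARM_B_" + "1" * 43
C2_RESPONSE = dict(status=404,
                   headers={"Server": "nginx", "Content-Type": "text/html",
                            "Date": "Tue, 16 May 2023 10:00:00 GMT"},
                   body=b"<html><body>404 Not Found</body></html>")

SEED = HostRecord("203.0.113.10", JARM_A, **C2_RESPONSE)
CANDIDATES = [
    # Same JARM, same response apart from the Date header -> strong match.
    HostRecord("203.0.113.20", JARM_A, 404,
               {"server": "nginx", "content-type": "text/html",
                "date": "Wed, 17 May 2023 08:00:00 GMT"},
               b"<html><body>404 Not Found</body></html>"),
    # Same JARM but a normal web site -> JARM collision, weak signal.
    HostRecord("203.0.113.30", JARM_A, 200,
               {"Server": "nginx", "Content-Type": "text/html"},
               b"<html><body>Welcome</body></html>"),
    # Same response body/headers behind a different TLS stack.
    HostRecord("203.0.113.40", JARM_B, **C2_RESPONSE),
    # Unrelated host.
    HostRecord("203.0.113.50", JARM_B, 200, {"Server": "Apache"}, b"ok"),
]


if __name__ == "__main__":
    for tier, ips in pivot(SEED, CANDIDATES).items():
        print(f"{tier:14s} {ips}")
```

Running the block prints one line per tier; only `203.0.113.20` lands in the strong tier, while the JARM-only collision and the response-only match are kept separate for manual review rather than being treated as confirmed C2.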

Hunting QBot C2 Infrastructure (step-by-step guideline)

Looking for the first Node

This is our starting point, where we look for our first malicious C2. I recommend three options: VirusTotal, ThreatFox…
