Hunting Malicious Infrastructure using JARM and HTTP Response

Hunting QBot C2 and Brute Ratel C4 Infrastructure

In this blog, I will explain my hunting methodology with two practical examples.

• QBot C2
• Brute Ratel C4

I choose these two because despite the difference between Brute Ratel C4 and QBot this methodology (JARM and HTTP Response hash) is applicable to both examples and provides great results.

Process

My process starts always looking for the first node in phase one, analyzing and pivoting in phase two, and results in phase three.

process flow

Process Flow

Step by step my approach to hunting malicious infrastructure.

Process Flow

Hunting QBot C2 Infrastructure (step-by-step guideline)

Looking for the first Node

This is our starting point where we should look for our first malicious C2. I recommend three options VirusTotal, Threat Fox, and Twitter where I usually look for the first node.

This is our starting point 173.18.122.24 (I grabbed this IP from Twitter) and our goal is to escalate from one malicious C2 to identify hundreds or sometimes thousands of them.

When analyzing our first node I recommend always paying attention to the patterns for example certificates, ports, and HTTP Response.

Analysis

It is important to identify JARM for the implemented certificates.

JARM

All that information is required to understand how the threat actors build malicious infrastructure and based on that how we…