Sliver C2 Implant Analysis

Sliver C2 Implant Analysis

C2 server

Intro

In this short blog, I will analyse a sample of Sliver that I was able to identify while scanning my adversaries’ infrastructure. I will start with a static analysis with PEStudio, a dynamic analysis with ProcMon and Wireshark. I will perform some basic reverse engineering with IDA and finally analyse the Threat Actor infrastructure.

Basic information about the malware

File information

PE32+ executable (GUI) x86–64 (stripped to external PDB), for MS Windows

File size 15.53 MB (16283648 bytes)

Hashes/IoC

• MD5: 54129cad2a0de88cd94440e7663fdffb
• SHA-1: 194c402c0d3bb285cc32eb4a6f23519081c8815e
• SHA-256: 44e38bf97ce3f5cc22886a54e1e7144e2c6fbdb9515b9a8f26f025ce3eac56e4

VT Analysis

VirusTotal

VT Analysis

VT Analysis

Static Analysis

These strings show some capabilities of the malware such as:

• can create new services
• open existing service
• getting the system information
• getting the root directory path of the current user
• it contains the functions that are used to play with sockets as creating a socket connection, closing a connection, etc.