TYS 0x01 - communication in the shadows

This post is part of the Test Your Skills series. You can find an introduction here, and an overview of all TYS challenges currently available over here.

What is going on in our network?!

You are a SOC analyst looking into some weird traffic you spotted on TCP/31337.


One of your fellow SOC buddies already exported some of the weird traffic and prepared a pcap for you: get it here. Can you figure out what is going on? Is it malware C2? Data exfiltration or leakage?
I’ll give you a hint: it’s nothing you know and nothing you can google for, but looking at the pcap packet by packet should reveal its secrets to you!

Bonus points for the brave analyst who writes a script to automate the analysis and maybe even lets you participate in what’s going on.
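As a starting point for that script, here is an added example (not part of the challenge material, and not the author's solution): a dependency-free pcapng walker that reads Enhanced Packet Blocks, decodes Ethernet/IPv4/TCP, keeps only segments touching TCP/31337 and groups their payloads per client/server pair with the direction marked. Run it with a path argument to walk a real capture; with no argument it builds and parses a small constructed capture (the 10.0.0.5 / 192.0.2.10 addresses and the "beacon"/"task" payloads are made up for the demonstration). It only understands the Section Header, Interface Description and Enhanced Packet blocks, which is enough for a plain Wireshark/tcpdump export; anything else is skipped by length.

```python
"""Offline pcapng walker: pulls TCP payloads for one port out of a capture.

Added example for the TYS 0x01 write-up; not the original author's code.
Only SHB, IDB and EPB blocks are interpreted; all other blocks are skipped.
"""
import socket
import struct
import sys
from collections import defaultdict

SUSPECT_PORT = 31337  # the port the challenge asks about

# pcapng block type codes (from the pcapng specification)
SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006


def iter_frames(data):
    """Yield captured link-layer frames from every Enhanced Packet Block."""
    endian, off = "<", 0
    while off + 12 <= len(data):
        btype = struct.unpack_from(endian + "I", data, off)[0]  # SHB code is palindromic
        if btype == SHB:
            # The byte-order magic of a section decides how its integers are read
            endian = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        blen = struct.unpack_from(endian + "I", data, off + 4)[0]
        if blen < 12 or off + blen > len(data):
            raise ValueError("truncated or corrupt block at offset %d" % off)
        if btype == EPB:
            # EPB body: iface(4) ts_hi(4) ts_lo(4) caplen(4) origlen(4) data...
            caplen = struct.unpack_from(endian + "I", data, off + 20)[0]
            yield data[off + 28:off + 28 + caplen]
        off += blen


def tcp_payloads(frames, port):
    """Decode Ethernet/IPv4/TCP and yield non-empty segments touching `port`."""
    for frame in frames:
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # IPv4 ethertype only
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack_from("!H", ip, 2)[0]
        if ihl < 20 or ip[9] != 6:  # protocol 6 = TCP
            continue
        tcp = ip[ihl:total_len]  # total_len trims Ethernet padding
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        if port not in (sport, dport):
            continue
        payload = tcp[(tcp[12] >> 4) * 4:]  # data offset is in 32-bit words
        if payload:
            yield socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport, payload


def conversations(data, port=SUSPECT_PORT):
    """Group payloads per (client, server) pair; '->' is client-to-server."""
    convs = defaultdict(list)
    for src, sport, dst, dport, payload in tcp_payloads(iter_frames(data), port):
        if dport == port:
            key, direction = ((src, sport), (dst, dport)), "->"
        else:
            key, direction = ((dst, dport), (src, sport)), "<-"
        convs[key].append((direction, payload))
    return dict(convs)


def _frame(src, sport, dst, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame; IP/TCP checksums are left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", 0x0800) + ip


def _block(btype, body):
    """pcapng block: type, total length, body, total length (little-endian)."""
    blen = 12 + len(body)
    return struct.pack("<II", btype, blen) + body + struct.pack("<I", blen)


def build_sample_capture():
    """Constructed pcapng: one 31337 exchange plus unrelated TLS and ARP noise."""
    shb = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    idb = _block(IDB, struct.pack("<HHI", 1, 0, 65535))  # linktype 1 = Ethernet
    frames = [
        _frame("10.0.0.5", 40000, "192.0.2.10", 31337, b"beacon id=7\n"),
        _frame("192.0.2.10", 31337, "10.0.0.5", 40000, b"task none\n"),
        _frame("10.0.0.5", 40001, "192.0.2.20", 443, b"\x16\x03\x01"),  # unrelated TLS
        b"\xff" * 12 + b"\x08\x06" + b"\x00" * 28,  # ARP frame, skipped by ethertype
    ]
    epbs = b"".join(
        _block(EPB, struct.pack("<IIIII", 0, 0, i, len(f), len(f)) + f + b"\0" * (-len(f) % 4))
        for i, f in enumerate(frames))
    return shb + idb + epbs


if __name__ == "__main__":
    capture = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_capture()
    for (client, server), msgs in conversations(capture).items():
        print("%s:%d <-> %s:%d" % (client + server))
        for direction, payload in msgs:
            print("  %s %r" % (direction, payload))
```

Once the per-direction payloads are visible as a list, the "packet by packet" reading the hint suggests becomes a matter of diffing consecutive messages; the same `conversations()` output is also the natural input for any decoder you end up writing once the framing is understood.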

Have fun hunting! Feel free to post your approach / write-up, and let me know if you have any questions, feedback or general comments in the respective Twitter thread over here.

Verify the files you download with:

md5sum     c91ae8142feb9c63a4e69b91a05377a6                                  cdn/tys/tys_0x01_c2.pcapng
sha1sum    aaee24c061afc193239da0ea2595ae4000eff2f8                          cdn/tys/tys_0x01_c2.pcapng
sha256sum  f75da53a0d33ce917e2ea4ee5ca356c1ca241a2e274d7a9763d24da576e481b4  cdn/tys/tys_0x01_c2.pcapng