DEADROP C2
Overview
A PCAP containing DNS traffic. Buried among normal corporate lookups is a stream
of queries to *.deadrop-c2.com carrying exfiltrated data, encoded as hex
characters in the subdomain labels.
Solution
Filter to queries targeting the C2 domain:
dns && frame contains "deadrop-c2.com"
The subdomain labels follow the pattern {seq:04x}{hex_data}, for example:
0000726f6f74203a78203030202e...deadrop-c2.com
0001...deadrop-c2.com
The first query uses ffff as the sequence prefix and encodes the total chunk
count. All subsequent queries carry 16 bytes of file data each.
Extract and reassemble:
import dpkt

C2_DOMAIN = 'deadrop-c2.com'
CHUNK_BYTES = 16   # file bytes per data query, per the observed pattern

chunks = {}
with open('dns_exfil.pcap', 'rb') as f:
    for ts, raw in dpkt.pcap.Reader(f):
        eth = dpkt.ethernet.Ethernet(raw)
        if not isinstance(eth.data, dpkt.ip.IP):
            continue
        udp = eth.data.data
        if not isinstance(udp, dpkt.udp.UDP) or udp.dport != 53:
            continue
        try:
            dns = dpkt.dns.DNS(udp.data)
        except dpkt.UnpackError:
            continue   # not a parseable DNS message
        for q in dns.qd:
            name = q.name
            if not name.endswith('.' + C2_DOMAIN):
                continue
            # strip the C2 domain, leaving {seq:04x}{hex_data}
            label = name[:-(len(C2_DOMAIN) + 1)]
            if label.startswith('ffff'):
                continue   # header query: carries the chunk count, no file data
            seq = int(label[:4], 16)
            chunks[seq] = bytes.fromhex(label[4:])

# order by sequence number and concatenate the 16-byte chunks
memo = b''.join(chunks[k] for k in sorted(chunks))
print(memo.decode())
The reassembled document is a memo from the budget office noting that the agency's coffee spending has exceeded satellite surveillance for the third consecutive quarter. The flag is embedded at the bottom as a verification token.
Flag: DEADROP{dns_exfil_hidden_in_plain_sight}
Key Takeaway
DNS is a commonly overlooked exfiltration channel: it bypasses many firewall rules because outbound DNS is usually permitted. The pattern of many queries to an unusual domain with hex-looking subdomains is a reliable detection signal.
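As an added example (not part of the original writeup), the following Python puts both halves of the writeup into code: the detection signal from the Key Takeaway (many queries to one domain whose subdomain labels are entirely hex, measured against a query-count and ratio threshold) and a reassembly of the {seq:04x}{hex_data} stream that checks the result against the ffff header. It assumes the header is ffff followed by the chunk count as four hex digits (the writeup only says the header encodes the total count), splits the registered domain off with a crude last-two-labels rule, and runs over constructed query names rather than the PCAP.

```python
import re
from collections import defaultdict

# A label that is nothing but lowercase hex and at least 8 characters long.
HEX_LABEL = re.compile(r"^[0-9a-f]{8,}$")


def registered_domain(name):
    """Split a query name into (registered domain, subdomain labels).

    Assumption for this example: the last two labels are the registered
    domain. Real tooling should consult the public suffix list instead.
    """
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]


def hex_subdomain_stats(query_names):
    """Per registered domain, count total queries and queries whose
    subdomain consists only of hex-looking labels."""
    stats = defaultdict(lambda: {"total": 0, "hex": 0})
    for name in query_names:
        domain, sub = registered_domain(name)
        stats[domain]["total"] += 1
        if sub and all(HEX_LABEL.match(lab) for lab in sub):
            stats[domain]["hex"] += 1
    return dict(stats)


def suspicious_domains(query_names, min_queries=3, min_ratio=0.8):
    """Domains with enough hex-subdomain queries to stand out from normal lookups.
    Both thresholds are illustrative; tune them to the environment's baseline."""
    stats = hex_subdomain_stats(query_names)
    return sorted(
        d for d, v in stats.items()
        if v["hex"] >= min_queries and v["hex"] / v["total"] >= min_ratio
    )


def reassemble(query_names, domain):
    """Rebuild the {seq:04x}{hex_data} stream sent to `domain` and compare it
    with the ffff header. Returns (data, declared_chunk_count, missing_seqs).

    Assumption: the header label is 'ffff' followed by the chunk count as
    four hex digits; the writeup only says it encodes the total count.
    """
    declared = None
    chunks = {}
    for name in query_names:
        d, sub = registered_domain(name)
        if d != domain or not sub:
            continue
        label = "".join(sub)  # rejoin in case a payload spanned several labels
        if not HEX_LABEL.match(label):
            continue
        if label.startswith("ffff"):
            declared = int(label[4:8], 16)
            continue
        chunks[int(label[:4], 16)] = bytes.fromhex(label[4:])
    if declared is not None:
        expected = range(declared)
    else:
        expected = range(max(chunks, default=-1) + 1)
    missing = [i for i in expected if i not in chunks]
    data = b"".join(chunks[k] for k in sorted(chunks))
    return data, declared, missing


# --- constructed sample input (not taken from the PCAP) -------------------

def build_exfil_queries(data, domain, chunk=16):
    """Produce the query names the writeup describes, purely to build test input."""
    parts = [data[i:i + chunk] for i in range(0, len(data), chunk)]
    names = [f"ffff{len(parts):04x}.{domain}"]
    names += [f"{i:04x}{p.hex()}.{domain}" for i, p in enumerate(parts)]
    return names


SECRET = b"coffee budget > satellite budget, Q3 again"  # 42 bytes -> 3 chunks
NORMAL = ["mail.example-corp.com", "www.example-corp.com",
          "sso.example-corp.com", "updates.example-corp.com",
          "a1b2c3d4.cdn-host.net"]  # one hex-looking host: must NOT trip the threshold
EXFIL = build_exfil_queries(SECRET, "deadrop-c2.com")
SAMPLE_QUERIES = [q for pair in zip(NORMAL, EXFIL) for q in pair] + NORMAL[len(EXFIL):]

if __name__ == "__main__":
    for d in suspicious_domains(SAMPLE_QUERIES):
        data, declared, missing = reassemble(SAMPLE_QUERIES, d)
        print(f"{d}: header declares {declared} chunks, missing {missing}")
        print(data.decode(errors="replace"))
```

The single hex-looking host under cdn-host.net is deliberately left in the sample: a lone hex label is common (CDN hashes, cache busters), so the detector keys on volume and ratio per domain rather than on any one query. The missing-sequence list is what tells an analyst whether a capture is complete before trusting the reassembled document.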