~/portfolio / write-ups / masquerade
TryHackMe Network Forensics & Traffic Analysis Medium Apr '26

Masquerade

Analyzed a spearphishing attack where a Finance employee executed a malicious script posing as a system admin update. Traced RC4-decrypted payload delivery via PowerShell, identified C2 traffic hidden inside Google HTTP responses, and decrypted double-encrypted AES GUID commands to recover the flag.

Medium
Difficulty
100%
Completion
TryHackMe
Platform
TOOLS USED
Wireshark
Event Viewer
ILSpy
CyberChef
sha256sum
01
Scoping the Traffic

let's get a feel on the scope first. 44 packets for HTTP, DNS has 168 packets. let's check both protocols for unusual queries.

Wireshark protocol statistics overview

there's a recurring msn.com with different subdomains. let's check the HTTP statistics to see if this is where the user made requests.

HTTP statistics showing requests to 34.174.57.99 and api.edgecloud.xyz

multiple HTTP requests with different files for 34.174.57.99 aside from api.edgecloud.xyz. let's cross reference this IP with the conversation statistics.

Conversation statistics showing notable IPs including 34.174.57.99

a few notable IPs stand out. 34.174.57.99 shows up in the HTTP requests. there's also a one-way connection from 172.172.255.216 (every connection was refused) and back and forth from 13.89.179.14. not much on 172.172.255.216 since all connections were refused. moving on to 34.174.57.99 — this is where we see a lot of juice. the connection happened right after a request to download AMD.bin.

HTTP GET request for AMD.bin from 34.174.57.99
02
Event Viewer Analysis

let's cross check the packet analysis with the Event Viewer. we're inspecting Event ID 4104 — that's where PowerShell script block logging lives.

Event Viewer showing Event ID 4104 entries Event ID 4104 PowerShell script content confirming AMD.bin download saved as amdfedrsr.exe

that confirms what we saw in the packets. there was an HTTP GET to download AMD.bin and it was saved as amdfedrsr.exe. the script block also shows the RC4 decryption key used to unpack the binary.

03
C2 Traffic Analysis

going back to Wireshark, there's a lot of HTTP noise. if we follow the streams it's just traffic directed to Google — generated to blend in.

Wireshark showing HTTP noise traffic to Google

basing on the HTTP request statistics from earlier, let's add that to the filter and cut through the noise.

Filtered traffic down to 4 packets using api.edgecloud.xyz filter

now we're down to 4 packets. looking at the GUIDs in these — they look like encoded strings rather than random gibberish.

GUID values in the filtered packets that look like encoded strings

still looks gibberish though. let's deconstruct the exe first to understand how it actually works. inspecting the whole function shows that the malware routes traffic through Google to look clean, and hides the actual commands inside CSS responses.

Deconstructed executable showing C2 commands hidden in CSS responses
04
Decrypting C2 Traffic

now we know the mechanism. let's crack those GUIDs. we first get the SHA256 of the cipher to use as the AES decryption key.

SHA256 of cipher used as AES decryption key AES decryption key derived from SHA256

the GUID string S is double encrypted. to decrypt it we reverse the process step by step.

Double encrypted GUID structure identified First decryption step — reversing the outer layer

first step done. now we take 16 bytes and decode using the key.

AES decode step taking 16 bytes with the derived key

first GUID decrypted. we use the same process for the rest.

Second GUID decrypted — checking for privileges

this one is checking for privileges.

Third GUID decrypted — connection check

this one is for connections.

Fourth GUID decrypted — contains the flag

the last GUID contains the flag.

05
Q&A
Q1. What external domain was contacted during script execution?

from the decrypted PowerShell execution we saw in the Event Viewer.

Answer: api-edgecloud.xyz
Q2. What encryption algorithm was used by the script?

the PowerShell script used RC4 to decode the binary before saving the executable.

Answer: RC4
Q3. What key was used to decrypt the second-stage payload?

visible in the PowerShell script as the $k variable.

Answer: X9vT3pL2QwE8xR6ZkYhC4s
Q4. What was the timestamp of the server response containing the payload?

following the HTTP stream on the AMD.bin request gives us the server response timestamp.

HTTP stream showing server response timestamp for AMD.bin
Answer: Fri, 10 Apr 2026 05:28:23 GMT
Q5. What is the SHA-256 hash of the extracted and decrypted payload?

run sha256sum against the exe file, not the binary. the value will be consistent regardless of what the file is named.

sha256sum output for amdfedrsr.exe
Answer: e3d39d42df63c6874780737244370ba517820f598fd2443e47ff6580f10c17cb
Q6. What remote URL did the client use to communicate with the victim machine?

from the conversation stats and HTTP analysis, the C2 server is clearly 34.174.57.99.

Answer: hxxp://34.174.57.99
Q7. Which encryption key and algorithm does the client use?

AES to encrypt the traffic, with the key found in the malware binary.

Answer: M4squ3r4d3Th3P4ck3tSt34lthM0d31337, AES
Q8. Decrypt the commands and submit the flag.

from the last GUID decryption — the final command and the flag.

Answer: THM{m45k3d_tr4ff1c_0v3r_c0v3rt_ch4nn3lz}
overall this is a really great room. i enjoyed the whole decryption thing and the investigation of the malicious file. the most interesting part was figuring out that the C2 traffic was hiding inside what looked like normal Google traffic. good lesson in not trusting familiar domains blindly and always looking at what is actually inside the packets.
Key Takeaways
  • traffic masquerading works by blending into trusted destinations. the malware routed C2 through Google and hid commands inside CSS responses. familiar domains in your traffic are not automatically clean — what's inside the packets matters just as much as where they go
  • multi-layer encryption requires understanding the flow before you can reverse it. getting the AES key from the binary, then following the double-encryption steps in order was the only way through. methodology before tools
  • Event ID 4104 was the key to confirming what happened on the host. script block logging caught the full PowerShell execution including the RC4 decryption and the AMD.bin download. worth having enabled in any environment you monitor
  • static analysis was enough to fully understand this attack without running anything. deconstructing the exe, reading the PowerShell logs, and following HTTP streams in Wireshark covered the whole picture
  • file names alone mean nothing. amdfedrsr.exe is designed to look like a legitimate AMD driver process. hash verification and behavioral analysis are what actually tell you what something is
← Prev ItsyBitsy Back → All Write-ups