Home / Labs / C2 /

Command & Control (often shortened to C&C or C2) is an umbrella term used to refer to servers involved in the control and/or distribution of malware. This includes, but is not limited to, any servers that host malware payloads, issue commands to infected systems, or receive exfiltrated data.

C2s pose a unique challenge for malware analysts, because while the malware code may be available to reverse engineer, the C2 code typically is not. As such, it is not always clear how the C2 infrastructure works, or what it does.

Some threat actors will leverage the fact that C2 code is not public to implement server-side anti-analysis. One example of this could be uploading a list of running processes, then not providing the 2nd stage payload if any malware analysis related tools are detected.

These examples all communicated with a C2 server hosted by MalwareTech Labs, so you don’t have to worry about opsec. With that said, it’s still recommended to always perform any analysis inside a virtual machine for safety.

Command & Control 1

Lab Type:
Static Analysis
Languages:
x86_64
Platform:
Windows 64-bit
Difficulty:
A simple beginner-friendly example which obtains the flag from the C2 server. While this is a static analysis challenge, you'll still need to interact with the C2 server.

Command & Control 2

Lab Type:
Static Analysis
Languages:
x86_64
Platform:
Windows 64-bit
Difficulty:
It's not uncommon for malware to require new infections to register with the C2 before receiving commands. See if you can figure out the protocol and obtain the flag.

Command & Control 3

Lab Type:
Static Analysis
Languages:
x86_64
Platform:
Windows 64-bit
Difficulty:
Advanced malware often uses a droppers, which are small payloads designed to download the next stage of the malware from the C2. You'll have to reverse engineer the first stage to get the next.