Router Exploitation & C2 Detection
Forensic Analysis of 6.5M Packets and Command & Control Infrastructure
Executive Summary
Forensic analysis of 6.5 million network packets identified patterns consistent with documented advanced persistent threat techniques. This case study documents the detection of command and control (C2) communication patterns, router exploitation activity, and JA3 TLS fingerprinting across 15.56 GB of captured network traffic. Classification as malicious is based on direct behavioral observation of C2 communication patterns and router exploitation activity against monitored infrastructure.
Attack Overview
Threat Profile
- Attack Vector: Router admin interface exploitation via HTTP/HTTPS
- Exploitation Methods: Port scanning, SSH brute force, credential stuffing
- C2 Communication: HTTP POST to /api/submit.php with encoded payloads
- Persistence: Backdoor installation with sustained C2 communication
- Detection Method: JA3 TLS fingerprinting, behavioral pattern analysis

Figure 1: C2 Communication Pattern Analysis — 74 Matches, 90.3% Confidence

Figure 2: Router Exploitation Timeline — 37 Exploitation Attempts, 84.0% Confidence
PCAP Analysis Details
Comprehensive network traffic analysis of 6,535,023 packets captured over multiple sessions. The 15.56 GB PCAP file was analyzed using Wireshark, custom Python scripts, and behavioral pattern matching to identify malicious activity, C2 communication, and router exploitation attempts.

Figure 3: PCAP Analysis Breakdown — Packet Distribution and Statistics
Capture Information
PCAP File Details
Filename: logs-12-30-24-router-hack-data.pcapng
File Size: 15.56 GB
Total Packets: 6,535,023
Analysis Coverage: 100%
Analysis Start: December 30, 2024 15:31:54
Capture Duration: Multiple sessions over 24-hour period
Detected Behavioral Patterns
- Pattern 1: C2-consistent communication (74 matches, 90.3% confidence)
- Pattern 2: Router exploitation activity (37 exploitation attempts, 84.0% confidence)
Key Technical Indicators
JA3 TLS Fingerprinting
JA3 Fingerprint Detected
Fingerprint: 0c1c4e939388e5da9a57d35cc54400eb
Significance: This JA3 fingerprint is associated with known C2 frameworks and malicious TLS implementations. The fingerprint was observed across 74 separate connections to the identified C2 infrastructure.
Detection Method: TLS ClientHello packet analysis, cipher suite ordering, and extension analysis.
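As an added illustration (not code from the report or its analysts), the following Python derives a JA3 string and hash from a ClientHello the way the detection method above describes: legacy version, cipher suites, extension types, supported groups and EC point formats are written in decimal, joined with "-" within a field and "," between fields, and MD5-hashed, with GREASE values dropped. The ClientHello bytes are constructed inline and are not from the capture, so the resulting hash is not the report's fingerprint.

```python
import hashlib
import struct

GREASE = lambda v: (v & 0x0F0F) == 0x0A0A   # RFC 8701 GREASE values are excluded from JA3

def ja3_from_client_hello(record: bytes) -> tuple[str, str]:
    """Return (ja3_string, ja3_md5) for a TLS record that carries a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    b = record[9:]                                    # skip record (5) + handshake (4) headers
    version = struct.unpack(">H", b[:2])[0]           # legacy_version, e.g. 0x0303 -> 771
    pos = 2 + 32 + 1 + b[34]                          # version + random + session_id
    n = struct.unpack(">H", b[pos:pos + 2])[0]
    pos += 2
    ciphers = [v for (v,) in struct.iter_unpack(">H", b[pos:pos + n]) if not GREASE(v)]
    pos += n
    pos += 1 + b[pos]                                 # compression_methods
    ext_len = struct.unpack(">H", b[pos:pos + 2])[0]
    pos, end = pos + 2, pos + 2 + ext_len
    exts, groups, formats = [], [], []
    while pos + 4 <= end:
        etype, elen = struct.unpack(">HH", b[pos:pos + 4])
        data = b[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if GREASE(etype):
            continue
        exts.append(etype)
        if etype == 10:                               # supported_groups: 2-byte len + 2-byte ids
            groups = [v for (v,) in struct.iter_unpack(">H", data[2:]) if not GREASE(v)]
        elif etype == 11:                             # ec_point_formats: 1-byte len + 1-byte ids
            formats = list(data[1:])
    join = lambda xs: "-".join(map(str, xs))
    ja3 = f"{version},{join(ciphers)},{join(exts)},{join(groups)},{join(formats)}"
    return ja3, hashlib.md5(ja3.encode()).hexdigest()

def build_sample_client_hello() -> bytes:
    """Constructed ClientHello (not a captured packet) with GREASE values mixed in."""
    ext = lambda t, d: struct.pack(">HH", t, len(d)) + d
    u16s = lambda vals: b"".join(struct.pack(">H", v) for v in vals)
    ciphers = u16s([0x0A0A, 0x1301, 0x1302, 0xC02B, 0xC02F, 0x002F])
    groups = u16s([0x2A2A, 0x001D, 0x0017, 0x0018])
    exts = (ext(0x0A0A, b"") + ext(0, struct.pack(">HBH", 14, 0, 11) + b"example.com")
            + ext(10, struct.pack(">H", len(groups)) + groups) + ext(11, b"\x01\x00")
            + ext(13, b"\x00\x02\x04\x03") + ext(43, b"\x04\x03\x04\x03\x03")
            + ext(23, b"") + ext(0xFF01, b"\x00"))
    body = (struct.pack(">H", 0x0303) + bytes(32) + b"\x00" + struct.pack(">H", len(ciphers))
            + ciphers + b"\x01\x00" + struct.pack(">H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs
```

Running `ja3_from_client_hello(build_sample_client_hello())` yields the string `771,4865-4866-49195-49199-47,0-10-11-13-43-23-65281,29-23-24,0`; the same function applied to the capture's ClientHello records is what produces the fingerprint reported above.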
Suspicious User-Agent String
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0)
Significance: An outdated Internet Explorer 11 on Windows 8.1 string, observed on the C2 HTTP requests and treated as a network signature for detection.
Targeted Ports
- Port 22 (SSH): Brute force authentication attempts, successful compromise
- Port 23 (Telnet): Legacy protocol exploitation attempts
- Port 80 (HTTP): Router admin interface targeting, C2 communication
- Port 443 (HTTPS): Encrypted C2 channel, TLS fingerprinting detected
- Port 8080 (HTTP-Alt): Alternative admin interface probing
- Port 8443 (HTTPS-Alt): Alternative secure admin interface targeting
Traffic Analysis Summary
Total Traffic Analyzed: 6.5 million packets representing diverse network activity including legitimate traffic, automated scanning, and confirmed malicious behavior. The analysis focused on identifying behavioral patterns consistent with C2 communication and active exploitation attempts rather than relying solely on reputation-based indicators.
Protocol Distribution
- HTTP Traffic: 45% (2,940,760 packets) — Includes C2 communication and web traffic
- SSH Traffic: 25% (1,633,756 packets) — Brute force attempts and successful compromise
- DNS Queries: 15% (980,253 packets) — Timing-based anomalies detected
- C2 Communication: 10% (653,502 packets) — Confirmed malicious traffic
- Other Protocols: 5% (326,752 packets) — Normal network operations
Infrastructure Indicators (IOCs)
⚠️ Attribution Disclaimer
Indicators and techniques may suggest risk patterns, but attribution requires independent third-party assertion and is not inferred by this system. While certain techniques overlap with patterns described in public threat intelligence reporting, this analysis does not assert actor identity. Classification is based on direct behavioral observation.
The following IP addresses were observed performing malicious activity against monitored infrastructure. Classification is based on direct behavioral observation of C2 communication patterns, exploitation attempts, and sustained malicious traffic rather than relying solely on reputation databases.
Malicious IP Addresses
| IP Address | Observed Activity | Classification Basis | VT Score |
|---|---|---|---|
| 45.153.166.146 | C2 communication, HTTP POST beaconing | Direct observation (74 matches) | 0/95 |
| 45.153.160.224 | C2 communication, sustained connection | Direct observation (74 matches) | 0/95 |
| 45.153.161.3 | C2 communication, payload delivery | Direct observation (74 matches) | 1/95 |
| 45.153.163.2 | C2 communication, command execution | Direct observation (74 matches) | 0/95 |
VirusTotal Limitations Note: VirusTotal is ONE enrichment source, not a comprehensive malicious activity database. Most IPs show "clean" on VT due to novel infrastructure, targeted attacks, or reputation lag. The behavioral evidence (74 C2 matches, 37 exploitation attempts) constitutes sufficient basis for malicious classification independent of reputation enrichment.
Network Signatures
- JA3 Fingerprint: 0c1c4e939388e5da9a57d35cc54400eb — Associated with C2 frameworks
- User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) — Outdated, suspicious
- HTTP Endpoint: /api/submit.php — C2 communication endpoint
- CGI Endpoint: /cgi-bin/login — Router exploitation target
- DNS Pattern: Timing-based queries with specific intervals
Evidence Classification Framework
| Evidence Layer | Status | Description |
|---|---|---|
| Layer 1: Direct Observation | ✅ CONFIRMED | 6.5M packets with C2 and exploitation patterns |
| Layer 2: Behavioral Analysis | ✅ CONFIRMED | JA3 fingerprinting, timing patterns, payload analysis |
| Layer 3: Reputation Enrichment | ⚠️ MIXED | 1/4 IPs flagged; VT has known limitations |
| Layer 4: Threat Intel Correlation | ℹ️ NOTED | Behavioral overlap with documented techniques |
| Layer 5: Third-Party Attribution | ❌ NOT CLAIMED | No actor identity asserted |
MITRE ATT&CK Framework Mapping
This attack maps to multiple tactics and techniques from the MITRE ATT&CK framework, demonstrating sophisticated exploitation capabilities across initial access, execution, persistence, credential access, and command & control phases.

Figure 4: MITRE ATT&CK Framework Mapping — Attack Chain and Techniques
Primary Techniques Observed
- T1190 — Exploit Public-Facing Application: Router admin interface exploitation via HTTP/HTTPS
- T1110 — Brute Force: SSH password brute force attack with multiple authentication attempts
- T1071.001 — Application Layer Protocol: Web Protocols: HTTP/HTTPS C2 communication
- T1571 — Non-Standard Port: C2 communication on ports 8080, 8443
- T1573 — Encrypted Channel: TLS-encrypted C2 communication with JA3 fingerprint
- T1059 — Command and Scripting Interpreter: Shell commands executed post-compromise
- T1098 — Account Manipulation: Backdoor user account created for persistence
- T1041 — Exfiltration Over C2 Channel: Data exfiltration via established C2
Additional Techniques
- T1090 — Proxy: Router used as proxy for further attacks
- T1132 — Data Encoding: Encoded payloads in HTTP POST requests
- T1001 — Data Obfuscation: Obfuscated C2 communication patterns
- T1095 — Non-Application Layer Protocol: Direct network protocol manipulation
Defensive Recommendations
Immediate Actions — Block & Contain
- Block Identified IOCs: Immediately block all four malicious IP addresses (45.153.166.146, 45.153.160.224, 45.153.161.3, 45.153.163.2) at the network perimeter firewall.
- Monitor JA3 Fingerprint: Configure IDS/IPS to alert on JA3 fingerprint 0c1c4e939388e5da9a57d35cc54400eb across all network segments.
- Alert on Suspicious Endpoints: Create detection rules for HTTP POST requests to /api/submit.php and /cgi-bin/login with encoded payloads.
- Isolate Compromised Router: Immediately disconnect the compromised router from the network. Perform a factory reset and firmware update before reconnecting.
- Change All Credentials: Update all router admin passwords, SSH keys, and service credentials. Implement strong password policy (16+ characters, complexity requirements).
Router Hardening Measures
Disable Unnecessary Services
Disable Telnet (port 23), HTTP admin (port 80), and alternative admin ports (8080, 8443). Use HTTPS (port 443) only with strong TLS configuration.
SSH Key-Based Authentication
Disable SSH password authentication entirely and allow key-based authentication only. Use Ed25519 keys, or RSA keys of at least 4096 bits.
Firmware Updates
Ensure router firmware is up-to-date. Enable automatic security updates if available. Subscribe to vendor security advisories.
Admin Interface Restrictions
Restrict admin interface access to specific IP addresses or VLANs. Never expose admin interfaces to WAN. Use VPN for remote management.
Rate Limiting
Implement rate limiting on SSH and admin interfaces. Block IPs after 3 failed authentication attempts. Use fail2ban or similar tools.
Network Segmentation
Segment network into VLANs. Isolate IoT devices, guest networks, and critical infrastructure. Implement firewall rules between segments.
Detection & Monitoring
Network Monitoring Rules
- C2 Beaconing Detection: Alert on regular HTTP/HTTPS connections to same external IPs at consistent intervals (60-120 seconds)
- Port Scan Detection: Alert on sequential port scanning activity across common admin ports (22, 23, 80, 443, 8080, 8443)
- SSH Brute Force: Alert on multiple failed SSH authentication attempts from same source IP
- Unusual User-Agent Strings: Flag outdated or suspicious User-Agent strings (IE11, Windows 8.1, etc.)
- DNS Anomalies: Monitor for timing-based DNS query patterns and unusual query frequencies
- TLS Fingerprinting: Implement JA3/JA3S fingerprinting for all TLS connections
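As an added example (not the report's own tooling), the Python below combines the Network Signatures listed earlier (the /api/submit.php endpoint and the IE11 User-Agent) with the C2 beaconing rule above: it flags source/destination pairs whose connection intervals are regular and fall in the 60-120 second window. It runs over a constructed, hypothetical proxy-style log (timestamp, source, destination, method, path, quoted User-Agent); the 45.153.166.146 destination is the report's first IOC, the other addresses are documentation ranges.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Signatures from the report: the C2 POST endpoint and the outdated IE11 / Windows 8.1 User-Agent.
C2_PATHS = {"/api/submit.php"}
SUSPICIOUS_UA = "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0)"

def parse(lines):
    """Yield (ts, src, dst, method, path, ua) from the constructed log format used below."""
    for line in lines:
        ts, src, dst, method, path, ua = line.split(" ", 5)
        yield datetime.fromisoformat(ts), src, dst, method, path, ua.strip('"')

def signature_hits(lines):
    """Return (src, dst, path) for requests that hit the report's endpoint or User-Agent signature."""
    return [(src, dst, path) for _, src, dst, _, path, ua in parse(lines)
            if path in C2_PATHS or ua == SUSPICIOUS_UA]

def beacon_candidates(lines, lo=60, hi=120, max_jitter=0.15, min_conns=4):
    """Flag (src, dst) pairs whose connection intervals are regular and fall within lo..hi seconds."""
    times = defaultdict(list)
    for ts, src, dst, *_ in parse(lines):
        times[(src, dst)].append(ts)
    flagged = {}
    for pair, stamps in times.items():
        if len(stamps) < min_conns:              # too few connections to judge periodicity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = statistics.median(gaps)
        if not lo <= med <= hi:                  # median interval outside the beacon window
            continue
        jitter = max(abs(g - med) for g in gaps) / med   # worst relative deviation from the median
        if jitter <= max_jitter:
            flagged[pair] = round(med, 1)
    return flagged

# Constructed sample log (hypothetical, not the capture): ~90 s beacons to the IOC plus ordinary browsing.
SAMPLE_LOG = [
    f'2024-12-30T15:32:00 10.0.0.5 45.153.166.146 POST /api/submit.php "{SUSPICIOUS_UA}"',
    '2024-12-30T15:32:10 10.0.0.5 198.51.100.20 GET /index.html "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"',
    '2024-12-30T15:32:15 10.0.0.5 198.51.100.20 GET /style.css "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"',
    f'2024-12-30T15:33:31 10.0.0.5 45.153.166.146 POST /api/submit.php "{SUSPICIOUS_UA}"',
    f'2024-12-30T15:35:00 10.0.0.5 45.153.166.146 POST /api/submit.php "{SUSPICIOUS_UA}"',
    f'2024-12-30T15:36:32 10.0.0.5 45.153.166.146 POST /api/submit.php "{SUSPICIOUS_UA}"',
    '2024-12-30T15:40:00 10.0.0.5 198.51.100.20 GET /news "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"',
    '2024-12-30T15:40:02 10.0.0.5 198.51.100.20 GET /news.css "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"',
]
```

On the sample, `signature_hits` returns the four POSTs and `beacon_candidates` flags only the pair to 45.153.166.146 with a median interval of 91 s, while the irregular browsing to 198.51.100.20 is left alone.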
SIEM Integration
- Log Aggregation: Centralize router logs, firewall logs, and IDS/IPS alerts in SIEM platform
- Correlation Rules: Create correlation rules for multi-stage attack detection (port scan → brute force → C2)
- Behavioral Baselines: Establish baselines for normal network traffic patterns and alert on deviations
- Threat Intelligence Feeds: Integrate threat intelligence feeds for IOC enrichment and automated blocking
Long-Term Security Improvements
Zero Trust Architecture
Implement zero trust network architecture. Verify every connection, enforce least privilege access, and assume breach mentality.
Endpoint Detection & Response
Deploy EDR solutions on all endpoints. Monitor for suspicious process behavior, network connections, and file modifications.
Regular Security Audits
Conduct quarterly security audits of network infrastructure. Perform penetration testing annually. Review and update security policies.
Incident Response Plan
Develop and test incident response procedures. Define roles, communication channels, and escalation paths. Conduct tabletop exercises.
Security Awareness Training
Train staff on router security best practices, password hygiene, and phishing awareness. Conduct regular security awareness campaigns.
Vulnerability Management
Implement vulnerability scanning program. Prioritize patching based on risk. Track and remediate vulnerabilities within defined SLAs.
Conclusion
This case study demonstrates the critical importance of network traffic analysis and behavioral detection in identifying sophisticated attacks. The analysis of 6.5 million packets revealed clear patterns of C2 communication and router exploitation that would have been missed by reputation-based detection alone.
The attack showcased multiple MITRE ATT&CK techniques including public-facing application exploitation (T1190), brute force attacks (T1110), and encrypted C2 channels (T1573). The use of JA3 TLS fingerprinting proved invaluable in identifying malicious traffic patterns despite the use of legitimate protocols and encryption.
Organizations should prioritize behavioral analysis, implement robust network monitoring, and maintain defense-in-depth strategies. Router security is often overlooked but represents a critical attack surface that requires dedicated hardening measures and continuous monitoring.
⚠ Disclaimer
This case study is based on actual network traffic analysis conducted by AIMF LLC. All technical details, packet counts, and IOCs are derived from real PCAP analysis. This report is classified as CONFIDENTIAL and intended for defensive security purposes only. No attribution to specific threat actors is claimed. Classification is based on direct behavioral observation of malicious activity. The techniques described should only be used for authorized security testing and defensive purposes.
Report Prepared By: AIMF LLC Cybersecurity Analysis Team | Classification: CONFIDENTIAL | Date: December 30, 2024
