tryhackme pyramid of pain (ip addresses)

This is the next section of the Pyramid of Pain: IP ADDRESSES! Here we are told that Fast Flux is a DNS technique used by botnets to hide phishing, web proxying, malware delivery and similar infrastructure. After reading the Palo Alto Networks page on this topic (here, archive), this is a method that takes a domain name and keeps changing the IP addresses associated with it; the A record also has a short TTL, so its addresses are constantly rotating. This leaves the network admin unable to block by IP address, because the addresses are constantly changing.
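To make the defender's side of this concrete, here is an added example (my own code, not part of the original write-up and not TryHackMe or Palo Alto Networks material) that applies a simple fast-flux heuristic to passive DNS observations: for each queried name it counts the distinct A records and distinct /24 networks seen within a time window and checks the lowest advertised TTL. The domain names, timestamps and addresses are constructed (RFC 5737 documentation ranges), and the thresholds are assumptions to be tuned against your own resolver logs; the "cdn-example" entry is there to show why address count alone is not enough, since CDNs also hand out many addresses with short TTLs but from a small number of networks.

```python
"""Fast-flux heuristic over passive DNS observations (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class DnsAnswer:
    ts: int      # observation time, seconds since epoch
    qname: str   # queried name
    rdata: str   # A record returned
    ttl: int     # TTL advertised by the authoritative server


# Constructed sample log: hypothetical names, RFC 5737 documentation addresses.
BASE = 1_700_000_000
SAMPLE_ANSWERS = [
    # rotating across three unrelated networks with a 60 s TTL
    DnsAnswer(BASE + 0,   "flux-example.invalid", "192.0.2.10",    60),
    DnsAnswer(BASE + 60,  "flux-example.invalid", "198.51.100.20", 60),
    DnsAnswer(BASE + 120, "flux-example.invalid", "203.0.113.30",  60),
    DnsAnswer(BASE + 180, "flux-example.invalid", "192.0.2.200",   60),
    DnsAnswer(BASE + 240, "flux-example.invalid", "198.51.100.77", 60),
    DnsAnswer(BASE + 300, "flux-example.invalid", "203.0.113.9",   60),
    # many addresses, short TTL, but all inside one /24: CDN-style load balancing
    *[DnsAnswer(BASE + 30 * i, "cdn-example.invalid", f"203.0.113.{100 + i}", 60)
      for i in range(8)],
    # one address with a long TTL
    DnsAnswer(BASE + 0,   "stable-example.invalid", "192.0.2.50", 86400),
    DnsAnswer(BASE + 300, "stable-example.invalid", "192.0.2.50", 86400),
    # an old observation outside the analysis window; it must be ignored
    DnsAnswer(BASE - 90_000, "flux-example.invalid", "192.0.2.99", 60),
]


def summarize(answers, window_seconds=3600):
    """Per domain, summarise the answers seen within window_seconds of that
    domain's most recent observation: distinct IPs, distinct /24s, lowest TTL."""
    by_name = defaultdict(list)
    for a in answers:
        by_name[a.qname].append(a)
    summary = {}
    for name, obs in by_name.items():
        latest = max(o.ts for o in obs)
        recent = [o for o in obs if latest - o.ts <= window_seconds]
        ips = {o.rdata for o in recent}
        # /24 is a crude stand-in for "different network"; ASN lookup would be better
        nets = {ip_network(f"{ip}/24", strict=False) for ip in ips}
        summary[name] = {
            "unique_ips": len(ips),
            "unique_slash24": len(nets),
            "min_ttl": min(o.ttl for o in recent),
            "observations": len(recent),
        }
    return summary


def is_fast_flux(stats, max_ttl=300, min_unique_ips=5, min_unique_slash24=3):
    """Assumed thresholds: short TTL, many addresses, spread across many networks."""
    return (stats["min_ttl"] <= max_ttl
            and stats["unique_ips"] >= min_unique_ips
            and stats["unique_slash24"] >= min_unique_slash24)


def flag_fast_flux(answers, **thresholds):
    """Return the sorted list of domain names that trip the heuristic."""
    return sorted(name for name, stats in summarize(answers).items()
                  if is_fast_flux(stats, **thresholds))


if __name__ == "__main__":
    for name, stats in summarize(SAMPLE_ANSWERS).items():
        print(name, stats, "FLAGGED" if is_fast_flux(stats) else "")
```

On the constructed sample only flux-example.invalid is flagged: it shows six addresses across three /24s with a 60 s TTL, while cdn-example.invalid has eight addresses but all in one /24 and stable-example.invalid has a single long-lived address. A real deployment would feed this from resolver or passive DNS logs and replace the /24 check with ASN diversity.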

Here we are given an any.run report. Any.run is a tool that runs a malware sample and shows what it does in detail. The questions ask us to identify the first IP address contacted and the first domain name contacted. Scrolling all the way down, we see the Network activity section.

We can see the first IP address contacted is “50.87.136.52” and the first domain contacted is “craftingalegacy.com”.
