This walkthrough guides you through the forensic analysis of a sophisticated attack featuring EtherRAT, a Remote Access Trojan that leverages blockchain technology for Command and Control (C2) infrastructure. The investigation begins with the compromise of an AWS EC2 instance through CVE-2025-55182, a critical Remote Code Execution vulnerability in Next.js applications.
What makes EtherRAT particularly interesting is its use of Ethereum smart contracts to dynamically resolve C2 server addresses—a technique that makes traditional takedown efforts exceptionally difficult. Throughout this analysis, we'll trace the complete attack lifecycle using the provided PCAP file with TLS session keys for decryption.
Before beginning, configure Wireshark for TLS decryption:
sslkeys.logmaromalix_capture.pcap
With TLS decryption configured, HTTPS traffic will now appear as decrypted HTTP in Wireshark, allowing us to inspect request and response bodies.
Also we will be using cmder (which is pinned to taskbar) along with tshark so make sure you are in the correct directory
cd "/c/Users/Administrator/Desktop/Start Here/Artifacts"