How did this machine establish an encrypted connection with a server with just a TCP handshake?

beginner here.

I am currently looking at some C&C traffic from an infected machine and have come across some interesting TCP segments within the PCAP file. Most of the traffic is just regular HTTPS traffic where I could see the TLS handshake occur - however, there is one connection between this machine and a C2 host where there was only a three-way TCP handshake followed by an encrypted connection. No exchange of cipher suites, etc. like with TLS. It was just a handshake and then immediately encrypted traffic with nothing else. How does this occur? I feel like this is a stupid question to ask but can't seem to find any information on Google relating to this.

One of my assumptions is that the machine and server already know which keys to use for encrypting/decrypting data as multiple pairs are dropped onto the machine when the infection occurs.

[Screenshot: handshake followed by encrypted traffic] [Screenshot: payload]

I would appreciate any help! Thank you.



Solution 1:[1]

The traffic is not necessarily encrypted; all we see is a hexadecimal data exchange. It can be only encoded as well.

There is no hard requirement to use any higher layer application protocols such as HTTPS with TLS etc. TCP is already standing for Transmission Control Protocol, so you can transmit data with it.

And yes, malware can ship the keys, but then you have a good chance to retrieve and decode the communication after reverse engineering.

You only need to open a listening and a sender TCP socket and can send any data of your choice. Maybe read a bit about and play with TCP sockets from here.
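An added example (not from the answer above or its author) that puts the "encrypted or merely encoded" point into practice: given the payload bytes that follow the three-way handshake, it estimates byte entropy and the share of printable characters to triage the stream before any reverse engineering. The sample payloads are constructed inline for illustration; the thresholds are assumptions, not fixed rules.

```python
import base64
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (plus tab/CR/LF)."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def classify_payload(data: bytes) -> str:
    """Rough triage of a TCP payload seen right after the 3-way handshake.

    Thresholds (0.95 printable, 7.5 bits) are assumed working values for a
    first look at a PCAP, not a definitive test.
    """
    h, p = shannon_entropy(data), printable_ratio(data)
    if p > 0.95:
        # Readable text, or a textual encoding such as base64/hex wrapping
        # something else: decode first, then re-run the check on the result.
        return "plaintext-or-textual-encoding"
    if h > 7.5:
        # Near-uniform bytes: encrypted or compressed. Pre-shared keys dropped
        # with the sample would be the thing to hunt for in the binary.
        return "high-entropy"
    # Binary but structured: simple XOR/obfuscation or a custom binary protocol.
    return "low-entropy-binary"


# Constructed sample payloads (not captured traffic).
SAMPLE_PLAINTEXT = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_BASE64 = base64.b64encode(bytes(range(48)))
SAMPLE_XOR = bytes(b ^ 0x5A for b in SAMPLE_PLAINTEXT)  # single-byte XOR "encryption"
SAMPLE_HIGH_ENTROPY = b"".join(
    hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128)
)  # deterministic stand-in for ciphertext

if __name__ == "__main__":
    for name, blob in [("plaintext", SAMPLE_PLAINTEXT), ("base64", SAMPLE_BASE64),
                       ("xor", SAMPLE_XOR), ("ciphertext-like", SAMPLE_HIGH_ENTROPY)]:
        print(f"{name:16s} entropy={shannon_entropy(blob):.2f} "
              f"printable={printable_ratio(blob):.2f} -> {classify_payload(blob)}")
```

Note that a low-entropy "encrypted" stream, as in the XOR sample, is a stronger hint that keys or a trivial cipher live in the dropped binary than a high-entropy one is.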

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 inverzeio