General

  • Target

    Coll.CozyBear.zip

  • Size

    13.0MB

  • Sample

    210306-dv26adly7x

  • MD5

    e049fd6d80d9285d156cdf5785a6e28e

  • SHA1

    24752be3d70d5a36280da5b7ecf5b5b77039ac8e

  • SHA256

    300c090861a547a4c211b15b9f45d6dcb976128c21b78b6c38d1cf4c5d998e12

  • SHA512

    31915051a03611c7b00b0c25225cb905322e777c9aa3ebc600206c5bc6665cd407d61a66925b4d5c82ec350d503b7f0c99df2c3d62411e226ebcc73c3aceea56

Malware Config

Extracted

Family

cobaltstrike

C2

http://pandorasong.com:443/access/

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    pandorasong.com,/access/

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    4352

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    300000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • unknown1

    7.382016e+08

  • uri

    /radio/xmlrpc/v45

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko

Targets

    • Target

      APT29miniduke.bin

    • Size

      140KB

    • MD5

      f08ef840f59cbd4c4695e36ef3eaa9d7

    • SHA1

      68d3673953dc1e3b6273931572f425402c0ecb1c

    • SHA256

      dd215d76bcfd72ebcfb50ccfeb9fb1703af4bbf4821de225009f43fc4e08e432

    • SHA512

      9b00ed01389965266ba957109ec46e01f039103986a479c447ad7ab898349f4fe6453204e3813031e276e2da1953a91e9a27dda88402dcaf90ddc201ee0c7718

    Score
    3/10
    • Target

      CozyBearImplant.bin

    • Size

      3.0MB

    • MD5

      ce227ae503e166b77bf46b6c8f5ee4da

    • SHA1

      cb872edd1f532c10d0167c99530a65c4d4532a1e

    • SHA256

      b101cd29e18a515753409ae86ce68a4cedbe0d640d385eb24b9bbb69cf8186ae

    • SHA512

      529a7c357ba6588482dff00d6d8c245e4c8b97c23ad1f48e1542406c24c6a72f3e1f02752e2ed3cbb904880f3f7dfbab66d9d50ec24ecc3373aba4c334e397b8

    Score
    1/10
    • Target

      ImplantCozy.bin

    • Size

      3.0MB

    • MD5

      004b55a66b3a86a1ce0a0b9b69b95976

    • SHA1

      e2b98c594961aae731b0ccee5f9607080ec57197

    • SHA256

      6c1bce76f4d2358656132b6b1d471571820688ccdbaca0d86d0ca082b9390536

    • SHA512

      30ad634e6491bed01cdb7ca448d03094c568a99f786e1d82702d304df041a76b8c062248840c9d7d5572a44a4d47d2a6024a35ff528ad56302273baf2627d308

    Score
    1/10
    • Target

      MinidukeAPT29.bin

    • Size

      140KB

    • MD5

      887489b27f6e7053ec2702dc8ba51af7

    • SHA1

      79176c5ad3aeca542f9043657bacf55368a63106

    • SHA256

      c485cbcd5b21db8029654bd47879f086feed41492aebed33a9afe9d73f5069e7

    • SHA512

      2a5961a14851ada815319f16af0f44d27c35dfdee041a73e7da985a085964a1fb5cae08e8f40c41436800a137f284d945a3e5bfd04a46c37703daec3820988a1

    Score
    3/10
    • Target

      Nov2018New!/AudioSes.dll

    • Size

      287KB

    • MD5

      16bbc967a8b6a365871a05c74a4f345b

    • SHA1

      9858d5cb2a6614be3c48e33911bf9f7978b441bf

    • SHA256

      b77ff307ea74a3ab41c92036aea4a049b3c2e69b12a857d26910e535544dfb05

    • SHA512

      68c75c95ee27fd704088dcf381378a2cd32b396a2e405be4e4f8058cf099d88c9f22c9b9a14eaec45880a2b7ae02226f1277020470aadbc153e8dd3168711f99

    • Target

      ds7002.lnk

    • Size

      392KB

    • MD5

      6ed0020b0851fb71d5b0076f4ee95f3c

    • SHA1

      e431261c63f94a174a1308defccc674dabbe3609

    • SHA256

      2cea2a1f53dac3f4fff156eacc2ecc8e98b1a64f0f5b5ee1c42c69d9a226c55c

    • SHA512

      2a0b04791ab102b6d1760c5f0940969318562f444a5864ebf270f568cc8f6283630ca76377a9fc75691b67e7c459ab10782a2deb439fa9981a2f94bb208232f3

    • Target

      Nov2018New!/ds7002.bin

    • Size

      392KB

    • MD5

      6ed0020b0851fb71d5b0076f4ee95f3c

    • SHA1

      e431261c63f94a174a1308defccc674dabbe3609

    • SHA256

      2cea2a1f53dac3f4fff156eacc2ecc8e98b1a64f0f5b5ee1c42c69d9a226c55c

    • SHA512

      2a0b04791ab102b6d1760c5f0940969318562f444a5864ebf270f568cc8f6283630ca76377a9fc75691b67e7c459ab10782a2deb439fa9981a2f94bb208232f3

    Score
    3/10
    • Target

      ds7002.pdf

    • Size

      85KB

    • MD5

      313f4808aa2a2073005d219bc68971cd

    • SHA1

      053fb60530e884851eb8b6aebbec4570ec788d4a

    • SHA256

      b1c811d3f0e930b0096a9e785f730ba4d92458bd6dcfbdff4cf7a1e247ef20d1

    • SHA512

      1d983f3c659eb3dfac3fe280e7cb3c6e25264752c11ff7d2ab232ffbf30b659a3d61bdf3773ec32caa09de716a3c439dea0d77dab5cb9e07d0e6ec43a0b1a68d

    Score
    1/10
    • Target

      SeaDaddyImplant (2).bin

    • Size

      3.0MB

    • MD5

      004b55a66b3a86a1ce0a0b9b69b95976

    • SHA1

      e2b98c594961aae731b0ccee5f9607080ec57197

    • SHA256

      6c1bce76f4d2358656132b6b1d471571820688ccdbaca0d86d0ca082b9390536

    • SHA512

      30ad634e6491bed01cdb7ca448d03094c568a99f786e1d82702d304df041a76b8c062248840c9d7d5572a44a4d47d2a6024a35ff528ad56302273baf2627d308

    Score
    1/10
    • Target

      SeaDaddyImplant.bin

    • Size

      3.0MB

    • MD5

      ce227ae503e166b77bf46b6c8f5ee4da

    • SHA1

      cb872edd1f532c10d0167c99530a65c4d4532a1e

    • SHA256

      b101cd29e18a515753409ae86ce68a4cedbe0d640d385eb24b9bbb69cf8186ae

    • SHA512

      529a7c357ba6588482dff00d6d8c245e4c8b97c23ad1f48e1542406c24c6a72f3e1f02752e2ed3cbb904880f3f7dfbab66d9d50ec24ecc3373aba4c334e397b8

    Score
    1/10
    • Target

      TrojanCozyBear.bin

    • Size

      330KB

    • MD5

      3d3363598f87c78826c859077606e514

    • SHA1

      8b357ff017df3ed882b278d0dbbdf129235d123d

    • SHA256

      01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9

    • SHA512

      11a9b8dc666877695a7ea0683c83d057b7539fae7e445250d71fd34fdc557df946b4938bf419ddbdc5f4439f3d828ddb4d83d3a9f7f18cb92454da6fdfd99b24

    Score
    8/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      atiagentCozyBear.bin

    • Size

      52KB

    • MD5

      452ee2968ec82c7e30c21c828b330c17

    • SHA1

      00384c359e2931fb922b034fca2707e1b2a25396

    • SHA256

      43cd9ef6904c35c6854bf59d99731a05048af9e870261064a255db0181930fad

    • SHA512

      bef788d69d8d75579cbf6499b4c2aec7c413cc56fea2a51efc4dc7742f52648fff3b64b78b3d8544d81ee473472521d352f931b56564a88031c5116444b65926

    Score
    1/10

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

2
T1112

Discovery

System Information Discovery

4
T1082

Query Registry

3
T1012
