Overview

overview

10

Static

static

gls.js

windows7_x64

7

gls.js

windows10_x64

10

Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    21-10-2021 17:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    gls.js

  • Size

    4.1MB

  • MD5

    2103be68824b34dfb74873364d23f74b

  • SHA1

    ebcc88331a1cbc3b73098c2245a8a81840703b0e

  • SHA256

    3015444a70483b5abccb2d4f11a2de348dd6bb00614300b0058c761c0993d818

  • SHA512

    5e47ef58756a739df8edf694efb672eea94abcae2c14ff306c7328b0ce2679a8ec10290d76b1586b1dd60337062270262d5b088f233ba2e82497311ff7b5545a

Score
10/10
cobaltstrike651348195backdoortrojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

651348195

C2

http://glsllc.365updates.workers.dev:443/safebrowsing/fp/aTwivgcwHXjqy4NYQq2E

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    glsllc.365updates.workers.dev,/safebrowsing/fp/aTwivgcwHXjqy4NYQq2E

  • http_header1

    AAAACgAAABZYLUN1c3RvbS1QU0s6IFJlZGlyZWN0AAAAEAAAACNIb3N0OiBnbHNsbGMuMzY1dXBkYXRlcy53b3JrZXJzLmRldgAAAAoAAABHQWNjZXB0OiB0ZXh0L2h0bWwsYXBwbGljYXRpb24veGh0bWwreG1sLGFwcGxpY2F0aW9uL3htbDtxPTAuOSwqLyo7cT0wLjgAAAAKAAAAH0FjY2VwdC1MYW5ndWFnZTogZW4tVVMsZW47cT0wLjUAAAAHAAAAAAAAAAgAAAACAAAAB1JFRj1JRD0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAABZYLUN1c3RvbS1QU0s6IFJlZGlyZWN0AAAAEAAAACNIb3N0OiBnbHNsbGMuMzY1dXBkYXRlcy53b3JrZXJzLmRldgAAAAoAAABHQWNjZXB0OiB0ZXh0L2h0bWwsYXBwbGljYXRpb24veGh0bWwreG1sLGFwcGxpY2F0aW9uL3htbDtxPTAuOSwqLyo7cT0wLjgAAAAKAAAAH0FjY2VwdC1MYW5ndWFnZTogZW4tVVMsZW47cT0wLjUAAAAHAAAAAAAAAAgAAAACAAAAC1U9MTkzdTgxMTQxAAAAAgAAAAdSRUY9SUQ9AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    3072

  • polling_time

    11000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\gpupdate.exe

  • sc_process64

    %windir%\sysnative\gpupdate.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCklx/5IbNxgw3DRlfvPGUMcyNsfswv9wTzv7fQz2kiQNoQNRNRd+g+cZ2TGh73dFDTBQB9QCejuHNGHgm9H90yJ2/FHM4VxE3IfUCpelyGnekC8A33Szkjqt9ltmaWqBfwLNlPa8/32FPuKrFNr4BDfbKSZN5x8Ejcnt6zsRNu+QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /safebrowsing/fp/ebVBJhc6PlHSKNZI1Ojpt69M23VxN

  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36

  • watermark

    651348195

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Blocklisted process makes network request 14 IoCs
  • Loads dropped DLL 1 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\gls.js
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    PID:2700

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\btpanui.dll
    MD5

    9420a61d40ef65b845c426388644b97c

    SHA1

    16ac747bd0f37395c64d16ee860bb8799b567b5a

    SHA256

    0e2024c362a053bbe27680b867efd2528c3f3a877c85360a18920d7f7a954f93

    SHA512

    ea3964a6eb927c71ec2bed1b22f84b2ed07437822ee52580867bb1218179a6b1ba200c5dd35c3bebba1090db8e5a64f07ffe2e311636f69743b9e7d4423a9e4b

    Download Submit
  • memory/2700-118-0x00007FF856B90000-0x00007FF856C3E000-memory.dmp
    Filesize

    696KB

    Download
  • memory/2700-119-0x00007FF854770000-0x00007FF8549B9000-memory.dmp
    Filesize

    2.3MB

    Download
  • memory/2700-120-0x00007FF8574D0000-0x00007FF8576AB000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/2700-122-0x000001DB95790000-0x000001DB957DE000-memory.dmp
    Filesize

    312KB

    Download
  • memory/2700-121-0x000001DB95740000-0x000001DB95781000-memory.dmp
    Filesize

    260KB

    Download