General

  • Target

    ancoiq2.exe

  • Size

    463KB

  • Sample

    220105-vg2nbsahcj

  • MD5

    d994e2fd303808d11b48f75d494ca8dd

  • SHA1

    0068f47ce0e24d86ec4f717fc6def5f12c780153

  • SHA256

    fff82d0ec3c87081fdd41eece5bf406fbe4543ad8888c64818efcb28777c81ae

  • SHA512

    5bea32731119ee8b90ce563ece9956adac775c21844a1de2eb55c152a265fc675d4944b6ab3b728e380ec81eae73072644646c3bd0999a9d75ac24b30df83225

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://juniperengineer.com:778/cr.js

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    juniperengineer.com,/cr.js

  • http_header1

    AAAAEAAAABlIb3N0OiBqdW5pcGVyZW5naW5lZXIuY29tAAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAcAAAAAAAAADwAAAAMAAAACAAAAK3dvcmRwcmVzc181MjIzODU1OGU5MzBmMWVjNjk5ZTRmMTJhYjAxNWE0Zj0AAAAGAAAABkNvb2tpZQAAAAkAAAAKZm5hbWU9dHJ1ZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAAEAAAABlIb3N0OiBqdW5pcGVyZW5naW5lZXIuY29tAAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAA9QWNjZXB0LUxhbmd1YWdlOiBmci1DSCwgZnI7cT0wLjksIGVuO3E9MC44LCBkZTtxPTAuNywgKjtxPTAuNQAAAAoAAAAYQ29udGVudC1UeXBlOiB0ZXh0L3BsYWluAAAABwAAAAEAAAADAAAAAwAAAAQAAAAHAAAAAAAAAAMAAAACAAAADl9fc2Vzc2lvbl9faWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9984

  • polling_time

    55131

  • port_number

    778

  • sc_process32

    %windir%\syswow64\runonce.exe

  • sc_process64

    %windir%\sysnative\runonce.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCds2C2/+VG4gj/uvAACl/YQXdnjOEt7yzmsbIFr1xqoM3Yjs3KC5nO97M/up4mKTEPJbVRhSy3WR0l8G6AQ+FVMjL7x4ii9rG9UA85M9iJN7dYyNX/VtlBpUWTPDeTbcay9hp3mmFElyTxqtgJUhFvbnbsUUT+VNjKGrbjxRnCFQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    1.031085056e+09

  • unknown2

    AAAABAAAAAIAAANxAAAAAwAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /br

  • user_agent

    Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0

  • watermark

    0

Targets

    • Target

      ancoiq2.exe

    • Size

      463KB

    • MD5

      d994e2fd303808d11b48f75d494ca8dd

    • SHA1

      0068f47ce0e24d86ec4f717fc6def5f12c780153

    • SHA256

      fff82d0ec3c87081fdd41eece5bf406fbe4543ad8888c64818efcb28777c81ae

    • SHA512

      5bea32731119ee8b90ce563ece9956adac775c21844a1de2eb55c152a265fc675d4944b6ab3b728e380ec81eae73072644646c3bd0999a9d75ac24b30df83225

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Tasks