General
-
Target
8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4
-
Size
1.4MB
-
Sample
220106-dy7r8sbcem
-
MD5
5bda122840962b4fa884a5259064ed74
-
SHA1
baf9c557f397be3b58a9a8f56b8ff224ac231fec
-
SHA256
8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4
-
SHA512
4992c44c5b67d47a92964b3ceb7cfa70b079e3f18912104279998766e21acde6fc37834688a3d6270cb4a1081687eb153475cc9b2f5d11f43f4487a014429ba8
Malware Config
Extracted
metasploit
windows/download_exec
http://www.ctfwiki.workers.dev:443/_static/jquery-3.3.1.min.js
Extracted
cobaltstrike
305419896
http://qianx1n.xyz:443/jquery.min.js
-
access_type
512
-
beacon_type
2048
-
dns_idle
1.908702538e+09
-
host
qianx1n.xyz,/jquery.min.js
-
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAJX19jZmR1aWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAUAAAAIX19jZmR1aWQAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
jitter
9472
-
maxdns
255
-
polling_time
45000
-
port_number
443
-
sc_process32
%windir%\syswow64\dllhost.exe
-
sc_process64
%windir%\sysnative\dllhost.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDyvfJWs++715HoMi9tlSZSgCf/o1NKJcRyCt2fTA4//I0nzqtcA1ePMsVi1OFNl2UlIXhJdeJXyZ+3km9g0VU6Lli+SRreeue/EolQNu6YmItro9iipWpHHpBxJvHPffpj0aivjN83hgY2CISRln6KsnXMspQpkSBBKYBL7Kv9kwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4.184478976e+09
-
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/jquery.js
-
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
-
watermark
305419896
Targets
-
-
Target
8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4
-
Size
1.4MB
-
MD5
5bda122840962b4fa884a5259064ed74
-
SHA1
baf9c557f397be3b58a9a8f56b8ff224ac231fec
-
SHA256
8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4
-
SHA512
4992c44c5b67d47a92964b3ceb7cfa70b079e3f18912104279998766e21acde6fc37834688a3d6270cb4a1081687eb153475cc9b2f5d11f43f4487a014429ba8
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
suricata: ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response
suricata: ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response
-
Blocklisted process makes network request
-
Loads dropped DLL
-
Adds Run key to start application
-