General

  • Target

    bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e

  • Size

    6.3MB

  • Sample

    220622-fldpqsgeep

  • MD5

    1519311bb7f672fd407d30f8dfa11717

  • SHA1

    4cddd8e4123f28b4acfdad06af3197238b97d3bb

  • SHA256

    bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e

  • SHA512

    403f52efe0cf16408400091997d8354c09c3931829b78822bea7a93e689cff6478790c2828b6d850ee7ce9a2cbcffea045dacfda352329a96dcbe6d3059c1eb0

Malware Config

Extracted

Family

cobaltstrike

Botnet

1

C2

http://oa.shfe.tk:2053/download/jquery-3.3.1.slim.min.js/3

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    oa.shfe.tk,/download/jquery-3.3.1.slim.min.js/3

  • http_header1

  • http_header2

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    60000

  • port_number

    2053

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDSxvLGOfCLYSdegye7emv/rBkydlvUzd1J9K8kb59Wgs5q0yP/pkDpagevO7rwN5BY6Hei/Dxb6td3ANMzc217zApkp17E6ch/LaFAnP6WaAyOdA2HmziFjZc2YlC8BpyoUd1Fb/X1lmkqDIxx0hxYdtyGxxcssKeDLjI6UWMeVwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    2.702512128e+09

  • unknown2

    AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /download/jquery-3.3.1.slim.min.js/4

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36

  • watermark

    1

Targets

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • suricata: ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

  • Modify Registry (T1112)

    2

  • Install Root Certificate (T1130)

    1

Discovery

  • Query Registry (T1012)

    3

  • System Information Discovery (T1082)

    4