General

  • Target

    3x.zip

  • Size

    12.2MB

  • Sample

    220623-hyv6nacbck

  • MD5

    1b10c66844f5b404d788a0eeb9b64850

  • SHA1

    909dc66eac6ae790fae53570b9294dbc490a7558

  • SHA256

    b0ef97d6bccce1242df4a41e1a02e37588dc39776dbf54c6ad3425c5206e9ff1

  • SHA512

    8333257feeea5bc813ad3f70916c85f9148996ba53fbea544db022c3e1f76d4f39020d5af1925fb5586a155ddb63846d42011488d0ccf09d34fda938cb5bd760

Malware Config

Extracted

Family

cobaltstrike

Botnet

1

C2

http://oa.shfe.tk:2053/download/jquery-3.3.1.slim.min.js/3

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    oa.shfe.tk,/download/jquery-3.3.1.slim.min.js/3

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    60000

  • port_number

    2053

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDSxvLGOfCLYSdegye7emv/rBkydlvUzd1J9K8kb59Wgs5q0yP/pkDpagevO7rwN5BY6Hei/Dxb6td3ANMzc217zApkp17E6ch/LaFAnP6WaAyOdA2HmziFjZc2YlC8BpyoUd1Fb/X1lmkqDIxx0hxYdtyGxxcssKeDLjI6UWMeVwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    2.702512128e+09

  • unknown2

    AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /download/jquery-3.3.1.slim.min.js/4

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36

  • watermark

    1

Targets

    • Target

      188cabb682c69d1e94e610fd2cc5aef967de70616b53f873cbd8963a621a57cd

    • Size

      6.3MB

    • MD5

      a71e66c90588a34a61716db41d93fb06

    • SHA1

      a999f8d520c5805e312101329c6a78c9c998172f

    • SHA256

      188cabb682c69d1e94e610fd2cc5aef967de70616b53f873cbd8963a621a57cd

    • SHA512

      cb45126d6fd2e954a0ed6f1c896dfe860c2c4eaeba4d8fb6b11ff2fff1f7a21092f4617dbc86e647b475eb688a8ba286c4d5042620f11a17fdea6d7c590095af

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • suricata: ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response

    • Loads dropped DLL

    • Target

      280068539e77b8a53794d39494439d38a02b72ebfedae0b105ea8d34ab3af4c9

    • Size

      16.3MB

    • MD5

      54076d2d76ef1c943d39b874400a5642

    • SHA1

      1d519e0d1533c147782511f8db1d04bc0909af20

    • SHA256

      280068539e77b8a53794d39494439d38a02b72ebfedae0b105ea8d34ab3af4c9

    • SHA512

      338ea549e5bc77833c4c1915dd73be460d264aea38486047f35415cec69007907e84b8e2951c49dabbae0baf02bbfffc5b43b7a30c19b3a956f2cbf374502755

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • suricata: ET MALWARE Cobalt Strike Beacon Observed

    • Target

      757040a9bc4ea0f1375987839e08b35a31583c5285e184a1d42f437b99d00a90

    • Size

      251KB

    • MD5

      76e4d2e60512c1b29fdf6843c344d1cc

    • SHA1

      216d7ba6e298419201622b0a53bfb02fdc7c6ed2

    • SHA256

      757040a9bc4ea0f1375987839e08b35a31583c5285e184a1d42f437b99d00a90

    • SHA512

      f00b8a9a0f5163e2dcc9b8795b3406b0e81e044ffce43f5ccca7f5edd6b3a8a0c0018df073b8fbb44cc28c684ce59bf710c6802005a2e83a7743000cae6c5e99

    Score
    3/10

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112