cobaltstrike | fa1cb9e8442f38561ad5c44aeacc45339bad2589ad0ccd83991cfc09ad409a8f

General

Target

fa1cb9e8442f38561ad5c44aeacc45339bad2589ad0ccd83991cfc09ad409a8f.exe
Size

904KB
MD5

4bfad4cb9222e22214d002be79a0df7e
SHA1

44533522afbaf6b66a354e8b9f846117760e1320
SHA256

fa1cb9e8442f38561ad5c44aeacc45339bad2589ad0ccd83991cfc09ad409a8f
SHA512

725d8333c266a587cb2be983bc8c7957232049f76668c9e937a97952f09ec8b76f069ffabc6ca423b94e7760d4726ae4fa33f4ed1c3a15bd243a6f1614dfa90f
SSDEEP

24576:dGHCm8uPdJddrD7pIZ2GRaRkhiZ8fAivsP5+l8w:kuWzKZ2GRrKIkPw

Score

10^/10

cobaltstrike joker 0 backdoor infostealer trojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://124.220.0.89:7777/l5Si

Attributes

user_agent
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727)

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Executes dropped EXE 2 IoCs

pid	Process
2440	Java.exe
4804	Javaw.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	fa1cb9e8442f38561ad5c44aeacc45339bad2589ad0ccd83991cfc09ad409a8f.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Javaw	fa1cb9e8442f38561ad5c44aeacc45339bad2589ad0ccd83991cfc09ad409a8f.exe
File created	C:\Program Files\Javaw\__tmp_rar_sfx_access_check_240559671	fa1cb9e8442f38561ad5c44aeacc45339bad2589ad0ccd83991cfc09ad409a8f.exe
File created	C:\Program Files\Javaw\Java.exe	fa1cb9e8442f38561ad5c44aeacc45339bad2589ad0ccd83991cfc09ad409a8f.exe
File opened for modification	C:\Program Files\Javaw\Java.exe	fa1cb9e8442f38561ad5c44aeacc45339bad2589ad0ccd83991cfc09ad409a8f.exe
File created	C:\Program Files\Javaw\Javaw.exe	fa1cb9e8442f38561ad5c44aeacc45339bad2589ad0ccd83991cfc09ad409a8f.exe
File opened for modification	C:\Program Files\Javaw\Javaw.exe	fa1cb9e8442f38561ad5c44aeacc45339bad2589ad0ccd83991cfc09ad409a8f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4804	Javaw.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 2440	1456	fa1cb9e8442f38561ad5c44aeacc45339bad2589ad0ccd83991cfc09ad409a8f.exe	80
PID 1456 wrote to memory of 2440	1456	fa1cb9e8442f38561ad5c44aeacc45339bad2589ad0ccd83991cfc09ad409a8f.exe	80
PID 1456 wrote to memory of 4804	1456	fa1cb9e8442f38561ad5c44aeacc45339bad2589ad0ccd83991cfc09ad409a8f.exe	83
PID 1456 wrote to memory of 4804	1456	fa1cb9e8442f38561ad5c44aeacc45339bad2589ad0ccd83991cfc09ad409a8f.exe	83
PID 1456 wrote to memory of 4804	1456	fa1cb9e8442f38561ad5c44aeacc45339bad2589ad0ccd83991cfc09ad409a8f.exe	83
PID 2440 wrote to memory of 3100	2440	Java.exe	87
PID 2440 wrote to memory of 3100	2440	Java.exe	87
PID 2440 wrote to memory of 3100	2440	Java.exe	87
PID 2440 wrote to memory of 3100	2440	Java.exe	87

C:\Users\Admin\AppData\Local\Temp\fa1cb9e8442f38561ad5c44aeacc45339bad2589ad0ccd83991cfc09ad409a8f.exe
"C:\Users\Admin\AppData\Local\Temp\fa1cb9e8442f38561ad5c44aeacc45339bad2589ad0ccd83991cfc09ad409a8f.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Program Files\Javaw\Java.exe
  "C:\Program Files\Javaw\Java.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:3100
- C:\Program Files\Javaw\Javaw.exe
  "C:\Program Files\Javaw\Javaw.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Javaw\Java.exe

Filesize
1.5MB

MD5
f3e6e7a0f42b650b73730776b2a01b51

SHA1
230b84903e9a151043b8a782ecdce187ac8a90e9

SHA256
d68f70c06f6080e972dabb889f06e535b993e26c5866c2aa05369a44913a22c7

SHA512
1d4c2832888f67d61af7b6ab9ad8c0fe61808e65dc994686f7670fc49593fa2e461a0e79f517a4603b70f508bf88d1b5f063b40f5008e8f69926976a1f429566

Download Submit
C:\Program Files\Javaw\Java.exe

Filesize
1.5MB

MD5
f3e6e7a0f42b650b73730776b2a01b51

SHA1
230b84903e9a151043b8a782ecdce187ac8a90e9

SHA256
d68f70c06f6080e972dabb889f06e535b993e26c5866c2aa05369a44913a22c7

SHA512
1d4c2832888f67d61af7b6ab9ad8c0fe61808e65dc994686f7670fc49593fa2e461a0e79f517a4603b70f508bf88d1b5f063b40f5008e8f69926976a1f429566

Download Submit
C:\Program Files\Javaw\Javaw.exe

Filesize
129KB

MD5
0571a337c8d462f811d9479df0b9181b

SHA1
54da33f954c4e0a8b9c48a18eabd09dbe41c213c

SHA256
dde6b9580a9efd141aac0c934b64dca7d0dd7e9525748347269660654df37a30

SHA512
30a263b405b0bc172509454bd40154bfa63ea571e5e4559cd00aabe73c26b35d984f55013dbb84905af359db4b26105252388f0c4ef59eca9ee3e92f638a1fbe

Download Submit
C:\Program Files\Javaw\Javaw.exe

Filesize
129KB

MD5
0571a337c8d462f811d9479df0b9181b

SHA1
54da33f954c4e0a8b9c48a18eabd09dbe41c213c

SHA256
dde6b9580a9efd141aac0c934b64dca7d0dd7e9525748347269660654df37a30

SHA512
30a263b405b0bc172509454bd40154bfa63ea571e5e4559cd00aabe73c26b35d984f55013dbb84905af359db4b26105252388f0c4ef59eca9ee3e92f638a1fbe

Download Submit
memory/3100-145-0x00000233D3FE0000-0x00000233D3FE1000-memory.dmp

Filesize
4KB

Download
memory/3100-149-0x00000233D5A80000-0x00000233D5ACE000-memory.dmp

Filesize
312KB

Download
memory/3100-148-0x00000233D5A80000-0x00000233D5ACE000-memory.dmp

Filesize
312KB

Download
memory/3100-147-0x00000233D5EC0000-0x00000233D62C0000-memory.dmp

Filesize
4.0MB

Download
memory/4804-140-0x0000000004C20000-0x0000000004CB2000-memory.dmp

Filesize
584KB

Download
memory/4804-143-0x0000000008D50000-0x0000000008F12000-memory.dmp

Filesize
1.8MB

Download
memory/4804-144-0x0000000009450000-0x000000000997C000-memory.dmp

Filesize
5.2MB

Download
memory/4804-142-0x00000000051A0000-0x00000000051AA000-memory.dmp

Filesize
40KB

Download
memory/4804-141-0x0000000004F30000-0x0000000004F96000-memory.dmp

Filesize
408KB

Download
memory/4804-139-0x00000000051D0000-0x0000000005774000-memory.dmp

Filesize
5.6MB

Download
memory/4804-138-0x0000000000200000-0x0000000000226000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads