cobaltstrike

General

Target

062908c49b7c86b8b3cdebd5f0a93457ff5552f833186ffa99137a6de59f79e2
Size

32KB
Sample

221106-l8xzsafah2
MD5

0a73c1d827160a8278511c33366e4230
SHA1

cf0292b38cb10e9667e84c6806d98a875df1831a
SHA256

062908c49b7c86b8b3cdebd5f0a93457ff5552f833186ffa99137a6de59f79e2
SHA512

36aeb664ee2f9c72ed5f1b7496e394185ad4f2eab2abcf9876a7d9f8c948f01c5d356b8ee3628d992cddf6f05d48aa1bb627cb8937706010d0fe1ce73134225e
SSDEEP

768:rh1WbPH59kgi2fKACIaFleZQWTGBxMLfb41CYR/9m:r/WbZltfjCHwQWT/81L

Score

10^/10

Malware Config

Extracted

Family

joker

C2

http://mmtie.oss-cn-hangzhou.aliyuncs.com

Targets

- Target
  
  062908c49b7c86b8b3cdebd5f0a93457ff5552f833186ffa99137a6de59f79e2
- Size
  
  32KB
- MD5
  
  0a73c1d827160a8278511c33366e4230
- SHA1
  
  cf0292b38cb10e9667e84c6806d98a875df1831a
- SHA256
  
  062908c49b7c86b8b3cdebd5f0a93457ff5552f833186ffa99137a6de59f79e2
- SHA512
  
  36aeb664ee2f9c72ed5f1b7496e394185ad4f2eab2abcf9876a7d9f8c948f01c5d356b8ee3628d992cddf6f05d48aa1bb627cb8937706010d0fe1ce73134225e
- SSDEEP
  
  768:rh1WbPH59kgi2fKACIaFleZQWTGBxMLfb41CYR/9m:r/WbZltfjCHwQWT/81L
Score

10^/10

joker bootkit discovery infostealer persistence trojan upx cobaltstrike backdoor
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- joker
  Joker is an Android malware that targets billing and SMS fraud.
  infostealer trojan joker
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Registers COM server for autorun
  persistence
- Sets file execution options in registry
  persistence
- Sets service image path in registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Registry Run Keys / Startup Folder

4

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

joker

Downloads MZ/PE file

Drops file in Drivers directory

Executes dropped EXE

Registers COM server for autorun

Sets file execution options in registry

Sets service image path in registry

UPX packed file

Checks computer location settings

Deletes itself

Loads dropped DLL

Adds Run key to start application

Checks installed software on the system

Drops desktop.ini file(s)

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2