cobaltstrike

General

Target

2fa89e3595694b92ea5022373a190ce7943b0261fb4eb3deed5351c54b3334bd
Size

26KB
Sample

221107-gst6qsbfc7
MD5

0d613686086de68f5cc925132dad3a70
SHA1

d26aa6a04330ca5611b8980d444be5d1e05e788a
SHA256

2fa89e3595694b92ea5022373a190ce7943b0261fb4eb3deed5351c54b3334bd
SHA512

d1634098b21b722c9b0b10afcccacca67b2bf656d5230d9ca39e9060b9be85897f3b0c4801627b6449652d0a056e0bae431a9c4bee39c8742253a02b1a44244c
SSDEEP

384:rG5Iu0DOSiBuMAjo/BNxf+yOhmwnh2ej0eohDTkVOhvF27z/FUxiWtBlwmRz:rG5JAyg9oNVo2eC9yoYf

Score

10^/10

Malware Config

Extracted

Family

joker

C2

http://mmtie.oss-cn-hangzhou.aliyuncs.com

Targets

- Target
  
  2fa89e3595694b92ea5022373a190ce7943b0261fb4eb3deed5351c54b3334bd
- Size
  
  26KB
- MD5
  
  0d613686086de68f5cc925132dad3a70
- SHA1
  
  d26aa6a04330ca5611b8980d444be5d1e05e788a
- SHA256
  
  2fa89e3595694b92ea5022373a190ce7943b0261fb4eb3deed5351c54b3334bd
- SHA512
  
  d1634098b21b722c9b0b10afcccacca67b2bf656d5230d9ca39e9060b9be85897f3b0c4801627b6449652d0a056e0bae431a9c4bee39c8742253a02b1a44244c
- SSDEEP
  
  384:rG5Iu0DOSiBuMAjo/BNxf+yOhmwnh2ej0eohDTkVOhvF27z/FUxiWtBlwmRz:rG5JAyg9oNVo2eC9yoYf
Score

10^/10

joker bootkit discovery infostealer persistence trojan upx cobaltstrike backdoor
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- joker
  Joker is an Android malware that targets billing and SMS fraud.
  infostealer trojan joker
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Registers COM server for autorun
  persistence
- Sets file execution options in registry
  persistence
- Sets service image path in registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Registry Run Keys / Startup Folder

4

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

joker

Downloads MZ/PE file

Drops file in Drivers directory

Executes dropped EXE

Registers COM server for autorun

Sets file execution options in registry

Sets service image path in registry

UPX packed file

Checks computer location settings

Deletes itself

Loads dropped DLL

Adds Run key to start application

Checks installed software on the system

Drops desktop.ini file(s)

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2