cobaltstrike | 3d98abe8a8429aff34af70e1c0e339a1c7ee52ba1370eaf1d1856076d470ea17

General

Target

rODyUVpxfY.exe
Size

1.3MB
MD5

5d8edb411af48165a5c7ad86b66470c3
SHA1

2cd2fa06855a98d8d4ad5c75cef9f7c58fbc32aa
SHA256

3d98abe8a8429aff34af70e1c0e339a1c7ee52ba1370eaf1d1856076d470ea17
SHA512

9c3f9b59f27945b4ea374498cf5dc93ddb06556353bb62abf24dfd47b12434d3b5c73254eb3b78803e110fe61f7ef913f8e8ab4f28b50c9f580302f89994c584
SSDEEP

24576:KQwobX+5icdw3Mz+NZ7frSegXSOAvqBknl+t:KWq5C3ye2QqBknl+t

Score

10^/10

cobaltstrike 100000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://62.234.14.38:1443/ajax/jquery/jquery-3.6.4.min.js

Attributes

user_agent
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.9 Accept-Encoding: gzip, deflate Referer: http://mp.weixin.qq.com/ User-Agent: WeChat/8.0.5.32 CFNetwork/1237 Darwin/20.4.0

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://62.234.14.38:1443/mp/getapp/msgext

Attributes

access_type
512
host
62.234.14.38,/mp/getapp/msgext
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiB6aC1DTix6aDtxPTAuOQAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAACgAAACFSZWZlcmVyOiBodHRwOi8vbXAud2VpeGluLnFxLmNvbS8AAAAHAAAAAAAAAAMAAAACAAAABU1ZTXp6AAAABgAAAAxYLVdlY2hhdC1VaW4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAI9BY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL2F2aWYsaW1hZ2Uvd2VicCxpbWFnZS9hcG5nLCovKjtxPTAuOCxhcHBsaWNhdGlvbi9zaWduZWQtZXhjaGFuZ2U7dj1iMztxPTAuOQAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiB6aC1DTix6aDtxPTAuOQAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAACgAAAC9Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZAAAAAoAAAAhUmVmZXJlcjogaHR0cDovL21wLndlaXhpbi5xcS5jb20vAAAABwAAAAAAAAADAAAAAgAAAAVNWU16egAAAAYAAAAMWC1XZWNoYXQtVWluAAAABwAAAAEAAAADAAAAAgAAAAhNTWRhdGE9QQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
5000
port_number
1443
sc_process32
%windir%\syswow64\gpupdate.exe
sc_process64
%windir%\sysnative\gpupdate.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCHFQjnAnUbEXD+c5GiuPpC/L5pH2AnHxcutfvep6LOO4ik5oTdUI5q7KAsEzt7oUQI06rl0seBjlfZlXoAbwfbSbtvYJDKZMeDPvaY6QJRM9SYTgD+nlUiAR0qeMpbvhj68n3khnS1Cu2IS9GJpCMa7kRYn7ylraIWKBIArzaEQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.532302592e+09
unknown2
AAAABAAAAAIAAAADAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/mp/wapcommon/report
user_agent
WeChat/8.0.5.32 CFNetwork/1237 Darwin/20.4.0
watermark
100000

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{F32B4FA1-E90E-4C09-8A22-89E1328E3A2A}.catalogItem	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:4920

C:\Users\Admin\AppData\Local\Temp\rODyUVpxfY.exe
"C:\Users\Admin\AppData\Local\Temp\rODyUVpxfY.exe"
1⤵
PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2792-0-0x000001D6B6A80000-0x000001D6B6A81000-memory.dmp

Filesize
4KB

Download
memory/2792-3-0x000001D6B8770000-0x000001D6B8B70000-memory.dmp

Filesize
4.0MB

Download
memory/2792-2-0x000001D6B8B70000-0x000001D6B8FE2000-memory.dmp

Filesize
4.4MB

Download
memory/2792-10-0x000001D6B8770000-0x000001D6B8B70000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads