General

  • Target

    53e261a0864645574be944e7530dee005c6a38dd22d8595aab52959e783385fe

  • Size

    6.8MB

  • Sample

    231008-n1hagaeb42

  • MD5

    2105587a46cd03b82c3504ab774c59e6

  • SHA1

    c45af97056562799482fc1b20a971a3e908e8f10

  • SHA256

    53e261a0864645574be944e7530dee005c6a38dd22d8595aab52959e783385fe

  • SHA512

    fd72ec43014d67046d002815c070936e825a4a6a357db15e0aa81d79f6f5cdeaed6a3aac6a09d1948284cc4b679bf6a1720e039b406ff0f8bbc80e65bd886a91

  • SSDEEP

    196608:UEUXwmG4lmsJ+uRKcPE64OPEALyjZuyZOji4:lSTlm+vVPE64O8ALmdZOB

Malware Config

Extracted

  • Family

    cobaltstrike

  • Botnet

    100000

  • C2

    http://home.firefoxchina.cn:80/audiencemanager.js

Attributes
  • access_type

    512

  • host

    home.firefoxchina.cn,/audiencemanager.js

  • http_header1


  • http_header2


  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9472

  • polling_time

    30000

  • port_number

    80

  • sc_process32

    %windir%\syswow64\runonce.exe

  • sc_process64

    %windir%\sysnative\runonce.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCTgtebe0cm7Pcf5k+pJW3oVOtEFdoncgt1GOki7jIZvJzh8gS6c2+z7OnS8tKIifIFd5/wXKn6x8l+/8edmBrk9bAeXpGOAJROS9Vcndwj6au5cO1RsbDAXpv39Pd4XPNRxFGinglpSmd8/s+FiTomD2du2byaq7Ngsd/a+taTcwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    1.435374848e+09

  • unknown2

    AAAABAAAAAEAAAf+AAAAAgAAIUwAAAACAAAPtQAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /audiencemanager-v2.js

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4044.62 Safari/537.36

  • watermark

    100000

Targets

    • Target

      绩效考核整改意见/其他信息/.__MACOS__/.__MACOS__/._MACOS_/Uxtheme.dll

    • Size

      4.3MB

    • MD5

      579403a0a0407119b01dafb2f9cf0229

    • SHA1

      884a0b4246e8a83bf2f17bdf3dd5ca20979eeffc

    • SHA256

      e8f6d96d0fba3b08651c8e2cfd160401d287901a44ab06770e02946a1b490dca

    • SHA512

      78955598bec3017322087dbdbeeb5c8d3503dc21b294e36aca00f821b67b1e761e9afefb66f3ce9be70a3e404ea48e8e5285642d22afe71b1fe173bc855fc6a4

    • SSDEEP

      98304:laAFQE1zBmdoSsaqTbXMqqijkFNjX1GOSzU8:laeQ4zsdiaioNLwz

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks whether UAC is enabled

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      绩效考核整改意见/其他信息/.__MACOS__/.__MACOS__/._MACOS_/ds.exe

    • Size

      6.6MB

    • MD5

      512f4350aee7eb50adf509008a3ad3ce

    • SHA1

      b9eb9c56289e835739447925a0c085a9849a8f53

    • SHA256

      64f7a36c01e79cd4b041e8a8607dff06d5b606d36e3dff9cfb5fffa22d14d34c

    • SHA512

      9f8fc1871545abb446e76990c02ea648f3a588e1245f9140e86199a834b49d7410907925d471a4cb255f01176dc56d9099920db8f645938c32c66810cc14f649

    • SSDEEP

      49152:hfvxdjdBT6fQ88jYf89GdJufo0HNoWzSMWPQYH09RU39h6b/tQxFezMZoRZXtSHj:bb4zEsqaMWEr8gQLACJir2wFXk/mol

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks whether UAC is enabled

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      绩效考核整改意见/其他信息/其他信息.docx

    • Size

      44KB

    • MD5

      2f82623f9523c0d167862cad0eff6806

    • SHA1

      5d77804b87735e66d7d1e263c31c4ef010f16153

    • SHA256

      9c2c8a8588fe6db09c09337e78437cb056cd557db1bcf5240112cbfb7b600efb

    • SHA512

      7fe8285e52355f2e53650dc4176f62299b8185ed7188850e0a566ddef7e77e1e88511bdcf6f478c938acef3d61d8b269e218970134e1ffc5581f8c7be750c330

    • SSDEEP

      384:OtF1XO9GxgL7ol+WSvYWCiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiLiiiiiriM:QOOgL7E4r

    • Score

      1/10

    • Target

      绩效考核整改意见/绩效考核整改意见.docx.lnk

    • Size

      809B

    • MD5

      2cec819246244026af2dd3fdcee0b02d

    • SHA1

      0ae1cce41ecd481a97450de5628c1bba0785b94e

    • SHA256

      550c62c18cc9ec6dbd12d1d81e0c5b15b9b3c46d93da23ed518af1e237389364

    • SHA512

      4614d0a99680f414f87ad0a9625b4f901ab961f203d5782b8753389a82f4886a2de73ca45007ee7ad970dd203c1c1ccdf09219963f58ae8558a6f31bee2ca7c0

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15
