General
-
Target
14d376dfa0f24a09634603c5edd08737974924c59e762fb9d1eb31da7079449a
-
Size
378KB
-
Sample
231201-jtsemsgb3s
-
MD5
d04eaf025dfec65b50d1ce1960e00583
-
SHA1
f042cea0283ecb5e487cb69e5790edec221e9c50
-
SHA256
14d376dfa0f24a09634603c5edd08737974924c59e762fb9d1eb31da7079449a
-
SHA512
951fbe9210ee7e9564149e16df00d42f9742b671e3d2624b749faca7fbe0f354178b81bd5827ef3ca802dce3dedd7f541949bb1927f7d01dd57624eb0923f46f
-
SSDEEP
6144:hdUEUGjKMw8rzAf7KWu1EcTUQROENqP5m3nCWkV7kfL/uJMdzY2BiT2wnfq:hdkMwtlcTUQquXkV7kfLmGdzYr2wnfq
Static task
static1
Behavioral task
behavioral1
Sample
14d376dfa0f24a09634603c5edd08737974924c59e762fb9d1eb31da7079449a.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
14d376dfa0f24a09634603c5edd08737974924c59e762fb9d1eb31da7079449a.exe
Resource
win10v2004-20231127-en
Malware Config
Extracted
cobaltstrike
100000
http://106.75.230.14:8443/static/js/jquery-v3.2.0.min.js
-
access_type
512
-
beacon_type
2048
-
host
106.75.230.14,/static/js/jquery-v3.2.0.min.js
-
http_header1
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
-
http_header2
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
-
http_method1
GET
-
http_method2
POST
-
jitter
9472
-
polling_time
300000
-
port_number
8443
-
sc_process32
%windir%\syswow64\dllhost.exe
-
sc_process64
%windir%\sysnative\dllhost.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCV0crClNlojga1ZUpQePu6yayzfvakcqdlSlnr7I5KDk9dctuhdMuEkf/guDBT3KjCO5FZqP4tHTjnfUoL1E0SKa386QMeXARo+D1lFp5lB5EGoHmTMysDRTx/QDSfGcx0Ni/HO7L2izqdtjFr322yto5WXf6Kwj2P+5EbSqQapwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4.234810624e+09
-
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/static/js/jquery-v3.2.2.min.js
-
user_agent
Mozilla/9.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
-
watermark
100000
Targets
-
-
Target
14d376dfa0f24a09634603c5edd08737974924c59e762fb9d1eb31da7079449a
-
Size
378KB
-
MD5
d04eaf025dfec65b50d1ce1960e00583
-
SHA1
f042cea0283ecb5e487cb69e5790edec221e9c50
-
SHA256
14d376dfa0f24a09634603c5edd08737974924c59e762fb9d1eb31da7079449a
-
SHA512
951fbe9210ee7e9564149e16df00d42f9742b671e3d2624b749faca7fbe0f354178b81bd5827ef3ca802dce3dedd7f541949bb1927f7d01dd57624eb0923f46f
-
SSDEEP
6144:hdUEUGjKMw8rzAf7KWu1EcTUQROENqP5m3nCWkV7kfL/uJMdzY2BiT2wnfq:hdkMwtlcTUQquXkV7kfLmGdzYr2wnfq
Score 10/10
-
Checks computer location settings
Looks up the country code configured in the registry, which is likely a geofence check.
-
Executes dropped EXE
-