Resubmissions

16-12-2023 06:43

231216-hhfe9scbh4 10

16-12-2023 05:16

231216-fyd62acae9 10

General

  • Target

    http://185.74.222.145:64

  • Sample

    231216-hhfe9scbh4

Malware Config

Extracted

Family

cobaltstrike

C2

http://185.74.222.145:676/PPDy

http://185.74.222.145:676/y6Dj

Attributes
  • user_agent

    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

Extracted

Family

connectback

C2

185.74.222.145:957

95.216.40.153:957

Targets

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • ConnectBack

      A small Linux reverse shell that establishes a connection back to the attacker.

    • Renames multiple (55) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Registers COM server for autorun

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks