cobaltstrike | 02f8a34310c1e29f05e95be43338bb7bc0cdceae47462a10a3801ed2eab93d27

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2024 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1de06b5e12c970e8541adf5fe65b0097_JaffaCakes118.exe
Size

19.3MB
MD5

1de06b5e12c970e8541adf5fe65b0097
SHA1

44457eac460c24e0ca2c0252ee2d2eefc8727af9
SHA256

02f8a34310c1e29f05e95be43338bb7bc0cdceae47462a10a3801ed2eab93d27
SHA512

9eb3d5e1fb77edd70360d1f51cfcf793206bfbe458391ad577f52e85266fec15acaae82d818c1d26f1845ec99ceba22495576fe6d480a5fbd4281c9bccc30171
SSDEEP

49152:rtqD5h7V9LYGvZ2wSKhZpPam66qK7YrI3rc1jduXEsu:rtSh7V9sVMpPam66tEMI

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://apt.freelinuxupdate.tk:2053/bootstrap-2.min.js

Attributes

user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 3 IoCs

Processes:

go-memexec-562350551.exego-memexec-870809735.exego-memexec-016121755.exe

pid process

3452 go-memexec-562350551.exe
3572 go-memexec-870809735.exe
5060 go-memexec-016121755.exe

pid	process
3452	go-memexec-562350551.exe
3572	go-memexec-870809735.exe
5060	go-memexec-016121755.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

1de06b5e12c970e8541adf5fe65b0097_JaffaCakes118.exego-memexec-562350551.exego-memexec-870809735.exe

description	pid	process	target process
PID 1632 wrote to memory of 3452	1632	1de06b5e12c970e8541adf5fe65b0097_JaffaCakes118.exe	go-memexec-562350551.exe
PID 1632 wrote to memory of 3452	1632	1de06b5e12c970e8541adf5fe65b0097_JaffaCakes118.exe	go-memexec-562350551.exe
PID 1632 wrote to memory of 3452	1632	1de06b5e12c970e8541adf5fe65b0097_JaffaCakes118.exe	go-memexec-562350551.exe
PID 3452 wrote to memory of 3572	3452	go-memexec-562350551.exe	go-memexec-870809735.exe
PID 3452 wrote to memory of 3572	3452	go-memexec-562350551.exe	go-memexec-870809735.exe
PID 3572 wrote to memory of 5060	3572	go-memexec-870809735.exe	go-memexec-016121755.exe
PID 3572 wrote to memory of 5060	3572	go-memexec-870809735.exe	go-memexec-016121755.exe

C:\Users\Admin\AppData\Local\Temp\1de06b5e12c970e8541adf5fe65b0097_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1de06b5e12c970e8541adf5fe65b0097_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\go-memexec-562350551.exe
C:\Users\Admin\AppData\Local\Temp\go-memexec-562350551.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452

C:\Users\Admin\AppData\Local\Temp\go-memexec-870809735.exe
C:\Users\Admin\AppData\Local\Temp\go-memexec-870809735.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3572

C:\Users\Admin\AppData\Local\Temp\go-memexec-016121755.exe
C:\Users\Admin\AppData\Local\Temp\go-memexec-016121755.exe
4⤵
- Executes dropped EXE
PID:5060

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\go-memexec-016121755.exe
Filesize
328KB

MD5
58336a3811207c8d3f57709317b172e9

SHA1
221f507292989dbd52c3a26df4d3fb9f1d80af7a

SHA256
a3afb74b961f0b9b6e484166d61b92eb8ab2a41f0a88cc11f02c6b316ebee74f

SHA512
99b0ccc043f20339d82bcdd5634dfa4ea863fb466121c67c663c12247d1f442cc0868b4cdd06aba64e3684015aa364af9d2ffc8567f14b585efa79d97cd43b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\go-memexec-562350551.exe
Filesize
8.5MB

MD5
786ec6298fecaf3917d8cdd971e4ca6c

SHA1
6a97ab8f62dd82e3f7a90d569dd938e83f7a9039

SHA256
7689d79518ea5d74a374c882fcd3c85624c026c858319a3403cf513cc0013705

SHA512
ba3c772bc3cc062a878b5dfa141fae18cb574420ce4a9a9f9d0d4188ae3ede4aa2caa3229073acbbcdc5b9aab4b4790c873f4a1c01477cd86c04b382a35dc322

Download Submit
C:\Users\Admin\AppData\Local\Temp\go-memexec-870809735.exe
Filesize
3.2MB

MD5
1e1735bff2d3c91b471c36ea563014b8

SHA1
5eb30dfa2fdc41d34c0a52da384aa531331c6343

SHA256
84c8bb6a84391404ae1ab0dc9760d87a35253bb4638b20156eb3dc1aeccb8e99

SHA512
964251a36457435095fea7b674d2eb30ea6fcb9ef66fa1ccfa6dc884beac6d577fdd26b0d45e2855d3ab77707db4d9b39410749fd61b395cf71a30c35d5cfaf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
8.5MB

MD5
b624e5dc1f9b132fc5304634ccf683f4

SHA1
3f540b1284cd4cd2efac7fcc145ba16950499481

SHA256
5f77ad6e4d3e83d7875ee3895c7ce4860a01a7e99928a4e2e19e7adcbae25862

SHA512
b99ec80e1f328445f4bd632b0e9e052567d31cf1dc81bb248a72076f6f26df664021ab8111fe6025b313a810bbde1672a3e94d0472fc60f172b24da2246fa05b

Download Submit
memory/5060-11-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/5060-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download