cobaltstrike | fbd7a548c9687bd0a74f905b03cedb8072717c67b04ddd05418f2f9cbb7076ac

General

Target

4bbc7c53d45152aa23d2d3f4322ed490_JaffaCakes118.ps1
Size

194KB
MD5

4bbc7c53d45152aa23d2d3f4322ed490
SHA1

5508b012ff7ef2b34375f3a4b3067dbbfb4a453d
SHA256

fbd7a548c9687bd0a74f905b03cedb8072717c67b04ddd05418f2f9cbb7076ac
SHA512

ffb032a143e14215e6417d8f317958c0e18e4fbf99a940f4a07221590831a9e9d8f3202e4938593f9e2be30ad479cabec6e2fc90e76bc0d93a9d26d8d7a9631a
SSDEEP

3072:xKngySVRgypwBolhfJv0DO/sUy2T9QOcH9cHUD1lv9LGbIVu5kqKtjOt0BZ:xtNnXNXfJv0DWyP9SUhgGhA07

Score

10^/10

cobaltstrike 0 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://auditsecuritybusworld.com:443/jquery-3.3.1.min.js

http://213.227.155.246:443/jquery-3.3.1.min.js

Attributes

access_type
512
beacon_type
2048
host
auditsecuritybusworld.com,/jquery-3.3.1.min.js,213.227.155.246,/jquery-3.3.1.min.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAJX19jZmR1aWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
45000
port_number
443
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnOM3nXx+7HBhkbDd+AwFrFisSunK999w2tM0uTpuuEiBalcJhcL+QgQWtf6S7zPp5hjImG+2YcPl18geU4f5JlSPXHwilbK4DFb/ePWyKFjhrA7emVRqhM21QMlo1ANsn14rY/RO2pzuft8P7TXoIjjI/B2GGVuzYNZX6X4I2EwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4.234810624e+09
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/jquery-3.3.2.min.js
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

5 1532 powershell.exe
6 1532 powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2220 powershell.exe
1532 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2220 powershell.exe
Token: SeDebugPrivilege 1532 powershell.exe

flow	pid	process
5	1532	powershell.exe
6	1532	powershell.exe

pid	process
2220	powershell.exe
1532	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 2220 wrote to memory of 1532	2220	powershell.exe	powershell.exe
PID 2220 wrote to memory of 1532	2220	powershell.exe	powershell.exe
PID 2220 wrote to memory of 1532	2220	powershell.exe	powershell.exe
PID 2220 wrote to memory of 1532	2220	powershell.exe	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\4bbc7c53d45152aa23d2d3f4322ed490_JaffaCakes118.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220

\??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1532

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ABULV888I8E4MG888A0A.temp
Filesize
7KB

MD5
0aac5a96ddc822728b8566040338a62c

SHA1
3fcec60503d1456688731c792459c328a98fbf11

SHA256
1f3a192fba23aec57979485ff6cc09f8b0a4a6396c977b89fe3576373713a6cd

SHA512
71deb96b255ccb5e759a0fcacd68b74905a59536141aa7859eaa4df808661369708217d90f106b12ab33ca5732ed2b64034e1ce3e143de912efc71122452d81d

Download Submit
memory/1532-23-0x0000000005430000-0x00000000058A2000-memory.dmp

Filesize
4.4MB

Download
memory/1532-32-0x00000000026D0000-0x0000000002710000-memory.dmp

Filesize
256KB

Download
memory/1532-31-0x00000000026D0000-0x0000000002710000-memory.dmp

Filesize
256KB

Download
memory/1532-30-0x0000000073D90000-0x000000007433B000-memory.dmp

Filesize
5.7MB

Download
memory/1532-29-0x0000000073D90000-0x000000007433B000-memory.dmp

Filesize
5.7MB

Download
memory/1532-18-0x00000000026D0000-0x0000000002710000-memory.dmp

Filesize
256KB

Download
memory/1532-21-0x0000000005320000-0x0000000005354000-memory.dmp

Filesize
208KB

Download
memory/1532-20-0x0000000005430000-0x00000000058A2000-memory.dmp

Filesize
4.4MB

Download
memory/1532-19-0x00000000026D0000-0x0000000002710000-memory.dmp

Filesize
256KB

Download
memory/1532-34-0x0000000005320000-0x0000000005354000-memory.dmp

Filesize
208KB

Download
memory/1532-16-0x0000000073D90000-0x000000007433B000-memory.dmp

Filesize
5.7MB

Download
memory/1532-17-0x0000000073D90000-0x000000007433B000-memory.dmp

Filesize
5.7MB

Download
memory/2220-11-0x0000000002AC0000-0x0000000002B40000-memory.dmp

Filesize
512KB

Download
memory/2220-25-0x000007FEF6530000-0x000007FEF6ECD000-memory.dmp

Filesize
9.6MB

Download
memory/2220-12-0x0000000002AC0000-0x0000000002B40000-memory.dmp

Filesize
512KB

Download
memory/2220-4-0x000000001B330000-0x000000001B612000-memory.dmp

Filesize
2.9MB

Download
memory/2220-22-0x000007FEF6530000-0x000007FEF6ECD000-memory.dmp

Filesize
9.6MB

Download
memory/2220-10-0x000007FEF6530000-0x000007FEF6ECD000-memory.dmp

Filesize
9.6MB

Download
memory/2220-24-0x0000000002AC0000-0x0000000002B40000-memory.dmp

Filesize
512KB

Download
memory/2220-13-0x0000000002AC0000-0x0000000002B40000-memory.dmp

Filesize
512KB

Download
memory/2220-27-0x0000000002AC0000-0x0000000002B40000-memory.dmp

Filesize
512KB

Download
memory/2220-26-0x0000000002AC0000-0x0000000002B40000-memory.dmp

Filesize
512KB

Download
memory/2220-28-0x0000000002AC0000-0x0000000002B40000-memory.dmp

Filesize
512KB

Download
memory/2220-9-0x00000000026E0000-0x0000000002712000-memory.dmp

Filesize
200KB

Download
memory/2220-8-0x00000000026E0000-0x0000000002712000-memory.dmp

Filesize
200KB

Download
memory/2220-7-0x0000000002AC0000-0x0000000002B40000-memory.dmp

Filesize
512KB

Download
memory/2220-6-0x000007FEF6530000-0x000007FEF6ECD000-memory.dmp

Filesize
9.6MB

Download
memory/2220-5-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing