General
-
Target
8c39362ece9dec1ea1ce5d62cf7bf4bd_JaffaCakes118
-
Size
344KB
-
Sample
240402-pcc7aahh24
-
MD5
8c39362ece9dec1ea1ce5d62cf7bf4bd
-
SHA1
1ad02ecca0301c06798917c115ccd2bbed6d6f6e
-
SHA256
a2d712e4513a22a85fe64a3e8358110dd08953123b3da6792fa7b7283aa01e80
-
SHA512
ea6423c9048b62b7267e10d400063dcbfec1c3a8bdad4e099329a5c49c1d0d31a0d888399fa26012248011b329b43e0f1c8677a428b35cb8805d3e7fd99f7ee7
-
SSDEEP
6144:msvbJiNS2kwXSo3vz3UgQnEfhAoe14mFGmGSh2lruZyiOFWnUH:DMNWwCkbgChAoy4QGmtArN
Malware Config
Extracted
cobaltstrike
1359593325
http://31.210.20.136:443/jquery-3.3.1.min.js
-
access_type
512
-
beacon_type
2048
-
host
31.210.20.136,/jquery-3.3.1.min.js
-
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAJX19jZmR1aWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
9472
-
polling_time
45000
-
port_number
443
-
sc_process32
%windir%\syswow64\dllhost.exe
-
sc_process64
C:\Program Files\SABnzbd\SABnzbd.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCDFX2KslNnoE9lmf8o39MlFmtqLSIu8ldMgwihK9MbNZZLjO/ArM3shMfIx4SY3XmCHpPmAS3z8M1/CdbDuD3MKVPPBMAfoWD0ln8ut5n2/gE7ghDBdFgJ9umvhKjVyyL6GQPBjschC3dTgELOF6piKhTjbmBcf4AQMu3F0qQ03wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4.234810624e+09
-
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/jquery-3.3.2.min.js
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
-
watermark
1359593325
Targets
-
-
Target
8c39362ece9dec1ea1ce5d62cf7bf4bd_JaffaCakes118
-
Size
344KB
-
MD5
8c39362ece9dec1ea1ce5d62cf7bf4bd
-
SHA1
1ad02ecca0301c06798917c115ccd2bbed6d6f6e
-
SHA256
a2d712e4513a22a85fe64a3e8358110dd08953123b3da6792fa7b7283aa01e80
-
SHA512
ea6423c9048b62b7267e10d400063dcbfec1c3a8bdad4e099329a5c49c1d0d31a0d888399fa26012248011b329b43e0f1c8677a428b35cb8805d3e7fd99f7ee7
-
SSDEEP
6144:msvbJiNS2kwXSo3vz3UgQnEfhAoe14mFGmGSh2lruZyiOFWnUH:DMNWwCkbgChAoy4QGmtArN
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-