metasploit | e79a99f73671a482680fff448f5c4679_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

e79a99f73671a482680fff448f5c4679_JaffaCakes118
Size

267KB
MD5

e79a99f73671a482680fff448f5c4679
SHA1

2cad67d58d97828eecd101bc00a46db530b0401e
SHA256

006afddc2fdfb5d1dc10f6b3ab6036e6ccfad055ac0713d5bb4091d0bec96c5f
SHA512

bea74d3dcc78d3e7389f3c7a0cd205efa7696dbcb5f659d7f9de17f050108ba38319857cf37bab3c7c6726213aea40450211edaf43cf0215cb9abc00aa4c42b8
SSDEEP

6144:I0F1zuDj5wjr3udZ+DPk3GzSoMI2jRwUIK3JudTJ5Iay1jY:j6/5cjub+DPkyFcVwUtJud15Im

Score

10^/10

0 metasploit cobaltstrike

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

cobaltstrike

Botnet

http://185.225.19.100:443/viwwwsogou

http://sjbingdu.info:443/viwwwsogou

Attributes

access_type
512
beacon_type
2048
host
185.225.19.100,/viwwwsogou,sjbingdu.info,/viwwwsogou
http_header1
AAAACgAAABNIb3N0OiB3d3cuc29nb3UuY29tAAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiBlbi1VUyxlbjtxPTAuNQAAAAoAAAAiQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlLCBicgAAAAkAAAAEb3A9OQAAAAkAAAAtcXVlcnk9JUU3JUEyJThGJUU1JUJCJUJBJTA5JUU5JUJFJTk2JUU4JUIwJUE5AAAABwAAAAAAAAAPAAAAAwAAAAIAAAALSlNFU1NJT05JRD0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAABZIb3N0OiB3d3cuc29nb3VjZG4uY29tAAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiBlbi1VUyxlbjtxPTAuNQAAAAcAAAAAAAAADwAAAA0AAAAFAAAABmFwcF9pZAAAAAcAAAABAAAADwAAAAIAAAA1eyJ2ZXJzaW9uIjoiMC4wLjIiLCJzZXJ2aWNlTmFtZSI6ImZ1d3UiLCJwYXJhbUFyZ3MiOnsAAAABAAAAL30sImFjdGlvbk5hbWUiOiwiYWN0aW9uUG9zaXRpb24iOiJob21lLWJhbm5lciJ9AAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
jitter
5888
maxdns
240
polling_time
5300
port_number
443
sc_process32
%windir%\syswow64\gpupdate.exe
sc_process64
%windir%\sysnative\gpupdate.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCTlanI8X1WJGDnxRmFi/fGlDPmu7pmCC6vPbMU7WQm9+U5A14hHmwkfrctVx0KIqDKgQpuVTSEhcNR6kcTAOSodlp8PGncQttJxejki/dgPvoustnwEXj+syR3/sbzbcJH+GYsMCae6WXDTjh3zpss8OD75mSGUQY7Gl7GF82E4wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
3.528922368e+09
unknown2
AAAABAAAAAEAAAGPAAAAAgAAAOgAAAANAAAADwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/p
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
watermark
0

Signatures

Cobaltstrike family
cobaltstrike
Metasploit family
metasploit

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
e79a99f73671a482680fff448f5c4679_JaffaCakes118

Files

e79a99f73671a482680fff448f5c4679_JaffaCakes118
.dll windows:5 windows x86 arch:x86

e9cbd722d7abb2d075780bf4624051c4

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

shlwapi

PathStripPathW
StrCmpIW

kernel32

GetCurrentProcess
CreateFileW
WriteConsoleW
GetModuleHandleW
GetModuleFileNameW
ExitProcess
CreateMutexW
Sleep
GetLastError
VirtualAlloc
VirtualProtect
CloseHandle
GetCommandLineA
GetCurrentThreadId
IsDebuggerPresent
IsProcessorFeaturePresent
SetLastError
InterlockedIncrement
InterlockedDecrement
EncodePointer
DecodePointer
GetModuleHandleExW
GetProcAddress
MultiByteToWideChar
GetProcessHeap
GetStdHandle
GetFileType
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
GetStartupInfoW
GetModuleFileNameA
HeapFree
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
GetEnvironmentStringsW
FreeEnvironmentStringsW
WideCharToMultiByte
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
EnterCriticalSection
LeaveCriticalSection
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
WriteFile
LoadLibraryExW
RtlUnwind
HeapAlloc
HeapReAlloc
GetStringTypeW
OutputDebugStringW
LoadLibraryW
HeapSize
LCMapStringW
FlushFileBuffers
GetConsoleCP
GetConsoleMode
SetStdHandle
SetFilePointerEx

Exports

Exports

DeleteOfficeData
GetOfficeData

Sections

.text
Size: 25KB - Virtual size: 25KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 18KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 212KB - Virtual size: 219KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 648B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Files

e9cbd722d7abb2d075780bf4624051c4

Headers

DLL Characteristics

File Characteristics

Imports

shlwapi

kernel32

Exports

Exports

Sections

.text Size: 25KB - Virtual size: 25KB

.rdata Size: 18KB - Virtual size: 17KB

.data Size: 212KB - Virtual size: 219KB

.rsrc Size: 1024B - Virtual size: 648B

.reloc Size: 9KB - Virtual size: 8KB

.text
Size: 25KB - Virtual size: 25KB

.rdata
Size: 18KB - Virtual size: 17KB

.data
Size: 212KB - Virtual size: 219KB

.rsrc
Size: 1024B - Virtual size: 648B

.reloc
Size: 9KB - Virtual size: 8KB