General
-
Target
e78cf21e556c3092fd4fd69502d5afec_JaffaCakes118
-
Size
172KB
-
Sample
240408-qk8htsaa93
-
MD5
e78cf21e556c3092fd4fd69502d5afec
-
SHA1
6e07a503ed35db15fe4abe554c262b352e65856a
-
SHA256
b228ab1c794a255e2b655e4f559f60d0f727125e33038a1f717fd50dc978c1d1
-
SHA512
09fa20c2527f67a040d8e47e9a7a3c05ab9893e46c749de7232c3bdabfc62ba51fac93f8da9f70f5970aae058f05360aef8f2de52fa4291485fa9bc45812668f
-
SSDEEP
3072:FiHCy8NpD2VLKivsvnzmsJTUFAUFUd+0JgkibU4jLj8VgRCiyz+Qd3yoWZzb:AHCygULKUsbHJTUFOd+0etbrLj8VfrEo
Malware Config
Extracted
cobaltstrike
972041620
http://52.15.212.124:443/telemetry_1
-
access_type
512
-
beacon_type
2048
-
host
52.15.212.124,/telemetry_1
-
http_header1
AAAACgAAADFBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsKi8qLHE9MC44AAAACgAAABlBY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTLGVuAAAACgAAABZDb25uZWN0aW9uOiBrZWVwLWFsaXZlAAAABwAAAAAAAAAPAAAADQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAABdDYWNoZS1jb250cm9sOiBuby1jYWNoZQAAAAoAAAAWQ29udGVudC1FbmNvZGluZzogZ3ppcAAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAHAAAAAQAAAAQAAAAHAAAAAAAAAA0AAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
8448
-
polling_time
300000
-
port_number
443
-
sc_process32
%windir%\syswow64\backgroundTaskHost.exe
-
sc_process64
%windir%\sysnative\mobsync.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCXy7bqekll06mHUWMDlxK9wwJZzgn71reF9u1pCbTVBkBDJPWLpN8yrjpaxz9tsvKdAwjuiIi8OpKuFrHOfJey6nFg+KbGTmpO0JoW//BQlPWpfYYmJfnS+kvpZMEg+tKDndK1Klq16qAF/f0eCLlFqxketa5EvbyrIfOnvr5IrQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
1.700074752e+09
-
unknown2
AAAABAAAAAIAAAAJAAAAAwAAAA8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit/telemetry/
-
user_agent
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:63.0) Gecko/20100101 Firefox/63.0
-
watermark
972041620
Targets
-
-
Target
e78cf21e556c3092fd4fd69502d5afec_JaffaCakes118
-
Size
172KB
-
MD5
e78cf21e556c3092fd4fd69502d5afec
-
SHA1
6e07a503ed35db15fe4abe554c262b352e65856a
-
SHA256
b228ab1c794a255e2b655e4f559f60d0f727125e33038a1f717fd50dc978c1d1
-
SHA512
09fa20c2527f67a040d8e47e9a7a3c05ab9893e46c749de7232c3bdabfc62ba51fac93f8da9f70f5970aae058f05360aef8f2de52fa4291485fa9bc45812668f
-
SSDEEP
3072:FiHCy8NpD2VLKivsvnzmsJTUFAUFUd+0JgkibU4jLj8VgRCiyz+Qd3yoWZzb:AHCygULKUsbHJTUFOd+0etbrLj8VfrEo
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-