General
-
Target
f8ccff73406a3b6acad964a6376b2ae9_JaffaCakes118
-
Size
373KB
-
Sample
240418-1g3taafe84
-
MD5
f8ccff73406a3b6acad964a6376b2ae9
-
SHA1
fbabadf32b4dabadf18f0d959bc40f112af5549b
-
SHA256
bbb84b90e0a90e614b2a46542b576f213caf4d4f32f34eddfffe7d5be1e3a3ba
-
SHA512
a636a25f10763d163470c9f12c35445b00ae172b08ff58909688b98f65ad0f32ba3f238fd2d1b345bed63822b23da94743e77691c0f75a08e65fb34dece3f027
-
SSDEEP
6144:F4PhIJ0YQ4p/bSdbMFP0wkUmtPAGDnWAOqmJHRwOMFNmvUEqre3R+IdmK7ipbplR:F4JG0Y7zwMawkUmtY2pmlRnMFNm8E5+3
Malware Config
Extracted
metasploit
encoder/shikata_ga_nai
Extracted
cobaltstrike
0
http://chart.expocasheuro.com:443/fromdefault
http://94.237.81.57:443/fromdefault
-
access_type
512
-
beacon_type
2048
-
host
chart.expocasheuro.com,/fromdefault,94.237.81.57,/fromdefault
-
http_header1
AAAACgAAABBIb3N0OiB3d3cucXEuY29tAAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiBlbi1VUyxlbjtxPTAuNQAAAAoAAAAZQWNjZXB0LUVuY29kaW5nOiBnemlwLCBicgAAAAcAAAAAAAAADwAAAAMAAAACAAAACmNtX2Nvb2tpZT0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAABBIb3N0OiB3d3cucXEuY29tAAAACgAAAClBY2NlcHQ6IGFwcGxpY2F0aW9uL2pzb24sIHRleHQvcGxhaW4sICovKgAAAAoAAAAVQWNjZXB0LUVuY29kaW5nOiBnemlwAAAABwAAAAAAAAAPAAAAAwAAAAIAAAAKY21fY29va2llPQAAAAYAAAAGQ29va2llAAAABwAAAAEAAAAPAAAAAwAAAAIAAAAQeyJwYWdlIjoyLCJ1aW4iOgAAAAEAAAAOLCJwYWdlU2l6ZSI6M30AAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
jitter
6656
-
maxdns
244
-
polling_time
7300
-
port_number
443
-
sc_process32
%windir%\syswow64\taskeng.exe
-
sc_process64
%windir%\sysnative\taskeng.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgKUlf3RLWKgNJ9S8y26ebK2mGsFDDooTj9uq8fjMrU1OIjQ74FBmAQLpksIts/EPd5KL9KW5KpmrHRqoFWsWWylAQBegxuqj4h2Tyw5fi9fAWRBXMhY9lmo9tjYSbFuLMCFCu4kdLRishHaVfQ0uw6TGHr9q2slEMrom+ypPcvwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
1.001138688e+09
-
unknown2
AAAABAAAAAEAAACOAAAAAgAAAPUAAAADAAAACAAAAA8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/app
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0
-
watermark
0
Targets
-
-
Target
2/JudianService.dll
-
Size
283KB
-
MD5
943cb4b5ffb69926803d7f9c3dd1bc7c
-
SHA1
2459b3ee3761e20439494ab11a7bd5aa96f3913c
-
SHA256
8ccd9591e9438a313a21958c7f8edce4b238bbb147e8284ec4a2b7b488b920ca
-
SHA512
c983494abcee03d98c6daa6e26b6a4afc639d1ffeaafc8ca2a0f0dd27bdcae21926fa4896dcf21fe92d829d959a8c36a6457024acf5c4526a1f5fc412ece3096
-
SSDEEP
6144:UZC4MTZhJZa5u+/c/xDbUkQFXzF7goI1WtkBTkoLOhSo:UUj7Za5a+RF7aTNLOh3
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Blocklisted process makes network request
-
-
-
Target
2/cbappendix.exe
-
Size
250KB
-
MD5
9f410ba2b2ec1e1a9fadc1e03d97d649
-
SHA1
22e1595f67c305af6499571b7a4fcbdfee4e2c63
-
SHA256
88fae154d211c1fadc2593225b75c3ca773e8a8c3a1ae6bf50aa4a1cdfd534d6
-
SHA512
a138a61eb0ad4477899f0d5ce04bcb1b3c2e7e33688745166931cad4ee680ed34656fc1f193cd9360caf8a5adc94b09a85b511b110ef3ca5406720352f2e49ba
-
SSDEEP
3072:e73/xkvPVkoeSJLyy2B9mU2kOkFCbGMPM6f+GfgBGBVdtITSHRtrEp:ezOnVk2WH9mqOsCbGkuoVvPn2
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-