Analysis
- max time kernel: 142s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-04-2024 21:38
Behavioral task: behavioral1
- Sample: 2/JudianService.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2/JudianService.dll
- Resource: win10v2004-20240412-en
Behavioral task: behavioral3
- Sample: 2/cbappendix.exe
- Resource: win7-20240221-en
Behavioral task: behavioral4
- Sample: 2/cbappendix.exe
- Resource: win10v2004-20240412-en
General
- Target: 2/cbappendix.exe
- Size: 250KB
- MD5:
9f410ba2b2ec1e1a9fadc1e03d97d649
- SHA1:
22e1595f67c305af6499571b7a4fcbdfee4e2c63
- SHA256:
88fae154d211c1fadc2593225b75c3ca773e8a8c3a1ae6bf50aa4a1cdfd534d6
- SHA512:
a138a61eb0ad4477899f0d5ce04bcb1b3c2e7e33688745166931cad4ee680ed34656fc1f193cd9360caf8a5adc94b09a85b511b110ef3ca5406720352f2e49ba
- SSDEEP:
3072:e73/xkvPVkoeSJLyy2B9mU2kOkFCbGMPM6f+GfgBGBVdtITSHRtrEp:ezOnVk2WH9mqOsCbGkuoVvPn2
Malware Config
Extracted: metasploit
encoder/shikata_ga_nai
Extracted: cobaltstrike
0
http://chart.expocasheuro.com:443/fromdefault
http://94.237.81.57:443/fromdefault
- access_type: 512
- beacon_type: 2048
- host: chart.expocasheuro.com,/fromdefault,94.237.81.57,/fromdefault
- http_header1:
AAAACgAAABBIb3N0OiB3d3cucXEuY29tAAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiBlbi1VUyxlbjtxPTAuNQAAAAoAAAAZQWNjZXB0LUVuY29kaW5nOiBnemlwLCBicgAAAAcAAAAAAAAADwAAAAMAAAACAAAACmNtX2Nvb2tpZT0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2:
AAAACgAAABBIb3N0OiB3d3cucXEuY29tAAAACgAAAClBY2NlcHQ6IGFwcGxpY2F0aW9uL2pzb24sIHRleHQvcGxhaW4sICovKgAAAAoAAAAVQWNjZXB0LUVuY29kaW5nOiBnemlwAAAABwAAAAAAAAAPAAAAAwAAAAIAAAAKY21fY29va2llPQAAAAYAAAAGQ29va2llAAAABwAAAAEAAAAPAAAAAwAAAAIAAAAQeyJwYWdlIjoyLCJ1aW4iOgAAAAEAAAAOLCJwYWdlU2l6ZSI6M30AAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- jitter: 6656
- maxdns: 244
- polling_time: 7300
- port_number: 443
- sc_process32: %windir%\syswow64\taskeng.exe
- sc_process64: %windir%\sysnative\taskeng.exe
- state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgKUlf3RLWKgNJ9S8y26ebK2mGsFDDooTj9uq8fjMrU1OIjQ74FBmAQLpksIts/EPd5KL9KW5KpmrHRqoFWsWWylAQBegxuqj4h2Tyw5fi9fAWRBXMhY9lmo9tjYSbFuLMCFCu4kdLRishHaVfQ0uw6TGHr9q2slEMrom+ypPcvwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 1.001138688e+09
- unknown2:
AAAABAAAAAEAAACOAAAAAgAAAPUAAAADAAAACAAAAA8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /app
- user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0
- watermark: 0
Signatures
- Cobaltstrike: Detected malicious payload which is part of Cobaltstrike.
- MetaSploit: Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2944  cbappendix.exe
  2944  cbappendix.exe