General

  • Target

    wsus.exe

  • Size

    3.3MB

  • Sample

    240514-xf5ppsbe25

  • MD5

    b6680e15c4f36e7b75fc6676bc911667

  • SHA1

    ac47aa570a47e035fc72e15573521f5ad93433fa

  • SHA256

    baa50dbdb108e1769c5b0beff7462ea7deb8fd37782a49f0911619bc51d42105

  • SHA512

    b3cedd9502b40014d31c3c47a639dce50fa6132f2c5ef444e2d56eef268d82c39d7251af40f3e3eda9b12fc410bbcc3ba034b6008acb156ff1b02fd4be0b888d

  • SSDEEP

    49152:GR9xkSPZ/KeerFSJvQVdXbqYBNr5BC7+wNBVVp5HKEsHd6q5zF51Ol4P/fROAbRU:TFNrTQTVVoHV5zL3MArU2S

Malware Config

Extracted

Family

cobaltstrike

Botnet

12345

C2

http://zziveastnews.com:443/map.jpgv

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    zziveastnews.com,/map.jpgv

  • http_header1

    AAAAEAAAABZIb3N0OiB6eml2ZWFzdG5ld3MuY29tAAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAATQWNjZXB0OiBpbWFnZS94LXBuZwAAAAoAAAAYQWNjZXB0LUVuY29kaW5nOiBkZWZsYXRlAAAABwAAAAAAAAAPAAAAAwAAAAIAAAAFdXVpZD0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAAEAAAABZIb3N0OiB6eml2ZWFzdG5ld3MuY29tAAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAAYQ29udGVudC1UeXBlOiB0ZXh0L3BsYWluAAAABwAAAAEAAAALAAAAAwAAAAQAAAAHAAAAAAAAAAMAAAACAAAADl9fc2Vzc2lvbl9faWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    8448

  • polling_time

    43

  • port_number

    443

  • sc_process32

    %windir%\syswow64\gpupdate.exe

  • sc_process64

    %windir%\sysnative\gpupdate.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2jAl4/r4IQxEmxC1UNgiW6cGfjQcNftIsoCpl7cFEKmif+MAqsBfttyPBjb9dY86R7EXkT1MhJgR7DmvoTw90pLpSkrQUmhWkqRdN9qBwlflgeL8knPqQ+g00HqsU54iTPWSzM8lCjfDeHdPJrI9C/BZ5iDuSj+8wafkJyWPcPwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    7.8457344e+07

  • unknown2

    AAAABAAAAAIAAAJYAAAAAwAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /rapidiously

  • user_agent

    Mozilla/5.0 (Linux; Android 11; SM-A715F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.74 Mobile Safari/537.36

  • watermark

    12345

Targets

    • Target

      wsus.exe

    • Size

      3.3MB

    • MD5

      b6680e15c4f36e7b75fc6676bc911667

    • SHA1

      ac47aa570a47e035fc72e15573521f5ad93433fa

    • SHA256

      baa50dbdb108e1769c5b0beff7462ea7deb8fd37782a49f0911619bc51d42105

    • SHA512

      b3cedd9502b40014d31c3c47a639dce50fa6132f2c5ef444e2d56eef268d82c39d7251af40f3e3eda9b12fc410bbcc3ba034b6008acb156ff1b02fd4be0b888d

    • SSDEEP

      49152:GR9xkSPZ/KeerFSJvQVdXbqYBNr5BC7+wNBVVp5HKEsHd6q5zF51Ol4P/fROAbRU:TFNrTQTVVoHV5zL3MArU2S

MITRE ATT&CK Matrix

Tasks