General

  • Target

    68cee0aa77911b98d7cdf22e177c05d8_JaffaCakes118

  • Size

    1.2MB

  • Sample

    240522-12qz8aaf61

  • MD5

    68cee0aa77911b98d7cdf22e177c05d8

  • SHA1

    d453439358ffdd5944ed65b8fd38381ea77a294f

  • SHA256

    3778737d251d8faff9386d8cf18fcdc25ad392b6f9ea9ed3baaf66bb96d54988

  • SHA512

    010cc6a87bab2186c78795c32105b0ec7d9aa108c247d54ec8cbfa9f1979c475bc4729478f2d9ac2557ee5e42f7184af1d8a8eed684d92e98e03cc7055424e4b

  • SSDEEP

    12288:9amsmGGEPZTRAisny9Zuf3m5yVNtELh8Mz3LRqVlVJGjoGSjkaHdawbyHHfWZt5y:mj+YE8ff2zy

Malware Config

Extracted

Family

cobaltstrike

Botnet

1258440321

C2

http://code.1static-images.com:5353/images/cliparts/c/3/0/7/Plain_Arrow_7.svg.hi.png

http://scripts.1static-images.com:5353/images/cliparts/c/3/0/7/Plain_Arrow_7.svg.hi.png

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • day

    7424

  • dns_idle

    1.39598111e+08

  • host

    code.1static-images.com,/images/cliparts/c/3/0/7/Plain_Arrow_7.svg.hi.png,scripts.1static-images.com,/images/cliparts/c/3/0/7/Plain_Arrow_7.svg.hi.png

  • http_header1

    AAAACgAAABlBY2NlcHQ6IGltYWdlL3BuZyxpbWFnZS8qAAAACgAAABlBY2NlcHQtTGFuZ3VhZ2U6IGVuLUdCLGVuAAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAKAAAAEFByYWdtYTogbm8tY2FjaGUAAAAKAAAAF0NhY2hlLUNvbnRyb2w6IG5vLWNhY2hlAAAACgAAABxIb3N0OiB3d3cuMXN0YXRpYy1pbWFnZXMuY29tAAAABwAAAAAAAAADAAAAAgAAAApQSFBTRVNTSUQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAcQ29udGVudC1UeXBlOiB0ZXh0L3BsYWludGV4dAAAAAoAAAAcSG9zdDogd3d3LjFzdGF0aWMtaW1hZ2VzLmNvbQAAAAcAAAAAAAAABQAAAAVpbWdpZAAAAAkAAAAKc3o9MTYweDYwMAAAAAcAAAABAAAAAwAAAAIAAAAvMFBORy4uSUhEUi4uc0JJVC58LmQucEhZcy6lVDz+Li4uLjruPC5JREFUJtls1NYAAAABAAAAKTH+RUQ9P6ruRMTXLi7QK+L062X9Jsb42Sv++XMu8S5xPy5JRU5ErkKjAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    1280

  • maxdns

    253

  • month

    1536

  • pipe_name

    \\%s\pipe\avagent-%x

  • polling_time

    30000

  • port_number

    5353

  • sc_process32

    %windir%\syswow64\dllhost.exe

  • sc_process64

    %windir%\sysnative\dllhost.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWoq3qrcZ9G+3vpZwpHmdhv59hL5KDed1yMgOOnRiJlOKrUJREsj1nOKvpTuGTlunKMvdKficLQfCT4NK58Wr2sGJdCE5x7KML9qoP39odmLlhl4Nvv8Ro4+GBQQT1JMGCD4JfGsxiNtBhLFhtVxNRmF0ZstTpGPht5lqiJCTCawIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4.066055424e+09

  • unknown2

    AAAABAAAAAEAAAFcAAAAAgAABT4AAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /images/cliparts/c/3/0/update.php

  • user_agent

    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 7.1; Trident/5.0)

  • watermark

    1258440321

  • year

    57863
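Worked decode of the http_header1 / http_header2 blobs, added here as an example; it is not part of the sandbox report and not the vendor's extractor. The blobs are Cobalt Strike Malleable C2 transform programs: a sequence of big-endian 32-bit opcodes, string arguments prefixed by a 32-bit length, build followed by a 32-bit target, terminated by opcode 0. The opcode numbering used below is the one used by the public beacon-config parsers (1768.py, CobaltStrikeParser) and is an assumption, the report does not state it. Decoded, the GET program places base64 metadata in a Cookie header as PHPSESSID=<base64>, and the POST program puts the session id in an imgid parameter and the base64 task output in the body wrapped in a fake PNG header and trailer; that is the traffic shape to hunt for behind the two C2 hostnames. The same block also re-reads the year, month, day and jitter fields: as printed (57863, 1536, 7424, 1280) they are not valid values, and swapping the two bytes of each gives 2018-06-29 and 5%, consistent with 16-bit big-endian storage in the beacon config. That reading is an inference from the printed values, not something the report states; port_number (5353, matching the C2 URLs) and polling_time (30000 ms) read correctly as printed.

```python
"""Decode the Malleable C2 transform blobs from the extracted beacon
config above. Added example, not part of the sandbox report."""
import base64
import struct

# Blobs copied verbatim from the http_header1 / http_header2 fields above.
HTTP_HEADER1 = "AAAACgAAABlBY2NlcHQ6IGltYWdlL3BuZyxpbWFnZS8qAAAACgAAABlBY2NlcHQtTGFuZ3VhZ2U6IGVuLUdCLGVuAAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAKAAAAEFByYWdtYTogbm8tY2FjaGUAAAAKAAAAF0NhY2hlLUNvbnRyb2w6IG5vLWNhY2hlAAAACgAAABxIb3N0OiB3d3cuMXN0YXRpYy1pbWFnZXMuY29tAAAABwAAAAAAAAADAAAAAgAAAApQSFBTRVNTSUQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAA=="
HTTP_HEADER2 = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAcQ29udGVudC1UeXBlOiB0ZXh0L3BsYWludGV4dAAAAAoAAAAcSG9zdDogd3d3LjFzdGF0aWMtaW1hZ2VzLmNvbQAAAAcAAAAAAAAABQAAAAVpbWdpZAAAAAkAAAAKc3o9MTYweDYwMAAAAAcAAAABAAAAAwAAAAIAAAAvMFBORy4uSUhEUi4uc0JJVC58LmQucEhZcy6lVDz+Li4uLjruPC5JREFUJtls1NYAAAABAAAAKTH+RUQ9P6ruRMTXLi7QK+L062X9Jsb42Sv++XMu8S5xPy5JRU5ErkKjAAAABAAAAAAAAA=="

# Opcode numbering follows the public beacon-config parsers (1768.py,
# CobaltStrikeParser); it is assumed here, the report does not state it.
TRANSFORM_OPS = {
    1: "append", 2: "prepend", 3: "base64", 4: "print", 5: "parameter",
    6: "header", 7: "build", 8: "netbios", 9: "const_parameter",
    10: "const_header", 11: "netbiosu", 12: "uri_append", 13: "base64url",
    14: "strrep", 15: "mask", 16: "const_host_header",
}
STRING_OPS = {1, 2, 5, 6, 9, 10, 12, 16}        # one length-prefixed string follows
BUILD_TARGETS = {False: {0: "metadata"},        # http-get blob
                 True: {0: "id", 1: "output"}}  # http-post blob


def _u32(data, pos):
    return struct.unpack_from(">I", data, pos)[0]


def _string(data, pos):
    n = _u32(data, pos)
    start = pos + 4
    # latin-1 keeps the non-printable bytes of the fake PNG framing intact
    return data[start:start + n].decode("latin-1"), start + n


def decode_transform(blob_b64, post=False):
    """Return [(op_name, arg), ...]: big-endian u32 opcodes, strings as
    u32 length + bytes, build followed by a u32 target, op 0 terminates."""
    data = base64.b64decode(blob_b64)
    steps, pos = [], 0
    while pos + 4 <= len(data):
        op = _u32(data, pos)
        pos += 4
        if op == 0:
            break
        name = TRANSFORM_OPS.get(op, "op%d" % op)
        if op in STRING_OPS:
            arg, pos = _string(data, pos)
        elif op == 14:                          # strrep carries two strings
            a, pos = _string(data, pos)
            b, pos = _string(data, pos)
            arg = (a, b)
        elif op == 7:
            which = _u32(data, pos)
            pos += 4
            arg = BUILD_TARGETS[post].get(which, str(which))
        else:
            arg = None
        steps.append((name, arg))
    return steps


def placements(steps):
    """Map each built field (metadata/id/output) to where it lands in the
    request and the encoding chain applied first; this is what a proxy or
    NSM rule has to match."""
    out, current, chain = {}, None, []
    for op, arg in steps:
        if op == "build":
            current, chain = arg, []
        elif current is None:
            continue                            # const_* before any build
        elif op in ("header", "parameter", "uri_append", "print"):
            out[current] = (op, arg, chain)
            current = None
        else:
            chain.append((op, arg))
    return out


def swap16(v):
    """Re-read a 16-bit field whose two bytes came out in the wrong order."""
    return ((v & 0xFF) << 8) | (v >> 8)


def kill_date(year, month, day):
    # Inference: 57863/1536/7424 are impossible as printed; swapped they
    # read 2018-06-29, consistent with big-endian shorts in the config.
    return "%04d-%02d-%02d" % (swap16(year), swap16(month), swap16(day))


if __name__ == "__main__":
    for label, blob, post in (("http-get", HTTP_HEADER1, False),
                              ("http-post", HTTP_HEADER2, True)):
        steps = decode_transform(blob, post)
        print(label)
        for op, arg in steps:
            print("   ", op, repr(arg) if arg is not None else "")
        print("    placements:", placements(steps))
    print("kill date:", kill_date(57863, 1536, 7424), "jitter %:", swap16(1280))
```

The placements() output is the part worth keeping: for this sample a GET to either C2 host carrying Cookie: PHPSESSID=<base64> with the listed Accept/Pragma/Cache-Control headers, and a POST to /images/cliparts/c/3/0/update.php with an imgid query parameter, sz=160x600, and a body that starts with the fake "0PNG" header, is the beacon check-in and task-result traffic to write proxy or NSM detections against.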

Targets

    • Target

      68cee0aa77911b98d7cdf22e177c05d8_JaffaCakes118

    • Size

      1.2MB

    • MD5

      68cee0aa77911b98d7cdf22e177c05d8

    • SHA1

      d453439358ffdd5944ed65b8fd38381ea77a294f

    • SHA256

      3778737d251d8faff9386d8cf18fcdc25ad392b6f9ea9ed3baaf66bb96d54988

    • SHA512

      010cc6a87bab2186c78795c32105b0ec7d9aa108c247d54ec8cbfa9f1979c475bc4729478f2d9ac2557ee5e42f7184af1d8a8eed684d92e98e03cc7055424e4b

    • SSDEEP

      12288:9amsmGGEPZTRAisny9Zuf3m5yVNtELh8Mz3LRqVlVJGjoGSjkaHdawbyHHfWZt5y:mj+YE8ff2zy

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Office macro that triggers on suspicious action

      Office document macro which triggers in special circumstances - often malicious.

    • Deletes itself

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks