General

  • Target

    6b6ebf1923001878daa1fbf09640655c_JaffaCakes118

  • Size

    219KB

  • Sample

    240523-s5szzsga6z

  • MD5

    6b6ebf1923001878daa1fbf09640655c

  • SHA1

    d0c22d0277cea08f176d3b0e0cb030947e21851c

  • SHA256

    fc4c45524b459ee65fff5e9bc484cb1209cf89cff5e9e5a534d439533a95ceed

  • SHA512

    c195f8e15b63b9dfc4d890c79545450309080bbaed618a42faa428877b01562a5db25644615ce442cc2560739fec9b14b8036bea7ed144b48ef5e0581a969149

  • SSDEEP

    6144:8m168FmCFsPeN8fdoIg4j5T0MJHYV1o6ckOnNyjtnlQ:8iwvmN8fKl4j5AMJ13k+NulQ

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://103.140.238.125:443/directory/all/tags/dcf598ca-b5de-47d4-af33-ecabe9eaeee1

Attributes
  • access_type

    512

  • beacon_type

    2048

  • dns_sleep

    2.68468224e+09

  • host

    103.140.238.125,/directory/all/tags/dcf598ca-b5de-47d4-af33-ecabe9eaeee1

  • http_header1

    AAAACQAAAAlvZz1hcHBfaWQAAAAQAAAAE0hvc3Q6IHd3dy50d2l0Y2gudHYAAAAKAAAAIEFjY2VwdDogdGV4dC9wbGFpbjtjaGFyc2V0PVVURi04AAAACgAAABZBY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTAAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAHAAAAAAAAAA0AAAACAAAACktpbU5lNzhLY3gAAAABAAAADTZ3S2k1ZlhBcDMxa28AAAAGAAAACUNsaWVudC1JZAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAAEAAAABNIb3N0OiBncWwudHdpdGNoLnR2AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAABAAAAAwAAAAIAAAAeInF1ZXJ5IjoiY3Mgb25saW5lIiwib3B0aW9ucyI6AAAAAQAAAB4sImV4dGVuc2lvbnMiOiJwZXJzaXN0ZWRRdWVyeSIAAAAEAAAABwAAAAAAAAANAAAAAgAAAA82MFUycjNySVloSDZ6aS0AAAABAAAAFC1DNnMyd08waFNZU2tvZ2hLUT09AAAABgAAAAlDbGllbnQtSWQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    6144

  • maxdns

    244

  • polling_time

    63141

  • port_number

    443

  • sc_process32

    %windir%\syswow64\mfpmp.exe

  • sc_process64

    %windir%\sysnative\mfpmp.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCNhBzcit/pmBVAe4IwGwtIADckSNF/F9EmZgXqGW+PWWQ7mAicB1pieRhSfoJwgPGsj8H5+fE1YfgVgalNRGbGqByhw4GfTv0bbeLr0oqNmUP/pP6TLaAcgV0EP0rFGUdDDXI/RHXAIor7jCGC0vfnQ9mrjtbIN99tWb+YYW8pbQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    1.645355008e+09

  • unknown2

    AAAABAAAAAEAAAY4AAAAAgAADCoAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /gql

  • user_agent

    Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36

  • watermark

    0
