cobaltstrike | 1a1f96760887c076a2a656cd841b46bb2c24cf6f49545af26772cd6c7a652aea

Analysis

max time kernel
130s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c038e685bc79b14f7a8d021172fccb2_JaffaCakes118.dll
Size

96KB
MD5

6c038e685bc79b14f7a8d021172fccb2
SHA1

879eb98a697cfc932bf8b69356e3564d477c4567
SHA256

1a1f96760887c076a2a656cd841b46bb2c24cf6f49545af26772cd6c7a652aea
SHA512

22c10a461f581b0c4269aebdecb87fba8e1896a35771c0195f206b11c19a32f0316926cbfb9096c025fc71b13e8eb3f12c972577e64996e78d9c42d621e41152
SSDEEP

1536:DqN5DQW3dIw5z/c1CHDV2bTRrcuqjNnT3dPbxM/4xoT0dt+t:wNIwhkeMbTRAjjFKm4

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://opncloud.net:443/full-beta.crl

Attributes

user_agent
User-Agent: Microsoft-CryptoAPI /10.0 Accept-Encoding: identity Host: opncloud.net

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4444 reg.exe

pid	process
4444	reg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

regsvr32.execmd.exe

description	pid	process	target process
PID 2184 wrote to memory of 3648	2184	regsvr32.exe	cmd.exe
PID 2184 wrote to memory of 3648	2184	regsvr32.exe	cmd.exe
PID 3648 wrote to memory of 4444	3648	cmd.exe	reg.exe
PID 3648 wrote to memory of 4444	3648	cmd.exe	reg.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6c038e685bc79b14f7a8d021172fccb2_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\system32\cmd.exe
cmd.exe /c set ehlmjYTHBB=682 & reg add HKCU\SOFTWARE\ikOGWhMCdq /v gLPckSZwUoi /t REG_DWORD /d 3192 & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3648

C:\Windows\system32\reg.exe
reg add HKCU\SOFTWARE\ikOGWhMCdq /v gLPckSZwUoi /t REG_DWORD /d 3192
3⤵
- Modifies registry key
PID:4444

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2184-0-0x0000000001400000-0x0000000001401000-memory.dmp

Filesize
4KB

Download
memory/2184-1-0x000000006BAC0000-0x000000006BAE0000-memory.dmp

Filesize
128KB

Download