cobaltstrike | b6f640a14cc416e366e9bf899481fd6a_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

b6f640a14cc416e366e9bf899481fd6a_JaffaCakes118
Size

236KB
MD5

b6f640a14cc416e366e9bf899481fd6a
SHA1

168a9694917422f0bf77aa0f8c2fccfd7aefde8d
SHA256

fb97a028760cf5cee976f9ba516891cbe784d89c07a6f110a4552fc7dbfce5f4
SHA512

334ef0f35c8ab47013efae30f24ab5751f6cdd367624226ca77b84e8b02c342e53f4a3e19080274109194bfd4002dd63216ebd024546012a57bc21de055263d1
SSDEEP

3072:CBYelJ7Rsf1I34Vc1VwXo+meRY+OJT215VFTkzWiiJ/a2UWzxYJ8jgEBVvv0:CBYelnoVewgV7QTkq/la2UW1IMVX

Score

10^/10

0 cobaltstrike

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://updatesupermaster.info:443/dpixel

http://93.113.131.162:443/ga.js

Attributes

beacon_type
2048
host
updatesupermaster.info,/dpixel,93.113.131.162,/ga.js
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
60000
port_number
443
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCEebq+4PL5n/BCjIoX5KVAbqqzFHHELNlq/vOwCFDYDqc7O7Rmp3qTRDlidnTNAxiHdvWnEzx78We8vDU+BlvxqmygY2LJe2U65GOIJ9kyN3ItBgyaJ9Gs8TXynB5WPhafCYdsYQLSXbHlB4Q4t+J6f8ES0+0JOZpZSvPvE7Y/WQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
watermark
0

Signatures

Cobaltstrike family
cobaltstrike

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
b6f640a14cc416e366e9bf899481fd6a_JaffaCakes118

Files

b6f640a14cc416e366e9bf899481fd6a_JaffaCakes118
.dll windows:5 windows x64 arch:x64

b1acfa09fbd0e487edb4211292bbce2e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

kernel32

CreateRemoteThread
WriteProcessMemory
GetWindowsDirectoryA
FreeLibrary
SetLastError
CreateToolhelp32Snapshot
SetNamedPipeHandleState
PeekNamedPipe
WaitNamedPipeA
LocalAlloc
LocalFree
GetComputerNameA
TerminateProcess
ProcessIdToSessionId
Process32First
Process32Next
SystemTimeToTzSpecificLocalTime
FindClose
GetLogicalDrives
GetFullPathNameA
GetVersionExA
CreateNamedPipeA
GetModuleHandleA
ConnectNamedPipe
ReadFile
GetCurrentThread
CreateThread
GetCurrentProcess
GetProcAddress
CreateFileA
GetCurrentDirectoryW
GetCurrentDirectoryA
SetCurrentDirectoryA
GetEnvironmentVariableA
GetStartupInfoA
OpenProcess
DisconnectNamedPipe
CreatePipe
CloseHandle
SetFileTime
GetFileTime
FlushFileBuffers
WriteFile
WaitForSingleObject
GetLastError
GetTickCount
GetLocalTime
Sleep
SetEndOfFile
CreateFileW
VirtualQuery
WriteConsoleW
SetStdHandle
GetStringTypeW
LCMapStringW
GetCurrentProcessId
HeapReAlloc
HeapSize
OutputDebugStringW
LoadLibraryW
RaiseException
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetModuleFileNameA
RemoveDirectoryW
CreateDirectoryW
DeleteFileW
GetFileType
SetFilePointerEx
SetFilePointer
ReadConsoleW
GetConsoleMode
VirtualAllocEx
FindNextFileA
FindFirstFileA
GetFileAttributesA
CreateProcessA
FileTimeToSystemTime
GetConsoleCP
WideCharToMultiByte
GetProcessHeap
GetCPInfo
EncodePointer
DecodePointer
ExitProcess
GetModuleHandleExW
AreFileApisANSI
MultiByteToWideChar
HeapFree
HeapAlloc
IsDebuggerPresent
IsProcessorFeaturePresent
GetCommandLineA
GetCurrentThreadId
GetSystemTimeAsFileTime
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
GetModuleHandleW
GetStdHandle
GetModuleFileNameW
LoadLibraryExW
RtlUnwindEx
IsValidCodePage
GetACP
GetOEMCP

advapi32

CryptGenRandom
CryptReleaseContext
CryptAcquireContextA
CheckTokenMembership
DuplicateTokenEx
LogonUserA
LookupAccountSidA
FreeSid
AllocateAndInitializeSid
GetTokenInformation
RevertToSelf
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
GetUserNameA
QueryServiceStatusEx
OpenServiceA
ControlService
ImpersonateLoggedOnUser
LookupPrivilegeValueA
AdjustTokenPrivileges
OpenThreadToken
OpenProcessToken
ImpersonateNamedPipeClient
StartServiceA
QueryServiceStatus
OpenSCManagerA
DeleteService
CreateServiceA
CloseServiceHandle
CreateProcessWithTokenW
CreateProcessWithLogonW
CreateProcessAsUserA

wininet

InternetCloseHandle
InternetConnectA
InternetReadFile
InternetQueryDataAvailable
InternetQueryOptionA
InternetSetOptionA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
InternetOpenA

ws2_32

ntohs
socket
send
htons
__WSAFDIsSet
closesocket
WSACleanup
WSAStartup
gethostname
inet_ntoa
ntohl
htonl
accept
bind
ioctlsocket
listen
recv
select
shutdown
WSAGetLastError
inet_addr
connect
gethostbyname

dnsapi

DnsQuery_A
DnsFree

iphlpapi

GetIfEntry
GetIpAddrTable

secur32

LsaConnectUntrusted
LsaCallAuthenticationPackage
LsaLookupAuthenticationPackage

Exports

Exports

ReflectiveLoader

Sections

.text
Size: 152KB - Virtual size: 152KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 61KB - Virtual size: 61KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 10KB - Virtual size: 72KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

b1acfa09fbd0e487edb4211292bbce2e

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

advapi32

wininet

ws2_32

dnsapi

iphlpapi

secur32

Exports

Exports

Sections

.text Size: 152KB - Virtual size: 152KB

.rdata Size: 61KB - Virtual size: 61KB

.data Size: 10KB - Virtual size: 72KB

.pdata Size: 7KB - Virtual size: 6KB

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 4KB - Virtual size: 3KB

.text
Size: 152KB - Virtual size: 152KB

.rdata
Size: 61KB - Virtual size: 61KB

.data
Size: 10KB - Virtual size: 72KB

.pdata
Size: 7KB - Virtual size: 6KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 4KB - Virtual size: 3KB