General

  • Target

    China's_gray_zone_warfare_against_Taiwan.doc.lnk .zip

  • Size

    3.5MB

  • Sample

    240719-ppn5ba1dpn

  • MD5

    dfaf0fecf79428852b0b685cbdbe039f

  • SHA1

    63392f6dd62c7c63b11cf2ae1631af4681d53074

  • SHA256

    1fcd696c75e9dea9ab04213e2a7925aa18198e30afd99cf3bd0eb01b6ebcbc88

  • SHA512

    9c253e806a01ef1e4ed9ae6e3220a035aa5c664440823cf2d59b748cd2254ae111e52f8bb87c0693fc7da6438462501ccbc158b8905a167c6b1b1c3f09e4a29f

  • SSDEEP

    98304:NZlS3xs1yrxPfuTyRHE/lNAUs8Huc8fg7WBG+:NXSi1KP0yRslJsZUWg+

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000000

C2

http://upserver.updateservice.store:443/common.html

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    upserver.updateservice.store,/common.html

  • http_header1

    AAAAEAAAACJIb3N0OiB1cHNlcnZlci51cGRhdGVzZXJ2aWNlLnN0b3JlAAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAcAAAAAAAAACwAAAAMAAAACAAAAA2x1PQAAAAYAAAAGQ29va2llAAAACQAAAAt2ZXJpZnk9dHJ1ZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAAEAAAACJIb3N0OiB1cHNlcnZlci51cGRhdGVzZXJ2aWNlLnN0b3JlAAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAAvQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQAAAAHAAAAAQAAAAMAAAADAAAAAgAAAAhhdXRob3JzPQAAAAQAAAAHAAAAAAAAAAMAAAACAAAADl9fc2Vzc2lvbl9faWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9472

  • polling_time

    58666

  • port_number

    443

  • sc_process32

    %windir%\syswow64\svchost.exe

  • sc_process64

    %windir%\sysnative\svchost.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdQ5nVpJ13O9CwiQRtLOdTAwGg6oj4mvtVqZvCbSy9YyU3ngZSDBgmWjSMwrTqMvvKUr5RvigK1N00xTGT4LVtDESUaUvyGU79G24yPaF5rUOJjnAIRazosjB87DvXbI6k45HQsVyZD7wgEXnKFmv3E0Tk9ti5G0eVOKL5tqdS5QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    6.1158912e+08

  • unknown2

    AAAABAAAAAIAAAJYAAAAAwAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /r-arrow

  • user_agent

    Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1; Microsoft; RM-1152) AppleWebKit/537.36 (KHTML, like Gecko)

  • watermark

    100000000

Targets

    • Target

      China's_gray_zone_warfare_against_Taiwan.doc.lnk

    • Size

      1.4MB

    • MD5

      6f7d85c196c277a6a619f6d94b8f69b9

    • SHA1

      530c0833454ca14c01af28961239cb07f783d977

    • SHA256

      2fa270cf83b341bc469b0d4430d2b5c3e95109b4b47f4f99c9e878aeaff8ec33

    • SHA512

      6bf3761c2157957d5f3349864b4905cf5f2d12f4aa1a78b5aa899de4e9a57544dabcafaf204443f2a85ca2041c94f3ecc95818445885b959b7fbf0bbd2a26f41

    • SSDEEP

      24576:yfxwTgCX64xkh3Rj8PVWNvBIIqZGjEbiyiqWwwwDT2VmpoovXoHDImimX6fTG5XF:4

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      China_paper.pdf.lnk

    • Size

      1.7MB

    • MD5

      b04d484d1e1d793b04af2a5fb88a8a57

    • SHA1

      e25ca637223300856f721d2d894589644069e2f8

    • SHA256

      b7afa2662f99edcda4be8539fcc6149176f3cb241a724932cadda4088ca695ea

    • SHA512

      93092c56d381c6ae2f1526c91f1221824f6a135ef9515e37f64c483a265dd2a38155c966582d055a57e19a92ca38d4b4ae71fdd50edb079af5b279be96d9a3aa

    • SSDEEP

      24576:5E4WChcawAdDbiNyhMgM/tyBMZBRKqOr8UHJt7aOefLDDlzWCFQYGsncMs03bdkA:C

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      __MACOS/_params.cat.js

    • Size

      1.4MB

    • MD5

      5acef2454ed89c4ea4453b5110e88023

    • SHA1

      704729e91c09bf8c9ece3d477af1a9f7bb1f4744

    • SHA256

      32dda71e75546bed9c3032a139fb1ef8d1b05e35f26bccb568cebbae76db7f01

    • SHA512

      c7db5cea6dc13467beece885b52e5803f0147359e4522e355b270af7a8fd23a63d0033380ecdce871051ab1a3d9087b74cccfdfc044db60fe40e411e6ad3398a

    • SSDEEP

      24576:NfxwTgCX64xkh3Rj8PVWNvBIIqZGjEbiyiqWwwwDT2VmpoovXoHDImimX6fTG5X9:9

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      __MACOS/_params2.cat.js

    • Size

      1.7MB

    • MD5

      dee63329fa6efe64693d90a54585cff0

    • SHA1

      4072887f7f5a706b1986df229d4b3fe4bfe1f209

    • SHA256

      22b2d9c5d3aa575283bc0afc60df5fb8720c384bd7040ca6e4e42491b5fefcde

    • SHA512

      573f524deee9ac23c8b962c1394c9d7c2d885cf1127afa172b5d48da2ff45667a6e204f90aaf2dd5e12dab907f83d7458a959565700c45191ade2fda8e684232

    • SSDEEP

      24576:OE4WChcawAdDbiNyhMgM/tyBMZBRKqOr8UHJt7aOefLDDlzWCFQYGsncMs03bdkS:d

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks