General

  • Target

    new-简历.zip

  • Size

    183KB

  • Sample

    240724-k9xjzayclp

  • MD5

    bce4b66ee902743747218464a591bfe1

  • SHA1

    6436cb1b157dbca99fa4873fb605725dcffc4343

  • SHA256

    8350b8ef0417e5b7814c387288b7df8962a13a20d1626efaaf9ceccba1bd0bf1

  • SHA512

    d19791c9f3bd48bce02a9fc2748b25754d58976828ce05f65fa1cb5b7b1acde904969020a000119b67501b45148bf50b17019fbf1cdd0cd576d99978a05b61e3

  • SSDEEP

    3072:tBErCdVxGft4Yhg7VzgoGVNnDua3bNr6J8v79D7hU8p84SVZfSRpYXhZOOpeb95P:LE4Vxk47Vzgom1PrAQ7FVUruAbYb90S

Malware Config

Extracted

Family

cobaltstrike

C2

http://cdn.ipv6ipts.com:2087/jquery-3.3.2.slim.min.js

Attributes
  • user_agent

    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Host: cdn.ipv6ipts.com Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

Extracted

Family

cobaltstrike

Botnet

100000000

C2

http://cdn.ipv6ipts.com:2087/jquery-3.3.1.min.js

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    cdn.ipv6ipts.com,/jquery-3.3.1.min.js

  • http_header1

  • http_header2

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9472

  • polling_time

    45000

  • port_number

    2087

  • sc_process32

    %windir%\syswow64\dllhost.exe

  • sc_process64

    %windir%\sysnative\dllhost.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCI5WtxqQdX5dCeyUhn8mtxlpU5Ngvsm3PJBITh24stQL8PMuY/FCQj3X1y+vOZXQwT6sQ60qJYci30GVpHSy6p+/E3plLUAYEdeiwIvIavPLwkp8QBotbY/5Kzzs/yCXtc6S+0DeByu8krVF7NyCt91e5tFQNx6GaDMZFUxnNL8wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4.234810624e+09

  • unknown2

    AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /jquery-3.3.2.min.js

  • user_agent

    Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

  • watermark

    100000000

Targets

    • Target

      简历/main.jpg

    • Size

      1KB

    • MD5

      275239236ccb783aaa7346fae1b6e929

    • SHA1

      f2c0aed2872a3d6b4a815642b12416446718b60d

    • SHA256

      cfe82ccf6f301988cf61849d475672644976a642d14fcd8a3633665686cbb7f1

    • SHA512

      b1810ca21aa081f6005d2e1f2cf982722ba2cf158c996c69daf4c6f3066cf1188d5f84afeaff315ccacae286e191bd9a191fe69f83a12f4cd7ac7e88e14c6051

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      简历/pic.gif

    • Size

      200KB

    • MD5

      a54071c21b0a21cf41ad9581d9c777da

    • SHA1

      bb91de85829a66cbe466c1085b1edcb6e09c3d9c

    • SHA256

      3f7366ba8abab9f4c0a4de588cbf1dc47b63f5c60549165c57652a22bb7b844f

    • SHA512

      05f7fc1faa1552f4d52f6d6326198618848c4e55e2960bcdec1fec79c977004e092af4bf35ac6a8da3b87b2667bf3727c34c1025ece151ab781521ad476296d7

    • SSDEEP

      6144:iovUSG1zgo4jGzr+Q7DDBva2vKP90Cb9W:NvUSno40+MBC2ylppW

    • Score

      3/10

    • Target

      简历/简历.lnk

    • Size

      2KB

    • MD5

      02bdfa20126332a8f2276f6636d97f39

    • SHA1

      8d014e2333bcfed17dfc6a50c54ffc84d4e2155a

    • SHA256

      1b767ac81894efefd5def83692106e6b2b63f22378a438f4b923edade16f51ae

    • SHA512

      8303a8b1879677370a5960fb57d220ca6c2a1663d22ee81120b78a8e26f2eeb4a3ac669692c9c8d2c84be6ac218d2499f14010c0bd69a711464ebce84953fd63

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks