cobaltstrike | 5b579e53f60a2f5dcf1d29fd23a86d6efe3aba784f95165e1618db1ee1ace425

Analysis

max time kernel
140s
max time network
139s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c058d12469e9ae495c9bdd07dc025019_JaffaCakes118.exe
Size

686KB
MD5

c058d12469e9ae495c9bdd07dc025019
SHA1

04b285bef63b647b2d357c61727a50693948c418
SHA256

5b579e53f60a2f5dcf1d29fd23a86d6efe3aba784f95165e1618db1ee1ace425
SHA512

7993adfb7cf6de7c45a20d97716d525bd23c00c84d172b6f47f0787319d8a7e714d128e7fdd5c79ac3fefb7b34c7d751b433425219f8b67817edef927553ed5e
SSDEEP

6144:aoAC13YOw8pYc7uqMaYv1oga4JSkDulLITHb5:aSlY8KmuR7SkDAI

Score

10^/10

cobaltstrike 0 305419896 backdoor discovery trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

305419896

http://94.232.40.167:9338/visit.js

Attributes

access_type
512
host
94.232.40.167,/visit.js
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
polling_time
60000
port_number
9338
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvsrx1MajFB0Lntr9Q8LCjtPlOeJNk/ZX5uHHFaTtx9vdxHnI1roe44hAErcPmt4N8CSAuJhBIFZcFnxwtSo1OmyPZg2pJ5a3UBi9/dVqK3yMAJ0HZtRu2HgOcIxnKiGRJQXntGjIcCuNa3Z6QvEgQOaliL0l74RmN4CjIMNSkpQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
watermark
305419896

Extracted

Family

cobaltstrike

Botnet

Attributes

watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2664	cmd.exe
2928	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2928	PING.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2664	2028	c058d12469e9ae495c9bdd07dc025019_JaffaCakes118.exe	30
PID 2028 wrote to memory of 2664	2028	c058d12469e9ae495c9bdd07dc025019_JaffaCakes118.exe	30
PID 2028 wrote to memory of 2664	2028	c058d12469e9ae495c9bdd07dc025019_JaffaCakes118.exe	30
PID 2664 wrote to memory of 2928	2664	cmd.exe	32
PID 2664 wrote to memory of 2928	2664	cmd.exe	32
PID 2664 wrote to memory of 2928	2664	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\c058d12469e9ae495c9bdd07dc025019_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c058d12469e9ae495c9bdd07dc025019_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\system32\cmd.exe
  cmd.exe /c echo 1234567890 && ping -n 6 127.0.0.1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\system32\PING.EXE
    ping -n 6 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2028-0-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download
memory/2028-1-0x00000000004C0000-0x000000000050C000-memory.dmp

Filesize
304KB

Download
memory/2028-2-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2028-3-0x00000000004C0000-0x000000000050C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads