General
-
Target
ca4c28da94badca2a6b3eb6dd575363e0cccdfc01db77d6ad10d15688d56a698
-
Size
484KB
-
Sample
240911-jvvldszekj
-
MD5
c85093a181cbec6816dc09c8ee35e338
-
SHA1
923fa0010bf2828d03d801a6fd64d78ab21355b2
-
SHA256
ca4c28da94badca2a6b3eb6dd575363e0cccdfc01db77d6ad10d15688d56a698
-
SHA512
0ea8d20ed02ec983e86b20f79160793a36399c7529da0af9948a7be8e7ac4f5d2d4fad0befb5cf3417bbd3409c67d40cf95973040eb819b2e6b577419a707753
-
SSDEEP
12288:OgHiT7mUJifMJV1dGzfNLPg29w5vUeDsvYpbyRcjTS:i71Jif2VoN19w5JXVjTS
Malware Config
Extracted
cobaltstrike
100000000
http://192.168.19.128:443/jquery-3.3.1.min.js
-
access_type
512
-
beacon_type
2048
-
host
192.168.19.128,/jquery-3.3.1.min.js
-
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAJX19jZmR1aWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
9472
-
polling_time
45000
-
port_number
443
-
sc_process32
%windir%\syswow64\dllhost.exe
-
sc_process64
%windir%\sysnative\dllhost.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0Uum3OeaFUNltaoTds/hVsvHB51wXxb/tTyPvBAi3EbkZoZhWBv389yPOyiNBzHSPELAsWq9Rr2EDDwJCxPuLT3VrC0nt92vXoIv1C+10QXQke8WbUYbkoG16dbtmLtiU+5arEXfXQtWeWm+0vWVe6aYWcrPjfa1wCvUmuwLsLwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4.234810624e+09
-
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/jquery-3.3.2.min.js
-
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
-
watermark
100000000
Targets
-
-
Target
ca4c28da94badca2a6b3eb6dd575363e0cccdfc01db77d6ad10d15688d56a698
-
Size
484KB
-
MD5
c85093a181cbec6816dc09c8ee35e338
-
SHA1
923fa0010bf2828d03d801a6fd64d78ab21355b2
-
SHA256
ca4c28da94badca2a6b3eb6dd575363e0cccdfc01db77d6ad10d15688d56a698
-
SHA512
0ea8d20ed02ec983e86b20f79160793a36399c7529da0af9948a7be8e7ac4f5d2d4fad0befb5cf3417bbd3409c67d40cf95973040eb819b2e6b577419a707753
-
SSDEEP
12288:OgHiT7mUJifMJV1dGzfNLPg29w5vUeDsvYpbyRcjTS:i71Jif2VoN19w5JXVjTS
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-