cobaltstrike | 4966995948c5710a64d5c8f8d2647077b5caddcd172a0ff49c9b918f687a575b | Triage

Sharing

General

Target

da6f1dabce9dbefb31cf2304265cac72_JaffaCakes118
Size

278KB
Sample

240911-qmhp7aselr
MD5

da6f1dabce9dbefb31cf2304265cac72
SHA1

6c50e56261c7548ef49058b33467f31a9004c89c
SHA256

4966995948c5710a64d5c8f8d2647077b5caddcd172a0ff49c9b918f687a575b
SHA512

974773f84d4e319ca77615b3bfd65d14375a5f4ed1131adda5bfe45f68bfc0072f71ad63265aa9ff008a9771e72df84684008a11cbaf1e9afa338344d23e099c
SSDEEP

6144:VVcy1IYDj01I8b/2Hn6hk+53tUZkbMVMBajKvbannnZy:VGCI2j0egJkU3kkgV5jKvb

Score

10^/10

cobaltstrike 0 backdoor discovery trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://3.3.3.3:89/___utm.gif

Attributes

access_type
256
create_remote_thread
768
host
3.3.3.3,/___utm.gif
http_header1
AAAACQAAABJ1dG1hYz1VQS0yMjAyNjA0LTIAAAAJAAAAB3V0bWNuPTEAAAAJAAAAEHV0bWNzPUlTTy04ODU5LTEAAAAJAAAAD3V0bXNyPTEyODB4MTAyNAAAAAkAAAAMdXRtc2M9MzItYml0AAAACQAAAAt1dG11bD1lbi1VUwAAAAoAAAAbaG9zdDogUWJhbGxSVC5henVyZWVkZ2UubmV0AAAABwAAAAAAAAANAAAAAgAAAAZfX3V0bWEAAAAFAAAABXV0bWNjAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAABwAAAAAAAAACAAAABlVBLTIyMAAAAAEAAAACLTIAAAAFAAAABXV0bWFjAAAACQAAAAd1dG1jbj0xAAAACQAAABB1dG1jcz1JU08tODg1OS0xAAAACQAAAA91dG1zcj0xMjgweDEwMjQAAAAJAAAADHV0bXNjPTMyLWJpdAAAAAkAAAALdXRtdWw9ZW4tVVMAAAAKAAAAG2hvc3Q6IFFiYWxsUlQuYXp1cmVlZGdlLm5ldAAAAAcAAAABAAAADQAAAAIAAAAGX191dG1hAAAABQAAAAV1dG1jYwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
GET
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
89
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCWcQk6EBdEzEZedItvAqhlutbDOFlMiCnFlJ/hVvOnlgAti7Ajc7nBIIglO8czXsKebovdn1SgQlYmc8Uz33yhGK/eDoUFa087YJPocDsul8Jry3oUMHsvq+U8YCT5GvAq7E9bU1QUK/w7AVIQ82fWGRzOABvMPgtNV+7G0ZYgmwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
6.71092736e+08
unknown2
AAAABAAAAAIAAAAPAAAAAgAAAA8AAAACAAAACgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown3
1.610612736e+09
uri
/__utm.gif
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MALC)
watermark
0

Targets

- Target
  
  da6f1dabce9dbefb31cf2304265cac72_JaffaCakes118
- Size
  
  278KB
- MD5
  
  da6f1dabce9dbefb31cf2304265cac72
- SHA1
  
  6c50e56261c7548ef49058b33467f31a9004c89c
- SHA256
  
  4966995948c5710a64d5c8f8d2647077b5caddcd172a0ff49c9b918f687a575b
- SHA512
  
  974773f84d4e319ca77615b3bfd65d14375a5f4ed1131adda5bfe45f68bfc0072f71ad63265aa9ff008a9771e72df84684008a11cbaf1e9afa338344d23e099c
- SSDEEP
  
  6144:VVcy1IYDj01I8b/2Hn6hk+53tUZkbMVMBajKvbannnZy:VGCI2j0egJkU3kkgV5jKvb
Score

10^/10

cobaltstrike 0 backdoor discovery trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cobaltstrike0backdoordiscoverytrojan

behavioral2

cobaltstrike0backdoordiscoverytrojan