cobaltstrike

General

Target

deaf4a4861c73bf31b02baefdb15d99c_JaffaCakes118
Size

220KB
Sample

240913-xeh5basgle
MD5

deaf4a4861c73bf31b02baefdb15d99c
SHA1

7dd451b04d713c55b6adfb0dd65daa900337d807
SHA256

5e64039561c03a0af6a96ae348d8b57515fdc9e234ad8809e5cd311a69377bae
SHA512

c778328edadce01ef7b3e7ba80718fe15829e9d474d18c7d28b8ed07626f9764581f4e3b7fd8247fa71090ee9e6c89b5f6a17df8447d615aa7bcc343efe37938
SSDEEP

3072:T/QPFX1eqEfuBNSYuiM8CNj8hFsoMX0ghsJRgCD3iFw9jdUmZ5rP:T/MEfuN0t8C5oFsoeRM3o0jpX

Score

10^/10

Malware Config

Extracted

Family

cobaltstrike

Botnet

922183268

C2

http://ajax.microsoft.com:443/c/msdownload/update/1930155_

Attributes

access_type
512
beacon_type
2048
host
ajax.microsoft.com,/c/msdownload/update/1930155_
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAABAAAAAlSG9zdDogY29udGVudC10cmFja2VyczIuYXp1cmVlZGdlLm5ldAAAAAoAAAAVWC1Bc3BuZXQtVmVyc2lvbjogMS4zAAAABwAAAAAAAAANAAAAAQAAAAQuY2FiAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAABAAAAAlSG9zdDogY29udGVudC10cmFja2VyczIuYXp1cmVlZGdlLm5ldAAAAAoAAAAVWC1Bc3BuZXQtVmVyc2lvbjogMS4zAAAABwAAAAAAAAACAAAABlVBLTIyMAAAAAEAAAACLTIAAAAFAAAABXV0bWFjAAAABwAAAAEAAAANAAAAAQAAAAQuY2FiAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
POST
http_method2
POST
jitter
5120
polling_time
60000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdhSmNi7p+0zSNEuquIktBUtSRqxyog2WtT9wJvGIn5+qWNtVnnO70BCiSqQ9jtM41APWqyamHV8AnDu8+G9Cm8Xvtlv71dmKQgpqPGx8I9HW7KpWw85Qt52KMlFMW/K7eIa8LKslpPaeLTYbV0kUldDeHCyPncGzFRs6M8Xc8QQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown3
1.610612736e+09
uri
/c/msdownload/update/1534335_
user_agent
Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40
watermark
922183268

Targets

- Target
  
  deaf4a4861c73bf31b02baefdb15d99c_JaffaCakes118
- Size
  
  220KB
- MD5
  
  deaf4a4861c73bf31b02baefdb15d99c
- SHA1
  
  7dd451b04d713c55b6adfb0dd65daa900337d807
- SHA256
  
  5e64039561c03a0af6a96ae348d8b57515fdc9e234ad8809e5cd311a69377bae
- SHA512
  
  c778328edadce01ef7b3e7ba80718fe15829e9d474d18c7d28b8ed07626f9764581f4e3b7fd8247fa71090ee9e6c89b5f6a17df8447d615aa7bcc343efe37938
- SSDEEP
  
  3072:T/QPFX1eqEfuBNSYuiM8CNj8hFsoMX0ghsJRgCD3iFw9jdUmZ5rP:T/MEfuN0t8C5oFsoeRM3o0jpX
Score

10^/10

cobaltstrike 922183268 backdoor discovery trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
behavioral1 behavioral2