cobaltstrike | 4feae868284998cf234f15613f01acb5f2e2b4cb428a165abd82d9b5f9fb5e19

General

Target

4feae868284998cf234f15613f01acb5f2e2b4cb428a165abd82d9b5f9fb5e19.exe
Size

881KB
MD5

4712e23412b1502a347c230dff6202cd
SHA1

2e8c6bebd47b77ad2fa5b0e9a95853655a1ec173
SHA256

4feae868284998cf234f15613f01acb5f2e2b4cb428a165abd82d9b5f9fb5e19
SHA512

acc504c225d1e803a30630fbe2d06be2f9326bd6361aec933186397635219caee68f9a44e827f295362eeb162e3ddd89ee948a33dc2945bd181484b24044885d
SSDEEP

12288:62Ru8fivEvfjuokZOXwe/uAflYC/Ge/iuGuCF2jze5r/TTQYBOA:6Ku8PfKTZOXwe/uAR/quOr1YEOA

Score

10^/10

cobaltstrike 100000000 backdoor discovery trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000000

C2

http://127.0.0.1:6443/js/jquery-3.3.1.min.js

Attributes

access_type
512
beacon_type
2048
host
127.0.0.1,/js/jquery-3.3.1.min.js
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
3000
port_number
6443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCfv7GErTrLbAar7TLZv91390uEtpo/rTpBPlU7eEZx1fNABBJiDs7CwLsIXtajWbvaV6EJmL0oab9eSGPZkGEHGwdgw01inIteAHKOBrzsaYNKClb63wt65/a4I5/v/k0J+uunqPZEej56aPfEB/NwTMN5qBXZ4LMZq38Bmbxj2QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.481970944e+09
unknown2
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/js/jquery-3.3.2.min.js
user_agent
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)
watermark
100000000

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2068	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2068	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2068	AcroRd32.exe
2068	AcroRd32.exe
2068	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2796	2720	4feae868284998cf234f15613f01acb5f2e2b4cb428a165abd82d9b5f9fb5e19.exe	31
PID 2720 wrote to memory of 2796	2720	4feae868284998cf234f15613f01acb5f2e2b4cb428a165abd82d9b5f9fb5e19.exe	31
PID 2720 wrote to memory of 2796	2720	4feae868284998cf234f15613f01acb5f2e2b4cb428a165abd82d9b5f9fb5e19.exe	31
PID 2796 wrote to memory of 2068	2796	cmd.exe	33
PID 2796 wrote to memory of 2068	2796	cmd.exe	33
PID 2796 wrote to memory of 2068	2796	cmd.exe	33
PID 2796 wrote to memory of 2068	2796	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\4feae868284998cf234f15613f01acb5f2e2b4cb428a165abd82d9b5f9fb5e19.exe
"C:\Users\Admin\AppData\Local\Temp\4feae868284998cf234f15613f01acb5f2e2b4cb428a165abd82d9b5f9fb5e19.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\system32\cmd.exe
  "cmd" /c start /B C:\Users\Admin\AppData\Local\Temp\xxx简历.pdf
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\xxx简历.pdf"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xxx简历.pdf

Filesize
90KB

MD5
25edc4989b30b72d8ca97fdfa9fee142

SHA1
abc65c628ec624eebddcb5ca3e94c77fe450d8c2

SHA256
a91993040af3567d08d84a4892d7dbd5793d92fc126c14c149a4077c8c519a61

SHA512
de59bd19019de0c07064187e17ac4c1fac689e8a93879c302403d1cbb6d242c00f886d6827c9e86a13c258aeb3b9d30915a9dd5d3d0be2755fd77ace50300d03

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
96d64a84d25e67fc5a93c6b91a462a6b

SHA1
192df8407a7f2504fe344bcadc27a83b8fb518f0

SHA256
17e2612c488e6961a0e1b767e4bc7a928c6a060b4dbfbd42f42f9441c02510e4

SHA512
87dd6f05dd1eccd8f7625b04afbd012b0c99981612ba3631c9b77034650f2e12c868cac6a80b9bb678fb768dac150fed6c13a1bb390fbbf0c1eacf159b56c0a3

Download Submit
memory/2720-2-0x00000000000D0000-0x0000000000111000-memory.dmp

Filesize
260KB

Download
memory/2720-4-0x0000000000120000-0x000000000016F000-memory.dmp

Filesize
316KB

Download
memory/2720-43-0x0000000000120000-0x000000000016F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing