General
-
Target
a1cbb55f6316a7a7ef379e9b09802835_JaffaCakes118
-
Size
397KB
-
Sample
241126-n54dhaznhv
-
MD5
a1cbb55f6316a7a7ef379e9b09802835
-
SHA1
8a12b893d11dcf21da5c2ecdd4f4879406d4f848
-
SHA256
87b9a803fb991bd9e508b55bb01fb657e505d7bd077bc18ce13d0ea518f202fd
-
SHA512
e669e3eeebf6c72fda3ba4a20a1c5882ee6166fed120a5a00e8ae36ab8562586b40a3416cf8675a3665a6387e61c821d4ad63a9645d5a5e947efa3ffb6506af4
-
SSDEEP
6144:RWsKyc+w/50wpi+TafNEJrOuQVyX0Wglt1M/Nt+j2IVJ:Rhk+w/K+6xuQV80PP
Malware Config
Extracted
cobaltstrike
1627331580
http://rodeo.shoppond.com:443/api/messaging/read/46wjf9shdo33/events
-
access_type
512
-
beacon_type
2048
-
host
rodeo.shoppond.com,/api/messaging/read/46wjf9shdo33/events
-
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiBlbi1VUyxlbjtxPTAuNQAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAAPAAAAAwAAAAIAAAAGX3Nlc3M9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiBlbi1VUyxlbjtxPTAuNQAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAEAAAAPAAAADQAAAAUAAAAEY29udgAAAAcAAAAAAAAADQAAAAUAAAAGdXBkYXRlAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
8448
-
polling_time
45500
-
port_number
443
-
sc_process32
%windir%\syswow64\logman.exe
-
sc_process64
%windir%\sysnative\logman.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCWFGJRvOhUDntqq2p3Eas2qveYiUJa20VeX34i4BT/A+imTotd4BKZrqx5XD1qxhQ0BW6t/pFlN59bwpFpNWOYtjMvIgUjMAQvKgNaRxukuqdO/orXWEdlw2fpb+jb03tgNKnBxs/Vt9BJd1E0y8w6dogw02nJlzbGX8MHDZUIvwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
6.711296e+07
-
unknown2
AAAABAAAAA8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown3
1.610612736e+09
-
uri
/api/messaging/send/37dj4sh873h
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
-
watermark
1627331580
Targets
-
-
Target
a1cbb55f6316a7a7ef379e9b09802835_JaffaCakes118
-
Size
397KB
-
MD5
a1cbb55f6316a7a7ef379e9b09802835
-
SHA1
8a12b893d11dcf21da5c2ecdd4f4879406d4f848
-
SHA256
87b9a803fb991bd9e508b55bb01fb657e505d7bd077bc18ce13d0ea518f202fd
-
SHA512
e669e3eeebf6c72fda3ba4a20a1c5882ee6166fed120a5a00e8ae36ab8562586b40a3416cf8675a3665a6387e61c821d4ad63a9645d5a5e947efa3ffb6506af4
-
SSDEEP
6144:RWsKyc+w/50wpi+TafNEJrOuQVyX0Wglt1M/Nt+j2IVJ:Rhk+w/K+6xuQV80PP
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Cobaltstrike family
-
Suspicious use of SetThreadContext
-