cobaltstrike | 015f6c70da31119e6b346ebf40b247cf0ff54b7b7b6a064353430769873855b8 | Triage

Sharing

General

Target

c92c145981f88c23fdd82cb81d055354_JaffaCakes118
Size

623KB
Sample

241205-yldc3syqet
MD5

c92c145981f88c23fdd82cb81d055354
SHA1

fc2a0e9c0bb79111879ae31bcc8d3eae9a6af857
SHA256

015f6c70da31119e6b346ebf40b247cf0ff54b7b7b6a064353430769873855b8
SHA512

5353930e8044f341841d642fd84b66929c30fbca13894079ec9a102183e107a63b696661c94d988afe2460cc1a21113393e4c924cedf547cb27ce25ad92da769
SSDEEP

12288:87T0pLWNX7Ru1DkREAuiJist8ibKRwc/qOna8el0:87TEC0iiniOiCR/qOn5eC

Score

10^/10

cobaltstrike 305419896 backdoor discovery trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://cacheapps.global.ssl.fastly.net:443/homes/for_sale/minneapolis/

Attributes

access_type
512
beacon_type
2048
dns_idle
1.34744072e+08
host
cacheapps.global.ssl.fastly.net,/homes/for_sale/minneapolis/
http_header1
AAAABwAAAAAAAAANAAAABQAAAAxmcm9tSG9tZVBhZ2UAAAAJAAAAC2dvdG89U2VhcmNoAAAACQAAAAlxc2JpdD1ubmIAAAAJAAAAGnNob3VsZEZpcmVTZWxsUGFnZUltPWZhbHNlAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAABwAAAAEAAAANAAAABQAAAA5mcm9tSG9tZVBhZ2VUbwAAAAkAAAAPZ290b3F1ZXJ5PVF1ZXJ5AAAACQAAAAtsaXN0aWQ9U2FsZQAAAAkAAAAKeXE9dG9zb3RvcAAAAAcAAAAAAAAADQAAAAUAAAAQc2hvdWxkRmlyZVNlbERBSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
GET
jitter
2560
maxdns
235
polling_time
60000
port_number
443
sc_process32
%windir%\syswow64\gpresult.exe
sc_process64
%windir%\sysnative\gpresult.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCIZJS4ZYjuNkh/VH7DIH4/k6ZyhegdMOZa4GAJl+R7pGWVWI+SjJtGzmtCPyGzAnUUVh6N14HBTJBxp6xXdERRcKnSYC+edReZMxx0UvePk4HxSWaaVJuU0ibj48jqNIe7Za7qS7loVXKpax5hAhvS3zPmkRSHKbSVaPdJMTqxyQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
2.551529472e+09
unknown2
AAAABAAAAAEAAAGjAAAAAgAAE/UAAAAIAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown3
1.610612736e+09
uri
/homes/for_sale/New_york/
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/82.0.991.00 Safari/537.36
watermark
305419896

Targets

- Target
  
  c92c145981f88c23fdd82cb81d055354_JaffaCakes118
- Size
  
  623KB
- MD5
  
  c92c145981f88c23fdd82cb81d055354
- SHA1
  
  fc2a0e9c0bb79111879ae31bcc8d3eae9a6af857
- SHA256
  
  015f6c70da31119e6b346ebf40b247cf0ff54b7b7b6a064353430769873855b8
- SHA512
  
  5353930e8044f341841d642fd84b66929c30fbca13894079ec9a102183e107a63b696661c94d988afe2460cc1a21113393e4c924cedf547cb27ce25ad92da769
- SSDEEP
  
  12288:87T0pLWNX7Ru1DkREAuiJist8ibKRwc/qOna8el0:87TEC0iiniOiCR/qOn5eC
Score

10^/10

cobaltstrike 305419896 backdoor discovery trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Cobaltstrike family
  cobaltstrike
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cobaltstrike305419896backdoordiscoverytrojan

behavioral2

cobaltstrike305419896backdoordiscoverytrojan