General

  • Target

    JaffaCakes118_88cfede42188d89c02902431f688fd90b5947eb2155f6b40a1f75f3cfc010e2b

  • Size

    7.0MB

  • Sample

    241230-chxfwstqgs

  • MD5

    891ec166da139cd00c0342441c18e055

  • SHA1

    ed3b9c99e70d9076d208022c412e30987d357613

  • SHA256

    88cfede42188d89c02902431f688fd90b5947eb2155f6b40a1f75f3cfc010e2b

  • SHA512

    b02bbd40525574967f2881d6d85626c9b872a7430365642777db0c11fc910cec2bacea10fc441082d049f86d1cd3833ca90c8d16426f47da395e5ab6b8b51e59

  • SSDEEP

    196608:z65gfXC73iV8ujsQKJScOkBNDee7buKVGJ:zrfSzV3Ssbp7bx4

Malware Config

Extracted

Family

cobaltstrike

C2

http://217.12.218.46:80/YPbR

http://1nevadasports.com:443/erDB

Attributes
  • user_agent

    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://goodgish.com:443/jquery-3.3.1.min.js

http://195.123.217.12:80/jquery-3.3.1.min.js

Attributes
  • access_type

    512

  • beacon_type

    2048

  • dns_idle

    2.15579587e+08

  • host

    goodgish.com,/jquery-3.3.1.min.js

  • http_header1

    AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAJX19jZmR1aWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9472

  • maxdns

    255

  • polling_time

    45000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\dllhost.exe

  • sc_process64

    %windir%\sysnative\dllhost.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCT42RZXDkOt4TBaANg7RggQbQZgKIt9JoHuhWGb5HcZdWd3ZmoqFQuFJ53NsjMvGrDkwxGokAV2GaGhCCb1GHK1NigI6uBcokE6seiXhny94nDmEEu4EEdYyFgLrsswJ04NA8tnIQD11iUz7XxzwocHN1161Yj66YCBK61DUomQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4.234810624e+09

  • unknown2

    AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /jquery-3.3.2.min.js

  • user_agent

    Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

  • watermark

    305419896

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://195.123.217.12:80/jquery-3.3.1.slim.min.js

http://goodgish.com:443/jquery-3.3.1.slim.min.js

http://globalpressinfo.com:443/jquery-3.3.1.slim.min.js

http://217.12.218.46:80/1tjM

http://1nevadasports.com:443/NDQy

Attributes
  • headers

    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Referer: http://code.jquery.com/
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://goodgish.com:443/jquery-3.3.1.min.js

Attributes
  • access_type

    512

  • beacon_type

    2048

  • dns_idle

    2.15579587e+08

  • host

    goodgish.com,/jquery-3.3.1.min.js

  • http_header1

    AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAJX19jZmR1aWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9472

  • maxdns

    255

  • polling_time

    45000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\dllhost.exe

  • sc_process64

    %windir%\sysnative\dllhost.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCT42RZXDkOt4TBaANg7RggQbQZgKIt9JoHuhWGb5HcZdWd3ZmoqFQuFJ53NsjMvGrDkwxGokAV2GaGhCCb1GHK1NigI6uBcokE6seiXhny94nDmEEu4EEdYyFgLrsswJ04NA8tnIQD11iUz7XxzwocHN1161Yj66YCBK61DUomQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4.234810624e+09

  • unknown2

    AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /jquery-3.3.2.min.js

  • user_agent

    Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

  • watermark

    305419896

Targets

    • Target

      coba164.exe

    • Size

      318KB

    • MD5

      f5b735e40d63c8a0eff9c64131efdb2f

    • SHA1

      54666928682558b67f89a5c320f16b8650cc8d90

    • SHA256

      478fce8dc2caf098beb2dd5695fdf57ab5117b36e53d92ec8de137b5138aa80c

    • SHA512

      620ffdd28973a6078356b1090e6d0f207246686a3e270caf62b0c4d7b912602c83c15468abe340846123fb427cc2d29bb2b04fae7721672b721698653cbd6c5d

    • SSDEEP

      6144:buEmSCZP781jWoYYMH7UtnvGu++vqIAJW8iocoEikKqn6Q:1678koYZUtg+vqICeroF2nl

    • Target

      coba164s.exe

    • Size

      318KB

    • MD5

      1715d2b27d963988cac67a955812e4d0

    • SHA1

      8831d9c375b0f3df5e40731d091d468d5764dad2

    • SHA256

      d61f250ce0bc5dd194878de7495bf657bf9749ead64130935c24b7b12978e683

    • SHA512

      ea5a9a8266cba81ec3232c1ae41897f8ef6972851c15cb51fd364ee895f4edcff2e62babef8a278560e17b33e639ab1b0024c1de7024d4d0b3180f60adb1acc0

    • SSDEEP

      6144:4FKitXrJ6qUIbupzBTk1TRnK+kuuEci72o0i/p1IEh:OstIeBTcK+kuuFFo0l

    • Target

      coba186.exe

    • Size

      256KB

    • MD5

      b08152a9426f1453e466d4026fc6d1db

    • SHA1

      93e3defbf52344e05ea4e0cb63373f8f5fa2c3f7

    • SHA256

      c8e5dc8cf704b2c8f339ac43610d8c20d3d00fd8f1a3296cb288f644236d9583

    • SHA512

      fdd2de24b673deeb3e58569d802213bba7aeccd7699d5edafafb6d96ca7c5116b4803c4c9b57994678a57d8aa66a7ccbda7b366a7b336385a0e2fd4bc0adb9df

    • SSDEEP

      6144:mK/BF7FuCc1XWSMO1YWTDDRLJtiqAiveAONCyh2Dst:mQBuCc1XlMO1YWTnBiqAiGXCyYs

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Metasploit family

    • Target

      coba186s.exe

    • Size

      256KB

    • MD5

      93bac4f33045a02c34e48ef3fdffdb2f

    • SHA1

      17225c1f602f19396f4aa2628deba1fe9680e3c1

    • SHA256

      992b42d1d6d4685e2821e7316ea403aed10b38bfe1879a0eca241a23f74d0269

    • SHA512

      0638a120ee9e131d0ef91111b75ed106d16cf87a79a21ebf388d360dd5d8840ca1c63b3c87d58704b16e3807eed942220980d8c01afe9db8cf0b4c547ef025e9

    • SSDEEP

      6144:NGxnghuicwAAMWrrloCwLackBYDIePeAOemHJyg9Fws3b:OghuicwASloCwLa4IemcMws3

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Metasploit family

    • Target

      cobabecx86.exe

    • Size

      3.0MB

    • MD5

      f14dc05a209a93c4afa1f67d214dc5e5

    • SHA1

      90c674231824d0bd7fbe78fa2fb3ae53b8fdab8f

    • SHA256

      13709d93be7a32fed69a6334b16488e172566679a4d950335963f7f438a77d29

    • SHA512

      09ce80c1571de439b40c73f48bdf5c595461b266f5e2a3c36b235d4a42e33019d812ec46785f265a99451a56afe0b1050604f47096684b9d4ed1a83451ba10cb

    • SSDEEP

      49152:69o5tIl1QWRgDJik7Ibaw7jHgDLESqfQC+NR7Qd6WygCZeiYAzcrzUR80ex5dj6b:69o5tIl1QCgliQIOg4OURsx5kwQFIOBN

    • Target

      cobabehttpx86.exe

    • Size

      3.0MB

    • MD5

      e1e8c1f522869f486b89e77c05d45ba3

    • SHA1

      e975b3aa9a1f47ae11d078caf5863c8de272a724

    • SHA256

      7ee3baef75f367c136e7d1a3fb829cb381dd9ad9cc4b3ca46da1dd1c1976e394

    • SHA512

      bbda0dba35cebd32b25e08c2430ce772bdd643a7e7187eed638eea453afae9f33249db93953fb36d2280ac50656612dcf6047553e1162b209263d92e77690628

    • SSDEEP

      49152:qAq5iCl58uwrrZb7/HHN7DHgjLESKfQCbNxt0MiEeg28riYAzcrzUR80ex5dj65R:qAq5iCl58Lrtb7/sgmOURsx5UwQFNQMJ

    • Target

      cobahttpx86.exe

    • Size

      2.7MB

    • MD5

      5415d117067af06eca07d3eca2a77577

    • SHA1

      6e018746c810c88adf7bccf570ff240056988c84

    • SHA256

      5e6466283d75f4fdfb6dc2c6a6b249c441f0692c3a82521024fe53a19749c35e

    • SHA512

      dcbcb53099cb0bb49e8538692fd20a96b152a791bb43a2c064f73145be38bdfac3b6388ab7144813fc6f58e8ce77afb2c46a00644c09f4e2d2244de56dea95c7

    • SSDEEP

      49152:Ws6o30lU0jmz+3lnSvNw7jHgDLEShfQCmNm6AMd6grmevOZVer3U5E0ev5N0aGI8:Ws6o30lU0w+VnSvgwAU5Uv5QIZFpGHB3

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Metasploit family

    • Target

      cobasslx64.exe

    • Size

      3.8MB

    • MD5

      e59fb03e91165f508223a27dfdfff0b0

    • SHA1

      46a8c17f3155cfbf5fb1c871954c9697322aeb28

    • SHA256

      3c6390e8c2eb4264e5a56a777110022ca533c3fa42ec0619151de6e2f9929a0a

    • SHA512

      14120923cd2104dd354c80f24de32c11a45100373c6e810b45c37554340fada3b0cddb7edb8823e544535c0eafd926dbdb9897e08a089b187959543cd9d1fcc3

    • SSDEEP

      49152:rkfRcO0CvVN8otW/bFw6vPnLv6TUJPsE1:YaWVSotWTp3LxyO

    • Target

      cobasx86.exe

    • Size

      2.7MB

    • MD5

      af6732e05c0d12769e6742d46376ab08

    • SHA1

      5850da9662e53e36f66ca932bf80786ac39f544f

    • SHA256

      ebfd43ae62687f69b4bcec5aa9a6328d2d405a2b7c00c4929df18ae444460852

    • SHA512

      655deb4b098c3edc55d847cbdfd9efcb903a140e19d83445b1091bd8b6e6d85c1e9f163aec2f130f9fee82cc25e2f15e44b379d1ca741719ed3bdd47ebb8341f

    • SSDEEP

      49152:2s6o30lU0jmz+3lnSvNw7jHgDLEShfQCmNm6AMd6grmevOZVer3U5E0ev5N0aGIL:2s6o30lU0w+VnSvgwAU5Uv5QIZFpGQBb

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Metasploit family

    • Target

      cobax86_408.exe

    • Size

      250KB

    • MD5

      577a7463c63d02169a33ca2736f7ac98

    • SHA1

      cb34c1b37698cfd3fc0382abaec40e463354b6c3

    • SHA256

      d9316f608fefe966a073cc79381a63c27da6b0db00a70fd34b672ca429bde8ef

    • SHA512

      a5deb168a322914db09a1a2c5eb20f33c2913e542a5a0e777c390c4b11034d03a62de59d91fd8fc9b379aa55041d51818ea327486e3452de4eae0da314ff2a57

    • SSDEEP

      6144:L3j/Zua8BWOpto2j6p+MqVIAeAOOK6E3A:Tj/Zua8BWOg2j60IN8NE3

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Metasploit family

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

cobaltstrike backdoor trojan
Score
10/10

behavioral2

cobaltstrike backdoor trojan
Score
10/10

behavioral3

cobaltstrike backdoor trojan
Score
10/10

behavioral4

cobaltstrike backdoor trojan
Score
10/10

behavioral5

metasploit backdoor discovery trojan
Score
10/10

behavioral6

metasploit backdoor discovery trojan
Score
10/10

behavioral7

Score
1/10

behavioral8

metasploit backdoor discovery trojan
Score
10/10

behavioral9

discovery
Score
3/10

behavioral10

cobaltstrike 305419896 backdoor discovery trojan
Score
10/10

behavioral11

discovery
Score
3/10

behavioral12

cobaltstrike 305419896 backdoor discovery trojan
Score
10/10

behavioral13

discovery
Score
3/10

behavioral14

metasploit backdoor discovery trojan
Score
10/10

behavioral15

Score
1/10

behavioral16

cobaltstrike 305419896 backdoor trojan
Score
10/10

behavioral17

metasploit backdoor discovery trojan
Score
10/10

behavioral18

metasploit backdoor discovery trojan
Score
10/10

behavioral19

metasploit backdoor discovery trojan
Score
10/10

behavioral20

metasploit backdoor discovery trojan
Score
10/10