cobaltstrike | fbd7a548c9687bd0a74f905b03cedb8072717c67b04ddd05418f2f9cbb7076ac

General

Target

JaffaCakes118_4bbc7c53d45152aa23d2d3f4322ed490.ps1
Size

194KB
MD5

4bbc7c53d45152aa23d2d3f4322ed490
SHA1

5508b012ff7ef2b34375f3a4b3067dbbfb4a453d
SHA256

fbd7a548c9687bd0a74f905b03cedb8072717c67b04ddd05418f2f9cbb7076ac
SHA512

ffb032a143e14215e6417d8f317958c0e18e4fbf99a940f4a07221590831a9e9d8f3202e4938593f9e2be30ad479cabec6e2fc90e76bc0d93a9d26d8d7a9631a
SSDEEP

3072:xKngySVRgypwBolhfJv0DO/sUy2T9QOcH9cHUD1lv9LGbIVu5kqKtjOt0BZ:xtNnXNXfJv0DWyP9SUhgGhA07

Score

10^/10

cobaltstrike 0 backdoor discovery execution trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://auditsecuritybusworld.com:443/jquery-3.3.1.min.js

http://213.227.155.246:443/jquery-3.3.1.min.js

Attributes

access_type
512
beacon_type
2048
host
auditsecuritybusworld.com,/jquery-3.3.1.min.js,213.227.155.246,/jquery-3.3.1.min.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAJX19jZmR1aWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
45000
port_number
443
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnOM3nXx+7HBhkbDd+AwFrFisSunK999w2tM0uTpuuEiBalcJhcL+QgQWtf6S7zPp5hjImG+2YcPl18geU4f5JlSPXHwilbK4DFb/ePWyKFjhrA7emVRqhM21QMlo1ANsn14rY/RO2pzuft8P7TXoIjjI/B2GGVuzYNZX6X4I2EwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4.234810624e+09
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/jquery-3.3.2.min.js
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike

Blocklisted process makes network request 3 IoCs

flow	pid	Process
5	2208	powershell.exe
6	2208	powershell.exe
8	2208	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1996	powershell.exe
2208	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1996	powershell.exe
2208	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2208	1996	powershell.exe	32
PID 1996 wrote to memory of 2208	1996	powershell.exe	32
PID 1996 wrote to memory of 2208	1996	powershell.exe	32
PID 1996 wrote to memory of 2208	1996	powershell.exe	32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4bbc7c53d45152aa23d2d3f4322ed490.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996
- \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
  "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z9AOY6IMAIEM2EF1TTTE.temp

Filesize
7KB

MD5
3eba250125f8dc2d0f9ef74ca660239e

SHA1
2dd19d0f71f11822fc41b4a85006764e1520aa3a

SHA256
19a6074f5c66dbac7e33b585f8be160e4c89763543a6bd6f66514c5c42a917fc

SHA512
0be1c6f9f7a6c41d27e8715decf09d11a1f89c1ec38a47778e4b745b4ddf5be45c89c0715f906fef927c656f1fb7899a4e918b42dd6d24ea2500d743ce7f9aee

Download Submit
memory/1996-11-0x0000000002BE0000-0x0000000002C12000-memory.dmp

Filesize
200KB

Download
memory/1996-5-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/1996-6-0x0000000002070000-0x0000000002078000-memory.dmp

Filesize
32KB

Download
memory/1996-8-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

Filesize
9.6MB

Download
memory/1996-9-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

Filesize
9.6MB

Download
memory/1996-10-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

Filesize
9.6MB

Download
memory/1996-7-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

Filesize
9.6MB

Download
memory/1996-4-0x000007FEF5B1E000-0x000007FEF5B1F000-memory.dmp

Filesize
4KB

Download
memory/1996-12-0x0000000002BE0000-0x0000000002C12000-memory.dmp

Filesize
200KB

Download
memory/1996-15-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

Filesize
9.6MB

Download
memory/1996-20-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

Filesize
9.6MB

Download
memory/1996-19-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

Filesize
9.6MB

Download
memory/1996-18-0x000007FEF5B1E000-0x000007FEF5B1F000-memory.dmp

Filesize
4KB

Download
memory/2208-17-0x0000000005830000-0x0000000005CA2000-memory.dmp

Filesize
4.4MB

Download
memory/2208-16-0x0000000005830000-0x0000000005CA2000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing