cobaltstrike | f635f424b967e3df6bec0e6bd4643d5b19bb6e3e3d9c925d91124b80f85e8d1b

General

Target

ma.exe
Size

281KB
MD5

a7b18fa0a9729193ed5d8fe99e1b653f
SHA1

4ea028f43ef9c8d4866652c63a3fd94cb2b7b460
SHA256

f635f424b967e3df6bec0e6bd4643d5b19bb6e3e3d9c925d91124b80f85e8d1b
SHA512

edda7566ac9af482fe3c5a35f120798dfb6b47e4bb61e624c308225d5472dc0c9b0066b88d8ca2ca4e05b744fa70872d138be393359b2fd69c23f7ca1725aa09
SSDEEP

6144:MCjRB7HtIw3GSKpuKIbk4iUNXeSyKN2655R0Mfdp4up4Q:3jauKIbk4iCXKYtTLrp4Q

Score

10^/10

cobaltstrike 100000000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000000

C2

http://144.48.4.219:443/jquery-3.3.1.min.js

Attributes

access_type
512
beacon_type
2048
host
144.48.4.219,/jquery-3.3.1.min.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAJX19jZmR1aWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
45000
port_number
443
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJzGjWWirPLTxN5fL642s06JUEEiMAwAsctJ/wC6nElkxVMAqZvpfDkxgzo6BhQJ8KEbcpI8wTPq1G79spBJQWyZYdULAoV9N5G4j3KArpHvfmeNMOpMhyL664MSO9QtaT0GyFimui4AkDWzkYLWjynkqMr6iaJcaTV6GpCTQQyQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4.234810624e+09
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/jquery-3.3.2.min.js
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
watermark
100000000

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\73A5E64A3BFF8316FF0EDCCC618A906E4EAE4D74	ma.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\73A5E64A3BFF8316FF0EDCCC618A906E4EAE4D74\Blob = 0f00000001000000300000004133c4e60fa183ee5e7a4416c5d54c3392c56c2f572829bf59347467bab07bcdcf840162988341d2d284fbd856df53b10b000000010000005c0000004d006900630072006f0073006f00660074002000520053004100200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f007200690074007900200032003000310037000000620000000100000020000000c741f70f4b2a8d88bf2e71c14122ef53ef10eba0cfa5e64cfa20f418853073e0090000000100000016000000301406082b0601050507030206082b0601050507030114000000010000001400000009cb597f86b2708f1ac339e3c0d9e9bfbb4db2231d000000010000001000000072a49195309fb934d60a98e4ec451a6c69000000010000000e000000300c060a2b0601040182373c030103000000010000001400000073a5e64a3bff8316ff0edccc618a906e4eae4d742000000001000000ac050000308205a830820390a00302010202101ed397095fd8b4b347701eaabe7f45b3300d06092a864886f70d01010c05003065310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e313630340603550403132d4d6963726f736f66742052534120526f6f7420436572746966696361746520417574686f726974792032303137301e170d3139313231383232353132325a170d3432303731383233303032335a3065310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e313630340603550403132d4d6963726f736f66742052534120526f6f7420436572746966696361746520417574686f72697479203230313730820222300d06092a864886f70d01010105000382020f003082020a0282020100ca5bbe94338c299591160a95bd4762c189f39936df4690c9a5ed786a6f479168f8276750331da1a6fbe0e543a3840257015d9c4840825310bcbfc73b6890b6822de5f465d0cc6d19cc95f97bac4a94ad0ede4b431d8707921390808364353904fce5e96cb3b61f50943865505c1746b9b685b51cb517e8d6459dd8b226b0cac4704aae60a4ddb3d9ecfc3bd55772bc3fc8c9b2de4b6bf8236c03c005bd95c7cd733b668064e31aac2ef94705f206b69b73f578335bc7a1fb272aa1b49a918c91d33a823e7640b4cd52615170283fc5c55af2c98c49bb145b4dc8ff674d4c1296adf5fe78a89787d7fd5e2080dca14b22fbd489adbace479747557b8f45c8672884951c6830efef49e0357b64e798b094da4d853b3e55c428af57f39e13db46279f1ea25e4483a4a5cad513b34b3fc4e3c2e68661a45230b97a204f6f0f3853cb330c132b8fd69abd2ac82db11c7d4b51ca47d14827725d87ebd545e648659daf5290ba5ba2186557129f68b9d4156b94c4692298f433e0edf9518e4150c9344f7690acfc38c1d8e17bb9e3e394e14669cb0e0a506b13baac0f375ab712b590811e56ae572286d9c9d2d1d751e3ab3bc655fd1e0ed3740ad1daaaea69b897288f48c407f852433af4ca55352cb0a66ac09cf9f281e1126ac045d967b3ceff23a2890a54d414b92aa8d7ecf9abcd255832798f905b9839c40806c1ac7f0e3d00a50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041409cb597f86b2708f1ac339e3c0d9e9bfbb4db223301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100acaf3e5dc21196898ea3e792d69715b813a2a6422e02cd16055927ca20e8bab8e81aec4da89756ae6543b18f009b52cd55cd53396d624c8b0d5b7c2e44bf83108ff3538280c34f3ac76e113fe6e3169184fb6d847f3474ad89a7ceb9d7d79f846492be95a1ad095333ddee0aea4a518e6f55abbab59446ae8c7fd8a2502565608046db3304ae6cb598745425dc93e4f8e355153db86dc30aa412c169856edf64f15399e14a75209d950fe4d6dc03f15918e84789b2575a94b6a9d8172b1749e576cbc156993a37b1ff692c919193e1df4ca337764da19ff86d1e1dd3faecfbf4451d136dcff759e52227722b86f357bb30ed244ddc7d56bba3b3f8347989c1e0f20261f7a6fc0fbb1c170bae41d97cbd27a3fd2e3ad19394b1731d248baf5b2089adb7676679f53ac6a69633fe5392c846b11191c6997f8fc9d66631204110872d0cd6c1af3498ca6483fb1357d1c1f03c7a8ca5c1fd9521a071c193677112ea8f880a691964992356fbac2a2e70be66c40c84efe58bf39301f86a9093674bb268a3b5628fe93f8c7a3b5e0fe78cb8c67cef37fd74e2c84f3372e194396dbd12afbe0c4e707c1b6f8db332937344166de8f4f7e095808f965d38a4f4abde0a308793d84d00716245274b3a42845b7f65b76734522d9c166baaa8d87ba3424c71c70cca3e83e4a6efb701305e51a379f57069a641440f86b02c91c63deaae0f84	ma.exe

C:\Users\Admin\AppData\Local\Temp\ma.exe
"C:\Users\Admin\AppData\Local\Temp\ma.exe"
1⤵
- Modifies system certificate store
PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2600-0-0x0000000000960000-0x00000000009A1000-memory.dmp

Filesize
260KB

Download
memory/2600-1-0x0000000000D10000-0x0000000001182000-memory.dmp

Filesize
4.4MB

Download
memory/2600-7-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing