Created
April 25, 2021 21:59
-
-
Save MichaelKoczwara/6832b625d659c73884579add0c58e04f to your computer and use it in GitHub Desktop.
Cobalt Strike 195.206.181.208, 195.206.181.210, 195.206.181.213
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| http://195.206.181.210:80/aaa9 200 209981 | |
| { | |
| "": "\u0004", | |
| ".cryptoscheme": "0", | |
| ".http-get.client": "\u0007\u0003\u0006\u0006Cookie", | |
| ".http-get.server.output": "\u0004", | |
| ".http-get.uri": "195.206.181.210,/ga.js", | |
| ".http-get.verb": "GET", | |
| ".http-post.client": "\n\u0026Content-Type: application/octet-stream\u0007\u0005\u0002id\u0007\u0001\u0004", | |
| ".http-post.uri": "/submit.php", | |
| ".http-post.verb": "POST", | |
| ".jitter": "0", | |
| ".post-ex.spawnto_x64": "%windir%\\sysnative\\rundll32.exe", | |
| ".post-ex.spawnto_x86": "%windir%\\syswow64\\rundll32.exe", | |
| ".proxy_type": "2", | |
| ".sleeptime": "60000", | |
| ".spawto": "", | |
| ".stage.cleanup": "0", | |
| ".user-agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; ASU2JS)", | |
| ".watermark": "0", | |
| "CFGCaution": "0", | |
| "cookieBeacon": "1", | |
| "dns": "false", | |
| "funk": "0", | |
| "host_header": "", | |
| "killdate": "0", | |
| "port": "80", | |
| "process-inject-min_alloc": "0", | |
| "process-inject-start-rwx": "64", | |
| "process-inject-use-rwx": "64", | |
| "publickey": "0\ufffd\ufffd0\r\u0006\t*\ufffdH\ufffd\ufffd\r\u0001\u0001\u0001\u0005\u0003\ufffd\ufffd0\ufffd\ufffd\u0002\ufffd\ufffd\ufffd8\ufffd\ufffd_\u001f\ufffd\u001c\u0018dl7~\u0003\u0001k\u0016+\u0012\ufffdr\ufffd\ufffd\ufffd6\ufffd\ufffd.N\ufffd\ufffd\u0012 Z\ufffd\ufffdap\ufffd\ufffd\ufffd\u0005\ufffd\ufffd\ufffd\ufffd\ufffdy\ufffd2\u0026\u001b\ufffd\ufffdp\ufffdu\ufffd\u0007\ufffd\ufffd\ufffdI\ufffd#\ufffd\u001f\u0008\ufffdl\ufffd\u0003\u0015\ufffd\ufffd=l\ufffd\u00168k\u0003\ufffd\ufffdU\u001a\ufffd3mP2Z5\ufffd'\ufffd\ufffd\u0013\ufffd\ufffd;\ufffd\ufffd\ufffd\ufffdMz\u0008\ufffd2?\u0007a\ufffdV\ufffd\ufffd5\ufffd\ufffd_\ufffd6\u0013\u0002\u0003\u0001\u0001", | |
| "shouldChunkPosts": "0", | |
| "ssl": "false", | |
| "text_section": "0" | |
| } | |
| https://195.206.181.210:443/aaa9 200 209984 | |
| { | |
| "": "\u0004", | |
| ".cryptoscheme": "0", | |
| ".http-get.client": "\u0007\u0003\u0006\u0006Cookie", | |
| ".http-get.server.output": "\u0004", | |
| ".http-get.uri": " citrixsecurityy.com,/updates.rss", | |
| ".http-get.verb": "GET", | |
| ".http-post.client": "\n\u0026Content-Type: application/octet-stream\u0007\u0005\u0002id\u0007\u0001\u0004", | |
| ".http-post.uri": "/submit.php", | |
| ".http-post.verb": "POST", | |
| ".jitter": "0", | |
| ".post-ex.spawnto_x64": "%windir%\\sysnative\\rundll32.exe", | |
| ".post-ex.spawnto_x86": "%windir%\\syswow64\\rundll32.exe", | |
| ".proxy_type": "2", | |
| ".sleeptime": "60000", | |
| ".spawto": "", | |
| ".stage.cleanup": "0", | |
| ".user-agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)", | |
| ".watermark": "0", | |
| "CFGCaution": "0", | |
| "cookieBeacon": "1", | |
| "dns": "false", | |
| "funk": "0", | |
| "host_header": "", | |
| "killdate": "0", | |
| "port": "443", | |
| "process-inject-min_alloc": "0", | |
| "process-inject-start-rwx": "64", | |
| "process-inject-use-rwx": "64", | |
| "publickey": "0\ufffd\ufffd0\r\u0006\t*\ufffdH\ufffd\ufffd\r\u0001\u0001\u0001\u0005\u0003\ufffd\ufffd0\ufffd\ufffd\u0002\ufffd\ufffd\ufffd8\ufffd\ufffd_\u001f\ufffd\u001c\u0018dl7~\u0003\u0001k\u0016+\u0012\ufffdr\ufffd\ufffd\ufffd6\ufffd\ufffd.N\ufffd\ufffd\u0012 Z\ufffd\ufffdap\ufffd\ufffd\ufffd\u0005\ufffd\ufffd\ufffd\ufffd\ufffdy\ufffd2\u0026\u001b\ufffd\ufffdp\ufffdu\ufffd\u0007\ufffd\ufffd\ufffdI\ufffd#\ufffd\u001f\u0008\ufffdl\ufffd\u0003\u0015\ufffd\ufffd=l\ufffd\u00168k\u0003\ufffd\ufffdU\u001a\ufffd3mP2Z5\ufffd'\ufffd\ufffd\u0013\ufffd\ufffd;\ufffd\ufffd\ufffd\ufffdMz\u0008\ufffd2?\u0007a\ufffdV\ufffd\ufffd5\ufffd\ufffd_\ufffd6\u0013\u0002\u0003\u0001\u0001", | |
| "shouldChunkPosts": "0", | |
| "ssl": "true", | |
| "text_section": "0" | |
| } | |
| http://195.206.181.213:80/aaa9 200 208459 | |
| { | |
| "": "\u0004", | |
| ".cryptoscheme": "0", | |
| ".http-get.client": "\u0010\u001bHost: antivirusmallware.com\n\u0011Connection: close\n\u0015Accept-Encoding: gzip\n\u0016Accept-Language: en-US\u0007\u0008\u0003\u0002\u0005HSID=\u0006\u0006Cookie\t\u0008md5=true", | |
| ".http-get.server.output": "\u0004\u0002\u0001R\u0003\u000f", | |
| ".http-get.uri": "195.206.181.213,/ee.html", | |
| ".http-get.verb": "GET", | |
| ".http-post.client": "\u0010\u001bHost: antivirusmallware.com\n\u0011Connection: close\n\u0018Content-Type: text/plain\u0007\u0001\u0003\u0003\u0004\u0007\u0003\u0002\u000e__session__id=\u0006\u0006Cookie", | |
| ".http-post.uri": "/ak", | |
| ".http-post.verb": "POST", | |
| ".jitter": "43", | |
| ".post-ex.spawnto_x64": "%windir%\\sysnative\\WUAUCLT.exe", | |
| ".post-ex.spawnto_x86": "%windir%\\syswow64\\WUAUCLT.exe", | |
| ".proxy_type": "2", | |
| ".sleeptime": "55198", | |
| ".spawto": "", | |
| ".stage.cleanup": "1", | |
| ".user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246", | |
| ".watermark": "1359593325", | |
| "CFGCaution": "0", | |
| "cookieBeacon": "1", | |
| "dns": "false", | |
| "funk": "0", | |
| "host_header": "", | |
| "killdate": "0", | |
| "obfuscate_section": "`\u0002\ufffd\ufffd\u0002\u0003\ufffd\ufffd\u0003\ufffd\u0003\ufffd\ufffd\u0003", | |
| "port": "80", | |
| "process-inject-min_alloc": "5605", | |
| "process-inject-start-rwx": "4", | |
| "process-inject-use-rwx": "32", | |
| "publickey": "0\ufffd\ufffd0\r\u0006\t*\ufffdH\ufffd\ufffd\r\u0001\u0001\u0001\u0005\u0003\ufffd\ufffd0\ufffd\ufffd\u0002\ufffd\ufffdɼ-\ufffdA\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffdT\ufffd\ufffd\ufffdR\ufffdrQ\ufffdDO\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdY3\ufffd\ufffd\ufffd\ufffd\ufffd\u001e\u001e*T\n\u003e\ufffd\ufffd\ufffd\ufffd \u00266\ufffd\u000f\ufffd}\ufffd\ufffd\ufffd\ufffdu%\ufffd\ufffdoi\ufffd\u000bv0B\ufffd\ufffd\ufffd\ufffd/\ufffd\ufffdUl_\ufffd\ufffd\u0005 `#\u0016\ufffd\ufffd\u0007\ufffdf\ufffd\u0001\u000fi\ufffd\ufffdמ#k\u001b\ufffd\ufffdÆ\u001b\ufffd\ufffd\ufffdf\ufffd]\ufffd\u0002ӕ\u0019\ufffd\ufffdq}\ufffd\ufffd\u0002\u0003\u0001\u0001", | |
| "shouldChunkPosts": "0", | |
| "ssl": "false", | |
| "text_section": "154890" | |
| } | |
| https://195.206.181.213:443/aaa9 200 208472 | |
| { | |
| "": "\u0004", | |
| ".cryptoscheme": "0", | |
| ".http-get.client": "\u0010\u001bHost: antivirusmallware.com\n\u0011Connection: close\n\u0015Accept-Encoding: gzip\n\u0016Accept-Language: en-US\u0007\u0008\u0003\u0002\u0005HSID=\u0006\u0006Cookie\t\u0008md5=true", | |
| ".http-get.server.output": "\u0004\u0002\u0001R\u0003\u000f", | |
| ".http-get.uri": "antivirusmallware.com,/cr.html", | |
| ".http-get.verb": "GET", | |
| ".http-post.client": "\u0010\u001bHost: antivirusmallware.com\n\u0011Connection: close\n\u0018Content-Type: text/plain\u0007\u0001\u0003\u0003\u0004\u0007\u0003\u0002\u000e__session__id=\u0006\u0006Cookie", | |
| ".http-post.uri": "/ak", | |
| ".http-post.verb": "POST", | |
| ".jitter": "43", | |
| ".post-ex.spawnto_x64": "%windir%\\sysnative\\WUAUCLT.exe", | |
| ".post-ex.spawnto_x86": "%windir%\\syswow64\\WUAUCLT.exe", | |
| ".proxy_type": "2", | |
| ".sleeptime": "55198", | |
| ".spawto": "", | |
| ".stage.cleanup": "1", | |
| ".user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246", | |
| ".watermark": "1359593325", | |
| "CFGCaution": "0", | |
| "cookieBeacon": "1", | |
| "dns": "false", | |
| "funk": "0", | |
| "host_header": "", | |
| "killdate": "0", | |
| "obfuscate_section": "`\u0002\ufffd\ufffd\u0002\u0003\ufffd\ufffd\u0003\ufffd\u0003\ufffd\ufffd\u0003", | |
| "port": "443", | |
| "process-inject-min_alloc": "5605", | |
| "process-inject-start-rwx": "4", | |
| "process-inject-use-rwx": "32", | |
| "publickey": "0\ufffd\ufffd0\r\u0006\t*\ufffdH\ufffd\ufffd\r\u0001\u0001\u0001\u0005\u0003\ufffd\ufffd0\ufffd\ufffd\u0002\ufffd\ufffdɼ-\ufffdA\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffdT\ufffd\ufffd\ufffdR\ufffdrQ\ufffdDO\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdY3\ufffd\ufffd\ufffd\ufffd\ufffd\u001e\u001e*T\n\u003e\ufffd\ufffd\ufffd\ufffd \u00266\ufffd\u000f\ufffd}\ufffd\ufffd\ufffd\ufffdu%\ufffd\ufffdoi\ufffd\u000bv0B\ufffd\ufffd\ufffd\ufffd/\ufffd\ufffdUl_\ufffd\ufffd\u0005 `#\u0016\ufffd\ufffd\u0007\ufffdf\ufffd\u0001\u000fi\ufffd\ufffdמ#k\u001b\ufffd\ufffdÆ\u001b\ufffd\ufffd\ufffdf\ufffd]\ufffd\u0002ӕ\u0019\ufffd\ufffdq}\ufffd\ufffd\u0002\u0003\u0001\u0001", | |
| "shouldChunkPosts": "0", | |
| "ssl": "true", | |
| "text_section": "154890" | |
| } | |
| http://195.206.181.208:80/aaa9 200 208477 | |
| { | |
| "": "\u0004", | |
| ".cryptoscheme": "0", | |
| ".http-get.client": "\u0010\u0014Host: itsuppport.com\n\u0011Connection: close\n\u0015Accept-Encoding: gzip\n%Accept-Language: en-GB;q=0.9, *;q=0.7\u0007\r\u0003\u0002\u0005LSID=\u0006\u0006Cookie\t\nfunc=false", | |
| ".http-get.server.output": "\u0004\u0002\u0001R\u0003\u0008", | |
| ".http-get.uri": "195.206.181.208,/adminhtml", | |
| ".http-get.verb": "GET", | |
| ".http-post.client": "\u0010\u0014Host: itsuppport.com\n\u0011Connection: close\n/Content-Type: application/x-www-form-urlencoded\u0007\u0001\u0008\u0003\u0002\u0008contact=\u0004\u0007\u0003\u0002\u000e__session__id=\u0006\u0006Cookie", | |
| ".http-post.uri": "/search", | |
| ".http-post.verb": "POST", | |
| ".jitter": "37", | |
| ".post-ex.spawnto_x64": "%windir%\\sysnative\\svchost.exe", | |
| ".post-ex.spawnto_x86": "%windir%\\syswow64\\svchost.exe", | |
| ".proxy_type": "2", | |
| ".sleeptime": "60752", | |
| ".spawto": "", | |
| ".stage.cleanup": "1", | |
| ".user-agent": "Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202", | |
| ".watermark": "1359593325", | |
| "CFGCaution": "0", | |
| "cookieBeacon": "1", | |
| "dns": "false", | |
| "funk": "0", | |
| "host_header": "", | |
| "killdate": "0", | |
| "obfuscate_section": "`\u0002\ufffd\ufffd\u0002\u0003\ufffd\ufffd\u0003\ufffd\u0003\ufffd\ufffd\u0003", | |
| "port": "80", | |
| "process-inject-min_alloc": "25532", | |
| "process-inject-start-rwx": "4", | |
| "process-inject-use-rwx": "32", | |
| "publickey": "0\ufffd\ufffd0\r\u0006\t*\ufffdH\ufffd\ufffd\r\u0001\u0001\u0001\u0005\u0003\ufffd\ufffd0\ufffd\ufffd\u0002\ufffd\ufffdɼ-\ufffdA\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffdT\ufffd\ufffd\ufffdR\ufffdrQ\ufffdDO\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdY3\ufffd\ufffd\ufffd\ufffd\ufffd\u001e\u001e*T\n\u003e\ufffd\ufffd\ufffd\ufffd \u00266\ufffd\u000f\ufffd}\ufffd\ufffd\ufffd\ufffdu%\ufffd\ufffdoi\ufffd\u000bv0B\ufffd\ufffd\ufffd\ufffd/\ufffd\ufffdUl_\ufffd\ufffd\u0005 `#\u0016\ufffd\ufffd\u0007\ufffdf\ufffd\u0001\u000fi\ufffd\ufffdמ#k\u001b\ufffd\ufffdÆ\u001b\ufffd\ufffd\ufffdf\ufffd]\ufffd\u0002ӕ\u0019\ufffd\ufffdq}\ufffd\ufffd\u0002\u0003\u0001\u0001", | |
| "shouldChunkPosts": "0", | |
| "ssl": "false", | |
| "text_section": "154890" | |
| } | |
| https://195.206.181.208:443/aaa9 200 208458 | |
| { | |
| "": "\u0004", | |
| ".cryptoscheme": "0", | |
| ".http-get.client": "\u0010\u0014Host: itsuppport.com\n\u0011Connection: close\n\u0015Accept-Encoding: gzip\n%Accept-Language: en-GB;q=0.9, *;q=0.7\u0007\r\u0003\u0002\u0005LSID=\u0006\u0006Cookie\t\nfunc=false", | |
| ".http-get.server.output": "\u0004\u0002\u0001R\u0003\u0008", | |
| ".http-get.uri": "itsuppport.com,/adminhtml", | |
| ".http-get.verb": "GET", | |
| ".http-post.client": "\u0010\u0014Host: itsuppport.com\n\u0011Connection: close\n/Content-Type: application/x-www-form-urlencoded\u0007\u0001\u0008\u0003\u0002\u0008contact=\u0004\u0007\u0003\u0002\u000e__session__id=\u0006\u0006Cookie", | |
| ".http-post.uri": "/search", | |
| ".http-post.verb": "POST", | |
| ".jitter": "37", | |
| ".post-ex.spawnto_x64": "%windir%\\sysnative\\svchost.exe", | |
| ".post-ex.spawnto_x86": "%windir%\\syswow64\\svchost.exe", | |
| ".proxy_type": "2", | |
| ".sleeptime": "60752", | |
| ".spawto": "", | |
| ".stage.cleanup": "1", | |
| ".user-agent": "Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202", | |
| ".watermark": "1359593325", | |
| "CFGCaution": "0", | |
| "cookieBeacon": "1", | |
| "dns": "false", | |
| "funk": "0", | |
| "host_header": "", | |
| "killdate": "0", | |
| "obfuscate_section": "`\u0002\ufffd\ufffd\u0002\u0003\ufffd\ufffd\u0003\ufffd\u0003\ufffd\ufffd\u0003", | |
| "port": "443", | |
| "process-inject-min_alloc": "25532", | |
| "process-inject-start-rwx": "4", | |
| "process-inject-use-rwx": "32", | |
| "publickey": "0\ufffd\ufffd0\r\u0006\t*\ufffdH\ufffd\ufffd\r\u0001\u0001\u0001\u0005\u0003\ufffd\ufffd0\ufffd\ufffd\u0002\ufffd\ufffdɼ-\ufffdA\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffdT\ufffd\ufffd\ufffdR\ufffdrQ\ufffdDO\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdY3\ufffd\ufffd\ufffd\ufffd\ufffd\u001e\u001e*T\n\u003e\ufffd\ufffd\ufffd\ufffd \u00266\ufffd\u000f\ufffd}\ufffd\ufffd\ufffd\ufffdu%\ufffd\ufffdoi\ufffd\u000bv0B\ufffd\ufffd\ufffd\ufffd/\ufffd\ufffdUl_\ufffd\ufffd\u0005 `#\u0016\ufffd\ufffd\u0007\ufffdf\ufffd\u0001\u000fi\ufffd\ufffdמ#k\u001b\ufffd\ufffdÆ\u001b\ufffd\ufffd\ufffdf\ufffd]\ufffd\u0002ӕ\u0019\ufffd\ufffdq}\ufffd\ufffd\u0002\u0003\u0001\u0001", | |
| "shouldChunkPosts": "0", | |
| "ssl": "true", | |
| "text_section": "154890" | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment