@MichaelKoczwara
Last active September 14, 2021 02:29
Cobalt Strike C2 possibly attributed to CVE-2021-40444
Cobalt Strike C2 running on 45.147.229[.]242 (Watermark: 1580103814)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/8.5
Content-Type: text/plain
Cache-Control: max-age=1
Connection: keep-alive
X-Powered-By: ASP.NET
Content-Length: 0
CobaltStrike Beacon configurations:
| x86 URI Response:
| BeaconType: 8 (HTTPS)
| Port: 443
| Polling: 5000
| Jitter: 22
| C2 Server: dodefoh.com,/hr.html,joxinu.com,/ml.html
| HTTP Method Path 2: /sq
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\rundll32.exe
| Spawnto_x64: %windir%\sysnative\rundll32.exe
| Proxy_AccessType: 2 (Use IE settings)
|
|
| x64 URI Response:
| BeaconType: 8 (HTTPS)
| Port: 443
| Polling: 5000
| Jitter: 22
| C2 Server: dodefoh.com,/ml.html,joxinu.com,/hr.html
| HTTP Method Path 2: /ky
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\rundll32.exe
| Spawnto_x64: %windir%\sysnative\rundll32.exe
| Proxy_AccessType: 2 (Use IE settings)
|_
--------------------------------------------------------
Cobalt Strike C2 running on 45.147.229[.]93 (Watermark: 1580103814)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/8.5
Content-Type: text/plain
Cache-Control: max-age=1
Connection: keep-alive
X-Powered-By: ASP.NET
Content-Length: 0
CobaltStrike Beacon configurations:
| x86 URI Response:
| BeaconType: 8 (HTTPS)
| Port: 443
| Polling: 5000
| Jitter: 1
| C2 Server: tamunar.com,/boxes
| HTTP Method Path 2: /en
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\WUAUCLT.exe
| Spawnto_x64: %windir%\sysnative\WUAUCLT.exe
| Proxy_AccessType: 2 (Use IE settings)
|
|
| x64 URI Response:
| BeaconType: 8 (HTTPS)
| Port: 443
| Polling: 5000
| Jitter: 1
| C2 Server: tamunar.com,/links
| HTTP Method Path 2: /en
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\WUAUCLT.exe
| Spawnto_x64: %windir%\sysnative\WUAUCLT.exe
| Proxy_AccessType: 2 (Use IE settings)
|_
------------------------------------------------
Cobalt Strike C2 running on 45.147.229[.]94 (Watermark: 1580103814)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/8.5
Content-Type: text/plain
Cache-Control: max-age=1
Connection: keep-alive
X-Powered-By: ASP.NET
Content-Length: 0
CobaltStrike Beacon configurations:
| x86 URI Response:
| BeaconType: 8 (HTTPS)
| Port: 443
| Polling: 5000
| Jitter: 33
| C2 Server: hetamuf.com,/mobile-home.js,hepide.com,/link.js
| HTTP Method Path 2: /default
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\rundll32.exe
| Spawnto_x64: %windir%\sysnative\rundll32.exe
| Proxy_AccessType: 2 (Use IE settings)
|
|
| x64 URI Response:
| BeaconType: 8 (HTTPS)
| Port: 443
| Polling: 5000
| Jitter: 33
| C2 Server: hetamuf.com,/link.js,hepide.com,/link.js
| HTTP Method Path 2: /default
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\rundll32.exe
| Spawnto_x64: %windir%\sysnative\rundll32.exe
| Proxy_AccessType: 2 (Use IE settings)
|_
-------------------------------------------------------
Cobalt Strike C2 running on 45.147.229[.]161 (Watermark: 0)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/8.5
Content-Type: text/plain
Cache-Control: max-age=1
Connection: keep-alive
X-Powered-By: ASP.NET
Content-Length: 0
CobaltStrike Beacon configurations:
| x86 URI Response:
| BeaconType: 8 (HTTPS)
| Port: 443
| Polling: 5000
| Jitter: 14
| C2 Server: rucajit.com,/language.html
| HTTP Method Path 2: /posting
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\wusa.exe
| Spawnto_x64: %windir%\sysnative\wusa.exe
| Proxy_AccessType: 2 (Use IE settings)
|
|
| x64 URI Response:
| BeaconType: 8 (HTTPS)
| Port: 443
| Polling: 5000
| Jitter: 14
| C2 Server: rucajit.com,/language.html
| HTTP Method Path 2: /posting
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\wusa.exe
| Spawnto_x64: %windir%\sysnative\wusa.exe
| Proxy_AccessType: 2 (Use IE settings)
|_
---------------------------------------------
Cobalt Strike C2 running on 104.194.10[.]21 (Watermark: 1580103814)
HTTP/1.1 404 Not Found
Cache-Control: max-age=1
Connection: keep-alive
X-Powered-By: ASP.NET
Content-Length: 0
Server: Microsoft-IIS/8.5
Content-Type: text/plain
CobaltStrike Beacon configurations:
| x86 URI Response:
| BeaconType: 8 (HTTPS)
| Port: 443
| Polling: 5000
| Jitter: 16
| C2 Server: dodefoh.com,/tab_shop_active,joxinu.com,/tab_shop_active
| HTTP Method Path 2: /be
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\rundll32.exe
| Spawnto_x64: %windir%\sysnative\rundll32.exe
| Proxy_AccessType: 2 (Use IE settings)
|
|
| x64 URI Response:
| BeaconType: 8 (HTTPS)
| Port: 443
| Polling: 5000
| Jitter: 16
| C2 Server: dodefoh.com,/tab_shop_active,joxinu.com,/ce
| HTTP Method Path 2: /RELEASES
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\rundll32.exe
| Spawnto_x64: %windir%\sysnative\rundll32.exe
| Proxy_AccessType: 2 (Use IE settings)
|_
---------------------------------------------------------------
Cobalt Strike C2 running on 104.194.10[.]3 (Watermark: 0)
HTTP/1.1 404 Not Found
Content-Type: text/plain
Cache-Control: max-age=1
Connection: keep-alive
X-Powered-By: ASP.NET
Content-Length: 0
Server: Microsoft-IIS/8.5
CobaltStrike Beacon configurations:
| x86 URI Response:
| BeaconType: 8 (HTTPS)
| Port: 443
| Polling: 5000
| Jitter: 6
| C2 Server: bucudiy.com,/profile
| HTTP Method Path 2: /as
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\wusa.exe
| Spawnto_x64: %windir%\sysnative\wusa.exe
| Proxy_AccessType: 2 (Use IE settings)
|_
-------------------------------------------------
Cobalt Strike C2 running on 104.194.10[.]22 (Watermark: 1580103814)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/8.5
Content-Type: text/plain
Cache-Control: max-age=1
Connection: keep-alive
X-Powered-By: ASP.NET
Content-Length: 0
CobaltStrike Beacon configurations:
| x64 URI Response:
| BeaconType: 8 (HTTPS)
| Port: 443
| Polling: 5000
| Jitter: 12
| C2 Server: koxiga.com,/xmlconnect
| HTTP Method Path 2: /temp
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\mstsc.exe
| Spawnto_x64: %windir%\sysnative\mstsc.exe
| Proxy_AccessType: 2 (Use IE settings)
|_
-----------------------------------------------
Cobalt Strike C2 running on 104.194.10[.]26 (Watermark: 1580103814)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/8.5
Content-Type: text/plain
Cache-Control: max-age=1
Connection: keep-alive
X-Powered-By: ASP.NET
Content-Length: 0
CobaltStrike Beacon configurations:
| x86 URI Response:
| BeaconType: 8 (HTTPS)
| Port: 443
| Polling: 5000
| Jitter: 10
| C2 Server: hiwiko.com,/r_config.html
| HTTP Method Path 2: /groupcp
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\mstsc.exe
| Spawnto_x64: %windir%\sysnative\mstsc.exe
| Proxy_AccessType: 2 (Use IE settings)
|
|
| x64 URI Response:
| BeaconType: 8 (HTTPS)
| Port: 443
| Polling: 5000
| Jitter: 10
| C2 Server: hiwiko.com,/styles.html
| HTTP Method Path 2: /groupcp
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\mstsc.exe
| Spawnto_x64: %windir%\sysnative\mstsc.exe
| Proxy_AccessType: 2 (Use IE settings)
|_
-------------------------------------------------
Cobalt Strike C2 running on 104.194.10[.]57 (Watermark: 0)
HTTP/1.1 404 Not Found
Connection: keep-alive
X-Powered-By: ASP.NET
Content-Length: 0
Server: Microsoft-IIS/8.5
Content-Type: text/plain
Cache-Control: max-age=1
CobaltStrike Beacon configurations:
| x86 URI Response:
| BeaconType: 8 (HTTPS)
| Port: 443
| Polling: 5000
| Jitter: 45
| C2 Server: cubigif.com,/jp.html
| HTTP Method Path 2: /ky
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\wusa.exe
| Spawnto_x64: %windir%\sysnative\wusa.exe
| Proxy_AccessType: 2 (Use IE settings)
|
|
| x64 URI Response:
| BeaconType: 8 (HTTPS)
| Port: 443
| Polling: 5000
| Jitter: 45
| C2 Server: cubigif.com,/fam_newspaper.html
| HTTP Method Path 2: /ky
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\wusa.exe
| Spawnto_x64: %windir%\sysnative\wusa.exe
| Proxy_AccessType: 2 (Use IE settings)
|_
------------------------------------------------
Cobalt Strike C2 running on 104.194.10[.]201 (Watermark: 0)
HTTP/1.1 404 Not Found
Content-Length: 0
Server: Microsoft-IIS/8.5
Content-Type: text/plain
Cache-Control: max-age=1
Connection: keep-alive
X-Powered-By: ASP.NET
CobaltStrike Beacon configurations:
| x86 URI Response:
| BeaconType: 8 (HTTPS)
| Port: 443
| Polling: 5000
| Jitter: 13
| C2 Server: meyise.com,/default.js
| HTTP Method Path 2: /as
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\wusa.exe
| Spawnto_x64: %windir%\sysnative\wusa.exe
| Proxy_AccessType: 2 (Use IE settings)
|
|
| x64 URI Response:
| BeaconType: 8 (HTTPS)
| Port: 443
| Polling: 5000
| Jitter: 13
| C2 Server: meyise.com,/modules.js
| HTTP Method Path 2: /as
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\wusa.exe
| Spawnto_x64: %windir%\sysnative\wusa.exe
| Proxy_AccessType: 2 (Use IE settings)
|_
-----------------------------------------
Cobalt Strike C2 running on 45.153.240[.]72 (Watermark: 1580103814)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/8.5
Content-Type: text/plain
Cache-Control: max-age=1
Connection: keep-alive
X-Powered-By: ASP.NET
Content-Length: 0
CobaltStrike Beacon configurations:
| x86 URI Response:
| BeaconType: 8 (HTTPS)
| Port: 443
| Polling: 5000
| Jitter: 42
| C2 Server: gimazic.com,/ur,fipoleb.com,/ur
| HTTP Method Path 2: /fam_cart
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\rundll32.exe
| Spawnto_x64: %windir%\sysnative\rundll32.exe
| Proxy_AccessType: 2 (Use IE settings)
|
|
| x64 URI Response:
| BeaconType: 8 (HTTPS)
| Port: 443
| Polling: 5000
| Jitter: 42
| C2 Server: gimazic.com,/ur,fipoleb.com,/ur
| HTTP Method Path 2: /fam_cart
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\rundll32.exe
| Spawnto_x64: %windir%\sysnative\rundll32.exe
| Proxy_AccessType: 2 (Use IE settings)
|_
------------------------------------------------
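Added example (not part of the gist above): a small parser for the listing format used here. It turns each "Cobalt Strike C2 running on <ip> (Watermark: <n>)" record and its "CobaltStrike Beacon configurations" block into a dict, splits the "C2 Server" field into (host, URI) pairs, groups the indicators by watermark (the value derived from the team server's license, so servers sharing 1580103814 are very likely run from the same Cobalt Strike copy), and derives the check-in interval window from Polling and Jitter. The field names are taken as printed in the listing; the embedded sample is constructed from two of the records above, and the jitter arithmetic follows Cobalt Strike's documented behaviour of shortening the sleep by a random 0..jitter percent.

```python
"""Parse a Cobalt Strike beacon-config listing into IOCs and beaconing thresholds."""
import re
from collections import defaultdict

# Constructed sample in the same layout as the listing above (two records, trimmed).
SAMPLE = r"""
Cobalt Strike C2 running on 45.147.229[.]242 (Watermark: 1580103814)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/8.5
Content-Type: text/plain
Content-Length: 0
CobaltStrike Beacon configurations:
| x86 URI Response:
| BeaconType: 8 (HTTPS)
| Port: 443
| Polling: 5000
| Jitter: 22
| C2 Server: dodefoh.com,/hr.html,joxinu.com,/ml.html
| HTTP Method Path 2: /sq
| Spawnto_x86: %windir%\syswow64\rundll32.exe
| Spawnto_x64: %windir%\sysnative\rundll32.exe
|_
--------------------------------------------------------
Cobalt Strike C2 running on 104.194.10[.]3 (Watermark:0)
HTTP/1.1 404 Not Found
CobaltStrike Beacon configurations:
| x86 URI Response:
| BeaconType: 8 (HTTPS)
| Port: 443
| Polling: 5000
| Jitter: 6
| C2 Server: bucudiy.com,/profile
| HTTP Method Path 2: /as
| Spawnto_x86: %windir%\syswow64\wusa.exe
| Spawnto_x64: %windir%\sysnative\wusa.exe
|_
"""

HEADER_RE = re.compile(r"Cobalt Strike C2 running on (\S+) \(Watermark:\s*(\d+)\)")
FIELD_RE = re.compile(r"^\|\s*([A-Za-z0-9_ ]+?):\s*(.*)$")   # "| Key: value" lines


def refang(ip):
    """Turn the defanged 1.2.3[.]4 form back into a routable string."""
    return ip.replace("[.]", ".")


def parse_listing(text):
    """Return one dict per C2 record: ip, watermark and a per-variant (x86/x64) field map."""
    records, cur, variant = [], None, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"ip": refang(m.group(1)), "watermark": int(m.group(2)), "variants": {}}
            records.append(cur)
            variant = None
            continue
        m = FIELD_RE.match(line) if cur else None
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key.endswith("URI Response"):          # "| x86 URI Response:" opens a variant
            variant = key.split()[0]
            cur["variants"][variant] = {}
        elif variant is not None:
            cur["variants"][variant][key] = val
    return records


def c2_pairs(field):
    """'host,/uri,host,/uri' -> [(host, uri), ...]; the GET URI is paired with its host."""
    parts = [p.strip() for p in field.split(",") if p.strip()]
    return list(zip(parts[0::2], parts[1::2]))


def checkin_window_ms(polling, jitter):
    """Beacon sleeps Polling ms minus a random 0..Jitter percent, so successive
    check-ins are spaced between polling*(1-jitter/100) and polling ms apart."""
    return (int(polling * (100 - jitter) / 100), polling)


def iocs_by_watermark(records):
    """Cluster IPs, C2 hosts, URIs and spawnto binaries by watermark (license ID)."""
    clusters = defaultdict(lambda: {"ips": set(), "domains": set(), "uris": set(), "spawnto": set()})
    for r in records:
        c = clusters[r["watermark"]]
        c["ips"].add(r["ip"])
        for v in r["variants"].values():
            for host, uri in c2_pairs(v.get("C2 Server", "")):
                c["domains"].add(host)
                c["uris"].add(uri)
            if "HTTP Method Path 2" in v:           # POST URI
                c["uris"].add(v["HTTP Method Path 2"])
            for k in ("Spawnto_x86", "Spawnto_x64"):
                if k in v:                          # keep just the binary name for hunting
                    c["spawnto"].add(v[k].rsplit("\\", 1)[-1].lower())
    return clusters


if __name__ == "__main__":
    recs = parse_listing(SAMPLE)
    for r in recs:
        for name, v in r["variants"].items():
            lo, hi = checkin_window_ms(int(v["Polling"]), int(v["Jitter"]))
            print(f"{r['ip']} [{name}] watermark={r['watermark']} check-in every {lo}-{hi} ms")
    for wm, c in iocs_by_watermark(recs).items():
        print(wm, sorted(c["domains"]), sorted(c["uris"]), sorted(c["spawnto"]))
```

Feeding the whole listing above to `parse_listing` yields the blocklist of hostnames and the spawnto set (rundll32.exe, wusa.exe, mstsc.exe, wuauclt.exe) to hunt for as parents of injected network activity; the check-in window is the threshold a beaconing detector should expect for the 5000 ms polling configured on every server here.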