- Backdoored Advanced_IP_Scanner_2.5.4594.1.exe
  - MD5: 723227f3a71001fb9c0cd28ff52b2636
  - SHA256: fef06c28ae5a65672c31076b062e33cfaeb2b90309444f6567877f22997bc711
- Malicious pcre.dll (DLL sideloaded by the main program executable)
  - MD5: 21cdd0a64e8ac9ed58de9b88986c8983
  - SHA256: 9a0c600669772bc530fe07c2dbb23dbb4808c640d016ffb832460ed25d2bb49e
Extracted CobaltStrike Configuration

Field | Value | Description
---|---|---
BeaconType | HTTPS | Communication protocol used by the beacon.
Port | 443 | Port on which the C2 communication is established.
SleepTime | 83935 seconds (roughly 24 hours) | Time interval between beacon check-ins.
MaxGetSize | 2807995 | Maximum size of data that can be received in one request.
Jitter | 44 | Jitter percentage applied to the sleep interval to randomize check-in timing.
MaxDNS | Not Found | Maximum size of a DNS request.
C2Server | nanopeb.com,/sub/access/PQODJO5X45JC<br>coldfusioncnc.com,/sub/access/PQODJO5X45JC | List of C2 servers and their associated paths.
UserAgent | Not Found | User-Agent string used in HTTP requests.
HttpPostUri | /inquiry/webcart/NPDTA4HJGYF2 | URI for HTTP POST requests.
Malleable_C2_Instructions | 1. Remove 7449 bytes from the end<br>2. Remove 4338 bytes from the beginning<br>3. Base64 URL-safe decode<br>4. XOR mask w/ random key | Transform chain the beacon applies to C2 response data (see description below).
HttpGet_Metadata | Not Found | Additional metadata included in HTTP GET requests.
HttpPost_Metadata | Not Found | Additional metadata included in HTTP POST requests.
SpawnTo | b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' | Process to spawn into (unset; all null bytes).
PipeName | Not Found | Named pipe used for communication.
DNS_Idle | Not Found | Time interval for DNS queries when the system is idle.
DNS_Sleep | Not Found | Time interval for DNS queries during normal operation.
SSH_Host | Not Found | Hostname for SSH connection.
SSH_Port | Not Found | Port for SSH connection.
SSH_Username | Not Found | Username for SSH authentication.
SSH_Password_Plaintext | Not Found | Plaintext password for SSH authentication.
SSH_Password_Pubkey | Not Found | Public key for SSH authentication.
HttpGet_Verb | GET | HTTP method used for GET requests.
HttpPost_Verb | POST | HTTP method used for POST requests.
HttpPostChunk | 0 | Chunk size for HTTP POST requests (0 = no chunking).
Spawnto_x86 | %windir%\syswow64\systray.exe | Process spawned to host the payload on x86 systems.
Spawnto_x64 | %windir%\sysnative\svchost.exe -k netsvc | Process spawned to host the payload on x64 systems.
CryptoScheme | 0 | Encryption scheme used for communication.
Proxy_Config | Not Found | Proxy server configuration.
Proxy_User | Not Found | Username for proxy server authentication.
Proxy_Password | Not Found | Password for proxy server authentication.
Proxy_Behavior | Use IE settings | Behavior regarding proxy usage.
Watermark | 1357776117 | Watermark identifying the Cobalt Strike license that generated the beacon.
bStageCleanup | True | Flag indicating whether the stager is cleaned up after staging.
bCFGCaution | False | Flag indicating whether the beacon takes caution with Control Flow Guard (CFG) protected processes.
KillDate | 0 | Date after which the beacon stops running (0 = none configured).
bProcInject_StartRWX | False | Flag indicating whether injected memory is initially allocated RWX.
bProcInject_UseRWX | False | Flag indicating whether injected memory is set to RWX.
bProcInject_MinAllocSize | 15585 | Minimum size of memory allocated during injection.
ProcInject_PrependAppend_x86 | b'f\x0f\x1f\x84\x00\x00\x00\x00\x00PXPX\x0f\x1f\x84\x00\x00\x00\x00\x00PX\x0f{TRUNCATED}'<br>b'f\x0f\x1fD\x00\x00f\x0f\x1fD\x00\x00\x90\x0f\x1f@\x00\x0f\x1f\x80\x00\x00\x00\x00' | Bytes prepended and appended to injected x86 code (multi-byte NOP-style padding; see description below).
ProcInject_PrependAppend_x64 | b'\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1f@\x00f\x90f{TRUNCATED}'<br>b'\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1fD{TRUNCATED}' | Bytes prepended and appended to injected x64 code (multi-byte NOP-style padding; see description below).
ProcInject_Execute | ntdll:RtlUserThreadStart<br>CreateThread<br>NtQueueApcThread<br>CreateRemoteThread<br>RtlCreateUserThread | Execution methods tried, in order, for process injection.
ProcInject_AllocationMethod | VirtualAllocEx | Method used for memory allocation during injection.
bUsesCookies | True | Flag indicating whether the beacon uses cookies.
HostHeader | | Host header used in HTTP requests.
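As a worked example added here (not part of the original write-up), the following Python applies the Malleable_C2_Instructions listed above to a captured HTTPS response body so that an analyst can recover the decoded beacon data for inspection. It assumes the four transforms are listed in the order the beacon applies them when decoding, and that the "XOR mask w/ random key" transform prepends a 4-byte key to the data and XORs the remainder with it. `build_sample_response` and its filler bytes are a constructed test fixture, not traffic from this sample.

```python
import base64

# Byte counts taken from the extracted Malleable_C2_Instructions above.
TRAILING_JUNK = 7449   # "Remove 7449 bytes from the end"
LEADING_JUNK = 4338    # "Remove 4338 bytes from the beginning"
MASK_KEY_LEN = 4       # assumption: the mask transform uses a 4-byte prepended key


def xor_mask(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; symmetric, so used for both directions."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def unmask(blob: bytes) -> bytes:
    """Undo the 'XOR mask w/ random key' transform: key is the first 4 bytes."""
    if len(blob) < MASK_KEY_LEN:
        raise ValueError("masked blob shorter than the key length")
    key, body = blob[:MASK_KEY_LEN], blob[MASK_KEY_LEN:]
    return xor_mask(body, key)


def decode_server_response(body: bytes) -> bytes:
    """Apply the four transforms, in the listed order, to a captured response body."""
    if len(body) <= TRAILING_JUNK + LEADING_JUNK:
        raise ValueError("response body too short to contain the junk padding")
    stripped = body[:-TRAILING_JUNK]          # 1. remove trailing junk
    stripped = stripped[LEADING_JUNK:]        # 2. remove leading junk
    padded = stripped + b"=" * (-len(stripped) % 4)  # tolerate stripped '=' padding
    raw = base64.urlsafe_b64decode(padded)    # 3. base64 URL-safe decode
    return unmask(raw)                        # 4. XOR mask with prepended key


def build_sample_response(plaintext: bytes, key: bytes = b"\x11\x22\x33\x44") -> bytes:
    """Constructed fixture: the forward chain (mask -> base64url -> pad) for testing."""
    masked = key + xor_mask(plaintext, key)
    encoded = base64.urlsafe_b64encode(masked)
    # Constructed filler bytes stand in for whatever the real server pads with.
    return b"J" * LEADING_JUNK + encoded + b"K" * TRAILING_JUNK


if __name__ == "__main__":
    sample = build_sample_response(b"constructed tasking blob")
    print(decode_server_response(sample))  # prints b'constructed tasking blob'
```

For real captures, feed `decode_server_response` the raw HTTP response body (not the headers); if the result is not plausible beacon data, the two byte counts or the transform order are the first things to re-check against the extracted config.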