@drole
Last active May 16, 2024 04:47
- Backdoored `Advanced_IP_Scanner_2.5.4594.1.exe`
  - `723227f3a71001fb9c0cd28ff52b2636` (MD5)
  - `fef06c28ae5a65672c31076b062e33cfaeb2b90309444f6567877f22997bc711` (SHA256)
- Malicious `pcre.dll` (DLL sideloaded by the main program executable)
  - `21cdd0a64e8ac9ed58de9b88986c8983` (MD5)
  - `9a0c600669772bc530fe07c2dbb23dbb4808c640d016ffb832460ed25d2bb49e` (SHA256)

Extracted CobaltStrike Configuration

| Field | Value | Description |
|---|---|---|
| BeaconType | HTTPS | Type of communication protocol used by the beacon. |
| Port | 443 | Port number on which the communication is established. |
| SleepTime | 83935 seconds or 24 hours | Time interval between beacon check-ins. |
| MaxGetSize | 2807995 | Maximum size of data that can be received in one request. |
| Jitter | 44 | Randomized time added to the sleep interval for jitter. |
| MaxDNS | Not Found | Maximum size of DNS request. |
| C2Server | `nanopeb.com,/sub/access/PQODJO5X45JC`<br>`coldfusioncnc.com,/sub/access/PQODJO5X45JC` | List of C2 servers and their associated paths. |
| UserAgent | Not Found | User-Agent string used in HTTP requests. |
| HttpPostUri | `/inquiry/webcart/NPDTA4HJGYF2` | URI for HTTP POST requests. |
| Malleable_C2_Instructions | Remove 7449 bytes from the end<br>Remove 4338 bytes from the beginning<br>Base64 URL-safe decode<br>XOR mask w/ random key | Instructions for manipulating C2 communication. See description below. |
| HttpGet_Metadata | Not Found | Additional metadata included in HTTP GET requests. |
| HttpPost_Metadata | Not Found | Additional metadata included in HTTP POST requests. |
| SpawnTo | `b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'` | Process to spawn into. |
| PipeName | Not Found | Named pipe used for communication. |
| DNS_Idle | Not Found | Time interval for DNS queries when the system is idle. |
| DNS_Sleep | Not Found | Time interval for DNS queries during normal operation. |
| SSH_Host | Not Found | Hostname for SSH connection. |
| SSH_Port | Not Found | Port for SSH connection. |
| SSH_Username | Not Found | Username for SSH authentication. |
| SSH_Password_Plaintext | Not Found | Plaintext password for SSH authentication. |
| SSH_Password_Pubkey | Not Found | Public key for SSH authentication. |
| HttpGet_Verb | GET | HTTP method used in GET requests. |
| HttpPost_Verb | POST | HTTP method used in POST requests. |
| HttpPostChunk | 0 | Size of chunks for HTTP POST requests. |
| Spawnto_x86 | `%windir%\syswow64\systray.exe` | Path to execute payload on x86 systems. |
| Spawnto_x64 | `%windir%\sysnative\svchost.exe -k netsvc` | Path to execute payload on x64 systems. |
| CryptoScheme | 0 | Encryption scheme used for communication. |
| Proxy_Config | Not Found | Configuration for proxy server. |
| Proxy_User | Not Found | Username for proxy server authentication. |
| Proxy_Password | Not Found | Password for proxy server authentication. |
| Proxy_Behavior | Use IE settings | Behavior regarding proxy usage. |
| Watermark | 1357776117 | Watermark for identifying the beacon. |
| bStageCleanup | True | Flag indicating whether cleanup is needed after stage. |
| bCFGCaution | False | Flag indicating caution for CFG memory protection. |
| KillDate | 0 | Date to kill the beacon if configured. |
| bProcInject_StartRWX | False | Flag indicating whether to start RWX memory for injection. |
| bProcInject_UseRWX | False | Flag indicating whether to use RWX memory for injection. |
| bProcInject_MinAllocSize | 15585 | Minimum size for memory allocation during injection. |
| ProcInject_PrependAppend_x86 | `b'f\x0f\x1f\x84\x00\x00\x00\x00\x00PXPX\x0f\x1f\x84\x00\x00\x00\x00\x00PX\x0f{TRUNCATED}'`<br>`b'f\x0f\x1fD\x00\x00f\x0f\x1fD\x00\x00\x90\x0f\x1f@\x00\x0f\x1f\x80\x00\x00\x00\x00'` | Code to prepend/append for x86 process injection. See description below. |
| ProcInject_PrependAppend_x64 | `b'\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1f@\x00f\x90f{TRUNCATED}'`<br>`b'\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1fD{TRUNCATED}'` | Code to prepend/append for x64 process injection. See description below. |
| ProcInject_Execute | `ntdll:RtlUserThreadStart`<br>`CreateThread`<br>`NtQueueApcThread`<br>`CreateRemoteThread`<br>`RtlCreateUserThread` | Methods of execution for process injection. |
| ProcInject_AllocationMethod | `VirtualAllocEx` | Method used for memory allocation during injection. |
| bUsesCookies | True | Flag indicating whether the beacon uses cookies. |
| HostHeader | | Host header used in HTTP requests. |
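The four `Malleable_C2_Instructions` steps above describe how the beacon unwraps a server response; the following is an added example (not part of the gist) that applies those steps, in the listed order, to a captured HTTP response body so an analyst can recover the inner task data from traffic. It assumes the mask step uses a 4-byte XOR key prepended to the data; the header/trailer filler and the sample body are constructed.

```python
import base64

# Decode steps taken from the gist's Malleable_C2_Instructions row, in the
# order the beacon applies them to a server response.
TRAILER_LEN = 7449   # "Remove 7449 bytes from the end"
HEADER_LEN = 4338    # "Remove 4338 bytes from the beginning"
MASK_KEY_LEN = 4     # assumption: the "mask" step prepends a 4-byte random XOR key


def xor_unmask(blob: bytes, key_len: int = MASK_KEY_LEN) -> bytes:
    """Undo 'XOR mask w/ random key': leading bytes are the key, the rest is XORed with it."""
    if len(blob) < key_len:
        raise ValueError("masked blob shorter than key")
    key, body = blob[:key_len], blob[key_len:]
    return bytes(b ^ key[i % key_len] for i, b in enumerate(body))


def decode_server_output(response_body: bytes) -> bytes:
    """Apply the profile's decode steps to a captured response body and return the inner task data."""
    if len(response_body) < HEADER_LEN + TRAILER_LEN:
        raise ValueError("body too short to hold header, payload and trailer")
    # Steps 1 and 2: strip the appended trailer and the prepended header.
    inner = response_body[HEADER_LEN:len(response_body) - TRAILER_LEN]
    # Step 3: base64url decode; profiles often omit '=' padding, so restore it.
    padded = inner + b"=" * (-len(inner) % 4)
    masked = base64.urlsafe_b64decode(padded)
    # Step 4: remove the XOR mask.
    return xor_unmask(masked)


def build_sample_response(task: bytes, key: bytes = b"\x01\x02\x03\x04") -> bytes:
    """Constructed fixture only: a body shaped like the profile so the decoder can be checked offline."""
    masked = key + bytes(b ^ key[i % len(key)] for i, b in enumerate(task))
    encoded = base64.urlsafe_b64encode(masked).rstrip(b"=")
    # '<' and '>' stand in for whatever HTML the real profile wraps around the payload.
    return b"<" * HEADER_LEN + encoded + b">" * TRAILER_LEN


if __name__ == "__main__":
    sample = build_sample_response(b"constructed-task-bytes")
    print(decode_server_output(sample))
```

Against real captures, the header and trailer lengths are only meaningful for a response that carries a task; an empty or error response will be shorter and is rejected before decoding.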