Cobalt strike beacon what is it

A JNLP file is a Java web file which, when clicked, the application javaws.exe will attempt to load and execute.

Javaws.exe is an application that is part of the Java Runtime Environment and is used to give internet functionality to Java applications. JNLP files can be used to allow applications hosted on a remote server to be launched locally. It is worth noting that to be susceptible to phishing via a JNLP file the user will have to have Java installed on their machine. They are generally quite simple and are not difficult to analyse. You can easily view the content of a JNLP file by changing the extension to .xml and loading the file in a text editor like Notepad++. As shown in the XML code below, we can see that this JNLP file will be used to load and execute the JAR file FedEx_Delivery_invoice.jar from the domain hxxp://fedex-tracking.fun.

As we know the name and location of the second-stage payload, we can try and download it. The domain hxxp://fedex-tracking.fun is still up, so we can download the FedEx_Delivery_invoice.jar file from there.

Once we have the file, we will analyse it with JD-GUI. JD-GUI is a simple tool that allows you to decompile and view the code of JAR files.

[Code snippet: FedEx_Delivery_invoice.jar]

As the code snippet above shows, the FedEx_Delivery_invoice.jar file is going to attempt to download the file fedex912.exe from the domain hxxp://fedex-trackingpress. (I copied the code into Atom after opening it with JD-GUI as I like the syntax highlighting there.)

The executable will be placed into the Windows temp directory, where it will then be executed. The JAR file will also load the legitimate FedEx tracking website, most likely to try to reassure the user that the file they have downloaded is a legitimate one. Unfortunately, at the time of writing, the domain hosting fedex912.exe is no longer active, meaning we cannot download the file from there.

However, there is a sample on VirusTotal that we can download. I ran the executable in my analysis environment with Process Monitor and RegShot, and there were a few things of note. Firstly, the file fedex912.exe drops a new file called gennt.exe, which is basically just a copy of itself, into the directory C:\ProgramData\9ea94915b24a4616f72c\. The reason for placing the file here is that it is a hidden directory and not normally visible to the user. It then deletes the fedex912.exe file from the filesystem. I used RegShot to take before and after snapshots of the registry and compared the two after running the executable. The entry below shows the malware's persistence mechanism: adding the gennt.exe executable to this registry key ensures that the malware is started every time Windows is restarted.

    HKU\S-1-5-21-1245055219-2462972176-1415829347-1001\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "explorer.exe, "C:\ProgramData\9ea94915b24a4616f72c\gennt.exe""

After doing some additional research on the executable, I found that it is supposed to launch cmd, which then launches PowerShell. However, that did not occur on my test machine when running the executable. There could be a few reasons for this; one could be that the malware has anti-analysis capabilities and knows when it is being run in a standard VM. As my lab is not currently set up to counter VM-aware malware, we are going to cheat slightly and use data from a sample that was run on AnyRun. On the AnyRun analysis, we can see that cmd did launch "C:\Windows\System32\cmd.exe" /c powershell -nop -w hidden -encodedcommand ..., where a Base64-encoded command was passed to PowerShell. AnyRun records the command line, so let's have a look into this.
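The Base64 blob from the AnyRun command line is not reproduced in this copy of the post, so the following is an added example (mine, not the post author's) of how an analyst decodes a -nop -w hidden -encodedcommand launch like the one recorded above. The sample command line and its payload are constructed; the harmless command "dir" stands in for the real script.

```python
"""Decode the PowerShell -EncodedCommand argument from a recorded command line."""
import base64
import binascii
import re
from typing import Optional

# Constructed sample in the shape the post describes: cmd.exe launching a hidden,
# profile-less, encoded PowerShell. "ZABpAHIA" is the UTF-16LE Base64 encoding of
# the harmless command "dir"; it is a stand-in, not the blob from the real sample.
SAMPLE_CMDLINE = ('"C:\\Windows\\System32\\cmd.exe" /c powershell -nop -w hidden '
                  '-encodedcommand ZABpAHIA')

# Matches -e, -en, -ec, -enc and -encodedcommand followed by the Base64 argument.
ENC_ARG = re.compile(r"(?i)(?:^|\s)-e(?:c|n(?:c(?:odedcommand)?)?)?\s+([A-Za-z0-9+/=]+)")
HIDDEN = re.compile(r"(?i)\s-w(?:indowstyle)?\s+hidden\b")
NOPROFILE = re.compile(r"(?i)\s-nop(?:rofile)?\b")


def extract_encoded(cmdline: str) -> Optional[str]:
    """Return the Base64 argument that follows an -EncodedCommand style switch."""
    m = ENC_ARG.search(cmdline)
    return m.group(1) if m else None


def decode_encoded_command(b64: str) -> Optional[str]:
    """-EncodedCommand is Base64 over UTF-16LE text; return None if it is not."""
    try:
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) % 2:  # UTF-16 needs an even number of bytes
        return None
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None


def triage(cmdline: str) -> dict:
    """Summarise the launch switches the post calls out plus the decoded script."""
    b64 = extract_encoded(cmdline)
    return {
        "hidden_window": bool(HIDDEN.search(cmdline)),
        "no_profile": bool(NOPROFILE.search(cmdline)),
        "encoded": b64 is not None,
        "decoded": decode_encoded_command(b64) if b64 else None,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINE))
```

On a real process-creation log the decoded text is what you would inspect for the next stage (download cradle, injected shellcode loader, and so on); a hidden window plus no profile plus an encoded body is the combination worth alerting on.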
