Cobalt Strike Beacon Analysis from a Live C2

Welcome back to a new type of post, this one is going to be a little bit different from my normal blog posts. Today we're going to talk about a real live piece of malware that has been attributed to TA578 and IcedID/Bokbot.

At the time of writing, I was able to locate a real live Cobalt Strike sample thanks to Brad over at If you're unfamiliar with him and his work, he works for Palo Alto Unit 42 and provides PCAP samples of malware running in his lab. It's a remarkable thing to do, and I hope others follow suit in the future.

Today, my coworker and I were doing some analysis of this specific malware sample's PCAP that was posted, and something interesting caught our eyes. We were able to identify that an adversary used PowerShell to download another stage that led to Cobalt Strike. Here's the specific URL the adversary hit:

I fired up my Kali VM and went to the URL mentioned above, and to my surprise the URL was still live. We have ourselves a nice giant base64 encoded glob here, so let's scroll all the way down to the bottom of the file and see what else may be lurking below.

Interesting: so we have a Base64 encoded GZIP stream that needs to be decompressed. So far, this is pretty standard for Cobalt Strike. Let's copy the base64 into CyberChef and decode it.

I'll be honest, I'm going to skip a lot of this. Here's our deobfuscated PowerShell script! The PowerShell script certainly didn't lie… This is all a pretty standard way to run EXEs from PowerShell.

If you looked closely at the screenshot, you may have noticed a little bit more Base64 poking out at the bottom of the script. This is the chunk that contains the shellcode used to communicate with the Cobalt Strike C2 server itself. Unfortunately, this isn't straight Base64; we can't just decode the shellcode and all will be well in the world. Fortunately, it's almost as simple as our "From Base64, Gunzip". We simply have to scroll down to the bottom of the file to find that our shellcode is actually XORed with a key of 35. Pivoting over to CyberChef, we can easily remove "Gunzip" and replace it with XOR. One thing I always found tricky about XOR is the format the key is given in. You can find the Recipe here.

After setting the key to Decimal, we should see an MZ header… Or one would think? Oh wait, it is there! It's just a few bytes off…. It's a NOP sled! I don't think I've ever seen that before.

Anyways, now that we have the binary executable, let's download it from CyberChef by clicking the "Save Output to File" icon. You will be prompted to name the file; I kept it "download.bin".

On Kali, I cloned SentinelOne's Cobalt Strike Beacon Parser, which can be found on GitHub ("Parse Cobalt Strike Beacon Configs"). This tool can be used to do exactly that! Let's run it against our executable and see what happens.

And… It works! We can see where the beacon is sending data to (solvesalesoftcom:8080/af). Knowing this, there's tons of interesting things we could do. Unfortunately, decoding traffic is not one of them.
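As an added example (not the post's own code, nor CyberChef's), here is the same decode chain done in Python: "From Base64, Gunzip" for the outer stage, then "From Base64, XOR" with the decimal key 35 for the inner chunk, then locating the MZ header sitting a few bytes behind the NOP sled. The stage-0 blob, the PowerShell-like wrapper and the stand-in "PE" bytes are constructed here for the demo, not taken from the live sample.

```python
import base64
import gzip
import re

XOR_KEY = 35  # the key recovered from the bottom of the downloaded script


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the same operation CyberChef's XOR recipe performs."""
    return bytes(b ^ key for b in data)


def decode_stage1(blob: str) -> str:
    """'From Base64, Gunzip': turn the downloaded blob into the PowerShell script."""
    return gzip.decompress(base64.b64decode(blob)).decode("utf-8")


def extract_inner_b64(script: str) -> str:
    """Pull the longest base64 run out of the script: the shellcode chunk at the bottom."""
    runs = re.findall(r"[A-Za-z0-9+/]{40,}={0,2}", script)
    return max(runs, key=len)


def decode_stage2(script: str, key: int = XOR_KEY) -> bytes:
    """'From Base64, XOR': recover the raw beacon bytes from the inner chunk."""
    return xor_bytes(base64.b64decode(extract_inner_b64(script)), key)


def find_mz_offset(payload: bytes) -> int:
    """The MZ header may sit a few bytes in, behind a NOP (0x90) sled; -1 if absent."""
    return payload.find(b"MZ")


# Constructed sample (hypothetical, not the real sample): a stand-in PE preceded by a
# 4-byte NOP sled, XORed with 35, base64'd, wrapped in a PowerShell-like script,
# then gzipped and base64'd again exactly as the outer stage was.
FAKE_PE = b"\x90" * 4 + b"MZ" + b"\x00" * 58 + b"PE\x00\x00stub"
INNER = base64.b64encode(xor_bytes(FAKE_PE, XOR_KEY)).decode()
SCRIPT = (
    "Set-StrictMode -Version 2\n"
    f"[Byte[]]$var_code = [System.Convert]::FromBase64String('{INNER}')\n"
    "for ($x = 0; $x -lt $var_code.Count; $x++) { $var_code[$x] = $var_code[$x] -bxor 35 }\n"
)
STAGE0 = base64.b64encode(gzip.compress(SCRIPT.encode())).decode()

if __name__ == "__main__":
    beacon = decode_stage2(decode_stage1(STAGE0))
    off = find_mz_offset(beacon)
    print(f"MZ header at offset {off}; bytes before it: {beacon[:off].hex()}")
```

The `find_mz_offset` check is what tells you whether to skip a sled before handing the file to a PE parser or the beacon config parser.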