2021-07-21 (WEDNESDAY) - TA551 (SHATHAK) BAZARLOADER WITH COBALT STRIKE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2021-07-21-TA551-IOCs-for-BazarLoader-and-Cobalt-Strike.txt.zip   4.5 kB (4,510 bytes)

• 2021-07-21-TA551-IOCs-for-BazarLoader-and-Cobalt-Strike.txt   (6,642 bytes)

• 2021-07-21-TA551-BazarLoader-with-Cobalt-Strike-2-pcaps.zip   16.8 MB (16,759,658 bytes)

• 2021-07-21-TA551-part-1-of-2-BazarLoader-and-Bazar-C2.pcap   (3,741,575 bytes)
• 2021-07-21-TA551-part-2-of-2-Bazar-C2-and-Cobalt-Strike.pcap   (14,960,099 bytes)

• 2021-07-21-TA551-BazarLoader-and-Cobalt-Strike-malware.zip   9.1 MB (9,146,094 bytes)

• Extracted-docs/07.21.doc   (73,427 bytes)
• Extracted-docs/deed contract-07.21.doc   (74,729 bytes)
• Extracted-docs/deed contract_07.21.2021.doc   (73,971 bytes)
• Extracted-docs/direct.07.21.doc   (71,047 bytes)
• Extracted-docs/facts-07.21.2021.doc   (71,134 bytes)
• Extracted-docs/input 07.21.2021.doc   (74,255 bytes)
• Extracted-docs/instruct 07.21.2021.doc   (73,678 bytes)
• Extracted-docs/legal agreement-07.21.doc   (70,533 bytes)
• Extracted-docs/ordain_07.21.2021.doc   (73,425 bytes)
• HTA-and-DLL-files/2021-07-21-sds.hta-for-boysLove.jpg.txt   (2,827 bytes)
• HTA-and-DLL-files/2021-07-21-sds.hta-for-friendBoy.jpg.txt   (2,786 bytes)
• HTA-and-DLL-files/2021-07-21-sds.hta-for-friendIFriend.jpg.txt   (2,992 bytes)
• HTA-and-DLL-files/2021-07-21-sds.hta-for-girlBoyGirl.jpg.txt   (2,770 bytes)
• HTA-and-DLL-files/2021-07-21-sds.hta-for-girlGirlBoys.jpg.txt   (2,859 bytes)
• HTA-and-DLL-files/2021-07-21-sds.hta-for-girlYou.jpg.txt   (2,901 bytes)
• HTA-and-DLL-files/2021-07-21-sds.hta-for-haveSimpleAnd.jpg.txt   (2,876 bytes)
• HTA-and-DLL-files/2021-07-21-sds.hta-for-simpleAndAnd.jpg.txt   (2,933 bytes)
• HTA-and-DLL-files/2021-07-21-sds.hta-for-uGirl.jpg.txt   (2,776 bytes)
• HTA-and-DLL-files/boysLove.jpg   (1,249,922 bytes)
• HTA-and-DLL-files/friendBoy.jpg   (1,249,922 bytes)
• HTA-and-DLL-files/friendIFriend.jpg   (1,249,922 bytes)
• HTA-and-DLL-files/girlBoyGirl.jpg   (1,249,922 bytes)
• HTA-and-DLL-files/girlGirlBoys.jpg   (1,249,922 bytes)
• HTA-and-DLL-files/girlYou.jpg   (1,249,922 bytes)
• HTA-and-DLL-files/haveSimpleAnd.jpg   (465,028 bytes)
• HTA-and-DLL-files/simpleAndAnd.jpg   (1,249,922 bytes)
• HTA-and-DLL-files/uGirl.jpg   (1,249,922 bytes)
• jyheeckptwa.exe   (7,602,176 bytes)

NOTES:

• This week, TA551 (Shathak) switched to pushing BazarLoader (it was previously pushing Trickbot).
• jyheeckptwa.exe is a Windows EXE based on the Gopurple shellcode runner.  This EXE was used to load & run Cobalt Strike.

 

IMAGES

Shown above:  Traffic from an infection filtered in Wireshark (part 1).

 

Shown above:  Traffic from an infection filtered in Wireshark (part 2).

 

Shown above:  Process showing how jyheeckptwa.exe is run.

 

Shown above:  Traffic from an infection filtered in Wireshark (part 3).

 

Click here to return to the main page.