SANS ISC: SANS Internet Storm Center


Example of Cleartext Cobalt Strike Traffic (Thanks Brad)

Published: 2021-04-12
Last Updated: 2021-04-12 20:30:42 UTC
by Didier Stevens (Version: 1)
1 comment(s)

Brad has a large collection of malware traffic (thanks Brad :-) ).

I've been searching his collection for a particular sample, and I found one:

2019-07-25 - HANCITOR-STYLE AMADEY MALSPAM PUSHES PONY & COBALT STRIKE

What is special about this sample? Let me show you.

Open Brad's pcap file with Wireshark, go to File / Export Objects / HTTP ..., and sort the table by size, descending:

You see 3 filenames (H7mp, H7mp, OLIx). These are the Cobalt Strike beacons with a "checksum8 URL":

See my diary entry "Finding Metasploit & Cobalt Strike URLs" for more information.

Save one of the files to disk (the 3 files are identical) and analyze it with my tool 1768.py:

Notice that the value of CryptoScheme is 1: this means that this beacon (and the C2) will not encrypt their transmitted data with AES, because encryption is disabled in trial versions of Cobalt Strike.
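To show what 1768.py is doing when it reports CryptoScheme, here is an added example (not Didier's tool, not code from the diary) that locates and parses a beacon configuration. It assumes the publicly documented layout: a single-byte XOR-encoded blob of TLV records (2-byte setting ID, 2-byte type, 2-byte length, big-endian) that starts with setting 1, and setting 31 being CryptoScheme; the sample blob is constructed for the example.

```python
import struct

# Record types: 1 = 16-bit int, 2 = 32-bit int, 3 = raw bytes (assumed public layout).
TYPE_SHORT, TYPE_INT, TYPE_DATA = 1, 2, 3
SETTING_BEACONTYPE, SETTING_PORT, SETTING_C2SERVER, SETTING_CRYPTOSCHEME = 1, 2, 8, 31
# Single-byte XOR keys seen in the wild: 0x69 (Cobalt Strike 3.x), 0x2e (4.x).
XOR_KEYS = (0x69, 0x2E)
# Setting 1 (BeaconType, short, length 2) opens the config: decoded 00 01 00 01 00 02.
CONFIG_MARKER = b"\x00\x01\x00\x01\x00\x02"

def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def parse_config(blob: bytes) -> dict:
    """Try each XOR key, locate the config marker and walk the TLV records."""
    for key in XOR_KEYS:
        decoded = xor(blob, key)
        start = decoded.find(CONFIG_MARKER)
        if start == -1:
            continue
        settings, pos = {}, start
        while pos + 6 <= len(decoded):
            sid, stype, slen = struct.unpack(">HHH", decoded[pos:pos + 6])
            pos += 6
            if sid == 0:                       # setting ID 0 terminates the config
                break
            raw = decoded[pos:pos + slen]
            pos += slen
            if stype == TYPE_SHORT:
                settings[sid] = struct.unpack(">H", raw[:2])[0]
            elif stype == TYPE_INT:
                settings[sid] = struct.unpack(">I", raw[:4])[0]
            else:
                settings[sid] = raw.rstrip(b"\x00")  # fixed-size fields are NUL padded
        return settings
    raise ValueError("no beacon config found")

def is_cleartext(settings: dict) -> bool:
    """HTTP beacon (type 0) with CryptoScheme 1: traffic readable straight from the pcap."""
    return settings.get(SETTING_BEACONTYPE) == 0 and settings.get(SETTING_CRYPTOSCHEME) == 1

def build_record(sid: int, stype: int, value) -> bytes:
    raw = struct.pack(">H", value) if stype == TYPE_SHORT else \
          struct.pack(">I", value) if stype == TYPE_INT else value
    return struct.pack(">HHH", sid, stype, len(raw)) + raw

# Constructed sample: a trial-style config surrounded by junk, XOR-encoded with 0x69.
SAMPLE = b"\x00" * 32 + xor(
    build_record(1, TYPE_SHORT, 0) + build_record(2, TYPE_SHORT, 80)
    + build_record(8, TYPE_DATA, b"c2.example.invalid,/submit.php".ljust(256, b"\x00"))
    + build_record(31, TYPE_SHORT, 1) + b"\x00" * 6, 0x69) + b"\x00" * 32
```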

And since the beacon communicates over HTTP, we can see cleartext traffic directly with Wireshark. For example, filter on "submit.php" requests:

And follow the HTTP stream of the first request:

We can see strings that look like IPv4 config information: internal IPv4 address (10.7.25.101), network mask (255.255.255.0), MTU (1500) and MAC address (00:08:02:1C:47:AE).

Isn't that nice? :-)

If you like looking through pcap files, like we handlers do, I invite you to find more unencrypted Cobalt Strike traffic in Brad's pcap file, and share your comments here.


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Keywords: beacon pcap
