Cobalt Strike 4.3 - A malware analysis.

I am a 19 year old, self-taught computer programmer and aspiring malware analyst. I have also taught myself penetration testing via TryHackMe and HTB. I hope to one day work in a security operations centre, protecting companies world-wide from threats.
In search of malware to reverse, my friend gave me a sample to look at.
https://bazaar.abuse.ch/sample/fa87935161707d6675f094392d2c8519a5747735820e55f3688c7fc535f8e794
Stage 1 : Decompressing Gunzip
When I downloaded the original payload, I discovered it is heavily encoded and even uses Gunzip compression to hide.

This revealed PowerShell code which was readable; however, it also included a new Base64 encoded string. Presumably a new payload :D
Stage 2 : Decoding Base64, XOR, and revealing the C2.
Looking at the code, I noticed the Cobalt Strike payload uses binary XOR (bxor) in the PowerShell code to encrypt itself. Decoding and decrypting this was as simple as going to CyberChef and using the following recipes: "From Base64" and "XOR". I used the standard options on the Base64 recipe, but for XOR I used a key of 35. Here's why:

$var_code is the variable where the Base64 payload is stored. This code is essentially just encoding the payload with XOR using a key of 35, which you can see at -bxor 35.
After decoding all of the payloads, we now have a binary file for the executable. We can tell this because the new output contains the string "This program cannot be run in DOS mode."
We can also tell it is a binary file because of the magic byte "MZ".

Now I just downloaded this new program to my machine and ran it against "DidierStevensSuite".
I specifically used his 1768.py to analyse the Cobalt Strike Beacon.

Running this payload through Didier's tool revealed the IP address and port which it communicates with.

Not only that but it also tells us which LOLBIN it uses to stay on the victim's machine:

In addition, it tells us the attack technique used:

Stage 3 : Overall report.
IP/Port: 88.119.161.147:24567
Attack method: Process injection into rundll32.exe (https://lolbas-project.github.io/lolbas/Binaries/Rundll32/)
Since the payload is injected into rundll32.exe we know that it's a .dll file. Attackers use this to avoid triggering any scanning software or anything that would usually pick up a normal .exe payload. (https://attack.mitre.org/techniques/T1218/011/)
