Attack Analysis — Cobalt Strike C2 & Hancitor/Malware

Michael Koczwara
4 min read · Dec 23, 2021

Incident Response & PCAP/Attack Analysis

Agenda:

  • PCAP Analysis.
  • Malicious Macro Analysis.
  • CyberChef & VT Analysis.
  • Cobalt Strike C2.
  • Short Summary.

PCAP Analysis

In red I have highlighted the areas of interest/key points for this attack analysis.

The HTTP GET /uninviting.php request, and the 200 OK response to it, are where the victim opened the email and triggered the malicious macro.

In the screenshot below we can see the URL: xn-keynavigator-ky-i08g0k.com (the malicious domain).

Now we can pull the artefacts out of the PCAP (File > Export Objects > HTTP in Wireshark), which gives us the downloaded file to hash and check further.
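To make clear what Export Objects actually does with the capture, here is an added example (not part of the original post, and not the author's tooling): a standard-library Python re-implementation of the simple case. It parses a classic pcap, follows each TCP flow, reassembles the byte stream, splits it into HTTP messages, and returns every response body together with the URL it was fetched from and its SHA-256, the value you would then look up on VirusTotal. It assumes a classic pcap (not pcapng), Ethernet link type, IPv4/TCP, in-order segments with no retransmission or overlap, and Content-Length bodies (no chunked encoding). The request path and Host header are the ones seen in the post's capture; the IP addresses, ports and the response body are constructed test data, not the real payload.

```python
# Added example: minimal "Export Objects > HTTP" in pure Python (stdlib only).
# Assumptions: classic pcap, Ethernet, IPv4/TCP, in-order segments, Content-Length bodies.
import hashlib
import socket
import struct
from collections import defaultdict

PCAP_MAGIC_LE, PCAP_MAGIC_BE, LINKTYPE_ETHERNET = 0xA1B2C3D4, 0xD4C3B2A1, 1

def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet/IPv4/TCP frame around `payload` (only used to build the constructed sample)."""
    eth = bytes.fromhex("001122334455 66778899aabb 0800")  # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)  # PSH|ACK
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Classic little-endian pcap: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1640217600 + i, 0, len(frame), len(frame)) + frame
    return out

def iter_frames(pcap):
    """Yield raw frames from a classic pcap, honouring the byte order its magic declares."""
    end = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(struct.unpack_from("<I", pcap, 0)[0])
    if end is None:
        raise ValueError("not a classic pcap (pcapng or unknown magic)")
    if struct.unpack_from(end + "I", pcap, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled")
    off = 24
    while off + 16 <= len(pcap):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len

def tcp_segment(frame):
    """(src, sport, dst, dport, payload) for an IPv4/TCP frame, or None for anything else."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len, = struct.unpack_from("!H", frame, 16)
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    t = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, t)
    data_off = (frame[t + 12] >> 4) * 4
    return src, sport, dst, dport, frame[t + data_off:14 + total_len]

def reassemble_flows(pcap):
    """Concatenate TCP payloads per direction, keyed by (src, sport, dst, dport)."""
    flows = defaultdict(bytearray)
    for frame in iter_frames(pcap):
        seg = tcp_segment(frame)
        if seg and seg[4]:
            flows[seg[:4]] += seg[4]
    return flows

def split_http(stream):
    """Split a reassembled stream into (start_line, headers, body) messages (Content-Length only)."""
    messages = []
    while (end := stream.find(b"\r\n\r\n")) >= 0:
        start, *lines = stream[:end].decode("latin-1").split("\r\n")
        headers = {k.strip().lower(): v.strip()
                   for k, v in (line.split(":", 1) for line in lines if ":" in line)}
        length = int(headers.get("content-length", 0))
        body, stream = stream[end + 4:end + 4 + length], stream[end + 4 + length:]
        messages.append((start, headers, body))
    return messages

def export_http_objects(pcap):
    """Pair each request with the matching response and describe the fetched object."""
    flows = reassemble_flows(pcap)
    objects = []
    for (csrc, csport, ssrc, ssport), cstream in flows.items():
        requests = [m for m in split_http(bytes(cstream)) if m[0].startswith(("GET ", "POST ", "HEAD "))]
        if not requests:
            continue  # this direction is server -> client; handled via its client flow
        responses = split_http(bytes(flows.get((ssrc, ssport, csrc, csport), b"")))
        for (req_line, req_hdrs, _), (status_line, rsp_hdrs, body) in zip(requests, responses):
            method, path, _ = req_line.split(" ", 2)
            objects.append({"client": csrc, "server": ssrc, "method": method,
                            "url": f"http://{req_hdrs.get('host', ssrc)}{path}",
                            "status": status_line.split(" ", 1)[1],
                            "content_type": rsp_hdrs.get("content-type", ""),
                            "size": len(body), "sha256": hashlib.sha256(body).hexdigest()})
    return objects

# Constructed sample capture: request path and Host from the post, everything else made up.
VICTIM, SERVER = "10.0.0.25", "203.0.113.10"
REQUEST = (b"GET /uninviting.php HTTP/1.1\r\n"
           b"Host: xn-keynavigator-ky-i08g0k.com\r\n"
           b"User-Agent: Mozilla/5.0\r\n\r\n")
BODY = b"constructed-sample-payload-not-real-malware"
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            b"Content-Length: %d\r\n\r\n" % len(BODY) + BODY)

def sample_pcap():
    half = len(RESPONSE) // 2  # response split over two segments to exercise reassembly
    return build_pcap([build_frame(VICTIM, SERVER, 49152, 80, REQUEST),
                       build_frame(SERVER, VICTIM, 80, 49152, RESPONSE[:half]),
                       build_frame(SERVER, VICTIM, 80, 49152, RESPONSE[half:])])
```

Running `export_http_objects(sample_pcap())` returns one object: the GET to `http://xn-keynavigator-ky-i08g0k.com/uninviting.php`, its `200 OK` status, the content type, the reassembled body size and its SHA-256. On a real capture the same function walks every flow, so you get one row per downloaded object, and the hash is what you submit to VT rather than the file itself. Wireshark does considerably more (pcapng, VLAN tags, IPv6, out-of-order and retransmitted segments, chunked and compressed bodies); the point here is that object export is nothing more than TCP stream reassembly followed by HTTP message framing.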
