Cobalt Strike Hunting — simple PCAP and Beacon Analysis
Legit healthcare company.
Threat actors' TTPs
The threat actors acquired an expired, already-categorized healthcare domain, claycityhealthcare[.]com, and redirected it to the legitimate site bonnergeneral[.]org.
Visiting claycityhealthcare[.]com in a browser lands you on bonnergeneral[.]org.
Threat actors' TTPs — hiding Cobalt Strike on a claycityhealthcare[.]com subdomain.
Let's investigate the subdomains using Shodan and VirusTotal.
Quick VirusTotal and Shodan check.
Shodan check.
When you go to remote.claycityhealthcare[.]com the browser displays an HTTP 404 error page.
The subdomain has two open ports, 80 and 443.
HTTP/1.1 404 Not Found combined with Content-Type: text/plain and Content-Length: 0 is always suspicious to me.
Right, so now let's scan the subdomain with an Nmap script to identify a potential Cobalt Strike C2.
What is interesting here is the Malleable C2 profile URI:
remote.claycityhealthcare.com/CWoNaJLBo/VTNeWw11212
Malleable C2 is a way for an attacker to blend command-and-control traffic (Beacon check-ins between victim and server) in with normal traffic, with the goal of avoiding detection. Malleable C2 profiles can be customized.
If you don't know about Comfoo, this is a good read.
PCAP analysis
Cobalt Strike/Comfoo HTTP traffic.
172.105.10.217 is remote.claycityhealthcare[.]com, where the Cobalt Strike C2 is hiding.
Taking a closer look:
An active C2 server responds with HTTP/1.1 200 OK headers.
Beacon analysis
Let's quickly analyze the Beacon configuration and pull out the most interesting fields.
{
"BeaconType": [
"HTTP"
],
"MD5": "9773d90443383e04c171c5b3e3017740",
"Filename": "cshell/a36fbae6e4c3e98560fc0f90ce075fb0d65ca926fdcfebea11a1b90445374c82.decoded",
"Port": 80,
"SleepTime": 30000,
SleepTime is in milliseconds: 30000 is 30 seconds (0.5 minute) between Beacon call-homes; 60000 is the default.
"MaxGetSize": 1048576,
"Jitter": 20,
Jitter: Beacon varies each of its check-in times by a random percentage, up to the jitter factor you specify (0 to 99).
"MaxDNS": "Not Found",
"PublicKey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC4P4BXSFMmJsHj3ePkNMOVGRsqJFQngo2QAFX0spN5orR8gltRgIcI0cseMS9BE2iPXZs7cl5zVRg1n29JF4dlhq37hKaOCY2RncPCZVvX4elC9hZuRqmtIGOmsCRHhf3/KZbYIMT0t5E+N4KcQaHqWD7SFx43P8QzPJ4fUzootwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==",
"C2Server": "remote.claycityhealthcare.com,/CWoNaJLBo/VTNeWw11212/",
"UserAgent": "Not Found",
"HttpPostUri": "/CWoNaJLBo/VTNeWw11213/",
"HttpGet_Metadata": "Not Found",
"HttpPost_Metadata": "Not Found",
"SpawnTo": "Sm5rsPpaNgDLmwgX+eatPw==",
"PipeName": "Not Found",
"DNS_Idle": "Not Found",
"DNS_Sleep": "Not Found",
"SSH_Host": "Not Found",
"SSH_Port": "Not Found",
"SSH_Username": "Not Found",
"SSH_Password_Plaintext": "Not Found",
"SSH_Password_Pubkey": "Not Found",
"HttpGet_Verb": "GET",
"HttpPost_Verb": "POST",
"HttpPostChunk": 0,
"Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
"Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
Spawnto is the process Cobalt Strike spawns to run its shellcode and post-exploitation jobs; rundll32.exe is the default.
"CryptoScheme": 0,
"Proxy_Config": "Not Found",
"Proxy_User": "Not Found",
"Proxy_Password": "Not Found",
"Proxy_Behavior": "Use IE settings",
"Watermark": 2005485734,
The Watermark is unique to a customer licence and can sometimes be attributed to a specific threat actor.
"bStageCleanup": "False",
"bCFGCaution": "False",
"KillDate": "2099-01-01",
"bProcInject_StartRWX": "True",
"bProcInject_UseRWX": "True",
"bProcInject_MinAllocSize": 0,
"ProcInject_PrependAppend_x86": "Empty",
"ProcInject_PrependAppend_x64": "Empty",
"ProcInject_Execute": [
"CreateThread",
"SetThreadContext",
"CreateRemoteThread",
"RtlCreateUserThread"
],
"ProcInject_AllocationMethod": "VirtualAllocEx",
"bUsesCookies": "False",
"HostHeader": ""
}
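As an added example (not from the write-up or any Cobalt Strike tooling), the Python below takes the key fields from the decoded config above, derives the C2 host, the GET/POST URIs and the expected check-in window (Cobalt Strike's jitter shortens each sleep by a random percentage up to the Jitter value), then runs those indicators over a few constructed proxy-log lines, also flagging the empty 404/text/plain response fingerprint noted earlier. The log format and the exact host match are assumptions.

```python
import json
import re

# Constructed, trimmed copy of the decoded Beacon config above (only the fields used here).
BEACON_CONFIG = json.loads("""{
  "Port": 80, "SleepTime": 30000, "Jitter": 20, "Watermark": 2005485734,
  "C2Server": "remote.claycityhealthcare.com,/CWoNaJLBo/VTNeWw11212/",
  "HttpPostUri": "/CWoNaJLBo/VTNeWw11213/"
}""")

def extract_indicators(cfg):
    """Pull host, GET/POST URIs and the expected check-in window out of a decoded config."""
    host, get_uri = cfg["C2Server"].split(",", 1)
    # Jitter shortens each sleep by 0..Jitter percent, so check-ins land in [SleepTime*(1-J/100), SleepTime] ms.
    min_sleep_ms = cfg["SleepTime"] * (100 - cfg["Jitter"]) // 100
    return {
        "host": host,
        "get_uri": get_uri,
        "post_uri": cfg["HttpPostUri"],
        "port": cfg["Port"],
        "checkin_window_ms": (min_sleep_ms, cfg["SleepTime"]),
        "watermark": cfg["Watermark"],
    }

# Constructed sample proxy log (assumed format): epoch src method url status content-type content-length
SAMPLE_LOG = """\
1700000000 10.0.0.5 GET http://remote.claycityhealthcare.com/CWoNaJLBo/VTNeWw11212/ 200 application/octet-stream 48
1700000001 10.0.0.5 GET http://remote.claycityhealthcare.com/ 404 text/plain 0
1700000002 10.0.0.7 GET http://example.org/index.html 200 text/html 5120
1700000030 10.0.0.5 POST http://remote.claycityhealthcare.com/CWoNaJLBo/VTNeWw11213/ 200 application/octet-stream 16
"""

def hunt(log_text, ind):
    """Flag hits on the profile URIs plus the bare 404/text-plain/zero-length fingerprint on the C2 host."""
    hits = []
    for line in log_text.splitlines():
        _ts, src, method, url, status, ctype, clen = line.split()
        m = re.match(r"https?://([^/]+)(/.*)", url)
        if not m or m.group(1) != ind["host"]:
            continue  # ignore traffic to other hosts
        path = m.group(2)
        if method == "GET" and path == ind["get_uri"]:
            hits.append((src, "beacon GET check-in"))
        elif method == "POST" and path == ind["post_uri"]:
            hits.append((src, "beacon POST"))
        elif status == "404" and ctype == "text/plain" and clen == "0":
            hits.append((src, "empty 404 fingerprint"))
    return hits
```

The check-in window (24 to 30 seconds here) is what to look for when bucketing repeated GETs from one source to the C2 host.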