Cobalt Strike Hunting — simple PCAP and Beacon Analysis

Legit healthcare company.


Threat actors TTP’s

Threat Actors acquired expired and categorized healthcare domain


and redirected malicious domain claycityhealthcare[.]com to the legit one bonneralgeneral[.]org

When you click on claycityhealthcare[.]com it goes to

Threat Actors TTP’s — hiding Cobalt Strike in claycityhealthcare[.]com subdomain.

Let's investigate subdomains using Shodan and VirusTotal.

Quick Virus Total and Shodan check.

Shodan check.

When you go to remote.claycityhealthcare[.]com the browser will display HTTP Error 404 page.

Subdomain with two ports opened 80 and 443.

HTTP/1.1 404 Not Found and Content-Type: text/plain Content-Length:0 is always suspicious to me.

Right, so now let's scan the subdomain using Nmap script to identify potential Cobalt Strike/C2.

What is interesting in this one is Malleable profile

A Malleable C2 is a way for an attacker to blend in command and control traffic (beacons between victim and server) with the goal of avoiding detection. Malleable C2 Profiles can be customized.

If you don't know about Comfoo, this is a good read.

PCAP analysis

Cobalt Strike/Comfoo HTTP traffic. that’s remote.claycityhealthcare[.]com where Cobalt Strike/C2 is hiding.

and take a look a bit closer

An active C2 server responds with headers HTTP/1.1 200 OK

Beacon analysis

Let's quickly analyze the Beacon and clarify the most interesting info.

“BeaconType”: [
“MD5”: “9773d90443383e04c171c5b3e3017740”,
“Filename”: “cshell/a36fbae6e4c3e98560fc0f90ce075fb0d65ca926fdcfebea11a1b90445374c82.decoded”,
“Port”: 80,
“SleepTime”: 30000,

(0.5 minute) time when beacon will call home, 60000 is a default one.

“MaxGetSize”: 1048576,
“Jitter”: 20,

Beacon will vary each of its check in times by the random percentage you specify as a jitter factor from 0 -99.

“MaxDNS”: “Not Found”,

“C2Server”: “,/CWoNaJLBo/VTNeWw11212/”,

“UserAgent”: “Not Found”,
“HttpPostUri”: “/CWoNaJLBo/VTNeWw11213/”,
“HttpGet_Metadata”: “Not Found”,
“HttpPost_Metadata”: “Not Found”,
“SpawnTo”: “Sm5rsPpaNgDLmwgX+eatPw==”,
“PipeName”: “Not Found”,
“DNS_Idle”: “Not Found”,
“DNS_Sleep”: “Not Found”,
“SSH_Host”: “Not Found”,
“SSH_Port”: “Not Found”,
“SSH_Username”: “Not Found”,
“SSH_Password_Plaintext”: “Not Found”,
“SSH_Password_Pubkey”: “Not Found”,
“HttpGet_Verb”: “GET”,
“HttpPost_Verb”: “POST”,
“HttpPostChunk”: 0,

“Spawnto_x86”: “%windir%\\syswow64\\rundll32.exe”,
“Spawnto_x64”: “%windir%\\sysnative\\rundll32.exe”,

This is where Cobalt Strike shellcode would spawn.

rundll32.exe it is a default one.

“CryptoScheme”: 0,
“Proxy_Config”: “Not Found”,
“Proxy_User”: “Not Found”,
“Proxy_Password”: “Not Found”,
“Proxy_Behavior”: “Use IE settings”,

“Watermark”: 2005485734,

Watermark is unique to a customer and sometimes could be assigned and attributed to specific threat actors.

“bStageCleanup”: “False”,
“bCFGCaution”: “False”,
“KillDate”: “2099–01–01”,
“bProcInject_StartRWX”: “True”,
“bProcInject_UseRWX”: “True”,
“bProcInject_MinAllocSize”: 0,
“ProcInject_PrependAppend_x86”: “Empty”,
“ProcInject_PrependAppend_x64”: “Empty”,
“ProcInject_Execute”: [
“ProcInject_AllocationMethod”: “VirtualAllocEx”,
“bUsesCookies”: “False”,
“HostHeader”: “”


Security Researcher [RED&BLUE]

Love podcasts or audiobooks? Learn on the go with our new app.