
Detecting cobalt strike beacon traffic
This turns out to be an encrypted IcedID DLL file, which has been analyzed by

Right after the IcedID download we see a series of HTTPS connections towards odd domains like vaccnavalcod.website, mazzappa.fun, ameripermanentno.website and odichaly.space, all of which resolved to IP 83.97.20.176. That host is most likely a command-and-control (C2) server used by the IcedID malware.

CapLoader's "Services" tab also reveals that the TLS connections to port 443 on 83.97.20.176 are very periodic, where the malware agent connects back to the C2 server at regular intervals to check for new tasks. Periodic connection patterns like this are a typical indicator of C2 traffic.

Image: CapLoader's Services tab showing that the IcedID malware agent connects to the C2 server every 5 minutes (00:05:01).

The traffic to 83.97.20.176 is encrypted, so we can't inspect the payload to verify whether or not it is IcedID C2 communication. What we can do, however, is to extract the HTTPS server's X.509 certificate and the JA3 hash of the client's TLS implementation from the encrypted traffic.

NetworkMiner has extracted the X.509 certificates for vaccnavalcod.website, mazzappa.fun, ameripermanentno.website and odichaly.space to disk as "localhost.cer". It turns out that all these sites used the same self-signed certificate, which had SHA1 fingerprint 452e969c51882628dac65e38aff0f8e5ebee6e6b. Further details about this certificate can be found on

The X.509 certificate was created using OpenSSL's default values, such as "Internet Widgits Pty Ltd" etc.

The JA3 hashes used by the IcedID malware agent can be found in NetworkMiner's Hosts tab as well as in the Parameters tab.

Image: NetworkMiner's Parameters tab with keyword filter "JA3 Hash"

Several legitimate Windows applications unfortunately have the same JA3 hashes, so we can't use them to uniquely identify the IcedID agents.

The IcedID C2 traffic continues for over 19 hours, at which point we suddenly see a connection to a new suspicious domain on 185.141.26.140. The first HTTP request to that domain is used to download a 261703 byte file, as can be seen in this Flow Transcript from CapLoader:

NetworkMiner extracts this file as "9r8z.octet-stream". This turns out to be a Cobalt Strike beacon download, which we can decode with Didier Stevens' 1768.py. The output from 1768.py reveals that this Cobalt Strike beacon is using the following URIs for C2 communication:

POST URI:

We can also see that the Cobalt Strike license-id is 1580103814. This ID can be used to link this Cobalt Strike beacon to other campaigns. Below is a list of Cobalt Strike C2 servers using license-id 1580103814.

Yesterday Sergiu shared a list of Cobalt Strike C2 servers. We fed this list to Tek's scan_list.py script in order to see if license-id 1580103814 is still active. We found the following 27 domains and IPs running Cobalt Strike C2 servers on TCP 443 using that license-id. The full output from our re-scan of Sergiu's C2 list can be found on pastebin.

Security researcher Michael Koczwara is tracking Cobalt Strike license 1580103814 as APT actor LuckyMouse.
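To show what the 1768.py step above actually does when it pulls the URIs and the license-id out of a beacon, here is an added example decoder written for this page; it is not 1768.py nor any code from the original post. It relies on the publicly documented Cobalt Strike config layout (a single-byte XOR key, 0x69 for 3.x and 0x2e for 4.x, over a sequence of index/type/length entries that starts with setting 1, the beacon type). The sample "beacon" it decodes is constructed inline: the C2 host, URIs, sleep and jitter values are invented, and only the watermark 1580103814 is taken from the text above.

```python
import struct

# Single-byte XOR keys used for the embedded beacon configuration
# (0x69 in Cobalt Strike 3.x, 0x2e in 4.x). Once decoded, the config always
# starts with setting 1 (beacon type) stored as a 2-byte short:
# index=1, type=1 (short), length=2 -> 00 01 00 01 00 02.
XOR_KEYS = (0x2E, 0x69)
CONFIG_MAGIC = bytes.fromhex("000100010002")

SHORT, INT, DATA = 1, 2, 3  # value types used by the config entries
SETTING_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 5: "Jitter",
                 8: "C2Server", 9: "UserAgent", 10: "HttpPostUri", 37: "Watermark"}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP DNS", 2: "SMB", 4: "TCP",
                8: "HTTPS", 16: "Bind TCP"}


def encode_setting(index, kind, value, size=None):
    """Serialise one config entry: 2-byte index, 2-byte type, 2-byte length, value."""
    if kind == SHORT:
        payload, size = struct.pack(">H", value), 2
    elif kind == INT:
        payload, size = struct.pack(">I", value), 4
    else:
        if len(value) > size:
            raise ValueError("data setting too long")
        payload = value.ljust(size, b"\x00")
    return struct.pack(">HHH", index, kind, size) + payload


def build_sample_beacon():
    """Constructed stand-in for a beacon: a fake PE-like prefix, the XOR-encoded
    config, then filler. Host, URIs and timings are invented (hypothetical);
    the watermark is the license-id discussed in the text."""
    config = b"".join([
        encode_setting(1, SHORT, 8),                                # HTTPS beacon
        encode_setting(2, SHORT, 443),
        encode_setting(3, INT, 60000),                              # sleep 60 s (ms)
        encode_setting(5, SHORT, 15),                               # 15 % jitter
        encode_setting(8, DATA, b"c2.example.invalid,/activity", 256),
        encode_setting(10, DATA, b"/submit.php", 256),
        encode_setting(37, INT, 1580103814),
    ]) + b"\x00" * 6                                                # end-of-config marker
    encoded = bytes(b ^ 0x2E for b in config)
    return b"MZ" + b"\x90" * 64 + encoded + b"\x00" * 32


def find_config(blob):
    """Locate the encoded config by searching for the XOR-ed magic under each key."""
    for key in XOR_KEYS:
        pos = blob.find(bytes(b ^ key for b in CONFIG_MAGIC))
        if pos >= 0:
            return key, pos
    raise ValueError("no Cobalt Strike config found")


def parse_config(decoded):
    """Walk the index/type/length entries until the zero index that ends the config."""
    settings, offset = {}, 0
    while offset + 6 <= len(decoded):
        index, kind, size = struct.unpack_from(">HHH", decoded, offset)
        if index == 0:
            break
        offset += 6
        raw = decoded[offset:offset + size]
        if len(raw) != size:
            raise ValueError("truncated config entry")
        offset += size
        if kind == SHORT:
            value = struct.unpack(">H", raw)[0]
        elif kind == INT:
            value = struct.unpack(">I", raw)[0]
        elif kind == DATA:
            value = raw.split(b"\x00", 1)[0].decode("latin-1")
        else:
            raise ValueError(f"unknown setting type {kind}")
        if index == 1:
            value = BEACON_TYPES.get(value, value)
        settings[SETTING_NAMES.get(index, f"Setting{index}")] = value
    return settings


def decode_beacon(blob):
    """Find, XOR-decode and parse the config of a beacon blob."""
    key, pos = find_config(blob)
    return parse_config(bytes(b ^ key for b in blob[pos:]))


if __name__ == "__main__":
    for name, value in decode_beacon(build_sample_beacon()).items():
        print(f"{name:12} {value}")
```

Searching for the XOR-ed magic rather than a fixed offset is what lets the same routine handle both 3.x and 4.x samples; the Watermark entry (setting 37) is the value you would feed to a scanner such as scan_list.py to find other servers from the same licence.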

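The periodic check-in that CapLoader's Services tab exposes for 83.97.20.176 (one TLS connection every five minutes) can be found programmatically from flow records. The script below is an added example for this page, not CapLoader or NetworkMiner code: it groups flows per service, measures the spread of the inter-connection intervals, and flags services whose timing is nearly constant. The flow list is constructed here; the client address, the second destination and all timestamps are invented, and only the 300-second cadence mirrors the text above.

```python
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed sample flows: (start_time_seconds, src_ip, dst_ip, dst_port).
# The 83.97.20.176:443 flows imitate the 5-minute (300 s) check-in seen above,
# with a little timing noise; the 198.51.100.7:443 flows imitate ordinary,
# irregular web browsing. Client address and timestamps are made up.
SAMPLE_FLOWS = (
    [(t, "10.0.0.5", "83.97.20.176", 443) for t in (0, 301, 600, 902, 1200, 1501, 1800, 2101)]
    + [(t, "10.0.0.5", "198.51.100.7", 443) for t in (5, 12, 140, 141, 900, 2400, 2405, 2490)]
)


def flow_intervals(flows):
    """Group flows per (src, dst, dport) and return each service's sorted
    inter-connection intervals, the raw material behind a 'Services' view."""
    by_service = defaultdict(list)
    for start, src, dst, dport in flows:
        by_service[(src, dst, dport)].append(start)
    intervals = {}
    for key, starts in by_service.items():
        starts.sort()
        intervals[key] = [later - earlier for earlier, later in zip(starts, starts[1:])]
    return intervals


def find_beacons(flows, min_connections=6, max_jitter=0.2):
    """Report services whose inter-connection intervals are nearly constant.

    A service qualifies when it has at least `min_connections` connections and
    the standard deviation of its intervals relative to their mean (the
    coefficient of variation, used here as a jitter measure) is at most
    `max_jitter`. Beacons can add sleep jitter on purpose, so the threshold is
    a tolerance to tune, not an exact-match test. Returns a dict keyed by
    service with the median interval and the measured jitter.
    """
    beacons = {}
    for key, deltas in flow_intervals(flows).items():
        if len(deltas) + 1 < min_connections:
            continue
        avg = mean(deltas)
        if avg <= 0:
            continue
        jitter = pstdev(deltas) / avg
        if jitter <= max_jitter:
            beacons[key] = {"median_interval": median(deltas), "jitter": round(jitter, 3)}
    return beacons


if __name__ == "__main__":
    for (src, dst, dport), info in find_beacons(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}:{dport} connects every ~{info['median_interval']:.0f}s "
              f"(jitter {info['jitter']})")
```

The same calculation works on exported flow or Zeek conn records; the `min_connections` floor matters, because two or three evenly spaced connections are not evidence of anything, and a long-lived beacon with 20 % configured jitter will still sit well inside the default tolerance.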