Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- Appendix A: IOCs
- https://kassanova[.]kz/files/docs/T47188445.doc – Malicious document drop-zone
- 7f0f3689b728d12a00ca258c688bf034 – MD5: Malicious document
- a26722fc7e5882b5a273239cddfe755f – MD5: Downloaded Payload
- 185.61.149[.]186 – Cobalt Strike beacon C2
- Appendix B: Cobalt beacon configuration
- {
- 'PROTOCOL': '0',
- 'SPAWNTO_X64':'%windir%\\sysnative\\gpupdate.exe',
- 'SLEEPTIME': '30000',
- 'C2_VERB_GET': 'GET',
- 'DNS_SLEEP': '0',
- 'MAXGET': '1398102',
- 'USERAGENT': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)', 'PORT': '80',
- 'DNS_IDLE': '134744072',
- 'C2_POSTREQ': "[('_HEADER', 0, 'Accept: */*'), ('BUILD', ('BASE64URL',)), ('PREPEND', 0, 'wla42='), ('PREPEND', 0, 'xid=730bf7;'), ('PREPEND', 0, 'MSPAuth=3EkAjDKjI;'), ('PREPEND', 0, 'ClientId=1C0F6C5D910F9;'), ('PREPEND', 0, 'MicrosoftApplicationsTelemetryDeviceId=95c18d8-4dce9854;'), ('HEADER', 0, 'Cookie')]",
- 'WATERMARK': '3',
- 'PUBKEY': '30819f300d06092a864886f70d010101050003818d00308189028181008f8c237f7f407fcf5f47e2d76c589982b2595ead0d45d4e4ea875b2d07f2b8283f64786c7a142d3ce78baa01d1bb14479162d14520cc8ba15b1dc0b5e57850ab7bccb95838156dec5b58097a007d0180e358e144653d80381ac240efe9b789adf5f319515651bdfc3eb160b411f5cba2b8e7e21cb2cbc743b5ffb6fba5d2b8ff0203010001',
- 'SPAWNTO_X86': '%windir%\\syswow64\\gpupdate.exe',
- 'C2_REQUEST': "[('_HEADER', 0, 'Accept: */*'), ('_HEADER', 0, 'Cookie: MicrosoftApplicationsTelemetryDeviceId=95c18d8-4dce9854;ClientId=1C0F6C5D910F9;MSPAuth=3EkAjDKjI;xid=730bf7;wla42=ZG0yMzA2KjEs'), ('BUILD', ('BASE64URL',))]",
- 'CRYPTO_SCHEME': '0',
- 'JITTER': '20',
- 'C2_CHUNK_POST':'96',
- 'PIPENAME': '',
- 'C2_VERB_POST': 'GET',
- 'SUBMITURI': '/OWA/',
- 'DOMAINS': '185.61.149.186,/owa/',
- 'MAXDNS': '235'
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
