“legitimately and maliciously to create persistent footholds between reboots. in this particular case, we found multiple commands for legitimate applications contained in the runonce key, but there was one that looked awfully suspicious. we inspected the command in the suspicious …”
T1055.001 Dynamic-link Library Injection (99%)
“. in case you’re not familiar with delphi, it’s a programming language that allows you to write, package and deploy cross-platform native applications across a number of operating systems. evasion techniques: part two we initially performed some basic static analysis and f…”
T1055.001 Dynamic-link Library Injection (98%)
“is often used to bypass automated scanning tools that don’t have the time to wait for the sleep functions to complete. it can also be used to evade manual dynamic analysis, since an analyst may falsely believe that the malware is not doing anything when it’s actually just tak…”
T1059.001 PowerShell (98%)
“unfamiliar with powershell, that script may look a bit intimidating. ultimately, the powershell script achieves four main things: - loads an obfuscated string that has been stored in the registry. - de-obfuscates the string and converts the result into a byte array. - loads th…”
T1055.001 Dynamic-link Library Injection (98%)
“not have been widely used, or that it was potentially still active. the fifth binary file we are well beyond the point of necessary analysis, but we decided to continue down this rabbit hole. using a debugger, we tried to monitor the buffers used by the named pipes, as they are o…”
T1055.001 Dynamic-link Library Injection (97%)
“these two functions combined allow a piece of malware to hide functionality from static analysis and potentially evade some basic forms of detection. loading up the file within the x32dbg debugger, we observed a large number of calls to the sleep function, which would cause the p…”
T1547.001 Registry Run Keys / Startup Folder (95%)
“…b) of this file, we were suspicious that we might have missed something. the file seemed too small to contain a proper payload. we suspected that this was not the final payload and was likely a stager used to retrieve another payload. since the file was written in .net, we wer…”
T1620 Reflective Code Loading (87%)
“. it essentially generates the number 1000 and stores it into the $ko variable. it does this in a way that takes a million loop iterations to generate — which might be an anti-analysis technique. - line 27: loads the stringtobytes function, but first replaces any instance of …”
T1055.001 Dynamic-link Library Injection (84%)
“sometimes ignored or whitelisted by detection systems. (look up lolbas as to why it’s a terrible idea to whitelist microsoft binaries.) - since the werfault.exe process performs error reporting, it may have legitimate reasons for making external network connections, meaning …”
T1559 Inter-Process Communication (79%)
“…ware. in most cases, named pipes are legitimately used for inter-process communication. but they are also a key component of cobalt strike beacons and a common tactic used to evade automated analysis as they tend to cause issues for emulation tools and automated sandboxes. be…”
T1055.001 Dynamic-link Library Injection (63%)
“of memory, we eventually hit a breakpoint on createthread, which was targeting one of the newly allocated sections of memory created by the virtualalloc calls. we inspected that section further and found an mz header, indicating that we had found our fourth binary file. the fourt…”
T1059.001 PowerShell (48%)
“. it essentially generates the number 1000 and stores it into the $ko variable. it does this in a way that takes a million loop iterations to generate — which might be an anti-analysis technique. - line 27: loads the stringtobytes function, but first replaces any instance of …”
T1547.001 Registry Run Keys / Startup Folder (47%)
“and evasion, while others are focused on the silent exfiltration of corporate data. while the intent of cobalt strike is to better equip legitimate red teams and pen testers with the capabilities of sophisticated threat actors, it is often misused when in the wrong hands. you kno…”
T1071 Application Layer Protocol (46%)
“eventually, we hit loadlibrary again and observed the wininet.dll and ws2_32.dll module being loaded. since these are windows libraries used for network and web communication, we knew that the code might be about to reach out to its c2 server. we were able to set breakpoints …”
T1071.001 Web Protocols (36%)
“…8xwblnmwpv3y10tgabupka2lk+gbrljnti6gpqbul although it looked like the data was base64 encoded, we were unable to extract anything meaningful from using variations of base64 decoders. but wait – are these actually addresses? looking at the cookie data within the dump view, we …”
T1071.001 Web Protocols (32%)
“eventually, we hit loadlibrary again and observed the wininet.dll and ws2_32.dll module being loaded. since these are windows libraries used for network and web communication, we knew that the code might be about to reach out to its c2 server. we were able to set breakpoints …”
Summary
Join us for a threat hunting adventure as we analyze a suspicious run key that leads us to Cobalt Strike malware hidden across nearly 700 registry values.