2022-01-31_CobaltStrikeConfigs
Cobalt Strike in 139.60.161.0/24
Emotet references:
https://twitter.com/Cryptolaemus1/status/1488263011961868294
https://twitter.com/Myrtus0x0/status/1488251571800477696
####################################################
https://139.60.161.45/
C2 Server: jenevabaiden.com (/jquery-3.3.1.min.js)
Watermark: 0
BeaconType: HTTPS
Port: 443
UserAgent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
HttpPostUri: /jquery-3.3.2.min.js
SleepTime: 5000
MaxGetSize: 1403644
Jitter: 10
MaxDNS: Not Found
PublicKey MD5: 3c876d4fa9c8a7d52fe2dc960a6fc1ed
Malleable C2 Instructions: Remove 1522 bytes from the end
Remove 84 bytes from the beginning
Remove 3931 bytes from the beginning
Base64 URL-safe decode
XOR mask w/ random key
Spawnto_x86: %windir%\syswow64\dllhost.exe
Spawnto_x64: %windir%\sysnative\dllhost.exe
####################################################
https://139.60.161.47/
C2 Server: sbronm.com (/jquery-3.3.1.min.js)
Watermark: 0
BeaconType: HTTPS
Port: 443
UserAgent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
HttpPostUri: /jquery-3.3.2.min.js
SleepTime: 5000
MaxGetSize: 1403644
Jitter: 10
MaxDNS: Not Found
PublicKey MD5: 70a24c3ee15bdd939a0f78e43fb9a760
Malleable C2 Instructions: Remove 1522 bytes from the end
Remove 84 bytes from the beginning
Remove 3931 bytes from the beginning
Base64 URL-safe decode
XOR mask w/ random key
Spawnto_x86: %windir%\syswow64\dllhost.exe
Spawnto_x64: %windir%\sysnative\dllhost.exe
####################################################
https://139.60.161.60/
C2 Server: vedingumbr.com (/jquery-3.3.1.min.js)
Watermark: 0
BeaconType: HTTPS
Port: 443
UserAgent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
HttpPostUri: /jquery-3.3.2.min.js
SleepTime: 5000
MaxGetSize: 1403644
Jitter: 10
MaxDNS: Not Found
PublicKey MD5: a2df88cfe1d3cbd405a03a3d053214dc
Malleable C2 Instructions: Remove 1522 bytes from the end
Remove 84 bytes from the beginning
Remove 3931 bytes from the beginning
Base64 URL-safe decode
XOR mask w/ random key
Spawnto_x86: %windir%\syswow64\dllhost.exe
Spawnto_x64: %windir%\sysnative\dllhost.exe
####################################################
https://139.60.161.62/
C2 Server: gookju.com (/jquery-3.3.1.min.js)
Watermark: 0
BeaconType: HTTPS
Port: 443
UserAgent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
HttpPostUri: /jquery-3.3.2.min.js
SleepTime: 5000
MaxGetSize: 1403644
Jitter: 10
MaxDNS: Not Found
PublicKey MD5: e80a376f105de678f8821c926c13905d
Malleable C2 Instructions: Remove 1522 bytes from the end
Remove 84 bytes from the beginning
Remove 3931 bytes from the beginning
Base64 URL-safe decode
XOR mask w/ random key
Spawnto_x86: %windir%\syswow64\dllhost.exe
Spawnto_x64: %windir%\sysnative\dllhost.exe
####################################################
https://139.60.161.69/
C2 Server: bornometa.com (/jquery-3.3.1.min.js)
Watermark: 0
BeaconType: HTTPS
Port: 443
UserAgent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
HttpPostUri: /jquery-3.3.2.min.js
SleepTime: 5000
MaxGetSize: 1403644
Jitter: 10
MaxDNS: Not Found
PublicKey MD5: 1ea99b53955fccf29f96f4e2f367337f
Malleable C2 Instructions: Remove 1522 bytes from the end
Remove 84 bytes from the beginning
Remove 3931 bytes from the beginning
Base64 URL-safe decode
XOR mask w/ random key
Spawnto_x86: %windir%\syswow64\dllhost.exe
Spawnto_x64: %windir%\sysnative\dllhost.exe
####################################################
https://139.60.161.208/
C2 Server: motyol.com (/jquery-3.3.1.min.js)
Watermark: 0
BeaconType: HTTPS
Port: 443
UserAgent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
HttpPostUri: /jquery-3.3.2.min.js
SleepTime: 5000
MaxGetSize: 1403644
Jitter: 10
MaxDNS: Not Found
PublicKey MD5: 60bd890169d8400e3b25ecf2699ffdf3
Malleable C2 Instructions: Remove 1522 bytes from the end
Remove 84 bytes from the beginning
Remove 3931 bytes from the beginning
Base64 URL-safe decode
XOR mask w/ random key
Spawnto_x86: %windir%\syswow64\dllhost.exe
Spawnto_x64: %windir%\sysnative\dllhost.exe
####################################################
https://139.60.161.165/
C2 Server: zhanzhibox.com (/jquery-3.3.1.min.js)
Watermark: 0
BeaconType: HTTPS
Port: 443
UserAgent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
HttpPostUri: /jquery-3.3.2.min.js
SleepTime: 5000
MaxGetSize: 1403644
Jitter: 10
MaxDNS: Not Found
PublicKey MD5: f19f6ace6499cf610d808b5d5c9909db
Malleable C2 Instructions: Remove 1522 bytes from the end
Remove 84 bytes from the beginning
Remove 3931 bytes from the beginning
Base64 URL-safe decode
XOR mask w/ random key
Spawnto_x86: %windir%\syswow64\dllhost.exe
Spawnto_x64: %windir%\sysnative\dllhost.exe
####################################################
https://139.60.161.228/
C2 Server: 139.60.161.228 (/fwlink)
Watermark: 426352781
BeaconType: HTTPS
Port: 443
UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
HttpPostUri: /submit.php
SleepTime: 60000
MaxGetSize: 1048576
Jitter: 0
MaxDNS: Not Found
PublicKey MD5: daf05e69a6f4a769a56ccc7aa8f997aa
Malleable C2 Instructions:
Spawnto_x86: %windir%\syswow64\rundll32.exe
Spawnto_x64: %windir%\sysnative\rundll32.exe
####################################################
https://139.60.161.229/
C2 Server: germanzup.com (/jquery-3.3.1.min.js)
Watermark: 0
BeaconType: HTTPS
Port: 443
UserAgent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
HttpPostUri: /jquery-3.3.2.min.js
SleepTime: 5000
MaxGetSize: 1403644
Jitter: 10
MaxDNS: Not Found
PublicKey MD5: ea7fa892c20f358e31404c8efe8138e2
Malleable C2 Instructions: Remove 1522 bytes from the end
Remove 84 bytes from the beginning
Remove 3931 bytes from the beginning
Base64 URL-safe decode
XOR mask w/ random key
Spawnto_x86: %windir%\syswow64\dllhost.exe
Spawnto_x64: %windir%\sysnative\dllhost.exe
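Eight of the nine beacons above share every traffic-shaping field (same UserAgent, same GET/POST URIs, same SleepTime, Jitter, MaxGetSize, the same five Malleable C2 transform steps and the same dllhost.exe spawnto) and differ only in the C2 domain and the team-server public key; only the beacon on .228 was built from a different profile and carries a non-zero watermark. The script below is an added example, not part of the original dump: it parses this exact record format, groups beacons by profile fingerprint and exports the IOCs. The two embedded records are copied from the dump above so the script runs offline; the field names, the `profile_fingerprint` choice of keys and the `HttpGetUri` name are this example's own conventions.

```python
"""Parse a Cobalt Strike beacon-config dump in the format above, cluster the beacons
by Malleable C2 profile and export IOCs (example code, not part of the gist)."""
import re
from collections import defaultdict

# Two records copied verbatim from the dump above (one shared-profile beacon and the
# differing beacon on .228); in practice pass the whole file to parse_dump().
SAMPLE_DUMP = r"""####################################################
https://139.60.161.45/
C2 Server: jenevabaiden.com (/jquery-3.3.1.min.js)
Watermark: 0
BeaconType: HTTPS
Port: 443
UserAgent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
HttpPostUri: /jquery-3.3.2.min.js
SleepTime: 5000
MaxGetSize: 1403644
Jitter: 10
MaxDNS: Not Found
PublicKey MD5: 3c876d4fa9c8a7d52fe2dc960a6fc1ed
Malleable C2 Instructions: Remove 1522 bytes from the end
Remove 84 bytes from the beginning
Remove 3931 bytes from the beginning
Base64 URL-safe decode
XOR mask w/ random key
Spawnto_x86: %windir%\syswow64\dllhost.exe
Spawnto_x64: %windir%\sysnative\dllhost.exe
####################################################
https://139.60.161.228/
C2 Server: 139.60.161.228 (/fwlink)
Watermark: 426352781
BeaconType: HTTPS
Port: 443
UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
HttpPostUri: /submit.php
SleepTime: 60000
MaxGetSize: 1048576
Jitter: 0
MaxDNS: Not Found
PublicKey MD5: daf05e69a6f4a769a56ccc7aa8f997aa
Malleable C2 Instructions:
Spawnto_x86: %windir%\syswow64\rundll32.exe
Spawnto_x64: %windir%\sysnative\rundll32.exe
"""

FIELD = re.compile(r"^([A-Za-z][A-Za-z0-9_ ]*?):\s?(.*)$")   # "Key: value" lines
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
MC2 = "Malleable C2 Instructions"

def parse_dump(text):
    """One dict per beacon: scalar fields as strings, the Malleable C2 transform
    steps as a list, 'ip' from the https://<ip>/ header, 'c2_host'/'HttpGetUri'
    split out of the 'C2 Server: host (uri)' line."""
    records = []
    for block in re.split(r"^#{4,}\s*$", text, flags=re.M):
        lines = [l.rstrip() for l in block.strip().splitlines() if l.strip()]
        if not lines or not lines[0].startswith("https://"):
            continue
        rec = {"ip": lines[0].split("/")[2], MC2: []}
        key = None
        for line in lines[1:]:
            m = FIELD.match(line)
            if m:
                key, value = m.group(1), m.group(2).strip()
                if key == MC2:
                    if value:
                        rec[MC2].append(value)
                else:
                    rec[key] = value
            elif key == MC2:
                rec[MC2].append(line)      # continuation steps carry no "Key:" prefix
        host, uri = re.match(r"(\S+)\s*\(([^)]*)\)", rec["C2 Server"]).groups()
        rec["c2_host"], rec["HttpGetUri"] = host, uri
        records.append(rec)
    return records

PROFILE_KEYS = ("BeaconType", "Port", "UserAgent", "HttpGetUri", "HttpPostUri",
                "SleepTime", "Jitter", "MaxGetSize", "Spawnto_x86", "Spawnto_x64")

def profile_fingerprint(rec):
    """Hashable view of the traffic-shaping fields: beacons sharing it were built
    from the same Malleable C2 profile even though each team server has its own key."""
    return tuple(rec.get(k, "") for k in PROFILE_KEYS) + (tuple(rec[MC2]),)

def cluster_by_profile(records):
    clusters = defaultdict(list)
    for rec in records:
        clusters[profile_fingerprint(rec)].append(rec["ip"])
    return dict(clusters)

def extract_iocs(records):
    """Network indicators plus the per-beacon public-key hashes; the key hash pins
    a specific team server keystore even if the operator rotates domains."""
    return {
        "ips": sorted({r["ip"] for r in records}),
        "domains": sorted({r["c2_host"] for r in records if not IPV4.match(r["c2_host"])}),
        "pubkey_md5": sorted({r["PublicKey MD5"] for r in records}),
        "watermarks": sorted({r["Watermark"] for r in records}),
    }

if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    for fp, ips in cluster_by_profile(recs).items():
        print(f"{len(ips)} beacon(s): UA={fp[2]!r} GET={fp[3]} POST={fp[4]} -> {ips}")
    print(extract_iocs(recs))
```

Run against the full dump above, cluster_by_profile() returns one cluster of eight hosts (.45, .47, .60, .62, .69, .208, .165, .229) and the lone .228 entry. The distinct PublicKey MD5 per host shows these are separate team-server instances sharing a profile rather than one server behind eight domains, so the profile fingerprint (UA plus the jquery GET/POST pair plus the transform steps) is the more durable detection artifact than any single domain; note that because the beacons talk HTTPS, the URIs and UserAgent are only visible on a TLS-intercepting proxy or in host-side telemetry, not in plain network captures.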