@MichaelKoczwara
Created August 9, 2021 10:50
Possible Conti C2 Cobalt Strike Infrastructure
----------------------------------
217.12.202.110
fivefkl.com,/jquery-3.3.1.min.js
185.203.116.231
amusient.com,/jquery-3.5.1.min.js
217.12.202.71
arctiusa.com,/jquery-3.3.1.min.js
88.80.145.31
fondfbr.com,/jquery-3.3.1.min.js
----------------------------------
beacons
----------------------------------
217.12.202.110
HTTP/1.1 404 Not Found
Content-Type: text/plain
Server: Apache
Content-Length: 0
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
CobaltStrike Beacon configurations:
| x86 URI Response:
| BeaconType: 8 (HTTPS)
| Port: 443
| Polling: 5000
| Jitter: 10
| C2 Server: fivefkl.com,/jquery-3.3.1.min.js
| HTTP Method Path 2: /jquery-3.3.2.min.js
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\dllhost.exe
| Spawnto_x64: %windir%\sysnative\dllhost.exe
| Proxy_AccessType: 2 (Use IE settings)
|
|
| x64 URI Response:
| BeaconType: 8 (HTTPS)
| Port: 443
| Polling: 5000
| Jitter: 10
| C2 Server: fivefkl.com,/jquery-3.3.1.min.js
| HTTP Method Path 2: /jquery-3.3.2.min.js
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\dllhost.exe
| Spawnto_x64: %windir%\sysnative\dllhost.exe
| Proxy_AccessType: 2 (Use IE settings)
|_
--------------------------------------------------
185.203.116.231
HTTP/1.1 404 Not Found
Server: nginx
Content-Type: text/plain
Content-Length: 0
Connection: keep-alive
CobaltStrike Beacon configurations:
| x86 URI Response:
| BeaconType: 8 (HTTPS)
| Port: 443
| Polling: 55775
| Jitter: 17
| C2 Server: amusient.com,/jquery-3.5.1.min.js
| HTTP Method Path 2: /jquery-3.6.0.min.js
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\WerFault.exe
| Spawnto_x64: %windir%\sysnative\WerFault.exe
| Proxy_AccessType: 2 (Use IE settings)
|
|
| x64 URI Response:
| BeaconType: 8 (HTTPS)
| Port: 443
| Polling: 55775
| Jitter: 17
| C2 Server: amusient.com,/jquery-3.5.1.min.js
| HTTP Method Path 2: /jquery-3.6.0.min.js
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\WerFault.exe
| Spawnto_x64: %windir%\sysnative\WerFault.exe
| Proxy_AccessType: 2 (Use IE settings)
|_
-----------------------------------------------------
217.12.202.71
HTTP/1.1 404 Not Found
Content-Type: text/plain
Server: Apache
Content-Length: 0
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
CobaltStrike Beacon configurations:
| x86 URI Response:
| BeaconType: 8 (HTTPS)
| Port: 443
| Polling: 5000
| Jitter: 10
| C2 Server: arctiusa.com,/jquery-3.3.1.min.js
| HTTP Method Path 2: /jquery-3.3.2.min.js
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\dllhost.exe
| Spawnto_x64: %windir%\sysnative\dllhost.exe
| Proxy_AccessType: 2 (Use IE settings)
|
|
| x64 URI Response:
| BeaconType: 8 (HTTPS)
| Port: 443
| Polling: 5000
| Jitter: 10
| C2 Server: arctiusa.com,/jquery-3.3.1.min.js
| HTTP Method Path 2: /jquery-3.3.2.min.js
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\dllhost.exe
| Spawnto_x64: %windir%\sysnative\dllhost.exe
| Proxy_AccessType: 2 (Use IE settings)
|_
-----------------------------------------------------
88.80.145.31
HTTP/1.1 404 Not Found
Server: Apache
Content-Length: 0
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/plain
CobaltStrike Beacon configurations:
| x86 URI Response:
| BeaconType: 0 (HTTP)
| Port: 80
| Polling: 5000
| Jitter: 10
| C2 Server: fondfbr.com,/jquery-3.3.1.min.js
| HTTP Method Path 2: /jquery-3.3.2.min.js
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\dllhost.exe
| Spawnto_x64: %windir%\sysnative\dllhost.exe
| Proxy_AccessType: 2 (Use IE settings)
|
|
| x64 URI Response:
| BeaconType: 0 (HTTP)
| Port: 80
| Polling: 5000
| Jitter: 10
| C2 Server: fondfbr.com,/jquery-3.3.1.min.js
| HTTP Method Path 2: /jquery-3.3.2.min.js
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\dllhost.exe
| Spawnto_x64: %windir%\sysnative\dllhost.exe
| Proxy_AccessType: 2 (Use IE settings)
|_