Created
December 22, 2020 16:23
-
-
Save mgraeber-rc/9eab38e68f40bf5a57d7894e951090ea to your computer and use it in GitHub Desktop.
Extracted Cobalt Strike Beacon config for 3cfbf519913d703a802423e6e3fb734abf8297971caccc7ae45df172196b6e84 from this post: https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "BeaconType": [ | |
| "HTTPS" | |
| ], | |
| "Port": 443, | |
| "SleepTime": 5000, | |
| "MaxGetSize": 1049611, | |
| "Jitter": 99, | |
| "MaxDNS": 255, | |
| "C2Server": "static.rennorigroup.com,/api/v1/meemes/latest", | |
| "UserAgent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; Xbox)", | |
| "HttpPostUri": "/api/v1/user/2159215/chat/", | |
| "Malleable_C2_Instructions": [ | |
| "Remove 321 bytes from the end", | |
| "Remove 714 bytes from the beginning" | |
| ], | |
| "HttpGet_Metadata": [ | |
| "Host: 10.137.0.37", | |
| "Accept-Language: de-DE", | |
| "Accept: */*", | |
| "Connection: Keep-Alive", | |
| "Cache-Control: no-cache", | |
| "session_tracker=", | |
| "0001eqt60.2.1;", | |
| ";_ga=GA1.2.9924", | |
| ";_gat=1", | |
| "Cookie" | |
| ], | |
| "HttpPost_Metadata": [ | |
| "Host: 10.137.0.37", | |
| "{type:5, h:\"89f55c797591308d62f78915b27f6c06c0897b91\", body:\"", | |
| "\"}", | |
| "session_tracker=", | |
| "0001eqt60.2.1;", | |
| "loid=", | |
| ";reddaid=", | |
| "SHXIJU204B", | |
| "Cookie" | |
| ], | |
| "SpawnTo": "9Bmk6b02QRanL/U6nF8rPQ==", | |
| "PipeName": "", | |
| "DNS_Idle": "0.0.0.0", | |
| "DNS_Sleep": 0, | |
| "SSH_Host": "Not Found", | |
| "SSH_Port": "Not Found", | |
| "SSH_Username": "Not Found", | |
| "SSH_Password_Plaintext": "Not Found", | |
| "SSH_Password_Pubkey": "Not Found", | |
| "HttpGet_Verb": "GET", | |
| "HttpPost_Verb": "POST", | |
| "HttpPostChunk": 0, | |
| "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe", | |
| "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe", | |
| "CryptoScheme": 0, | |
| "Proxy_Config": "Not Found", | |
| "Proxy_User": "Not Found", | |
| "Proxy_Password": "Not Found", | |
| "Proxy_Behavior": "Use IE settings", | |
| "Watermark": 1745912540, | |
| "bStageCleanup": "True", | |
| "bCFGCaution": "False", | |
| "KillDate": 0, | |
| "bProcInject_StartRWX": "True", | |
| "bProcInject_UseRWX": "False", | |
| "bProcInject_MinAllocSize": 16700, | |
| "ProcInject_PrependAppend_x86": "Empty", | |
| "ProcInject_PrependAppend_x64": "Empty", | |
| "ProcInject_Execute": [ | |
| "ntdll.dll:RtlUserThreadStart", | |
| "SetThreadContext", | |
| "NtQueueApcThread-s", | |
| "kernel32.dll:LoadLibraryA", | |
| "RtlCreateUserThread" | |
| ], | |
| "ProcInject_AllocationMethod": "NtMapViewOfSection", | |
| "bUsesCookies": "True", | |
| "HostHeader": "" | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Thank you for that clarification! The blog post didn't make it super clear that the posted hash was unrelated to TEARDROP but reading it over again, it becomes clearer to me that it is not related.