Malware Analysis Report
10320115.r1.v1
2021-02-05
Notification
This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.
This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.
Summary
Description
This report provides detailed analysis of malicious artifacts associated with a sophisticated supply chain compromise of Solar Winds Orion network management software, identified by the security company FireEye as TEARDROP.
TEARDROP is a loader designed to decrypt and execute an embedded payload on the target system. The payload has been identified as the Cobalt Strike Beacon Implant (Version 4) and provides a remote operator command and control capabilities over a victim system through an encrypted network tunnel. The capabilities include the ability to rapidly exfiltrate data, log keystrokes, take screenshots, and deploy additional payloads.
For a downloadable copy of IOCs, see: MAR-10320115-1.v1.stix.
Submitted Files (2)
1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c (1817a5bf9c01035bcf8a975c9f1d94...)
b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07 (b820e8a2057112d0ed73bd7995201d...)
Domains (2)
ervsystem.com
infinitysoftwares.com
Findings
1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c
Tags
backdoordroppertrojan
Details
Name |
1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c |
Size |
321024 bytes |
Type |
PE32+ executable (DLL) (GUI) x86-64 (stripped to external PDB), for MS Windows |
MD5 |
35abfb98dac5bf48f7ac0e67afc9bdb7 |
SHA1 |
9185029c2630b220a74620c8f3d04886a457e1cf |
SHA256 |
1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c |
SHA512 |
93f1336e3bc7ac01561f0ad7ce5fec7ae078e55db0f5b0cf0663cb5dbbe2acb08f27490da179e27579debc04843bf02f047456c516bf0345ba827e0efe85149a |
ssdeep |
6144:NQGxkGwaxIOkqNQI7LI8L/pOXlZg2gv+rtcOHNManxm2wf:NtxpgyNQIo8LePWOHWgTa |
Entropy |
7.922861 |
Antivirus
BitDefender |
Generic.Teardrop.1.244AC43A |
Clamav |
Win.Dropper.Teardrop-9808996-3 |
Emsisoft |
Generic.Teardrop.1.244AC43A (B) |
Lavasoft |
Generic.Teardrop.1.244AC43A |
Microsoft Security Essentials |
Trojan:Win64/Cobaltstrike.RN!dha |
Symantec |
Backdoor.Teardrop |
YARA Rules
- rule CISA_10320115_01 : TEARDROP trojan backdoor
{
meta:
Author = "CISA Code & Media Analysis"
Incident = "10320115"
Date = "2020-12-31"
Last_Modified = "20201231_1800"
Actor = "n/a"
Category = "Trojan Backdoor"
Family = "TEARDROP"
Description = "Detects variants of TEARDROP malware"
MD5_1 = "f612bce839d855bbff98214a197489f7"
SHA256_1 = "dc20f4e50784533d7d10925e4b056f589cc73c139e97f40c0b7969728a28125c"
MD5_2 = "91e47c7bc9a7809e6b1560e34f2d6d7e"
SHA256_2 = "b37007db21a7f969d2c838f3bbbeb78a7402d66735bb5845ef31df9048cc33f0"
MD5_3 = "91e47c7bc9a7809e6b1560e34f2d6d7e"
SHA256_3 = "1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c"
strings:
$s0 = { 65 23 FB 7F 20 AA EB 0C B8 16 F6 BC 2F 4D D4 C4 39 97 C7 23 9F 3E 5C DE }
$s1 = { 5C E6 06 63 FA DE 44 C0 D4 67 95 28 12 47 C5 B5 EF 24 BC E4 }
$s2 = { 9E 96 BA 1B FB 7F 19 5A 8C 06 AB FA 43 3B F0 83 9E 54 0B 02 }
$s3 = { C2 7E 93 FC 02 B9 C6 DE 2B AF C6 C2 BE 2C 88 02 B4 1D 03 F5 }
$s4 = { 48 B8 53 4F 46 54 57 41 52 45 C7 44 24 60 66 74 5C 43 C6 44 24 66 00 48 89 44 24 50 48 B8 5C 4D 69 63 72 6F 73 6F }
$s5 = { 48 83 F8 FF 48 8D }
$s6 = { 8B 0A 48 83 C2 04 8D 81 FF FE FE FE F7 D1 21 C8 25 80 80 80 80 }
$s7 = { 5B 5E 5F 5D 41 5C 41 }
$s8 = { 4E 00 65 00 74 00 77 00 6F 00 72 00 6B 00 20 00 53 00 65 00 74 00 75 00 70 00 20 00 53 00 65 00 72 00 76 00 69 00 63 00 65 }
$s9 = { 64 6C 6C 00 4E 65 74 53 65 74 75 70 53 65 72 76 69 63 65 4D 61 69 6E }
$s10 = { 41 31 C0 45 88 04 0A 48 83 C1 01 45 89 C8 41 39 CB 7F }
condition:
($s0 or $s1 or $s2 or $s3) or ($s4 and $s5 and $s6 and $s7 and $s8 and $s9 and $s10)
}
- rule FireEye_20_00025665_01 : TEARDROP APT dropper
{
meta:
Author = "FireEye"
Date = "2020-12-13"
Last_Modified = "20201213_1916"
Actor = "n/a"
Category = "Hacktool"
Family = "TEARDROP"
Description = "This rule looks for portions of the TEARDROP backdoor that are vital to how it functions. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory."
MD5_1 = ""
SHA256_1 = ""
strings:
$sb1 = { C7 44 24 ?? 80 00 00 00 [0-64] BA 00 00 00 80 [0-32] 48 8D 0D [4-32] FF 15 [4] 48 83 F8 FF [2-64] 41 B8 40 00 00 00 [0-64] FF 15 [4-5] 85 C0 7? ?? 80 3D [4] FF }
$sb2 = { 80 3D [4] D8 [2-32] 41 B8 04 00 00 00 [0-32] C7 44 24 ?? 4A 46 49 46 [0-32] E8 [4-5] 85 C0 [2-32] C6 05 [4] 6A C6 05 [4] 70 C6 05 [4] 65 C6 05 [4] 67 }
$sb3 = { BA [4] 48 89 ?? E8 [4] 41 B8 [4] 48 89 ?? 48 89 ?? E8 [4] 85 C0 7? [1-32] 8B 44 24 ?? 48 8B ?? 24 [1-16] 48 01 C8 [0-32] FF D0 }
condition:
all of them
}
- rule FireEye_20_00025665_02 : TEARDROP APT dropper
{
meta:
Author = "FireEye"
Date = "2020-12-13"
Last_Modified = "20201213_1916"
Actor = "n/a"
Category = "Hacktool"
Family = "TEARDROP"
Description = "This rule is intended match specific sequences of opcode found within TEARDROP, including those that decode the embedded payload. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory."
MD5_1 = ""
SHA256_1 = ""
strings:
$loc_4218FE24A5 = { 48 89 C8 45 0F B6 4C 0A 30 }
$loc_4218FE36CA = { 48 C1 E0 04 83 C3 01 48 01 E8 8B 48 28 8B 50 30 44 8B 40 2C 48 01 F1 4C 01 FA }
$loc_4218FE2747 = { C6 05 ?? ?? ?? ?? 6A C6 05 ?? ?? ?? ?? 70 C6 05 ?? ?? ?? ?? 65 C6 05 ?? ?? ?? ?? 67 }
$loc_5551D725A0 = { 48 89 C8 45 0F B6 4C 0A 30 48 89 CE 44 89 CF 48 F7 E3 48 C1 EA 05 48 8D 04 92 48 8D 04 42 48 C1 E0 04 48 29 C6 }
$loc_5551D726F6 = { 53 4F 46 54 57 41 52 45 ?? ?? ?? ?? 66 74 5C 43 ?? ?? ?? ?? 00 }
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
ssdeep Matches
No matches found.
PE Metadata
Compile Date |
2018-12-09 10:37:58-05:00 |
Import Hash |
0a331624686ac9055694d7ddd9c0815d |
Company Name |
None |
File Description |
Network Setup Service |
Internal Name |
None |
Legal Copyright |
© Microsoft Corporation. All rights reserved. |
Original Filename |
NETSETUPSVC.DLL |
Product Name |
Microsoft® Windows® Operating System |
Product Version |
10.0.14393.0 |
PE Sections
MD5 |
Name |
Raw Size |
Entropy |
d990149684ac611b98b9d389766a7e17 |
header |
1024 |
2.584189 |
5fbd9948fd72f083803635022111fd99 |
.text |
23552 |
6.358535 |
122bd1d155ed0c51226ea0b38872e13d |
.data |
286720 |
7.998098 |
9d8aead5ec18fa55740a34a7eaa3c2bb |
.rdata |
1536 |
3.673323 |
7b5aab64a2810cf05bd80323f8aa17d4 |
.pdata |
1536 |
3.660221 |
8b15f6849b0bf0f60bd81b23988f5ca7 |
.xdata |
1024 |
2.883941 |
d41d8cd98f00b204e9800998ecf8427e |
.bss |
0 |
0.000000 |
091c8665b4cd95cc583105c223f156aa |
.edata |
512 |
0.967748 |
c94c470079ed994735caebed176cd925 |
.idata |
2560 |
4.429320 |
c806ece4d1aa4e25beb529c6e7dc947d |
.CRT |
512 |
0.253231 |
9f168cc07fa95e573b1f74a2e4614f79 |
.tls |
512 |
0.331828 |
5b06dd2d5de3cb635e5e15313a541789 |
.rsrc |
1024 |
2.933337 |
99450283e3e0c313f697d0165f585598 |
.reloc |
512 |
1.239038 |
Relationships
1817a5bf9c... |
Connected_To |
ervsystem.com |
Description
This file is a malicious 64-bit DLL, identified as a variant of the TEARDROP loader. The malware attempts to read the first 64-bytes of a file named "festive_computer.jpg" (Figure 1). It does not utilize the data it reads from this file and it will continue executing even if this file is not present on the target system.
After attempting to read the file "festive_computer.jpg," it will decrypt and execute an embedded code buffer using an XOR based stream cipher (Figure 2). Below is the key utilized by the cipher algorithm to decrypt the embedded code buffer:
—Begin Cipher Key—
C27E93FC02B9C6DE2BAFC6C2BE2C8802B41D03F53365B25AEE1A67D0E9525171F5F7149045E5D1F672176CA686C3C7A0D34E5FF1FBCBF6C14C4BEE2867A296DDE199179CB4D4CC93EA4DFB75510AB9F531EDCCA291B74C7FAA9D7156A97F359B6E68D9EA2D77E646654D3533D8A135A1E604FE6A55EE72B4543A7F331B473A9B7D14765D01DF7ACC0370894DE2530F8FDB51066AE70B0D462A15
—End Cipher Key—
The embedded code buffer has been identified as the Cobalt Strike Beacon (version 4) Remote Access Tool (RAT). Displayed below is the embedded Beacon configuration data:
—Begin Cobalt Beacon Configuration Data—
Port - 443
SleepTime - 7200000
MaxGetSize - 1399696
Jitter - 18
MaxDNS - 255
C2Server - ervsystem.com/2019/Two-Man-Point-The-Brands/
UserAgent - Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; rv:11.0) like Gecko
HttpPostUri - /2019/Users-Case-Documentation-And-Yourselt/
Malleable_C2_Instructions - Remove 38 bytes from the end
Remove 1554 bytes from the beginning
Base64 decode
HttpGet_Metadata - Referer: https://yahoo.com/
Host: ervsystem.com
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Connection: close
PHPSESSID=
Cookie
HttpPost_Metadata - Referer: https://yahoo.com/
Host: ervsystem.com
Accept: */*
Accept-Language: en-US
Connection: close
name="uploaded_1";filename="04373.avi"
Content-Type: text/plain
p
SpawnTo - b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
PipeName -
DNS_Idle - 9.9.9.9
DNS_Sleep - 0
SSH_Host - Not Found
SSH_Port - Not Found
SSH_Username - Not Found
SSH_Password_Plaintext - Not Found
SSH_Password_Pubkey - Not Found
HttpGet_Verb - GET
HttpPost_Verb - POST
HttpPostChunk - 0
Spawnto_x86 - %windir%\syswow64\msiexec.exe
Spawnto_x64 - %windir%\sysnative\print.exe
CryptoScheme - 0
Proxy_Config - Not Found
Proxy_User - Not Found
Proxy_Password - Not Found
Proxy_Behavior - Use IE settings
Watermark - 892810033
bStageCleanup - True
bCFGCaution - False
KillDate - 0
bProcInject_StartRWX - False
bProcInject_UseRWX - False
bProcInject_MinAllocSize - 7281
ProcInject_PrependAppend_x86 - b'\x90'
Empty
ProcInject_PrependAppend_x64 - b'\x90\x90\x90'
Empty
ProcInject_Execute - ntdll:RtlUserThreadStart
CreateThread
NtQueueApcThread
SetThreadContext
ProcInject_AllocationMethod - NtMapViewOfSection
bUsesCookies - True
HostHeader -
—End Cobalt Beacon Configuration Data—
Screenshots
Figure 1 - Screenshot of the code structure that tries to read "festive_computer.jpg" from disk.
Figure 2 - Screenshot of TEARDROP using an algorithm to decrypt the embedded code buffer which contains the Cobalt Strike Beacon remote access tool (RAT).
ervsystem.com
Tags
command-and-control
URLs
- ervsystem.com/2019/Two-Man-Point-The-Brands/
Ports
Whois
Domain Name: ERVSYSTEM.COM
Registry Domain ID: 2222911627_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.epik.com
Registrar URL: http://www.epik.com
Updated Date: 2020-09-04T23:23:29Z
Creation Date: 2018-02-04T08:45:05Z
Registrar Registration Expiration Date: 2022-02-04T08:45:05Z
Registrar: Epik, Inc.
Registrar IANA ID: 617
Registrar Abuse Contact Email: abuse@epik.com
Registrar Abuse Contact Phone: +1.4253668810
Reseller:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: Privacy Administrator
Registrant Organization: Anonymize, Inc.
Registrant Street: 704 228th Ave NE
Registrant City: Sammamish
Registrant State/Province: WA
Registrant Postal Code: 98074
Registrant Country: US
Registrant Phone: +1.4253668810
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: ervsystem.com@anonymize.com
Registry Admin ID:
Admin Name: Privacy Administrator
Admin Organization: Anonymize, Inc.
Admin Street: 704 228th Ave NE
Admin City: Sammamish
Admin State/Province: WA
Admin Postal Code: 98074
Admin Country: US
Admin Phone: +1.4253668810
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: ervsystem.com@anonymize.com
Registry Tech ID:
Tech Name: Privacy Administrator
Tech Organization: Anonymize, Inc.
Tech Street: 704 228th Ave NE
Tech City: Sammamish
Tech State/Province: WA
Tech Postal Code: 98074
Tech Country: US
Tech Phone: +1.4253668810
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: ervsystem.com@anonymize.com
Name Server: NS3.EPIK.COM
Name Server: NS4.EPIK.COM
DNSSEC: signedDelegation
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
Relationships
ervsystem.com |
Connected_From |
1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c |
Description
This domain is the command and control (C2) for the sample "1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c."
b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07
Tags
backdoortrojan
Details
Name |
b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07 |
Size |
530432 bytes |
Type |
PE32+ executable (DLL) (GUI) x86-64 (stripped to external PDB), for MS Windows |
MD5 |
bd842c41b4c1b3c2deb475d7a3876599 |
SHA1 |
f7e61eb028b399b74c73883a2fccedbe56ecea2e |
SHA256 |
b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07 |
SHA512 |
110a10662342b0d5716c3307c51fa8a591bf621049d8d291aa44f8ab864ab075064651750334619292e9362136e328c14dd637033c244d42551ac5b321941aad |
ssdeep |
12288:NMINVoXxVuxcowWRjZ9dpOLg8UU8YhUhKEcBvg+:2rxIwU19eL4oUAEun |
Entropy |
7.533146 |
Antivirus
BitDefender |
Trojan.Teardrop.C |
ESET |
a variant of Generik.NFGRBKQ trojan |
Emsisoft |
Trojan.Teardrop.C (B) |
Lavasoft |
Trojan.Teardrop.C |
Microsoft Security Essentials |
Trojan:Win64/Cobaltstrike.RN!dha |
Symantec |
Backdoor.Teardrop |
YARA Rules
- rule FireEye_20_00025665_02 : TEARDROP APT dropper
{
meta:
Author = "FireEye"
Date = "2020-12-13"
Last_Modified = "20201213_1916"
Actor = "n/a"
Category = "Hacktool"
Family = "TEARDROP"
Description = "This rule is intended match specific sequences of opcode found within TEARDROP, including those that decode the embedded payload. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory."
MD5_1 = ""
SHA256_1 = ""
strings:
$loc_4218FE24A5 = { 48 89 C8 45 0F B6 4C 0A 30 }
$loc_4218FE36CA = { 48 C1 E0 04 83 C3 01 48 01 E8 8B 48 28 8B 50 30 44 8B 40 2C 48 01 F1 4C 01 FA }
$loc_4218FE2747 = { C6 05 ?? ?? ?? ?? 6A C6 05 ?? ?? ?? ?? 70 C6 05 ?? ?? ?? ?? 65 C6 05 ?? ?? ?? ?? 67 }
$loc_5551D725A0 = { 48 89 C8 45 0F B6 4C 0A 30 48 89 CE 44 89 CF 48 F7 E3 48 C1 EA 05 48 8D 04 92 48 8D 04 42 48 C1 E0 04 48 29 C6 }
$loc_5551D726F6 = { 53 4F 46 54 57 41 52 45 ?? ?? ?? ?? 66 74 5C 43 ?? ?? ?? ?? 00 }
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
ssdeep Matches
No matches found.
PE Metadata
Compile Date |
2018-03-09 23:23:43-05:00 |
Import Hash |
3417123af2f473f771d46841bfce6d48 |
Company Name |
None |
File Description |
GetText: library and tools for native language support |
Internal Name |
None |
Legal Copyright |
© 2015 Free Software Foundation <www.fsf.org> |
Original Filename |
libintl3.dll |
Product Name |
libintl3.dll |
Product Version |
0.14.4.1952 |
PE Sections
MD5 |
Name |
Raw Size |
Entropy |
1ae8ec5795f9a3cad5d54e569634d668 |
header |
1024 |
2.703747 |
989e04fb5dc1eb83a3055a3fea30fb7a |
.text |
209408 |
6.327319 |
d2bcd776a8ca1ed76feb8344d0739f1a |
.data |
286720 |
7.998501 |
fdbd0954169972c21876938dbd536da3 |
.rdata |
1536 |
3.636101 |
7eddb104f4aad897faffc33762e896cf |
.pdata |
7680 |
5.364572 |
8232395ce211b61e4df169c38afdb7f6 |
.xdata |
3072 |
1.658757 |
d41d8cd98f00b204e9800998ecf8427e |
.bss |
0 |
0.000000 |
add3d2ca7de32da5c3a5d2718129d600 |
.edata |
15872 |
5.809199 |
8e6af2ae43eb16502507eeb8c7c03aa5 |
.idata |
2560 |
3.983544 |
768bf26d947f32101953daeeea4a19b1 |
.CRT |
512 |
0.238291 |
60227c557d35a7f2cf79a13c284b1dab |
.tls |
512 |
0.335735 |
2d007e3e5c7f7423ed5c43b129f03f34 |
.rsrc |
1024 |
2.956911 |
ddbe94bbe8aeacf9cb120fe816659354 |
.reloc |
512 |
1.215071 |
Relationships
b820e8a205... |
Connected_To |
infinitysoftwares.com |
Description
This file is a malicious 64-bit DLL, identified as a variant of the TEARDROP loader. During runtime, the malicious application decodes and executes an embedded code buffer using an XOR based stream cipher. Displayed below is the key utilized by the cipher algorithm to decrypt the embedded code buffer:
—Begin XOR Cipher Key—
AFAFD51031EE936AFC50B611CDC70E7E62A7BAFCA72B43DB0023915BBBBAC016A5331CB28EE6E3DF0804B24004D219EE7ED24C7B41D9669C21A7AECB1B87927C4ED5A25949404DD2218091F00DD9F874B955D1615534FEF8C5200DFDA816FF4A023CF1D2E679AFCA79A5C5BB4C871ABF34CA641E5F1ACC42864CEE8BF5921A4E0DAC1D18C090D15D0CC79A843D9F763B4D323A34B26216F065705A62B47000BED185E7E2A7DE306DB6C94B5D3C2DA5FF8149AB8A7D13C3E0A3DAC5BEC46A9BD0D9
—End XOR Cipher Key—
The embedded code buffer contains the malicious identified as Cobalt Strike Beacon (version 4) RAT. Displayed below is the embedded Beacon configuration data:
—Begin Cobalt Beacon Configuration Data—
BeaconType - HTTPS
Port - 443
SleepTime - 14400000
MaxGetSize - 1049217
Jitter - 23
MaxDNS - 255
C2Server - infinitysoftwares.com,/files/information_055.pdf
UserAgent - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.92 Safari/537.36
HttpPostUri - /wp-admin/new_file.php
Malleable_C2_Instructions - Remove 313 bytes from the end
Remove 324 bytes from the beginning
XOR mask w/ random key
HttpGet_Metadata - Referer: https://twitter.com/
Host: infinitysoftwares.com
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Connection: close
PHPSESSID=
Cookie
HttpPost_Metadata - Host: infinitysoftwares.com
Accept: */*
Accept-Language: en-US
Connection: close
name="uploaded_1";filename="33139.pdf"
Content-Type: text/plain
r
SpawnTo - b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
PipeName -
DNS_Idle - 208.67.220.220
DNS_Sleep - 0
SSH_Host - Not Found
SSH_Port - Not Found
SSH_Username - Not Found
SSH_Password_Plaintext - Not Found
SSH_Password_Pubkey - Not Found
HttpGet_Verb - GET
HttpPost_Verb - POST
HttpPostChunk - 0
Spawnto_x86 - %windir%\syswow64\print.exe
Spawnto_x64 - %windir%\sysnative\msiexec.exe
CryptoScheme - 0
Proxy_Config - Not Found
Proxy_User - Not Found
Proxy_Password - Not Found
Proxy_Behavior - Use IE settings
Watermark - 943010104
bStageCleanup - True
bCFGCaution - False
KillDate - 0
bProcInject_StartRWX - False
bProcInject_UseRWX - False
bProcInject_MinAllocSize - 8493
ProcInject_PrependAppend_x86 - b'\x90\x90'
Empty
ProcInject_PrependAppend_x64 - b'\x0f\x1f\x00'
Empty
ProcInject_Execute - ntdll:RtlUserThreadStart
CreateThread
NtQueueApcThread
SetThreadContext
ProcInject_AllocationMethod - NtMapViewOfSection
bUsesCookies - True
HostHeader -
—End Cobalt Beacon Configuration Data—
Screenshots
Figure 3 - Screenshot of the XOR based cipher utilized by this TEARDROP variant to decode an embedded Cobalt Strike Beacon payload.
infinitysoftwares.com
Tags
command-and-control
URLs
- infinitysoftwares.com/files/information_055.pdf
Ports
Whois
Domain Name: infinitysoftwares.com
Registry Domain ID: 2356151174_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: https://www.namesilo.com/
Updated Date: 2021-01-01T07:00:00Z
Creation Date: 2019-01-28T07:00:00Z
Registrar Registration Expiration Date: 2021-01-28T07:00:00Z
Registrar: NameSilo, LLC
Registrar IANA ID: 1479
Registrar Abuse Contact Email: abuse@namesilo.com
Registrar Abuse Contact Phone: +1.4805240066
Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: Domain Administrator
Registrant Organization: See PrivacyGuardian.org
Registrant Street: 1928 E. Highland Ave. Ste F104 PMB# 255
Registrant City: Phoenix
Registrant State/Province: AZ
Registrant Postal Code: 85016
Registrant Country: US
Registrant Phone: +1.3478717726
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: pw-531dcecd9bbebe6f78f00ff61cc84da6@privacyguardian.org
Registry Admin ID:
Admin Name: Domain Administrator
Admin Organization: See PrivacyGuardian.org
Admin Street: 1928 E. Highland Ave. Ste F104 PMB# 255
Admin City: Phoenix
Admin State/Province: AZ
Admin Postal Code: 85016
Admin Country: US
Admin Phone: +1.3478717726
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: pw-531dcecd9bbebe6f78f00ff61cc84da6@privacyguardian.org
Registry Tech ID:
Tech Name: Domain Administrator
Tech Organization: See PrivacyGuardian.org
Tech Street: 1928 E. Highland Ave. Ste F104 PMB# 255
Tech City: Phoenix
Tech State/Province: AZ
Tech Postal Code: 85016
Tech Country: US
Tech Phone: +1.3478717726
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: pw-531dcecd9bbebe6f78f00ff61cc84da6@privacyguardian.org
Name Server: NS1.DNSOWL.COM
Name Server: NS2.DNSOWL.COM
Name Server: NS3.DNSOWL.COM
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
Relationships
infinitysoftwares.com |
Connected_From |
b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07 |
Description
This domain is the C2 for the sample "b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07."
Relationship Summary
1817a5bf9c... |
Connected_To |
ervsystem.com |
ervsystem.com |
Connected_From |
1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c |
b820e8a205... |
Connected_To |
infinitysoftwares.com |
infinitysoftwares.com |
Connected_From |
b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07 |
Recommendations
CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.
- Maintain up-to-date antivirus signatures and engines.
- Keep operating system patches up-to-date.
- Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
- Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
- Enforce a strong password policy and implement regular password changes.
- Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
- Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
- Disable unnecessary services on agency workstations and servers.
- Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
- Monitor users' web browsing habits; restrict access to sites with unfavorable content.
- Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
- Scan all software downloaded from the Internet prior to executing.
- Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).
Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".
Contact Information
CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://www.surveymonkey.com/r/G8STDRY
Document FAQ
What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.
What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.
Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.
Can I submit malware to CISA? Malware samples can be submitted via three methods:
CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.
|