Disclaimer

Tuesday, November 5, 2019

CobaltStrike - beacon.dll : Your No Ordinary MZ Header

Today I found some interesting sample that was flag as cobaltstrike sample in app.any.run (links are below). The execution of this file is quite interesting how it evade detection by running multi-component files and maximize the DOS header to execute small shellcode.

SFX CODE:

This sample start with a SFX file that contains an executable name as "virus_load.exe" and a blob file name as "k2Hw". The sfx will run the virus_load.exe base on the setup script of the sfx file.

figure 1: the sfx to execute virus_load.exe

virus_load.exe and the k2Hw files:

this part of execution is also interesting, because virus_load.exe is only a loader of "k2Hw". The said blob file is a shellcode that will decrypt and execute the "beacon.dll" by calling CreateThread API.

figure 2: virus_load.exe loading the "k2Hw" blob file.
The shellcode is not big actually, the only task it will do is to decrypt the actual payload which is the beacon.dll using the initial decryption key in offset 0x40.
figure 3: decryption routine to decrypt the beacon.dll

figure 4: the initial structure of the k2Hw shellcode

Interesting Execution of Its Export function:

This part is quite interesting, because it just used around 40 bytes of code including the actual "MZ" header to jump or to execute its export function " _ReflectiveLoader@4".

figure 5: the shellcode structure including the MZ header

figure 6: 0x4F + 0x9155 = 0x91A4 the export function of this dll payload.

Some Backdoor Features:

This .dll file is waiting for some backdoor command to execute several function to the infected machine. some of it is read file, write file, Open Process, Set Current Directory, Impersonate Process, LSA server un-trusted connection , Create and Open services, code Injection and many more.

figure 7: Process Impersonation

figure 8: CurrentProcess Code Injection


figure 9: LSA Server Connection

Conclusion:

In this sample we saw how malware try to use different approach to execute their code even in the actual DOS header of the PE file. This technique is not new but still effective to run code or shellcode.

IOC:

Debug.exe
Sha1: 9e16e2de4e4da93965b3cbcd19bbaf32b490bf63
md5: e2d265ced204eb807cb5ed0093500205
Sha256: 3462e89f38d399d93e2dbe2cf415f8dabbd93c45bd8b9725274116c9b309be88

beacon.dll
Sha1: 19359d10155d98414c03951fd4871c0b387f7dd7
Md5: 5cd3ba72cda97276bb77c42e42e2fb7c
Sha256: 31d9bde8825cad11a6072fc2b8f320e2686966232b7471fe2fb9ea2ca2873fbd

https://app.any.run/tasks/dc833ad4-508a-42eb-9bc2-cef42a558e89/
https://www.virustotal.com/gui/file/3462e89f38d399d93e2dbe2cf415f8dabbd93c45bd8b9725274116c9b309be88/detection

YARA:



  import "pe"

rule unpack_CobaltStrike_beacon_dll_ {
    meta:
        author =  "tcontre"
        description = "detecting Cobaltstrike malware"
        date =  "2019-11-05"
        sha256 = "31d9bde8825cad11a6072fc2b8f320e2686966232b7471fe2fb9ea2ca2873fbd"

    strings:
        $mz = { 4d 5a }
 
        $shell = { 4D 5A E8 00 00 00 00 5B 89 DF 52 45 55 89 E5 81 C3 55 91 00 00 FF D3 }
        $code2 = { 64 A1 30 00 00 00 89 45 C0 8B 45 C0 8B 40 0C 89 }
        $code3 = { 8B 45 8C C1 C8 0D 89 45 8C 8B 45 88 0F BE 00 03}
        $s1 = "cdn.%x%x.%s" fullword
        $s2 = "¦www6.%x%x.%s" fullword
        $s3 = "%s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s" fullword
     
    condition:
        ($mz at 0) and ($shell at 0) or 2 of ($code*) and 1 of ($s*)
 
    }




"Reg Restore" Odyssey: Journey to Persistence And Evasion

The Windows Registry, a fundamental component of the Windows Operating System, empowers users to fine-tune system policies and manipulate lo...