Cobalt Strike Stager - Malware Analysis Lab

6 minute read

Technical Analysis of a Cobalt Strike Stager

Overview (AI generated from video):

Summary

Cobalt Strike is a popular hacking tool used by hackers worldwide. This video shows how to extract relevant information from a Cobalt Strike Stager using Cyberchef and a Python script.

Timestamps

0:20 ⏱️ Cobalt Strike is widely used by hackers and was created in 2012 by Raphael Mudge.
1:05 ⏱️ Using Cyberchef, relevant information can be extracted from a Cobalt Strike Powershell Stager.
2:40 ⏱️ A Python script can also extract information, including the watermark or license key.

Key Insights

🔍 The Malware Bazaar database is a useful resource for finding malware samples.
💡 Understanding the bitwise exclusive or operation and using regular expressions helps extract relevant information.
🧩 Cyberchef offers features like content storage and restoration, making analysis easier.
📝 Extracting the watermark or license key from the Cobalt Strike payload can aid in tracking individuals.
🛠️ Tools like the Python script mentioned can provide configuration details from Shell Code.
🕵️ Extracted information like command and control IP address can be used in investigations.
💻 Cyberchef and Python scripts are valuable tools for analyzing and extracting information from Cobalt Strike Stagers.

Transcript (AI generated from video):

00:00:00	Cobalt strike is one of the most prolifically used defensive security tools on the planet it was created back in 2012 by one person Raphael Mudge and has since become the go-to tool for hackers of all types now I'm going to show you how you can take a Cobalt strike Powershell Stager and extract relevant information including the command and control IP address using nothing but Cyberchef then I'm going to show you how you can take a python script and extract more relevant information from the Cobalt strike
00:00:31	Stager including the watermark or license key okay so I found a sample on malware Bazaar database now mware Bazaar is just a place for sharing malware samples probably a good one to look into make sure that we can click all the motorcycles all the motorcycles that's a person but I'm sure it counts hey winner winner I'm going to extract it it password is infected dropp in the payload if we remove the null bites the next thing we want want to do is get what is hidden within this uh Char bite array and the reason is because this is
00:01:07	going to have an bitwise exclusive or operation a bxo operation with a key of 136 and it's essentially going to be then allocated into memory what we want to know is what is this Shell Code let's get uh some regular Expressions going on and what we're probably going to look for is any kind of characters that are numbers and commas in this particular case we could go 0 to 9 also add in that and let's just say it has to be more than 60 characters and look at that straight away this little shortcut has
00:01:42	just given us everything that we need so very easy to extract that relevant information so let's list the matches what we want to do here is we want to take this from decimal and now the delimiter here is a comma and we've got something a little bit more usable now let's do that EXP exclusive or operation the bitwise exclusive or operation and we have a key of 136 it's not heximal it is actually decimal and suddenly we get something a little bit more interesting so let's go ahead and use strings in order to get
00:02:15	rid of a lot of the junk and now we can actually see that this looks like what it is essentially using to gather that second stage payload for the Cobalt stroke Beacon so the Stager will be connecting back to this particular IP address using this particular user agent we could actually do this a little little bit more robust what if all of it was using this Char by array but yet sometimes the key chain so it wasn't an exclusive or operation of 136 so we would then have to have some Rex to pick up everything after this bxo R so now
00:02:49	that we've got the dot matches all there we go that will allow us to just extract the 136 key A lot of people don't know but cyberchef has registered where you can actually store your content and restore your content so first off we're going to store everything that we've got in register Zer so that we can restore it because it is a linear set of operations so we're going to store that in r0 we are going to extract the key of 136 then we are going to store that in another register so we've got 136 there
00:03:22	as well now we are going to do a find and replace for everything replace it with everything that is in register zero that's going to give us our content back now we can do a regular expression from decimal and then instead of using the 136 here we should be able to just use uh an R1 and get the exact same content back and you can see it looks like it's actually worked we want to get rid of this Global match when we do that and same stuff key works well there you go if we actually look at this particular
00:03:58	payload and we go back a little bit this little bit of characters after the IP address is a little bit interesting I'll show you why what we're going to do is we're going to convert this to hex now this gets us 1374 cd1c so we can convert it from Baye 16 and that gets us this number of 326 421 788 now that is the water mark or the license key tied to this Cobalt strike Beacon the actual license used by the Cobalt strike framework in order to create this payload and this can be very useful for tracking individuals that
00:04:36	have actually used this but how can we confirm this well there is a really nice tool now I've gone ahead and cloned it already now this tool will allow you to get the configuration details from the Shell Code that we actually have we want this this is the raw Shell Code now if we save this to a file call it download. sure and now we open up our terminal and we use this particular pip python script you can see that it's extracted the same relevant information that we just did it's got the net location path the
00:05:07	command and control IP address it's also got the port that it's on it shows the headers that are going to be used by it a few other things like internet connection flags that are going to be set and that Watermark that 326 421 788 so that's just one way that you can take a Cobalt strike Stager get relevant information and then use that in your investigation did you find it interesting what is your favorite cyber Chef recipe let me know in the comment section below