[QuickNote] CobaltStrike SMB Beacon Analysis

Posted: June 4, 2022 in My Tutorials, [QuickNote.En] CobaltStrike SMB Beacon Analysis
Tags: , , , , , , ,

1. Executive Summary

At VinCSS, I recently wrote an analysis related to the samples of the Mustang Panda (PlugX) group. These samples are all uploaded from Vietnam. You can read the Vietnamese or English blog post of this analysis.

However, in all the uploaded log.dll files, there is one file that is not related to the Mustang Panda group’s attack technique, it is marked as the following picture:

2. Analyze log.dll

This file’s size is smaller than other files. The original name is imageres.dll, it exports a lot of functions have the same address, but the only one most notable is the LogInit function:

Analyze LogInit‘s code in IDA, I see it build path to the mpengindrv.db file:

Next, read the content of mpengindrv.db into the allocated memory region and decrypt it by using RC4 with the decryption key is “A5A7F7E2B00C4A2B87FC0123F933EBD6“. After successful decryption, call the decrypted payload to execute:

3. Hunting and decrypting

Trying to hunt mpengindrv.db file on VT, I found the only file uploaded from Vietnam and at the same time as the log.dll file above:

Using CyberChef to decrypt file, we found that the file after decryption is a PE file, but we will see that immediately after the MZ signature is the opcode of the call command (0xE8):

Save the decrypted file to disk, perform disassembly first bytes, and see that there are two calls as follows:

The above information reminds me of the ReflectiveLoader technique that I have analyzed in this article. Static analysis the decrypted file, which is a Dll with the original name Lotes.dll, exporting one function is ReflectiveLoader.

However, the unusual point is that, its Imports Table information is wrong, the names of sections are also confusing characters:

4. Analyze Lotes.dll

Load the Dll file into IDA for analysis, the code in the ReflectiveLoader function is similar to the code here, but it has been modified a bit related to processing import table . It first reads the NumberOfSymbols value from the File Header and stores it in a variable. This variable will be used as the xor_key. Then, when processing the import table , it uses the obtained xor_key value to decode the names of the dlls, as well as the names of the API functions that the malicious code will use:

Based on the above information, it is easy to recover the information of the Import Table:

After completing the Loader process, it will call the entry point of the Dll file to execute:

The code at DllEntryPoint will call DllMain, and then calls the function f_decrypt_and_parse_beacon_config. The reason I know this is a CobaltStrike Beacon is because the f_decrypt_and_parse_beacon_config function will perform decode the config with a hard-coded value of 0x2e (as xor_key). The value 0x2e is used in Beacon version 4.

Based on this info, I used the script 1768.py by Mr. Didier Stevens to extract the configuration information of the CobaltStrike Beacon. The result shows that this is an SMB Beacon:

End.

m4n0w4r

Comments
  1. […] 0day in {REA_TEAM}[QuickNote] CobaltStrike SMB Beacon Analysis […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.