Hello, Didier Stevens here, Senior Handler at the Internet Storm Center. I had a couple of questions about my last diary entry, finding Metasploit and Cobalt Strike URLs. So in this video, I will explain what I wrote about in this diary entry and then also answer the questions.

Now it started with a diary entry by Brad. So let's open it, where he shared a capture file. And it's about a Qakbot infection with Cobalt Strike. So if you go down here in his screenshots, Brad always has a lot of screenshots, that's very nice. So here you can see a couple of HTTP requests. And this is Cobalt Strike, as Brad points out. And there's actually a way to recognize this based on these letters here in the URL. And that's what my diary entry is about.

So I have here the capture file of Brad. I renamed it so that the name is a bit shorter. So let's take a look at this capture file with Tshark. So Tshark, the command line tool to read capture files. So option r to read a capture file. And then here you get the summary of all the packets in the capture file. Let me interrupt this. If you use option V, uppercase V, you get the complete packet tree for each packet, the complete tree view dissection: here frame one, all the values. Then Ethernet, then IP version 4, then here ICMP and so on. So that's here the complete dissection for each packet. Now by doing this, the URLs will also be listed in that packet dissection. Let me interrupt, for example HTTP; as you can see here, now we have HTTPS. These are for CRLs, but we will also have some for GET requests. Let me filter. So let me do a display filter like this for HTTP. And here you can see the different URLs for the HTTP requests, like this one here that Brad pointed out is Cobalt Strike. Now you can do a calculation on these letters here and this will give you an indication if indeed this is something suspicious or not. And that's what my Metasploit tool can do, metatool, and you give it the command URL8.
I will explain immediately what that is, like this. Okay. And you see that now it selected two URLs and it tells you, okay, the checksum is this value here. Okay. So what is this about? When Metasploit shellcode, and also Cobalt Strike shellcode, downloads the stager, it will do a request, an HTTP or HTTPS request, with a domain name, a host name or IPv4 address, and then slash four characters, four random characters, like you see here: uppercase W, lowercase j, uppercase S, uppercase H. If you calculate the checksum, the byte checksum, so the 8-bit checksum of the ASCII values of those letters, and if you then take the modulo 256, and so the least significant byte of that checksum, then you end up with a value, and if that value is 5c hexadecimal, for example, then you know that you are dealing with a Metasploit URL, well, likely dealing with a Metasploit URL. I will explain why that is likely but not certain. And if you go back to my diary entry, here at the beginning I post a screenshot from the source code of Metasploit on GitHub where you can see the different values.
So 92, 80, 88, 98, 95, these correspond to different stages. 92, that's 5c hexadecimal, so that's what we have here. So let's do a calculation. So Python, and let's print the ASCII value, ordinal, of uppercase W, so the first letter in our path; you can see that is 87. And you can do lowercase j, 106. Okay, so you have to add these values together. I'm going to do that here with a small list comprehension: so ord of variable i for i in "WjSH", like this. So now here we have the four values. So the checksum is just summing those values, adding those values together, that is your checksum. And it is called the 8-bit checksum because we are only going to consider the eight least significant bits of that checksum, and one way to do that is take the modulo division to see the remainder by 256, so the 256 different values that a byte can have. And now you can see that is 92, and 92 corresponds to this here, URI checksum INITW, and so this is a stager for Windows. And now let's just print that out as hexadecimal, like this, and you can see that is indeed the value of 5c.

So this is a small trick to filter out URIs that are potentially used by shellcode, for example of Metasploit or Cobalt Strike. It is not a good method to go hunting, for example, in your proxy logs or in your full packet capture files, because that 8-bit checksum has a low entropy. It's only 8 bits, so you have 256 combinations, so that's rather small for a checksum, and you will therefore often find false positives: so a URL with four characters at the end, letters, numbers, and they are just legitimate, they belong to a website, but they happen to have also a checksum that is 92, an 8-bit checksum. And that is because the checksum is 8 bits, yeah, that's a low entropy, you have only 256 possible combinations. So if you take 256 random URLs, well, you have a chance of one in 256, yeah, so you have a high probability that in there there is a URL that conforms to this, but of course it's not given that this is Cobalt Strike or Metasploit.
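The 8-bit URI checksum described above, as an added Python example that is not code from the video or from Didier's metatool: it computes the checksum of the four-character path, checks a URL against the stage values listed in the diary, and counts how many four-letter strings from a given alphabet collide with 92, to make the low-entropy point concrete. The sample URLs are constructed; 92 is the Windows stager as stated in the video, while the names attached to 80, 88, 98 and 95 are my recollection of Metasploit's uri_checksum.rb and should be verified against that source.

```python
import re
from urllib.parse import urlsplit

# Stage checksum values as listed in the diary entry. 92 is the Windows
# stager (INITW) per the video; the other labels are an assumption taken
# from memory of Metasploit's uri_checksum.rb, so verify them there.
STAGE_CHECKSUMS = {
    92: "INITW/INITN (Windows or native stager)",
    80: "INITP (Python stager)",
    88: "INITJ (Java stager)",
    98: "CONN (existing session)",
    95: "INIT_CONN (stageless session)",
}


def checksum8(text: str) -> int:
    """8-bit checksum: sum the ASCII values, keep only the low byte (mod 256)."""
    return sum(ord(c) for c in text) % 256


def to_hex(value: int) -> str:
    """Render the checksum as two hex digits, e.g. 92 -> '5c'."""
    return f"{value:02x}"


def classify_url(url: str):
    """If the URL has the host/XXXX shape (exactly four alphanumerics after
    the host), return (segment, checksum, stage_label_or_None); else None."""
    path = urlsplit(url).path.strip("/")
    if not re.fullmatch(r"[A-Za-z0-9]{4}", path):
        return None
    cs = checksum8(path)
    return path, cs, STAGE_CHECKSUMS.get(cs)


def scan(urls):
    """Return [(url, checksum)] for URLs whose checksum hits a stage value."""
    hits = []
    for url in urls:
        result = classify_url(url)
        if result is not None and result[2] is not None:
            hits.append((url, result[1]))
    return hits


def count_matching(alphabet: str, target: int = 92, length: int = 4) -> int:
    """Count strings of `length` chars over `alphabet` whose checksum8 == target.
    Uses a small dynamic program over partial sums instead of brute force."""
    ways = {0: 1}
    for _ in range(length):
        nxt = {}
        for partial, n in ways.items():
            for c in alphabet:
                s = partial + ord(c)
                nxt[s] = nxt.get(s, 0) + n
        ways = nxt
    return sum(n for s, n in ways.items() if s % 256 == target)


# Constructed sample: the first path is the "WjSH" example from the video,
# the rest are made-up URLs. "Tx6Z" is a benign-looking random id that
# nevertheless checksums to 92, illustrating the false-positive problem.
SAMPLE_URLS = [
    "http://192.0.2.10/WjSH",
    "http://192.0.2.10/submit.php?id=1",
    "https://example.com/assets/logo.png",
    "http://example.net/Tx6Z",
    "http://example.org/abcd",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", classify_url(url))
    print("hits:", scan(SAMPLE_URLS))
    upper = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    print("4 uppercase letters hitting 92:", count_matching(upper), "of", 26 ** 4)
```

Run it as a script to see both hits; the uppercase-only count (455 of 456,976) shows that the collision rate depends on which characters a site uses in its paths, which is why the 1-in-256 figure for random URLs is only a rule of thumb and the checksum is a triage aid, not a hunting signature.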
What I do here is the other way around. I know, or I suspect, that I have something malicious from Metasploit or Cobalt Strike in my capture or in my proxy logs, and then I extract the URLs, go through my metatool, which will do the calculations and then report it to me.

So this is done by shellcode, so it's not the actual Cobalt Strike beacon that does this. So I was asked about this: yeah, Cobalt Strike, doesn't it usually use HTTPS? And indeed, often you see HTTPS for Cobalt Strike, so you will not find it in the capture like we find it here. But here we are actually looking at the shellcode that downloads the stager, and that, in my experience, is more likely to be HTTP instead of HTTPS. I mean, it's not all the time HTTPS; you will often also find HTTP.

Now I have another example here of shellcode, so that is sc.vir, that is shellcode that we also talked about in a diary entry a couple of months ago, also related to Cobalt Strike. And if I do a hexdump of this shellcode, here you can see the IP address at the end and then here, for example, the URL. So that is the shellcode that contains, sorry, that was not the URL, that was the user agent string. So this is shellcode that will contain that URL that downloads the beacon.

Now the beacon is actually also present in the capture file, because that request here by the shellcode downloads the beacon, and we can extract that again with Tshark. Here I'm going to read the capture file and now I'm going to export the objects, all the HTTP objects, and I will write them to a folder here, the current folder. Now this will very likely generate a virus alert, so watch out when you do this. So the file is being parsed and objects are being extracted and written to disk. Okay, yeah, and there you see the alert. So the different objects that were found here in the capture file have been written to the folder here, and it's actually this file here that triggers the antivirus. And here you see the name that we analyze; this is actually the
downloaded beacon, and that is something that we can analyze with my tool 1768. So I launch my tool, give it this file here, and the Cobalt Strike configuration has been extracted, and here you see the host names or IP addresses to which it will connect, with the paths. And so that is something that you can find back here in Brad's screenshot: here you can see and us all and submit, and that's what we have here, and us all and submit; here submit for the POST, because as you can see here it is a POST, the others are GET. And that's how the configuration is built up: logon secure windows x i z and this IPv4 address, that's what we also find back here.

Now why are we able to see this? Because this is HTTP. And why is it HTTP? Well, that's because the attacker decided that it would be HTTP. You can see this here at the beginning: payload type windows beacon HTTP reverse HTTP, so it's not HTTPS; this one here is HTTP, and that is why we can read this. But indeed, often the beacons themselves will use HTTPS.