Hello, Didier Stevens here, Senior Handler at the Internet Storm Center, with another video on Cobalt Strike. I'm here on Brad Duncan's website, malware-traffic-analysis, and as often Brad has a lot of interesting capture files, many of them with Cobalt Strike, and here we have another one. This is the IP address of the Cobalt Strike server and here the domain name. Now what I'm going to do in this video is show you how you can retrieve a beacon over DNS: so test if the Cobalt Strike server is responding to DNS requests, and then extract the beacon and extract the configuration over DNS.

So let's do this with nslookup, and I'm doing this over VPN. So we are looking for TXT records, and we are going to request the first TXT record for the complete beacon. So that's what the stager does: it downloads over DNS. This is what you have to do: AAA, that's the first record, .stage, and then here, let's try this domain name. Now I'm going to ask Google and we get no TXT record back, we get no reply. So this is not the correct domain name. If it is serving DNS over DNS, there is a trick. You can actually ask the Cobalt Strike server directly, and then you can actually send whatever base name here, so whatever. And I'm sending this directly to that server, and indeed now I get a TXT record back with this content. And when you get this, then you know you are dealing with a Cobalt Strike beacon that is also communicating over DNS. I'm going to request the second like this, and now let's put these two together, because here at the end you see an E and here you see an FKF, so like this, okay. So here you can see ENFK. This ENFK is the letters MZ in NetBIOS name encoding. So the start of a PE file, MZ, here encoded with NetBIOS name encoding. And I have recently adapted my base64dump program to support, sorry, base64dump to support NetBIOS encoding, just for this case here with Cobalt Strike DNS. And as you can see here, when this is decoded, you can indeed see MZ here. And let's select 13, ASCII dump.

So this is actually the start of the shellcode that is the beacon. So now we need to download all the records. So AAA, BAA, CAA: it is incrementing in letters, but it is reversed. So not AAA, AAB, AAC, but reversed: AAA, BAA, CAA, DAA and so on. I'm not going to do this manually. I have a script for that, as you can imagine. This is the script. So you need to give it the IP address of the Cobalt Strike server and then just a file, a text file, that will receive the concatenated content of all the TXT records that are requested. You can see here it is going through. This will take quite some time; I think there are about 1,600 requests to do. You can see here now it switched to ABA. So let's wait about 15 minutes, and then we will reach the end of the queries.

We are more than 15 minutes later and almost at the end of the queries. So this last one here returned an empty TXT record, and then my script stops. So now we have downloaded this and concatenated all the results. That's what you have here. And so we can pass this on to my base64dump with encoding netbiosname. So we are dealing with a file of almost 400k, and here you can see the MZ. So we are going to select this entry, do a binary dump, and pipe this into my Cobalt Strike config analysis tool, 1768, and indeed we have a Cobalt Strike configuration, and you can see here the actual domain name that is being used for the Cobalt Strike DNS requests. So if I do again an nslookup of a TXT record, aaa stage ns3saferem.com, and ask Google, then now this time I get an answer for the TXT record, and this is again the start of the beacon, encoded in NetBIOS name encoding, starting from here.
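The two mechanics the video relies on, the reversed three-letter label counter (AAA, BAA, CAA, ... ZAA, ABA, ...) and NetBIOS name encoding (each byte becomes two letters A..P, high nibble first, so MZ becomes ENFK), are small enough to re-create so an analyst can verify a captured set of TXT records offline. The following Python is an added example written for this page; it is not Didier Stevens' download script, base64dump, or 1768. It performs no DNS queries: the `lookup` callable is a stand-in for the TXT request, and the sample records, the chunk size and the fake payload are all constructed here for illustration.

```python
"""Reassemble and decode a DNS-staged payload from TXT record contents.

Added example for illustration; not the script or tools shown in the video.
"""
from typing import Callable, Dict, List

ALPHABET_LEN = 26


def stage_label(index: int, width: int = 3) -> str:
    """Label for record number `index`: a base-26 counter whose LEAST significant
    letter comes first, giving AAA, BAA, CAA, ..., ZAA, ABA, BBA, ... as in the video."""
    letters = []
    for _ in range(width):
        letters.append(chr(ord("A") + index % ALPHABET_LEN))
        index //= ALPHABET_LEN
    return "".join(letters)


def netbios_encode(data: bytes) -> str:
    """NetBIOS first-level encoding: each byte -> two letters in A..P, high nibble first."""
    return "".join(chr(ord("A") + (b >> 4)) + chr(ord("A") + (b & 0x0F)) for b in data)


def netbios_decode(text: str) -> bytes:
    """Inverse of netbios_encode. Rejects odd lengths and letters outside A..P,
    which is the check to run before trusting a concatenated record file."""
    if len(text) % 2:
        raise ValueError("NetBIOS-encoded text must have an even number of letters")
    out = bytearray()
    for hi, lo in zip(text[0::2], text[1::2]):
        if not ("A" <= hi <= "P" and "A" <= lo <= "P"):
            raise ValueError(f"invalid NetBIOS nibble pair {hi}{lo}")
        out.append(((ord(hi) - ord("A")) << 4) | (ord(lo) - ord("A")))
    return bytes(out)


def collect_stage(lookup: Callable[[str], str], max_records: int = 20000) -> str:
    """Walk labels AAA, BAA, CAA, ... asking lookup(label) for each TXT record's text
    and concatenate until an empty record comes back (the end marker the video shows)."""
    parts: List[str] = []
    for i in range(max_records):
        txt = lookup(stage_label(i))
        if not txt:
            break
        parts.append(txt)
    return "".join(parts)


def looks_like_pe(payload: bytes) -> bool:
    """The decoded stage should start with the MZ header, i.e. ENFK before decoding."""
    return payload[:2] == b"MZ"


# Constructed sample data (hypothetical): a fake "beacon" that begins with MZ, encoded
# and split into fixed-size TXT chunks. The 250-letter chunk size is arbitrary.
SAMPLE_PAYLOAD = b"MZ" + bytes(range(256)) * 3
SAMPLE_ENCODED = netbios_encode(SAMPLE_PAYLOAD)
CHUNK = 250
SAMPLE_RECORDS: Dict[str, str] = {
    stage_label(i): SAMPLE_ENCODED[i * CHUNK:(i + 1) * CHUNK]
    for i in range((len(SAMPLE_ENCODED) + CHUNK - 1) // CHUNK)
}


def sample_lookup(label: str) -> str:
    """Stand-in for an nslookup TXT query of <label>.stage.<domain>; returns '' past the end."""
    return SAMPLE_RECORDS.get(label, "")


if __name__ == "__main__":
    encoded = collect_stage(sample_lookup)
    payload = netbios_decode(encoded)
    print(f"records: {len(SAMPLE_RECORDS)}, decoded {len(payload)} bytes, "
          f"MZ header: {looks_like_pe(payload)}, first letters: {encoded[:4]}")
```

To use it on a real capture, replace `sample_lookup` with a function that returns the TXT text for a label (or read the concatenated file the video produces and call `netbios_decode` on it); the decoder's A..P check will flag any stray characters the capture picked up before you hand the bytes to a config parser.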