Hello, Didier Stevens here, Senior Handler at the Internet Storm Center. So last weekend I wrote about some capture file that Brad Duncan posted with Cobalt Strike traffic, and I noticed that this traffic was unencrypted. And now this weekend I took a closer look, wrote a Python script to analyze it, and that's what we are going to look at now.

This is the diary I posted last week. So Brad Duncan, a fellow handler, has a large collection of malware traffic, and inside his collection I found a malicious sample using Cobalt Strike, and its traffic in the pcap file. And that Cobalt Strike traffic was not encrypted, and that is because these malicious actors used a pirated trial version of Cobalt Strike, and then it will not encrypt its traffic. And since it's also HTTP, we can find some things, and in this diary entry of last weekend I pointed out some things, like for example here I see network data like an IPv4 address, network mask, MTU and MAC address.

So now in this video I'm going to show you the progress that I made. So you have the pcap file here, and I also wrote a parser in Python for this traffic. You can download this from Brad's site, and I have it open here in Wireshark. Now the first thing that I'm going to do is to filter that traffic on the IP address of the C2, like this, and then also I'm going to look only at HTTP, so this filter. And here, this here is the download of the beacon itself, this too. And then you will see a lot of requests like this: GET visit.js. So that is the beacon contacting the C2 to see if there is anything to do. So I'm going also to filter out all these requests, so no GETs, like this. And then you see a lot of answers. Now for many of those answers there's actually nothing to do for the beacon, and then you can see that the content length is zero. So I'm going also to filter that one out, and then we end up with this. Here you see some POSTs. That's when the beacon is communicating its results back to the C2.
And here you have some answers where the content length is not zero, and that is where the beacon is sending some commands, or sorry, the C2 is sending some commands. So here this is a long length, and you see that it starts with MZ, so that is probably the answer of the GET to download the beacon itself. Here we have a small one. So this is the data that is sent by the C2 in reply to GET requests from the beacon, this data here.

Now I found out that these first four bytes here are actually a Unix epoch time. And with that information I found a GitHub repository of tools for parsing, actually decrypting, Cobalt Strike traffic when you have the keys to do the decryption. And there was also some parsing in this, and with that I could better understand what we have here. So this is, like I said, an epoch. Then you have a field with the length here, so 16 bytes. And this is the actual commands, encoded. Then you have some padding here for the block cipher encryption with AES. And then the last 16 bytes, that is an HMAC, to authenticate the traffic. And here if we look at the POST, for example, you don't see an epoch here. This is actually the size of what is transmitted, again terminated with an HMAC. And then you also have some different fields, and then here clear text, like that IP address.

So I wrote a parser to parse this. It's relying on PyShark, so you need to install the PyShark module, the Python PyShark module. And then you give it the pcap file, and you just run it. And then you get output like this. So for each output you see the packet number, and if it was an HTTP response or an HTTP request. So you can see the first three are HTTP responses with a PE file, and the MD5, as you can see, is the same. So this is the actual download of the beacon, and this must be the initial download of the malware. And then next you can see an HTTP response, 1369. So 1369 is this one here, and when this is decoded, here you see the timestamp, so the epoch that is included.
And you can see the date here corresponds with the date of the capture. This is in UTC here. Here this is also in UTC, and there is a difference, so that must be the time zone. The packet is 16 bytes then, and this turns out to be a sleep command. Command number four is sleep; I found that in that PyBeacon source code. And the sleep command tells the beacon to sleep for 100 microseconds, sorry, milliseconds, 100 milliseconds, and with a jitter of 90 percent, so a variation of 90 percent. So this beacon here will be very responsive.

Next there is again a command coming from the C2 in packet 6658. You can find 6658 here, and that is an unknown command. And it has arguments, and this is the argument. I don't know exactly what this means. But in the following request, so from the beacon to the C2, that is a POST request, so 6665, that's the packet number here, you can see this is a POST submit. So this is posting information back about the command that is executed here. In the PyBeacon code they call this a callback, so I call this also a callback. It's callback 22, which is TODO, so the authors of PyBeacon don't know exactly what it is. But I observe that the argument that was passed here, 00 00 06 AD, is also returned here. And then you have clear text: an IP address, a mask, an MTU and a MAC address. And then there is also some extra packet data that is not part of the communication.

Next there is again a command coming from the C2 which is an unknown command, but there's a large piece of data that starts with MZ. So this might be again an executable, 75K. And then another command, also unknown, but remark that there is a pipe here in the text, in the data, and that it ends with Portscanner. And next you will see that the POST requests that follow are identified as callback 24, which is beacon output, Portscanner. So we can see here the actual output of the Portscanner. So you see which machines are alive, with ARP, this one here.
And then at the end you also see a machine which has port 445 open, and this is the name of the machine. And then the scanner module is completed. This corresponds actually to what you can see in one of Cobalt Strike's videos about using the Cobalt Strike tool and performing a port scan. So this is very similar.

Next again we have another command that is unknown, but again an executable, or something like an executable, is downloaded. This is the MD5 hash, and again a pipe, and it ends here with bypassuac. And that too is a command from Cobalt Strike; you can find also a video on bypass UAC. And next the request, so the answer from the beacon to the C2, is again callback 0, unknown, but so callback 0, this must probably be clear text output, because this looks exactly like what I saw in the videos: wrote hijack DLL, and then, yeah, okay, this is another part of course than what I saw in the videos, but this is a clear execution of a UAC bypass. And then here at the end we have again a sleep command.

Now you can also extract these things here, these payloads, and you do this, let me take another command line, so the parser with option E, for extract, the pcap file, we get our output, and here we have to wait a bit, that's how PyShark behaves. So here now you have the payloads on disk. So let's go back here. So this must be the malware, and this is the beacon that is downloaded twice, so 9E. So with my tool to analyze beacons, 1768, so payload 9E here, you can see that this is indeed the configuration of that beacon, and here you see the C2, the visit, the submit, the user agent string that is being used. And then let's look at the command here. So this is the port scan command. So F4, let's see if this is an executable, F4, yes indeed. So this is an executable; let's get an overview, these are the sections. Let's find what's inside, let me see. So this is a port scan DLL. Next, actually, let's look a bit more here.
Let's look at the exports, I mean, okay, so here, yeah, port scan, and here reflective loader. So this is a DLL that performs a port scan, and it can be loaded reflectively. So that was the port scan, and then we also have the UAC bypass, which is this one here, so 9C, so let's check if that too is a PE file, so 9C, and that too is a PE file. Let's see what's inside. And yeah, we have a bypass 64-bit DLL, UAC bypass I mean, and also a temp.dll, so that's maybe the payload to execute. And let's look at the exports, so bypass UAC and also reflective loader. So this again is a reflective loader.

So this is the progress that I was able to make to analyze this Cobalt Strike traffic; there is still some parsing to do. For example, you have the unknowns here, and also here you see bypassuac, that is 9 characters, and right before that you have 00 00 00 and a backslash t, so a tab character, and a tab is 9. So this is the length of the string here. So there is also some parsing to do here, and this here, it wouldn't surprise me that that too is the length of the pipe string here. If we scroll back to port scanner, here you can see 0C, 0C that is 12, and port scanner, that is indeed 12 letters.
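As an added example (my own code, not Didier's PyShark parser and not PyBeacon), here is a parser for the C2 reply layout described in the video: 4-byte epoch, 4-byte length, the task bytes, block padding and a trailing 16-byte HMAC, with command 4 decoded as sleep (milliseconds, jitter percent). The per-task layout (4-byte command id, 4-byte argument length, arguments), the zero-byte padding and the HMAC key are assumptions of this example; the second helper reads the 4-byte length-prefixed strings observed right before bypassuac and port scanner.

```python
import datetime
import hashlib
import hmac
import struct

# Reply layout from the video: 4-byte epoch, 4-byte length, task bytes, block
# padding, trailing 16-byte HMAC. The per-task layout (4-byte command id, 4-byte
# argument length, arguments) follows the public PyBeacon parser and is an
# assumption here; command 4 = sleep is what the video reports.
COMMAND_NAMES = {4: "sleep"}
SAMPLE_KEY = b"constructed-hmac-key"   # constructed; the real key is not known

def build_reply(epoch, tasks, key=SAMPLE_KEY):
    """Constructed sample builder: pack (command_id, args) tasks into one reply."""
    blob = b"".join(struct.pack(">II", cmd, len(args)) + args for cmd, args in tasks)
    body = struct.pack(">II", epoch, len(blob)) + blob
    body += b"\x00" * (-len(body) % 16)                  # pad to the AES block size
    return body + hmac.new(key, body, hashlib.sha256).digest()[:16]

def decode_task(cmd, args):
    if cmd == 4 and len(args) == 8:                      # sleep: milliseconds, jitter %
        sleep_ms, jitter = struct.unpack(">II", args)
        return {"command": "sleep", "sleep_ms": sleep_ms, "jitter_pct": jitter}
    return {"command": COMMAND_NAMES.get(cmd, "unknown"), "id": cmd, "args": args.hex()}

def parse_reply(body, key=None):
    """Return (UTC timestamp, tasks, hmac_ok); hmac_ok is None without a key."""
    if len(body) < 24:
        raise ValueError("shorter than epoch + length + HMAC")
    signed, mac = body[:-16], body[-16:]
    expected = None if key is None else hmac.new(key, signed, hashlib.sha256).digest()[:16]
    hmac_ok = None if expected is None else hmac.compare_digest(mac, expected)
    epoch, length = struct.unpack(">II", signed[:8])
    blob = signed[8:8 + length]
    if len(blob) != length:
        raise ValueError("declared length runs past the body")
    tasks, off = [], 0
    while off + 8 <= length:                             # walk the task list
        cmd, arglen = struct.unpack(">II", blob[off:off + 8])
        args = blob[off + 8:off + 8 + arglen]
        if len(args) != arglen:
            raise ValueError("task argument length runs past the task block")
        tasks.append(decode_task(cmd, args))
        off += 8 + arglen
    return datetime.datetime.fromtimestamp(epoch, datetime.timezone.utc), tasks, hmac_ok

def read_prefixed_string(buf, off=0):
    """4-byte big-endian length, then the bytes (e.g. b'\\x00\\x00\\x00\\tbypassuac')."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n].decode("latin-1"), off + 4 + n
```

Without the key the HMAC cannot be checked, which is exactly the situation with this capture; the parser then still reports the timestamp and tasks but returns None for hmac_ok rather than pretending the data was authenticated.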