Sentinel-One / CobaltStrikeParser


Port and Sleep Settings reported incorrectly for CS4 beacon

FranticTyping opened this issue · comments

Hi,

Thanks for releasing this tool. Testing it across a couple of samples shows a few incorrectly reported settings for a CS4.0 memory dump:

Port                             - 450
SleepTime                        - 50090

Sleep should be 60000 in the above example, and the remote port should be 443. I can't provide the sample in this case, but thought it would be worth highlighting for visibility.

Thanks for the notice! I will check it.

I found an example on VT which should help you debug:

https://www.virustotal.com/gui/file/2f438fa4634ed975834f945f7820eaa7eff69ee804c75e07c66be2de060427a8/detection

Running the sample above through this parser results in:

BeaconType - HTTPS
Port - 450
SleepTime - 50090
MaxGetSize - 1048576
Jitter - 0
MaxDNS - 195

However, the output should be:

Cobalt Strike Config:
0x01 - Beacon type : '0x1 (HTTPS)'
0x02 - Port : 443
0x03 - Polling (ms) : 60000
0x04 - Max Get : 1048576
0x05 - Jitter : 0
0x06 - Max DNS : 255

Looks like the offsets for the Port, Polling and MaxDNS might be wrong?
Hope this helps.
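As an added example (not code from this issue or from the CobaltStrikeParser project), here is a minimal decoder for the decrypted beacon settings block using the well-known record layout of big-endian index, type, length and value, followed by plausibility checks that flag the kind of misaligned read the reporter describes. The setting names follow the parser output quoted above, the beacon-type table is assumed, and the byte sample is constructed to carry the expected values (443, 60000, 255).

```python
import struct

# Setting indexes as printed by the parser output in this thread (0x01..0x06).
SETTING_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime",
                 4: "MaxGetSize", 5: "Jitter", 6: "MaxDNS"}
BEACON_TYPES = {0x0: "HTTP", 0x1: "HTTPS", 0x2: "SMB", 0x8: "DNS"}  # assumed subset


def parse_settings(blob, offset=0):
    """Decode the decrypted settings block: records are big-endian index (2),
    type (2), length (2), value; type 1 = short, 2 = int, 3 = raw; index 0 ends it."""
    settings = {}
    while offset + 6 <= len(blob):
        idx, typ, length = struct.unpack_from(">HHH", blob, offset)
        offset += 6
        if idx == 0:
            break
        value = blob[offset:offset + length]
        offset += length
        if len(value) != length:
            raise ValueError(f"record {idx:#04x} truncated")
        if typ == 1 and length == 2:
            decoded = struct.unpack(">H", value)[0]
        elif typ == 2 and length == 4:
            decoded = struct.unpack(">I", value)[0]
        elif typ == 3:
            decoded = value
        else:
            raise ValueError(f"record {idx:#04x}: bad type/length {typ}/{length}")
        settings[SETTING_NAMES.get(idx, f"Setting_{idx:#04x}")] = decoded
    return settings


def sanity_check(settings):
    """Plausibility checks that a wrong start offset or field width usually trips."""
    problems = []
    if settings.get("BeaconType") not in BEACON_TYPES:
        problems.append("unknown beacon type")
    if not 1 <= settings.get("Port", 0) <= 65535:
        problems.append("port out of range")
    if not 0 <= settings.get("Jitter", 0) <= 99:  # jitter is a percentage
        problems.append("jitter out of range")
    return problems


# Constructed sample block carrying the values the reporter expected above.
SAMPLE = (struct.pack(">HHHH", 1, 1, 2, 0x1) + struct.pack(">HHHH", 2, 1, 2, 443)
          + struct.pack(">HHHI", 3, 2, 4, 60000) + struct.pack(">HHHI", 4, 2, 4, 1048576)
          + struct.pack(">HHHH", 5, 1, 2, 0) + struct.pack(">HHHH", 6, 1, 2, 255)
          + struct.pack(">HHH", 0, 0, 0))
```

Parsing `SAMPLE` from offset 1 instead of 0 raises on the first record, which is the behaviour a parser wants when its offsets drift rather than silently reporting values such as port 450.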

Found the bug and updated the repo :)
You can now try again.
Please comment if it's fixed for you

Just tried it on a few other CS samples and it looks like it's working perfectly now. Thanks again for open sourcing this tool :)