Cobalt Stike Beacon Detected – 119[.]3[.]141[.]162:443

Click the icon to Follow me:- twitterTelegramRedditDiscord

The Information provided at the time of posting was detected as “Cobalt Strike”. Depending on when you are viewing this article, it may no longer be the case and could be determined as being a false positive. Please do your own additional validation. – RedPacket Security

TimeStamp 2021-11-08T22:56:07.625348

Cobalt Strike
Cobalt Strike

General Information

880455244
Cloud Provider
Cloud Region
Service
Domainshwclouds-dns[.]com
Hostnamesecs-119-3-141-162[.]compute[.]hwclouds-dns[.]com
HTTP Host119[.]3[.]141[.]162
ISPHuawei Cloud Service data center
ORGHuawei Public Cloud Service (Huawei Software Technologies Ltd.Co)
OSN/A
HTTPN/A
HTTP HTML HASHN/A
HTTP LOCATION/
HTTP REDIRECTS
HTTP ROBOTSN/A
HTTP ROBOTS HASHN/A
HTTP SECURITY.TXTN/A
HTTP SECURITY.TXT HASHN/A
HTTP SERVERApache
HTTP SITEMAPN/A
HTTP SITEMAP HASHN/A
HTTP TITLEN/A
LOCATION (AREA CODE)N/A
LOCATION (CITY)Shanghai
LOCATION (COUNTRY CODE)CN
LOCATION (COUNTRY NAME)China
LOCATION (LATITUDE)31.22222
LOCATION (LONGITUDE)121.45806
LOCATION (POSTAL CODE)N/A
SSL SERIAL
SSL EXPIREDN/A
SSL FINGERPRINT (SHA1)bf7f0726aa156b869ea2297396492d24a652d1ed
SSL ISSUED20210816022411Z
SSL EXPIRES20220816022411Z
SSL CYPHERECDHE-RSA-AES256-GCM-SHA384
SSL VERSIONTLSv1/SSLv3
SSL TRUST (REVOKED)N/A
TAGSself-signed


Cobalt Strike Beacon Information

Beacon TypeHTTPS
http-get.clientAccept: text/html,application/xhtml+xml,application/xml;q=0[.]9,*/*;q=0[.]8, Accept-Encoding: gzip, deflate, __cdnuid=, Cookie
http-post.clientAccept: text/html,application/xhtml+xml,application/xml;q=0[.]9,*/*;q=0[.]8, Accept-Encoding: gzip, deflate, __cdnuid
DNS Beacon MaxDNSN/A
DNS Beacon IdleN/A
Beacon Jitter37
dns-beacon.strategy_fail_seconds-1
dns-beacon.strategy_rotate_seconds-1
dns-beacon.strategy_fail_x-1
HTTP GET URI140[.]249[.]37[.]234,/jquery-3[.]2[.]1[.]min[.]js,125[.]35[.]234[.]176,/jquery-3[.]2[.]1[.]min[.]js,140[.]249[.]37[.]249,/jquery-3[.]2[.]1[.]min[.]js,153[.]3[.]235[.]47,/jquery-3[.]2[.]1[.]min[.]js,139[.]227[.]230[.]54,/jquery-3[.]2[.]1[.]min[.]js,153[.]3[.]235[.]99,/jquery-3[.]2[.]1[.]min[.]js,157[.]0[.]6[.]248,/jquery-3[.]2[.]1[.]min[.]js
HTTP POST URI/jquery-3.2.2.min.js
Max GET Size1398107
Port443
post-ex.spawnto_x64%windir%\sysnative\dllhost[.]exe
post-ex.spawnto_x86%windir%\syswow64\dllhost[.]exe
process-inject.startrwx4
process-inject.userwx32
process-inject.allocator1
proxy.behavior2 (Use IE settings)
sleeptime45000
useragent_headerMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.91 Safari/537.36
uses_cookies1
process-inject.executentdll:RtlUserThreadStart, CreateThread, NtQueueApcThread-s, CreateRemoteThread, RtlCreateUserThread
Watermark426352781
Beacon Stage Cleanup1
Available for Amazon Prime