Cobalt Stike Beacon Detected – 18[.]188[.]42[.]205:443

Click the icon to Follow me:- twitterTelegramRedditDiscord

The Information provided at the time of posting was detected as “Cobalt Strike”. Depending on when you are viewing this article, it may no longer be the case and could be determined as being a false positive. Please do your own additional validation. – RedPacket Security

TimeStamp 2021-11-09T10:59:13.722853

Cobalt Strike
Cobalt Strike

General Information

1216966476
Cloud ProviderAmazon
Cloud Regionus-east-2
ServiceAMAZON
Domainsamazonaws[.]com
Hostnamesec2-18-188-42-205[.]us-east-2[.]compute[.]amazonaws[.]com
HTTP Host18[.]188[.]42[.]205
ISPAmazon.com, Inc.
ORGAmazon Technologies Inc.
OSN/A
HTTPN/A
HTTP HTML HASHN/A
HTTP LOCATION/
HTTP REDIRECTS
HTTP ROBOTSN/A
HTTP ROBOTS HASHN/A
HTTP SECURITY.TXTN/A
HTTP SECURITY.TXT HASHN/A
HTTP SERVERN/A
HTTP SITEMAPN/A
HTTP SITEMAP HASHN/A
HTTP TITLEN/A
LOCATION (AREA CODE)N/A
LOCATION (CITY)Hilliard
LOCATION (COUNTRY CODE)US
LOCATION (COUNTRY NAME)United States
LOCATION (LATITUDE)40.0334
LOCATION (LONGITUDE)-83.15825
LOCATION (POSTAL CODE)N/A
SSL SERIAL
SSL EXPIREDN/A
SSL FINGERPRINT (SHA1)bd319fbc6382e8e3a0681d7cd820a45af2604c7c
SSL ISSUED20210714213041Z
SSL EXPIRES20220714213041Z
SSL CYPHERECDHE-RSA-AES256-GCM-SHA384
SSL VERSIONTLSv1/SSLv3
SSL TRUST (REVOKED)N/A
TAGScloud, self-signed


Cobalt Strike Beacon Information

Beacon TypeHTTPS
http-get.clientAccept: text/html,application/xhtml+xml,application/xml;q=0[.]9,*/*;q=0[.]8, Host: code[.]jquery[.]com, Referer: http://code[.]jquery[.]com/, Accept-Encoding: gzip, deflate, __cfduid=, Cookie
http-post.clientAccept: text/html,application/xhtml+xml,application/xml;q=0[.]9,*/*;q=0[.]8, Host: code[.]jquery[.]com, Referer: http://code[.]jquery[.]com/, Accept-Encoding: gzip, deflate, __cfduid
DNS Beacon MaxDNSN/A
DNS Beacon IdleN/A
Beacon Jitter37
dns-beacon.strategy_fail_seconds-1
dns-beacon.strategy_rotate_seconds-1
dns-beacon.strategy_fail_x-1
HTTP GET URIevergreenhealthnet[.]org,/jquery-3[.]3[.]1[.]min[.]js
HTTP POST URI/jquery-3.3.2.min.js
Max GET Size1403644
Port443
post-ex.spawnto_x64%windir%\sysnative\rundll32[.]exe
post-ex.spawnto_x86%windir%\syswow64\rundll32[.]exe
process-inject.startrwx64
process-inject.userwx32
process-inject.allocatorN/A
proxy.behavior2 (Use IE settings)
sleeptime60000
useragent_headerMozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
uses_cookies1
process-inject.executeCreateThread, SetThreadContext, CreateRemoteThread, RtlCreateUserThread
Watermark552176587
Beacon Stage Cleanup1
Available for Amazon Prime