{
	"id": "28ec393a-22a6-4c2a-ac4d-91354a41685b",
	"created_at": "2026-04-06T00:14:51.780137Z",
	"updated_at": "2026-04-10T03:20:32.377808Z",
	"deleted_at": null,
	"sha1_hash": "35a60ac1f374a9784d4594f0ff7fec04531afc35",
	"title": "CobaltStrike Stager Utilizing Floating Point Math",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1061809,
	"plain_text": "CobaltStrike Stager Utilizing Floating Point Math\r\nBy Jason Reaves\r\nPublished: 2021-04-20 · Archived: 2026-04-05 18:32:24 UTC\r\nBy: Jason Reaves and Joshua Platt\r\nExecutive summary\r\n1. New CobaltStrike stagers utilize floating point mnemonics[1] to decode the stager shellcode.\r\n2. Raw sockets and the Date value from Google's response headers are used to detect overwritten sleep values, such as in some sandbox detonations.\r\nDate checking\r\nThe stager employs an interesting technique to check whether it is being detonated in a controlled environment, such as a sandbox, that might overwrite sleep values; at the same time it also checks for network connectivity.\r\nhttps://medium.com/walmartglobaltech/cobaltstrike-stager-utilizing-floating-point-math-9bc13f9b9718\r\nPage 1 of 6\n\nThe stager uses raw sockets to connect to 'google.com' over port 80 and send a GET request.\r\nRaw socket to google.com\r\nThe request is not parsed as an HTTP request by most utilities, including Wireshark[2] and Suricata[3], because it is incomplete: it ends with just a newline and no carriage return.\r\nIncomplete request\r\nThe request is enough to retrieve the 404 response from the webserver, and the malware then parses values out of the Date header, specifically the day, year and time values.\r\nParse values from response\r\nAfter parsing out the values it converts them to seconds, but without accounting for the month.\r\nConvert values to seconds\r\nTime Check\r\nAbove you can see a sleep call sandwiched between two calls to the function responsible for retrieving the converted value from a Google request. The sleep is 30 seconds, and afterwards the stager checks whether the two retrieved values differ by less than 28; in other words, it is checking whether the process took less than 28 seconds.\r\nError or decode logic\r\nIf the check fails, a fake DirectX error message is displayed; otherwise the process of decoding the stager shellcode begins.\r\nShellcode decode\r\nThe shellcode is decoded using floating point mnemonics, and judging by some of the actors' testing, this appears to be fairly effective at bypassing static detection engines.\r\nDecode loop\r\nThe process begins with a floating point modulus against a table of data using a hardcoded key value.\r\nfpmod\r\nAfter the modulus the value is rounded to an int value. Example Python code for decoding the data can be seen below:\r\nimport struct\r\n\r\ndef fpmod_decode(key, data, l):\r\n    # key: the hardcoded floating point modulus key\r\n    # data: the table of 8-byte little-endian doubles read from the sample\r\n    # l: number of bytes to decode\r\n    out = \"\"\r\n    for i in range(l):\r\n        temp = struct.unpack_from('\u003cd', data, i * 8)[0]\r\n        val = int(temp % key)\r\n        # round the modulus result to an int, then keep only the low byte\r\n        if temp \u003e val:\r\n            out += chr((val + 1) \u0026 0xff)\r\n        else:\r\n            out += chr(val \u0026 0xff)\r\n    return out\r\nUsing our decode code we can quickly enumerate samples, decode the shellcode and harvest IOCs.\r\nIndicators of compromise\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET 80 (msg:\"CS stager time check 1\"; dsize:8; cont\r\nReferences\r\n1. https://www.felixcloutier.com/x86/index.html\r\n2. https://www.wireshark.org/\r\n3. https://suricata-ids.org/\r\nSource: https://medium.com/walmartglobaltech/cobaltstrike-stager-utilizing-floating-point-math-9bc13f9b9718",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/walmartglobaltech/cobaltstrike-stager-utilizing-floating-point-math-9bc13f9b9718"
	],
	"report_names": [
		"cobaltstrike-stager-utilizing-floating-point-math-9bc13f9b9718"
	],
	"threat_actors": [],
	"ts_created_at": 1775434491,
	"ts_updated_at": 1775791232,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/35a60ac1f374a9784d4594f0ff7fec04531afc35.pdf",
		"text": "https://archive.orkl.eu/35a60ac1f374a9784d4594f0ff7fec04531afc35.txt",
		"img": "https://archive.orkl.eu/35a60ac1f374a9784d4594f0ff7fec04531afc35.jpg"
	}
}