# [QuickNote] CobaltStrike SMB Beacon Analysis

**[kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/](https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/)**

June 4, 2022

**1. Executive Summary**

At VinCSS, I recently wrote an analysis of samples from the Mustang Panda (PlugX) group. These samples were all uploaded from Vietnam. You can read the [Vietnamese](https://blog.vincss.net/2022/05/re027-nhom-apt-mustang-panda-co-the-van-dang-tiep-tuc-hoat-dong-tan-cong-vao-cac-to-chuc-tai-Vietnam.html) or [English](https://blog.vincss.net/2022/05/re027-china-based-apt-mustang-panda-might-have-still-continued-their-attack-activities-against-organizations-in-Vietnam.html) blog post of this analysis. However, among all the uploaded `log.dll` files, there is one that is not related to the Mustang Panda group's attack technique; it is marked in the following picture:

**2. Analyze log.dll**

[This file](https://www.virustotal.com/gui/file/604b202cbe5e97c7c8a74a12e1f08e843c08ae08be34dc60b8518b9417c133a9/detection) is smaller than the other files. Its original name is `imageres.dll`; it exports a lot of functions that all share the same address, and the only notable one is the `LogInit` function:

Analyzing the code of `LogInit` in IDA, I see that it builds the path to the `mpengindrv.db` file:

Next, it reads the content of `mpengindrv.db` into an allocated memory region and decrypts it using RC4 with the decryption key "A5A7F7E2B00C4A2B87FC0123F933EBD6". After successful decryption, it calls the decrypted payload to execute it:

**3. Hunting and decrypting**

Trying to hunt for the `mpengindrv.db` file on VT, I found only one file, uploaded from Vietnam at the same time as the `log.dll` file above:

Using [CyberChef](https://gchq.github.io/CyberChef/) to decrypt the file, we find that the decrypted file is a PE file, but immediately after the `MZ` signature is the opcode of a `call` instruction (`0xE8`):

Saving the decrypted file to disk and disassembling its first bytes shows two calls, as follows:

The above reminds me of the [ReflectiveLoader](https://github.com/stephenfewer/grinder/blob/master/node/source/logger/ReflectiveLoader.c) technique that I analyzed in [this article](https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc-phan2.html). Static analysis of the decrypted file shows it is a DLL with the original name `Lotes.dll`, exporting a single function, `ReflectiveLoader`. However, the unusual point is that its Import Table information is wrong, and the section names are also garbage characters:

**4. Analyze Lotes.dll**

Loading the DLL into IDA for analysis, the code in the `ReflectiveLoader` function is similar to the code [here](https://github.com/stephenfewer/grinder/blob/master/node/source/logger/ReflectiveLoader.c), but it has been modified slightly in how it processes the import table. It first reads the `NumberOfSymbols` value from the File Header and stores it in a variable. This variable is used as the `xor_key`.

Then, when processing the import table, it uses the obtained `xor_key` value to decode the names of the DLLs, as well as the names of the API functions that the malicious code will use:

Based on the above information, it is easy to recover the information of the Import Table:

After the loader process is complete, it calls the entry point of the DLL to execute it:

The code at `DllEntryPoint` calls `DllMain`, which then calls the function `f_decrypt_and_parse_beacon_config`. The reason I know this is a CobaltStrike Beacon is that the `f_decrypt_and_parse_beacon_config` function decodes the config with a hard-coded value of `0x2e` (as the xor_key). The value `0x2e` is used in Beacon version 4. Based on this, I used the script [1768.py](https://github.com/DidierStevens/DidierStevensSuite/blob/master/1768.py) by Mr. Didier Stevens to extract the configuration information of the CobaltStrike Beacon. The result shows that this is an SMB Beacon:

End.

m4n0w4r
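The single-byte XOR check described in section 4 (key `0x2e` for Beacon 4) is what lets tools like 1768.py locate the config inside a decrypted payload. The following is an added example, not code from the post or from 1768.py, showing the idea end to end: it scans a blob for the XOR-encoded config header, decodes the TLV records, and reports the BeaconType. The sample blob, pipe name and other values are constructed for the demonstration; the item indices and BeaconType labels follow the public Beacon config layout.

```python
import struct

# A Beacon config is a list of TLV records: index, type, length (big-endian
# uint16 each) then the value. Item 1 (BeaconType, type 1 short, length 2) is
# always first, so an encoded config starts with 00 01 00 01 00 02 XORed with
# the single-byte key: 0x2e in Beacon 4 (as in the post), 0x69 in Beacon 3.
XOR_KEYS = {0x2E: "Beacon 4", 0x69: "Beacon 3"}
CONFIG_HEADER = bytes([0, 1, 0, 1, 0, 2])
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP DNS", 2: "SMB", 4: "TCP", 8: "HTTPS", 16: "Bind TCP"}

def find_config(blob: bytes):
    """Locate an XOR-encoded Beacon config; returns (offset, key) or None."""
    for key in XOR_KEYS:
        off = blob.find(bytes(b ^ key for b in CONFIG_HEADER))
        if off != -1:
            return off, key
    return None

def parse_config(blob: bytes, offset: int, key: int, max_items: int = 64) -> dict:
    """Decode the config at `offset` with `key`; returns {index: value}."""
    data = bytes(b ^ key for b in blob[offset:])
    items, pos = {}, 0
    for _ in range(max_items):
        if pos + 6 > len(data):
            break
        idx, typ, ln = struct.unpack_from(">HHH", data, pos)
        pos += 6
        if idx == 0:                      # a zero index terminates the config
            break
        if typ == 1 and ln == 2:          # short
            val = struct.unpack_from(">H", data, pos)[0]
        elif typ == 2 and ln == 4:        # int
            val = struct.unpack_from(">I", data, pos)[0]
        else:                             # type 3: raw bytes / NUL-padded string
            val = data[pos:pos + ln].rstrip(b"\x00")
        items[idx] = val
        pos += ln
    return items

def beacon_type(items: dict) -> str:
    """Name of item 1 (BeaconType), e.g. 2 -> 'SMB'."""
    return BEACON_TYPES.get(items.get(1), "unknown")

# Constructed sample (not the post's file): BeaconType, Port, Sleeptime and
# PipeName (item 15) encoded with 0x2e and surrounded by junk bytes.
_plain = (struct.pack(">HHHH", 1, 1, 2, 2) + struct.pack(">HHHH", 2, 1, 2, 445)
          + struct.pack(">HHHI", 3, 2, 4, 60000)
          + struct.pack(">HHH", 15, 3, 16) + b"\\\\.\\pipe\\demo".ljust(16, b"\x00")
          + b"\x00" * 6)
SAMPLE_BLOB = b"\x90" * 32 + bytes(b ^ 0x2E for b in _plain) + b"\xcc" * 16
```

Run `find_config` on an RC4-decrypted payload such as the one in section 3 to get the offset and key, then `parse_config` to read the items; `beacon_type` resolves item 1 to the label 1768.py would print.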