{
	"id": "0ef0afaa-0c96-4c6b-95ff-d9fd81072bd1",
	"created_at": "2026-04-06T00:09:03.928434Z",
	"updated_at": "2026-04-10T13:12:50.730605Z",
	"deleted_at": null,
	"sha1_hash": "a47a6b4e5f479593f7830d35e7a7ecd0991fb511",
	"title": "ioc/Manjusaka at master · gendigitalinc/ioc",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 68508,
	"plain_text": "ioc/Manjusaka at master · gendigitalinc/ioc\r\nBy michalsalat\r\nArchived: 2026-04-05 23:02:41 UTC\r\nManjusaka is a web-based imitation of the Cobalt Strike framework.\r\nMore info: https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html\r\nManjusaka github: https://github.com/YDHCUI/manjusaka\r\nTable of Contents\r\nFramework content unpacking\r\nFramework Go build IDs\r\nBinaries PDB\r\nYara rules\r\nSamples (SHA-256)\r\nNetwork indicators\r\nOSINT data\r\nFramework content unpacking\r\nPayloads, binaries, and other hardcoded framework components are compressed (raw deflated) and encoded as hex strings.\r\nEach data blob starts with the header:\r\n1F 8B 08 00 00 00 00 00 00 FF\r\nUp to v04 the last two hardcoded data blobs are the EXE and ELF binaries; since v05 all EXE and ELF binaries are stored inside the plugins folder.\r\nPayloads unpacking example:\r\n1. Parse payload data blobs and remove the header (20 hex chars)\r\n import re, binascii, zlib\r\n # buff holds the raw bytes of the framework binary\r\n r = re.compile(b'1f8b08000000000000ff[0-9a-f]{1024,}?')\r\n data_blobs = re.finditer(r, buff)\r\n payloads = list(data_blobs)[-2:]\r\n payload_1_start = payloads[0].start()\r\n payload_1_end = payloads[1].start()\r\n payload_1_buff = buff[payload_1_start+20:payload_1_end]\r\nhttps://github.com/avast/ioc/tree/master/Manjusaka\r\nPage 1 of 4\n\npayload_2_start = payload_1_end\r\n # the second blob ends at the first 4 hex chars followed by a NUL byte\r\n payload_2_end = re.search(b'[0-9a-f]{4}?\\x00', buff[payload_2_start:]).start() + 4 + payload_2_start\r\n payload_2_buff = buff[payload_2_start+20:payload_2_end]\r\n2. Decode and decompress the payload\r\n raw_data = binascii.unhexlify(payload_1_buff)\r\n data = zlib.decompressobj(wbits=-15) # -15 = raw deflate, no headers and trailers\r\n decompressed_data = data.decompress(raw_data)\r\n decompressed_data += data.flush()\r\nYou can also use our rip.py script.\r\nFramework Go build IDs\r\nWy_vibDZv2wm5bL2qsjJ/4PMVyM99vavXhzeZ4lv-/NYl_KmuSEbSNJk9EaRt1/-EMPWdjs0Nl7sygAAteT - ELF v01\r\ny0MW5jt0EkawUK5kkl12/Zh446aeMzbHG7OsVOfqu/m_XtCR229uKgZbQeD5Ct/fxfGJGaYN1_6nNv2XZSb - ELF v02\r\n0306BSKBqnqKtMQqgSXM/hLj4wvVVJLyBCaJB_8M0/stfbGsFZXgNkPwZKLqRe/MIFhigzePSeV5d_RmfC5 - ELF v03 (dev)\r\n654gijPAUkEazJpjD9NU/gDuHF1xfdp91Sf6SYQHX/vsnn7ekg0TKXWiOScF0D/Sam0sQmfyCaDC8qCfYx5 - ELF v03\r\nerRGOJVHe87XgmyOVwHD/BpxVvpyDXtLddyWFd8N9/oYwdpsmFEDX92XJURLUz/bbXY8CvkDMriB32dI6SX - EXE v03\r\nGnBKocLwvWZnC_UmIr-r/6P-OzFbQ79oYyyaDRHV4/8tmFwxcSdccmpfsZc3hb/w4-6IRPpuBfuahzPcL52 - ELF v04\r\nNPWAdPbWmnXr0a6gD7Kz/TtnYdOyCjvcCQuZ9GiDr/FCmOi8A066RPC6SOWvaM/CpW7O0s8aQ2BFVdfebTJ - ELF v05\r\nBinaries PDB\r\nZ:\\Code\\NPSC2\\npc\\target\\release\\deps\\npc.pdb\r\nD:\\CodeProject\\hw_src\\NPSC2\\npc\\target\\release\\deps\\npc.pdb\r\nYara rules\r\nmanjusaka_framework_go_build_id\r\nmanjusaka_payload_encoded_hexstring\r\nmanjusaka_payload_elf\r\nmanjusaka_payload_mz\r\nYou can download the whole ruleset here.\r\nSamples (SHA-256)\r\nFramework GoLang binaries\r\n955e9bbcdf1cb230c5f079a08995f510a3b96224545e04c1b1f9889d57dd33c1 - ELF v01\r\nf275ca5129399a521c8cd9754b1133ecd2debcfafc928c01df6bd438522c564a - ELF v02 upx\r\n637f3080526d7d0ad5eb41bf9331fb51aaafd30f2895c00a44ad905154f76d70 - ELF v02 unpacked\r\nb5c366d782426bad4ba880dc908669ff785420dea02067b12e2261dd1988f34a - ELF v03 (dev) upx\r\n107b094031094cbb1f081d85ec2799c3450dce32e254bda2fd1bb32edb449aa4 - ELF v03 (dev) unpacked\r\nfb5835f42d5611804aaa044150a20b13dcf595d91314ebef8cf6810407d85c64 - ELF v03 upx\r\nff20333d38f7affbfde5b85d704ee20cd60b519cb57c70e0cf5ac1f65acf91a6 - ELF v03 unpacked\r\n3581d99feb874f65f53866751b7874c106b5ce65a523972ef6a736844209043c - EXE v03 upx\r\n6082bf26bcc07bf299a88eaa0272022418b12156cd987adfdff9fa1517afcf3d - EXE v03 unpacked\r\n14dfb43a1782b0b8d93c3d67d63b6c786b0a223bc50c3ec68106bd18d43652a4 - ELF v04 upx\r\n4a0f47132867c12a6d009e43812729a1bb41f4eb83472ac352fc5b20fe937bef - ELF v04 unpacked\r\nbb1b7d506559c783ed747da461f58ea5256ba0a083768ae6aa1a2325017c4387 - ELF v05 upx\r\nbd0e09e9ee4db74ada6433f00024a543f799046c15f635216ca4ae5e1f0c42e2 - ELF v05 unpacked\r\nHardcoded payload Rust binaries\r\n0063e5007566e0a7e8bfd73c4628c6d140b332df4f9afbb0adcf0c832dd54c2b - ELF v01, v02\r\nd5918611b1837308d0c6d19bff4b81b00d4f6a30c1240c00a9e0a9b08dde1412 - ELF v03 (dev)\r\n0a5174b5181fcd6827d9c4a83e9f0423838cbb5a6b23d012c3ae414b31c8b0da - ELF v03\r\n63e7f6fa89faa88b346d0cceddf2ef2e3ebf5d5828aa0087663c227422041db7 - ELF v04\r\n4eb337c12f0e0ee73b3209bed4b819719c4af9f63f3e81dbc3bbf06212450f1c - ELF v05\r\n400855b63b8452221869630c58b7ab03373dabf77c0f10df635e746c13f98ea9 - ELF v05\r\n443abf66039c6686b50e5091ac218810798a21884aa6bc0d5b6dd8782b0311a8 - ELF v05\r\n6839180bc3a2404e629c108d7e8c8548caf9f8249bbbf658b47c00a15a64758f - EXE v01\r\ncd0c75638724c0529cc9e7ca0a91d2f5d7221ef2a87b65ded2bc1603736e3b5d - EXE v02\r\n76eb9af0e2f620016d63d38ddb86f0f3f8f598b54146ad14e6af3d8f347dd365 - EXE v03 (dev)\r\n2b174d417a4e43fd6759c64512faa88f4504e8f14f08fd5348fff51058c9958f - EXE v03\r\n377bacba69d2bec770599ab21a202b574b92fb431fc35bbdf39080025d6cf2d6 - EXE v04\r\n51857882d1202e72c0cf18ff21de773c2a31ee68ff28385f968478401c5ab4bb - EXE v05\r\n86c633467ba7981d3946a63184dbfabce587b571f761b3eb1e3e43f6b1df6f2c - EXE v05\r\ne07aa10f19574a856a4ac389a3ded96f2d78f41f939935dd678811bd12b5bd03 - EXE v05\r\n9e7144540430d97de38a2adcef16ad43e23c91281462b135fcc56cafc2f34160 - EXE v05\r\nITW payload Rust binaries\r\n056bff638627d46576a3cecc3d5ea6388938ed4cb30204332cd10ac1fb826663\r\n399abe81210b5b81e0984892eee173d6eeb99001e8cd5d377f6801d092bdef68\r\n3a3c0731cbf0b4c02d8cd40a660cf81f475fee6e0caa85943c1de6ad184c8c31\r\n8e9ecd282655f0afbdb6bd562832ae6db108166022eb43ede31c9d7aacbcc0d8\r\n90b6a021b4f2e478204998ea4c5f32155a7348be4afb620999fa708b4a9a30ab\r\na8b8d237e71d4abe959aff4517863d9f570bba1646ec4e79209ec29dda64552f\r\necbe098ed675526a2c22aaf79fe8c1462fb4c68eb0061218f70fadbeb33eeced\r\nNetwork indicators\r\nC2 IPs\r\n45[.]137.117.219\r\n39[.]104.90.45\r\n95[.]179.151.49\r\n71[.]115.193.247:9000\r\n119[.]28.101.125\r\n104[.]225.234.200\r\nUser Agents\r\nMozilla/5.0 (Windows NT 8.0; WOW64; rv:40.0) Gecko\r\nMozilla/5.0 (Windows NT 8.0; WOW64; rv:58.0) Gecko/20120102 Firefox/58.0\r\nMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\nOSINT data\r\nBinaries\r\nC:\\Users\\Administrator.WIN7-2021OVWRCZ\\.cargo\\registry\\src\\mirrors.ustc.edu.cn-C:\\Users\\root\\.cargo\\registry\\src\\mirrors.ustc.edu.cn-\r\n/root/.cargo/registry/src/mirrors.ustc.edu.cn-GitHub\r\nh5[.]qianxin[.]com\r\nhttps[:]//weixin[.]qq[.]com/g/AQYAAEoVSAjZ35xwIeusxAmY6Qm2wKXvvjp6Ed7stK2OrUIl-a6Czezgc4QYv6GS\r\nhttps[:]//profile-counter[.]glitch[.]me/DaxiaMM-new/count.svg\r\nFramework author\r\n#codeby 道长且阻\r\n#email @ydhcui/QQ664284092\r\nSource: https://github.com/avast/ioc/tree/master/Manjusaka",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/avast/ioc/tree/master/Manjusaka"
	],
	"report_names": [
		"Manjusaka"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434143,
	"ts_updated_at": 1775826770,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a47a6b4e5f479593f7830d35e7a7ecd0991fb511.pdf",
		"text": "https://archive.orkl.eu/a47a6b4e5f479593f7830d35e7a7ecd0991fb511.txt",
		"img": "https://archive.orkl.eu/a47a6b4e5f479593f7830d35e7a7ecd0991fb511.jpg"
	}
}