# CobaltStrike Stager Utilizing Floating Point Math

**[medium.com/walmartglobaltech/cobaltstrike-stager-utilizing-floating-point-math-9bc13f9b9718](https://medium.com/walmartglobaltech/cobaltstrike-stager-utilizing-floating-point-math-9bc13f9b9718)**

Jason Reaves April 20, 2021

[Jason Reaves](https://medium.com/@jason.reaves?source=post_page-----9bc13f9b9718--------------------------------)

Apr 20, 2021


3 min read

By: Jason Reaves and Joshua Platt

## Executive summary

1. New CobaltStrike stagers utilizing floating point mnemonics[1] to decode out stager

shellcode.
2. Using raw sockets and date value from Google headers to check overwritten sleep

values such as in some sandbox detonations.

## Date checking


-----

The stager employs an interesting technique to check for being detonated in controlled
environments such as sandboxes that might overwrite sleep values, at the same time it also
checks for network connectivity.

The stager utilizes raw sockets to connect to ‘google.com’ over port 80 and send a GET
request.

Raw socket to google.com
The request is not parsed as an HTTP request in most utilities including Wireshark[2] and
Suricata[3] because it is incomplete with just a newline and no carriage return.

Incomplete request
The request is enough to retrieve the 404 response from the webserver and then the
malware begins parsing the values out of the date, specifically it parses out the day, year and
time values.


-----

Parse values from response
After parsing out the values it converts it to seconds but without accounting for the month.

Convert values to seconds

Time Check
Above you can see a sleep call is sandwiched by two of these calls to the function
responsible for retrieving the converted value from a google request, the sleep is 30 seconds
and then it checks if the values differ less than 28. It is checking if the process took less than
28 seconds or not.


-----

Error or decode logic
If the check fails then a fake DirectX error message is displayed, otherwise the process for
decoding the stager shellcode begins.

## Shellcode decode

The shellcode is decoded by utilizing floating point mnemonics, judging by some of the
actors testing this appears to be pretty good at bypassing static detection engines.

Decode loop
The process involved begins with floating point modulus against a table of data using a key
value that is hardcoded.


-----

fpmod
After the modulus the value is rounded to an int value. Example python code for decoding
the data can be seen below:
```
def fpmod_decode(key, data, l): out = "" for i in range(l): temp =
struct.unpack_from('<d', data[i*8:])[0] if temp > int(temp%key):  out +=
chr((ord(struct.pack('<Q', int(temp%key))[0])+1)&0xff) else:  out +=
chr((ord(struct.pack('<Q', int(temp%key))[0]))&0xff) return out

```
Using our decode code we can quickly enumerate samples for decoding out the shellcode
and harvesting IOCs.

## Indicators of compromise
```
cda7edc9414814ef57c31e473ce87e489bcd6f1ed8d81a504e960e184fce1609abaf70728e6f940195e35e
 tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"CS stager time check 1"; dsize:8;
content:"GET drv|0a|"; offset:0; classtype:trojan-activity; sid:9000009; rev:1;
metadata:author Jason Reaves;)alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"CS
stager time check 2"; dsize:11; content:"GET driver|0a|"; offset:0; classtype:trojanactivity; sid:9000010; rev:1; metadata:author Jason Reaves;)

 References

```

-----