{
	"id": "8559eba2-ee38-42e1-94be-86e0aac85177",
	"created_at": "2026-04-06T00:06:17.700572Z",
	"updated_at": "2026-04-10T03:24:23.547106Z",
	"deleted_at": null,
	"sha1_hash": "db7ee71024da34e6fc1dfd15bb349163e4c6bc2a",
	"title": "Cobalt Strike Hunting — simple PCAP and Beacon Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1797146,
	"plain_text": "Cobalt Strike Hunting — simple PCAP and Beacon Analysis\r\nBy Michael Koczwara\r\nPublished: 2021-08-08 · Archived: 2026-04-05 22:27:07 UTC\r\nThreat actor TTPs — hiding Cobalt Strike in a claycityhealthcare[.]com subdomain.\r\nLet's investigate the subdomains using Shodan and VirusTotal.\r\nQuick VirusTotal and Shodan check.\r\nShodan check.\r\nhttps://michaelkoczwara.medium.com/cobalt-strike-hunting-simple-pcap-and-beacon-analysis-f51c36ce6811\r\nPage 1 of 5\n\nWhen you go to remote.claycityhealthcare[.]com the browser displays an HTTP 404 error page.\r\nThe subdomain has two open ports, 80 and 443.\r\nHTTP/1.1 404 Not Found with Content-Type: text/plain and Content-Length: 0 is always suspicious to me.\r\nRight, so now let's scan the subdomain using an Nmap script to identify a potential Cobalt Strike C2.\r\nWhat is interesting in this one is the Malleable C2 profile URI:\r\nremote.claycityhealthcare.com/CWoNaJLBo/VTNeWw11212\r\nA Malleable C2 profile is a way for an attacker to blend command and control traffic (beacons between victim and server) in with normal traffic, with the goal of avoiding detection. Malleable C2 profiles can be customized.\r\nIf you don't know about Comfoo, this is a good read.\r\nBeacon analysis\r\nLet's quickly analyze the Beacon and clarify the most interesting info.\r\n{\r\n\"BeaconType\": [\r\n\"HTTP\"\r\n],\r\n\"MD5\": \"9773d90443383e04c171c5b3e3017740\",\r\n\"Filename\": \"cshell/a36fbae6e4c3e98560fc0f90ce075fb0d65ca926fdcfebea11a1b90445374c82.decoded\",\r\n\"Port\": 80,\r\n\"SleepTime\": 30000,\r\nSleep time in milliseconds (0.5 minute) between beacon call-homes; 60000 is the default.\r\n\"MaxGetSize\": 1048576,\r\n\"Jitter\": 20,\r\nBeacon varies each of its check-in times by a random percentage, the jitter factor, which you specify from 0 to 99.\r\n\"MaxDNS\": \"Not Found\",\r\n\"PublicKey\":\r\n\"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC4P4BXSFMmJsHj3ePkNMOVGRsqJFQngo2QAFX0spN5orR8gltRgIcI0cseMS9BE2iPXZ\r\n\"C2Server\": \"remote.claycityhealthcare.com,/CWoNaJLBo/VTNeWw11212/\",\r\n\"UserAgent\": \"Not Found\",\r\n\"HttpPostUri\": \"/CWoNaJLBo/VTNeWw11213/\",\r\n\"HttpGet_Metadata\": \"Not Found\",\r\n\"HttpPost_Metadata\": \"Not Found\",\r\n\"SpawnTo\": \"Sm5rsPpaNgDLmwgX+eatPw==\",\r\n\"PipeName\": \"Not Found\",\r\n\"DNS_Idle\": \"Not Found\",\r\n\"DNS_Sleep\": \"Not Found\",\r\n\"SSH_Host\": \"Not Found\",\r\n\"SSH_Port\": \"Not Found\",\r\n\"SSH_Username\": \"Not Found\",\r\n\"SSH_Password_Plaintext\": \"Not Found\",\r\n\"SSH_Password_Pubkey\": \"Not Found\",\r\n\"HttpGet_Verb\": \"GET\",\r\n\"HttpPost_Verb\": \"POST\",\r\n\"HttpPostChunk\": 0,\r\n\"Spawnto_x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\",\r\n\"Spawnto_x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\",\r\nThis is the process into which the Cobalt Strike shellcode is spawned; rundll32.exe is the default.\r\n\"CryptoScheme\": 0,\r\n\"Proxy_Config\": \"Not Found\",\r\n\"Proxy_User\": \"Not Found\",\r\n\"Proxy_Password\": \"Not Found\",\r\n\"Proxy_Behavior\": \"Use IE settings\",\r\n\"Watermark\": 2005485734,\r\nThe watermark is unique to a customer and can sometimes be attributed to specific threat actors.\r\n\"bStageCleanup\": \"False\",\r\n\"bCFGCaution\": \"False\",\r\n\"KillDate\": \"2099-01-01\",\r\n\"bProcInject_StartRWX\": \"True\",\r\n\"bProcInject_UseRWX\": \"True\",\r\n\"bProcInject_MinAllocSize\": 0,\r\n\"ProcInject_PrependAppend_x86\": \"Empty\",\r\n\"ProcInject_PrependAppend_x64\": \"Empty\",\r\n\"ProcInject_Execute\": [\r\n\"CreateThread\",\r\n\"SetThreadContext\",\r\n\"CreateRemoteThread\",\r\n\"RtlCreateUserThread\"\r\n],\r\n\"ProcInject_AllocationMethod\": \"VirtualAllocEx\",\r\n\"bUsesCookies\": \"False\",\r\n\"HostHeader\": \"\"\r\nReferences:\r\nSource: https://michaelkoczwara.medium.com/cobalt-strike-hunting-simple-pcap-and-beacon-analysis-f51c36ce6811",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://michaelkoczwara.medium.com/cobalt-strike-hunting-simple-pcap-and-beacon-analysis-f51c36ce6811"
	],
	"report_names": [
		"cobalt-strike-hunting-simple-pcap-and-beacon-analysis-f51c36ce6811"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433977,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/db7ee71024da34e6fc1dfd15bb349163e4c6bc2a.pdf",
		"text": "https://archive.orkl.eu/db7ee71024da34e6fc1dfd15bb349163e4c6bc2a.txt",
		"img": "https://archive.orkl.eu/db7ee71024da34e6fc1dfd15bb349163e4c6bc2a.jpg"
	}
}