Hello and welcome to the Wednesday, September 7, 2022 edition of the Sands and its Storms Centers.

Stormcast, my name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Cobalt's strike, while not without competition these days, is still a very popular post-exploitation command

and control tool.

So really nice to have DDA's 1768.P.Y tool.

It's, of course, always helpful in analyzing Cobalt Strike if you're able to capture the process

on an infected machine or just get the executable.

In today's diary, DDA is going over how to use the tool in, well, less than an ideal

conditions if the sample that you captured was obfuscated and the tool isn't able to find

the configuration. This often happens if you capture the binary.

So one quick way to solve this problem is to run the malware in a sandbox,

capture the memory dump, and then often you'll get the post-offuscated binary.

That, of course, requires first you run the malware in a sandbox, and that's not everybody's

sort of thing to do necessarily.

It turns out that in this case, there's a little bit of different method that actually

worked for DDE.

The executable here had a large amount of

overlay data attached it. The really large overlay was, however, split into many small sections,

so DDA figured, well, they're really too small for a stateless cobalt strike beacon,

but there was a nice repeating pattern. So what you often

have with the obfuscation is sort of a simple XOR key. And when you have a repeating pattern like

this, that's often some null bites at the end that were, of course, then XOR'd and basically just reflect the key.

...