Sentinel-One / CobaltStrikeParser


unexpected output of recent NOBELIUM samples #12

Closed zoomequipd closed 3 years ago

zoomequipd commented 3 years ago

Description

Today, a CISA Malware Analysis Report was released which details the CS Beacon config of ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c and provides a config (detailed below in Expected Output) which is different from the config extracted when running parse_beacon_config.py.

Most fields are missing; though it almost gets some of the fields, it seems to be missing a few while others appear to be jumbled.

Actual Output

> python parse_beacon_config.py 7edf943ed251fa480c5ca5abb2446c75
BeaconType                       - Not Found
Port                             - 187
SleepTime                        - Not Found
MaxGetSize                       - Not Found
Jitter                           - Not Found
MaxDNS                           - Not Found
PublicKey_MD5                    - Not Found
C2Server                         - Not Found
UserAgent                        - Not Found
HttpPostUri                      - j/uqre-y.3.3.2im.nowff2
Malleable_C2_Instructions        - Not Found
HttpGet_Metadata                 - Not Found
HttpPost_Metadata                - Not Found
PipeName                         - Not Found
DNS_Idle                         - Not Found
DNS_Sleep                        - Not Found
SSH_Host                         - Not Found
SSH_Port                         - Not Found
SSH_Username                     - Not Found
SSH_Password_Plaintext           - Not Found
SSH_Password_Pubkey              - Not Found
SSH_Banner                       - 
HttpGet_Verb                     - EGT
HttpPost_Verb                    - OPTS
HttpPostChunk                    - 0
Spawnto_x86                      - w%niid%rs\syow6w\4ldhlso.txee
Spawnto_x64                      - w%niid%rs\syanitevd\llohtse.ex
CryptoScheme                     - 0
Proxy_Config                     - Not Found
Proxy_User                       - Not Found
Proxy_Password                   - Not Found
Proxy_Behavior                   - Use IE settings
Watermark                        - 610669
bStageCleanup                    - Not Found
bCFGCaution                      - False
KillDate                         - 0
bProcInject_StartRWX             - False
bProcInject_UseRWX               - False
bProcInject_MinAllocSize         - 0
ProcInject_PrependAppend_x86     - Not Found
ProcInject_PrependAppend_x64     - Not Found
ProcInject_Execute               - Not Found
ProcInject_AllocationMethod      - NtMapViewOfSection
bUsesCookies                     - True
HostHeader                       - 
headersToRemove                  - Not Found
DNS_Beaconing                    - Not Found
DNS_get_TypeA                    - Not Found
DNS_get_TypeAAAA                 - Not Found
DNS_get_TypeTXT                  - Not Found
DNS_put_metadata                 - Not Found
DNS_put_output                   - Not Found
DNS_resolver                     - Not Found
DNS_strategy                     - Not Found
DNS_strategy_rotate_seconds      - Not Found
DNS_strategy_fail_x              - Not Found
DNS_strategy_fail_seconds        - Not Found

Expected Output

(From CISA report)

--Begin configuration data--
BeaconType                       - Not Found
Port                             - 187
SleepTime                        - Not Found
MaxGetSize                       - Not Found
Jitter                           - Not Found
MaxDNS                           - Not Found
PublicKey_MD5                    - Not Found
C2Server                         - dataplane.theyardservice[.]com,/jquery-3.3.1.min.woff2,cdn.theyardservice[.]com,/jquery-3.3.1.min.woff2,static.theyardservice[.]com,/jquery-3.3.1.min.woff2,worldhomeoutlet[.]com,/jquery-3.3.1.min.woff2
UserAgent                        - Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
HttpPostUri                      - /jquery-3.3.2.min.woff2
Malleable_C2_Instructions        - Remove 1522 bytes from the end
                                Remove 84 bytes from the beginning
                                Remove 3931 bytes from the beginning
                                Base64 URL-safe decode
                                XOR mask w/ random key
HttpGet_Metadata                 - Metadata
                                      mask
                                      base64url
                                      prepend "_cfuid="
                                      header "Cookie"
HttpPost_Metadata                - SessionId
                                      mask
                                      base64url
                                      parameter "_cfuid"
                                Output
                                      mask
                                      base64url
                                      print
PipeName                         - Not Found
DNS_Idle                         - Not Found
DNS_Sleep                        - Not Found
SSH_Host                         - Not Found
SSH_Port                         - Not Found
SSH_Username                     - Not Found
SSH_Password_Plaintext           - Not Found
SSH_Password_Pubkey              - Not Found
SSH_Banner                       -
HttpGet_Verb                     - GET
HttpPost_Verb                    - POST
HttpPostChunk                    - 0
Spawnto_x86                      - %windir%\syswow64\dllhost.exe
Spawnto_x64                      - %windir%\sysnative\dllhost.exe
CryptoScheme                     - 0
Proxy_Config                     - Not Found
Proxy_User                       - Not Found
Proxy_Password                   - Not Found
Proxy_Behavior                   - Use IE settings
Watermark                        - 1359593325
bStageCleanup                    - True
bCFGCaution                      - False
KillDate                         - 0
bProcInject_StartRWX             - False
bProcInject_UseRWX               - False
bProcInject_MinAllocSize         - 0
ProcInject_PrependAppend_x86     - b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
                                Empty
ProcInject_PrependAppend_x64     - b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
                                Empty
ProcInject_Execute               - ntdll:RtlUserThreadStart
                                CreateThread
                                NtQueueApcThread-s
                                CreateRemoteThread
                                RtlCreateUserThread
ProcInject_AllocationMethod      - NtMapViewOfSection
bUsesCookies                     - True
HostHeader                       -
headersToRemove                  - Not Found
DNS_Beaconing                    - Not Found
DNS_get_TypeA                    - Not Found
DNS_get_TypeAAAA                 - Not Found
DNS_get_TypeTXT                  - Not Found
DNS_put_metadata                 - Not Found
DNS_put_output                   - Not Found
DNS_resolver                     - Not Found
DNS_strategy                     - Not Found
DNS_strategy_rotate_seconds      - Not Found
DNS_strategy_fail_x              - Not Found
DNS_strategy_fail_seconds        - Not Found

Kristal-g commented 3 years ago

They mention in the advisory: "This file is a 64-bit DLL file identified as a custom Cobalt Strike Beacon Version 4 implant. The configuration file is encoded via an XOR with the key 0x2e and a 16-bit byte swap. The parsed configuration file for the Cobalt Beacon implant is displayed below."

We can't support custom beacons.
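Added example, not code from CobaltStrikeParser or from the CISA report: it models the encoding the advisory describes (XOR with key 0x2e plus a 16-bit byte swap) on constructed fixed-width fields, shows that the jumbled strings in the Actual Output above (EGT, OPTS, j/uqre-y.3.3.2im.nowff2) are exactly the pair-swapped form of the expected values, and undoes the swap before parsing. The fixed-width field layout, the verb-based detection heuristic and the sample strings are assumptions, not the real Beacon TLV format.

```python
# Added example, not CobaltStrikeParser's own code: model the custom config
# encoding the CISA report describes (XOR with key 0x2e plus a 16-bit byte
# swap) and show why a parser that only knows the stock XOR scheme prints
# pair-swapped strings. Field layout and sample strings are constructed.

XOR_KEY = 0x2E                    # stock Beacon config XOR key (per the report)
FIELD_LEN = 32                    # constructed fixed-size, NUL-padded fields
KNOWN_TOKENS = (b"GET", b"POST")  # verbs every HTTP Beacon config carries

def swap16(data: bytes) -> bytes:
    """Swap each pair of adjacent bytes; an odd trailing byte stays put."""
    out = bytearray(data)
    for i in range(0, len(out) - 1, 2):
        out[i], out[i + 1] = out[i + 1], out[i]
    return bytes(out)

def xor_mask(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR; applying it twice restores the input."""
    return bytes(b ^ key for b in data)

def pack_fields(fields: list) -> bytes:
    """Stand-in for the real TLV layout: each value padded to FIELD_LEN."""
    return b"".join(f.ljust(FIELD_LEN, b"\x00") for f in fields)

def unpack_fields(data: bytes) -> list:
    """Mimic a parser that strips NUL padding from each string field."""
    return [data[i:i + FIELD_LEN].replace(b"\x00", b"")
            for i in range(0, len(data), FIELD_LEN)]

def encode_custom(plain: bytes) -> bytes:
    """Constructed encoder following the advisory wording: XOR, then swap."""
    return swap16(xor_mask(plain))

def decode_standard(blob: bytes) -> bytes:
    """Stock XOR-only decoding: leaves the byte swap in place."""
    return xor_mask(blob)

def decode_custom(blob: bytes) -> bytes:
    """Undo swap and XOR; the two commute, so the order is irrelevant."""
    return xor_mask(swap16(blob))

def normalise_config(blob: bytes) -> tuple:
    """Pick the decoding in which the known verbs appear; True if swapped."""
    plain = decode_standard(blob)
    if all(tok in plain for tok in KNOWN_TOKENS):
        return plain, False
    unswapped = decode_custom(blob)
    if all(tok in unswapped for tok in KNOWN_TOKENS):
        return unswapped, True
    return plain, False
```

Feeding the expected strings through encode_custom and then decode_standard reproduces the exact jumbled values from the issue, including the Spawnto paths; normalise_config picks the decoding that yields readable verbs.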

ssnkhan commented 2 years ago

I believe Didier's 1768.py beacon parser is able to parse beacons XOR-encoded with a changing XOR key:

https://blog.didierstevens.com/2021/01/28/update-xorselection-1sc-version-6-0/amp/

Unfortunately, it complains of the file size being too large, but I wondered whether some of the capabilities could be incorporated into this parser. I've tried to understand what is happening in that script, but honestly I got lost looking at the code!