Identifying and Extracting the execute-assembly Reflective DLL
Table of Contents
Introduction
This will be a short one, but what I wanted to do here is grab the component of Cobalt Strike which is responsible for execute-assembly
. The goal here is both for detection, but also to see if Cobalt Strike does anything fancy in their implementation as opposed to the publicly available redos:
Cobalt Strike will infamously use a Fork & Run method when running some/most of its Post Exploitation techniques. Beacon Object Files are the proposed solution to this, but are not the focus of this blog. So, as it is known that Fork & Run will be used, likely some kind of injection is being done to have that CLR load in a remote process. Naturally, I'll go ahead with the assumption that the CLR loaded is from a Reflective DLL.
The dotnet
Before poking at Cobalt Strike, the following dotnet code will be used to keep the forked process alive so it can be debugged effectively:
using System;
namespace dotnet_sleep_debug
{
internal class Program
{
static void Main()
{
while(true)
{
Console.WriteLine("Sleeping!");
System.Threading.Thread.Sleep(3000);
}
}
}
}
If this was to be ran with Cobalt Strike, the spawnto
value will be used to create a process, and inject whatever capability into it:
In this case, RuntimeBroker.exe
is the infected process running the Cobalt Strike beacon, and PresentationHost.exe
is the spawnto
setting.
Searching for the dotnet_sleep_debug
namespace:
Extracting the DLL
I'm not that good at Process Hacker'ing and didn't fancy tracking down the addresses so I moved onto more of a whim search: assembly
. This was immediately more lucrative:
invokeassembly.x64.dll
can be seen within the process. Further on ReflectiveLoader
can also be found:
Googling invokeassembly.x64.dll
results in RastaMouse tweeting about it:
The invokeassembly.x64.dll
string is at 0x1f0936b6a22
, locating this:
A PE can be found pretty easily with the MZ
Header and DOS Message
just hanging out at the base. To save this as a bin
, I just hit Save...
Opening the bin file in PE Studio confirms this is a well-and-true DLL:
To confirm this is the CLR, here is the function in IDA:
I have written about implementing a CLR Reflective DLL before:
Now that I have what I came for, I wanted to check it on VirusTotal before I go through it: ffb43c8c419b934a07f7432c75b834f4068b775991f7f716839fae7594242c1c
Conclusion
Thats it... A quick blog on how I extracted the execute-assembly
Reflective DLL. Looking at the results on VirusTotal, it seems that it was mainly matched on Yara Rules for ReflectiveLoader, specfically: Neo23x0/signature-base/blob/4f0f0ce2c154ca098b3c13f62e44ea383d8b8772/yara/gen_loaders.yar#L14.
Finally, here is the vendor detections:
- Ad-Aware:
Trojan.CobaltStrike.FZ
- ALYac:
Trojan.CobaltStrike.FZ
- Antiy-AVL:
Trojan/Generic.ASMalwS.335E3A5
- Arcabit:
Trojan.CobaltStrike.FZ
- Avast:
Win64:Trojan-gen
- AVG:
Win64:Trojan-gen
- BitDefender:
Trojan.CobaltStrike.FZ
- Cynet:
Malicious (score: 100)
- Elastic:
Malicious (high Confidence)
- Emsisoft:
Trojan.CobaltStrike.FZ (B)
- eScan:
Trojan.CobaltStrike.FZ
- ESET-NOD32:
A Variant Of Win64/HackTool.Inject.B
- FireEye:
Generic.mg.60bc1dce0c63f71f
- GData:
Trojan.CobaltStrike.FZ
- Kaspersky:
HEUR:HackTool.Win32.Inject.heur
- Malwarebytes:
Trojan.CobaltStrike
- MAX:
Malware (ai Score=84)
- Microsoft:
Program:Win32/Uwasson.A!ml
- SecureAge APEX:
Malicious
- SentinelOne (Static ML):
Static AI:
Malicious PE
- Sophos:
Harmony Loader (PUA)
- Zillya:
Tool.Inject.Win64.281