File name:

jsp

Full analysis: https://app.any.run/tasks/3f95eea9-b139-4b39-bd1e-3eff137593be
Verdict: Malicious activity
Threats:

Cobalt Strike is a legitimate penetration software toolkit developed by Forta. But its cracked versions are widely adopted by bad actors, who use it as a C2 system of choice for targeted attacks.

Malware Trends Tracker     >>>
Analysis date: April 04, 2025, 10:45:02
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
cobaltstrike
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 6 sections
MD5:

7805A6416D1FBB8B50648728081667CE

SHA1:

E460F2F1F53508627626AC3A2F6AB442D5A742CB

SHA256:

9AC98C1F6D4E41B891737064D0EEEDD7AA41DD75DF6CC0BD77889795E348C0FD

SSDEEP:

192:hvsgn0ql1km+Qo8WiIMS9odDl0j88upcanHXFRqas5gAT2af/e3Q5tfDJdlG:hBnl88ZIMS9okocaHXt3gG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • COBALTSTRIKE has been detected (YARA)

      • jsp.exe (PID: 4164)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • jsp.exe (PID: 4164)

    • Connects to unusual port

      • jsp.exe (PID: 4164)

  • INFO

    • Reads the computer name

      • jsp.exe (PID: 4164)

    • Checks supported languages

      • jsp.exe (PID: 4164)

    • Checks proxy server information

      • jsp.exe (PID: 4164)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

CobalStrike

(PID) Process(4164) jsp.exe
C2192.168.152.128:4545/Ys9X
HeadersUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:04:04 08:21:37+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.42
CodeSize: 6144
InitializedDataSize: 10240
UninitializedDataSize: -
EntryPoint: 0x1a40
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
135
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #COBALTSTRIKE jsp.exe conhost.exe no specs sppextcomobj.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
4164"C:\Users\admin\AppData\Local\Temp\jsp.exe" C:\Users\admin\AppData\Local\Temp\jsp.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\jsp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\wininet.dll
CobalStrike
(PID) Process(4164) jsp.exe
C2192.168.152.128:4545/Ys9X
HeadersUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
5960\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exejsp.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7376C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
7408"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exeSppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
493
Read events
493
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
22
DNS requests
11
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7944
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.53.41.90:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7944
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4436
RUXIMICS.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
2104
svchost.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:138
whitelisted
5496
MoUsoCoreWorker.exe
23.53.41.90:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4164
jsp.exe
192.168.152.128:4545
unknown
3216
svchost.exe
20.7.2.167:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6544
svchost.exe
40.126.31.67:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.23.110
whitelisted
crl.microsoft.com
  • 23.53.41.90
  • 23.53.40.200
  • 23.53.40.201
whitelisted
client.wns.windows.com
  • 20.7.2.167
whitelisted
login.live.com
  • 40.126.31.67
  • 20.190.159.128
  • 20.190.159.23
  • 40.126.31.0
  • 40.126.31.71
  • 20.190.159.68
  • 20.190.159.129
  • 40.126.31.130
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted

Threats

No threats detected
No debug info