banner
毅种循环

毅种循环

请将那贻笑罪过以逐字吟咏 如对冰川投以游丝般倾诉

Trace a phishing email

0X01#

Received a customer notification, found a suspected phishing email, and requested assessment and tracing.
The email is roughly as follows:
image.png

0X02#

After changing the compressed file to EML and opening the file, the contents of the compressed file are as follows:
image.png
PS: The initial state of the index.exe in this case is index.sc. In order to facilitate analysis, the original suffix has been changed here. The most important executable file is index.exe, which is used to launch the html file through this exe.

At the beginning, I didn't understand the intention. As we all know, the PE header of an executable file under the Windows system is as follows:
image.png
If you open it directly, the status is as follows:
ef042dd71bf6eb97651b44697e64398.png

There is something that confuses me here. The .sc file inside is in EXE format, but it will not be executed as an exe by default under Windows GUI. Only console will be executed as EXE.
But for phishing, it definitely needs to be triggered in GUI mode, and here is this kind of writing.
The intention is probably that there is something else to start this file, or it is a mistake...

企业微信截图_17109141659656.png
Start the indexrcs.html in the same directory
企业微信截图_1710914319440.png
But the html file in the directory is called index, which does not match the name of the file in the folder.
It seems that the attacker made a mistake.
And both WeiBu and VirusTotal are all green. Here is a picture:
image.png

The anti-virtual machine is also well done. It detects the files in your temp directory. If there are fewer files, it will not execute.
There are hundreds of files in the temp directory of a normal physical machine, and the virtual machine is relatively clean.

The overall behavior is to open the index.html file in the same path, which is a normal scan report, and then execute the shellcode, CS Trojan, C2 address: 207.XXX.XXX.XXX.

0X03#

After obtaining the IP, you can try to trace it and collect intelligence on the IP.
image.png
Fortunately, I found that a historical resolution is a CN domain name.
image.png
By querying the whois information, the registrant's email information and personal name can be obtained.
image.png
By associating the email with historical information, the following results can be obtained:
Name: xx Xin
Email: ***[email protected]
ID card number: 440********16
Phone number: 176
*** 113

So how to determine if the IP is the real attacker?
As mentioned above, you can query which data center the IP segment belongs to. By querying the IP, it is found that the corresponding service provider is Vultr.
By obtaining the registration account information of Vultr, the result is obtained:
image.png

It can be confirmed that the phishing email/malicious IP/domain name/person has all the necessary elements for high-intensity association.

At the same time, intelligence was obtained from a PDF file. It was determined that the employee is a member of the information department of a certain group.
image.png

Thanks again to my colleague for providing me with the virus analysis process.
END.

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.