Write UP SOC — 101 Phsing Email Detected - Lets Defend

1 minute read

Published: May 16, 2022

SOC — 101 Phsing Email Detected is a blue team challenge available on https://app.letsdefend.io/

Our first step goes to the “Monitoring” section. focus on the soc101- Phishing Detected section.

the details of the alerts that we have to analyze

After knowing the details of the alert, enter the investigation section

click playbook to start investigation

The investigative alert stage is divided into 3 points

Detect

Parse email

Checking email, is there an attached URL in the email?

Analysis

Email Url Analysis

Add notes / important points

Delete Email if indicated phishing

Conclusion

Step 1 - Detect

Parse Email

When was it sent ?

What is the email’s SMTP address?

146.56.195.192

What is the sender address?

Lethuyan852@gmail.com

What is the recipient address?

mark@letsdefend.io

Cheking email, is there an attached URL in the email?

yes

Step 2 - Analysis

Is the mail content suspicious?

on the attached link, I tried to analyze through several tools

Virus Totals :

judging by the total viral results, the links generally read clean

Analysis Using Joe Sandbox

The URL indicates trojan activity

Important Points

Link url : http://nuangaybantiep.xyz/

Gmail : Lethuyan852@gmail.com

C2 : 146.56.195.192

Deleted Email

because the email is phishing, the best advice is to delete it via mailbox

Step 3- Conclusion

The email contains a malicious link. The email is actually indicated as phishing. the link is involved in trojan activity

Share on

Twitter Facebook LinkedIn

Abdi Bimantara

Write UP SOC — 101 Phsing Email Detected - Lets Defend

Detect

Analysis

Conclusion

Step 1 - Detect

Step 2 - Analysis

Important Points

Deleted Email

Step 3- Conclusion

Share on

You May Also Enjoy

Investigate of Email Harassment

Mengenal Lumma Stealer: Malware Pencuri Data yang Kian Canggih

Endpoint forensic with memory dumps on windows os

Outbound connection - OpenWire Cyberdefender Lab