We start by locating the flagged email in the Email Security module. The message originated from a suspicious domain (coffeeshooop.com) and targets an internal user (Felix).
Cross-referencing with Log Management, we confirm the IP flow:
– Source IP: 103.80.134[.]63
– Destination IP: 172.16.20[.]3
The source IP is confirmed malicious on:
At this point, the email is highly suspicious — likely phishing with a malicious attachment.
We isolate and analyze the attachment using a Windows sandbox.
Steps:
1. Click Connect Issue to obtain access credentials.
2. RDP into the sandbox.
3. Download the zip attachment:
59cbd215-76ea-434d-93ca-4d6aec3bac98-free-coffee.zip
4. Extract the PE from the archive: coffee.exe
Static/dynamic analysis reveals:
– Malware: Backdoor.Marte.VenomRAT
We pivot back to Log Management to track internal activity:
– File download confirmed to Felix’s host (172.16.17.151) from 3.5.129.143
– Browser history shows direct access to the infected file (12:59 PM)
– Network connections include several endpoints flagged as malicious C2 infrastructure, among them 37.120.233[.]226
Process tree reveals:
explorer.exe → coffee.exe → cmd.exe → multiple child processes
Terminal history displays typical RAT behaviour: system enumeration. The RAT is mapping out the host to decide what to do next.
Short breakdown of the reconnaissance commands:
– systeminfo and hostname
– wmic logicaldisk get…
– net user
– tasklist /svc
– ipconfig /all
– route print
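A detection a SOC analyst could run over process-creation telemetry to catch this pattern, written as an added example rather than code from the original write-up: it flags a parent process whose children cover several distinct enumeration categories within a short window and prints that parent's ancestry. The log layout, PIDs and timestamps are constructed to mirror the explorer.exe → coffee.exe → cmd.exe chain and the commands listed above.

```python
"""Added example (not from the write-up): flag a burst of host-enumeration
commands spawned by one parent process and report that parent's ancestry.
All PIDs, timestamps and command lines below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
RECON = {"systeminfo": "host", "hostname": "host", "wmic": "disk", "net": "accounts",
         "tasklist": "processes", "ipconfig": "network", "route": "network"}  # token -> category

# Constructed process-creation events: (time, pid, ppid, image, command line).
EVENTS = [
    ("2024-05-13 12:59:10", 4012, 3300, "explorer.exe", "explorer.exe"),
    ("2024-05-13 12:59:20", 5120, 4012, "coffee.exe", "coffee.exe"),
    ("2024-05-13 12:59:25", 5200, 5120, "cmd.exe", "cmd.exe"),
    ("2024-05-13 13:00:01", 5210, 5200, "systeminfo.exe", "systeminfo"),
    ("2024-05-13 13:00:02", 5211, 5200, "HOSTNAME.EXE", "hostname"),
    ("2024-05-13 13:00:05", 5212, 5200, "WMIC.exe", "wmic logicaldisk get caption"),
    ("2024-05-13 13:00:09", 5213, 5200, "net.exe", "net user"),
    ("2024-05-13 13:00:14", 5214, 5200, "tasklist.exe", "tasklist /svc"),
    ("2024-05-13 13:00:20", 5215, 5200, "ipconfig.exe", "ipconfig /all"),
    ("2024-05-13 13:00:26", 5216, 5200, "ROUTE.EXE", "route print"),
    ("2024-05-13 13:05:00", 6001, 4012, "cmd.exe", "cmd.exe"),  # admin's own shell
    ("2024-05-13 13:05:03", 6002, 6001, "ipconfig.exe", "ipconfig /all"),  # benign
]

def ancestry(pid, by_pid):
    """Walk ppid links upward and return the image chain root -> pid."""
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid][3])
        pid = by_pid[pid][2]
    return " -> ".join(reversed(chain))

def detect_recon_burst(events, window=timedelta(minutes=2), min_categories=4):
    """Parents whose children hit >= min_categories categories within one window."""
    by_pid = {e[1]: e for e in events}
    hits = defaultdict(list)                       # ppid -> [(time, category)]
    for ts, _pid, ppid, _image, cmdline in events:
        cat = RECON.get(cmdline.split()[0].lower())
        if cat:
            hits[ppid].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), cat))
    alerts = []
    for ppid, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            cats = {c for t, c in seen[i:] if t - start <= window}
            if len(cats) >= min_categories:
                alerts.append((ppid, ancestry(ppid, by_pid), sorted(cats)))
                break                              # one alert per parent
    return alerts
```

The lone `ipconfig /all` from the admin's shell stays below the category threshold, which is what keeps a single troubleshooting command from paging the on-call analyst.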
EventID: 257 – [SOC282 – Phishing Alert – Deceptive Mail Detected]
Exchange
On May 13, 2024, at 09:22 AM, the alert “SOC282 – Phishing Alert: Deceptive Mail Detected” was triggered.
A phishing email was sent from:
The message included:
At 12:59 PM, user Felix downloaded and executed the file on host 172.16.17.151.
At 13:00, terminal history showed classic post-compromise activity: