SOC282 - Phishing Alert Escalated to Malware Execution via ZIP Payload
Summary
This investigation began as a Phishing Alert (SOC282 - Deceptive Mail Detected) triggered by a suspicious email sent to a user.
- Initial Analysis: Revealed signs of social engineering using a fake reward ("Free Coffee Voucher") and a typosquatted sender domain.
- Deep Dive: Uncovered a malicious ZIP attachment (free-coffee.zip) and a redirect-based malware delivery chain that ends on AWS S3.
- Critical Finding: Endpoint analysis confirmed that the user downloaded and executed the malware (Coffee.exe), which then spawned cmd.exe, i.e. command execution on the host.
[!CAUTION] This case escalated from a phishing attempt to a confirmed malware execution incident (host compromise).
Alert Overview
- Event ID: 257
- Rule: SOC282 - Phishing Alert - Deceptive Mail Detected
- Severity: Medium, escalated to Critical
- Source Email: free@coffeeshooop.com
- Destination User: Felix@letsdefend.io
- SMTP IP: 103.80.134.63
- Subject: Free Coffee Voucher
- Device Action: Allowed
Email Analysis

Indicators:
- Typosquatted sender domain: coffeeshooop.com
- Social engineering lure: "Free Coffee Voucher"
- Urgency tactic: "Hurry, this offer expires soon"
- Both a malicious link and an attachment included in the same message
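The indicators above can be pulled out of the raw message mechanically rather than by eye. The script below is an added example written for this write-up, not the analyst's or LetsDefend's tooling. RAW_EMAIL is a constructed message that reproduces the fields the report gives (sender free@coffeeshooop.com, recipient Felix@letsdefend.io, SMTP IP 103.80.134.63, subject "Free Coffee Voucher", a free-coffee.zip attachment and the link to download.cyberlearn.academy); the body wording, the Received-header hostnames, the attachment bytes and the WATCHLIST of legitimate domains are invented. The report does not say which brand coffeeshooop.com imitates, so "coffeeshop.com" in WATCHLIST is an assumption used only to show the look-alike check.

```python
"""Triage a raw phishing message for sender domain, originating SMTP IP,
look-alike domain, urgency wording, archive attachments and embedded links.
Added example for this write-up; RAW_EMAIL and WATCHLIST are constructed."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List, Optional

# Assumed: domains the organisation expects mail from or cares about.
WATCHLIST = ["coffeeshop.com", "letsdefend.io"]
URGENCY_PHRASES = ("hurry", "expires soon", "limited time", "act now", "claim now")
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z", ".iso", ".img")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed message; only the fields stated in the report are real.
RAW_EMAIL = """\
Received: from mail.coffeeshooop.com (unknown [103.80.134.63])
  by mx.letsdefend.io with ESMTP for <Felix@letsdefend.io>
From: Free Coffee <free@coffeeshooop.com>
To: Felix@letsdefend.io
Subject: Free Coffee Voucher
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Claim your free coffee voucher today!
Hurry, this offer expires soon: https://download.cyberlearn.academy/...

--b1
Content-Type: application/zip; name="free-coffee.zip"
Content-Disposition: attachment; filename="free-coffee.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAAAAAAA=
--b1--
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike (typosquatted) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(msg: Message) -> str:
    return parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()


def originating_ips(msg: Message) -> List[str]:
    """Bracketed IPs from Received headers, outermost hop first."""
    ips: List[str] = []
    for hdr in msg.get_all("Received", []):
        ips.extend(RECEIVED_IP_RE.findall(hdr))
    return ips


def lookalike_of(domain: str, watchlist: List[str], max_distance: int = 2) -> Optional[str]:
    """Watch-listed domain this one imitates, if any; exact matches are not look-alikes."""
    best = None
    for legit in watchlist:
        d = levenshtein(domain, legit)
        if 0 < d <= max_distance and (best is None or d < best[0]):
            best = (d, legit)
    return best[1] if best else None


def text_body(msg: Message) -> str:
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def attachments(msg: Message) -> List[str]:
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def triage(raw: str) -> Dict:
    msg = message_from_string(raw)
    body = text_body(msg)
    domain = sender_domain(msg)
    lookalike = lookalike_of(domain, WATCHLIST)
    archives = [a for a in attachments(msg) if a.lower().endswith(ARCHIVE_EXTENSIONS)]
    haystack = (msg.get("Subject", "") + "\n" + body).lower()
    urgency = [p for p in URGENCY_PHRASES if p in haystack]
    urls = URL_RE.findall(body)
    # Weighted score: look-alike sender and archive attachment dominate.
    score = (3 if lookalike else 0) + (2 if archives else 0) + (1 if urgency else 0) + (1 if urls and archives else 0)
    verdict = "escalate" if score >= 5 else "review" if score >= 2 else "benign"
    return {"sender_domain": domain, "smtp_ips": originating_ips(msg), "lookalike": lookalike,
            "archive_attachments": archives, "urgency_hits": urgency, "urls": urls,
            "score": score, "verdict": verdict}


if __name__ == "__main__":
    for k, v in triage(RAW_EMAIL).items():
        print(f"{k}: {v}")
```

The look-alike check is deliberately narrow (edit distance 2 or less against a short list) so that it flags coffeeshooop.com without producing noise; a production version would add homoglyph normalisation and check the Received chain against the sending domain's MX and SPF records.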
Attachment Analysis

File Name: free-coffee.zip
Risk:
- ZIP wrapper used to get an executable past attachment filtering in the email security controls.
- Likely contains an executable payload (confirmed below as Coffee.exe).
URL & Redirect Analysis
https://download.cyberlearn.academy/...
Redirects to: AWS S3, serving free-coffee.zip
Findings:
- Redirect chain used to evade detection: the email only carries the first-hop domain, not the payload host.
- AWS S3 abused for payload hosting, a trusted cloud domain that is unlikely to be blocked outright.
- Staged malware delivery: lure domain first, payload host second.
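When documenting a chain like this one it is worth recording every hop and its status code without ever pulling the payload body. The following is an added example for this write-up, not the analyst's tooling: walk_redirects() takes a fetch callable so it can run offline against the constructed responses below, or against live infrastructure from an isolated analysis host via live_fetcher(). The bucket name "example-bucket" is an assumption (the report only says the final hop is AWS S3 serving free-coffee.zip), and the first-hop path is left as the "..." the report shows.

```python
"""Enumerate an HTTP redirect chain hop by hop, flagging cloud object-storage
hosts and payload-like final objects, without downloading the body.
Added example for this write-up; CONSTRUCTED_RESPONSES are not captured data."""
import http.client
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlparse

# Virtual-hosted and path-style S3 endpoints, with or without a region label.
S3_HOST_RE = re.compile(r"(^|\.)s3([.-][a-z0-9-]+)?\.amazonaws\.com$", re.IGNORECASE)
PAYLOAD_EXT_RE = re.compile(r"\.(zip|rar|7z|iso|img|exe|scr|js|vbs|lnk|msi)$", re.IGNORECASE)

# A fetcher returns (status, headers) for one URL and must not read the body.
Fetcher = Callable[[str], Tuple[int, Dict[str, str]]]


@dataclass
class Hop:
    url: str
    status: int
    location: Optional[str]
    is_s3: bool
    content_type: Optional[str]


@dataclass
class ChainResult:
    hops: List[Hop] = field(default_factory=list)
    final_url: Optional[str] = None
    flags: List[str] = field(default_factory=list)
    aborted: bool = False  # redirect loop or hop limit


def walk_redirects(start_url: str, fetch: Fetcher, max_hops: int = 10) -> ChainResult:
    result = ChainResult()
    seen = set()
    url = start_url
    while len(result.hops) < max_hops:
        if url in seen:
            result.aborted = True
            result.flags.append("redirect loop")
            return result
        seen.add(url)
        status, headers = fetch(url)
        hdrs = {k.lower(): v for k, v in headers.items()}
        host = urlparse(url).hostname or ""
        hop = Hop(url, status, hdrs.get("location"), bool(S3_HOST_RE.search(host)), hdrs.get("content-type"))
        result.hops.append(hop)
        if hop.is_s3:
            result.flags.append(f"AWS S3 host in chain: {host}")
        if 300 <= status < 400 and hop.location:
            url = urljoin(url, hop.location)  # Location may be relative
            continue
        result.final_url = url
        break
    else:
        result.aborted = True
        result.flags.append(f"gave up after {max_hops} hops")
        return result
    name = urlparse(result.final_url).path.rsplit("/", 1)[-1]
    if PAYLOAD_EXT_RE.search(name):
        result.flags.append(f"final object is a payload type: {name}")
    if len(result.hops) > 1 and result.hops[-1].is_s3 and not result.hops[0].is_s3:
        result.flags.append("redirect chain ends in cloud object storage")
    return result


def live_fetcher(url: str, timeout: float = 10.0) -> Tuple[int, Dict[str, str]]:
    """Standard-library fetch that reads headers only. Run this only from an
    isolated analysis box: it contacts the attacker's infrastructure."""
    p = urlparse(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.hostname, p.port, timeout=timeout)
    path = (p.path or "/") + (f"?{p.query}" if p.query else "")
    # GET rather than HEAD: redirectors often answer HEAD differently; the body is never read.
    conn.request("GET", path, headers={"User-Agent": "Mozilla/5.0"})
    resp = conn.getresponse()
    headers = dict(resp.getheaders())
    conn.close()
    return resp.status, headers


# Constructed responses mirroring the chain in the report (bucket name assumed).
CONSTRUCTED_RESPONSES = {
    "https://download.cyberlearn.academy/...": (
        302, {"Location": "https://example-bucket.s3.amazonaws.com/free-coffee.zip"}),
    "https://example-bucket.s3.amazonaws.com/free-coffee.zip": (
        200, {"Content-Type": "application/zip", "Content-Length": "2048"}),
}


def offline_fetcher(url: str) -> Tuple[int, Dict[str, str]]:
    return CONSTRUCTED_RESPONSES[url]


if __name__ == "__main__":
    chain = walk_redirects("https://download.cyberlearn.academy/...", offline_fetcher)
    for hop in chain.hops:
        print(f"{hop.status} {hop.url} {'[S3]' if hop.is_s3 else ''} -> {hop.location or ''}")
    print("flags:", chain.flags)
```

Swap offline_fetcher for live_fetcher to walk a real chain; the loop and hop-limit guards matter there because lure domains sometimes bounce analysis traffic between hops indefinitely.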
VirusTotal Analysis
- Results: 12 of 95 vendors flagged the sample as malicious.
- Classified as: Malware / Phishing.
- A low detection ratio does not clear a sample; the endpoint evidence below is what decides the verdict.
Endpoint Process Analysis (CRITICAL EVIDENCE)

Findings:
- File executed: C:\Users\Felix\Downloads\Coffee.exe
- Parent process: explorer.exe
- User Action: A parent of explorer.exe indicates the user launched the file manually (double-click), not a scripted or scheduled start.
Malicious Behavior Observed:
Process spawned: cmd.exe
Execution chain:
explorer.exe -> Coffee.exe -> cmd.exe (Confirmed Command Execution)
Additional Details:
- Process ID: 6697
- User: Felix
- SHA256: CD903AD2211CF7D166646D75E57FB866000F4A3B870B5EC759929BE2FD81D334
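The execution chain above is the kind of pattern that should be caught from process-creation telemetry rather than found by hand. The script below is an added example for this write-up, not the analyst's or LetsDefend's code. EVENTS and NET_EVENTS are constructed records in the shape of Sysmon process-creation and network-connection data, reproducing what the report states: host 172.16.20.151, user Felix, Coffee.exe as PID 6697 with its SHA256, parent explorer.exe, child cmd.exe, and the listed C2 address 37.120.233.226. The other PIDs and the benign cmd.exe are invented, and because the report does not record which commands cmd.exe ran, no command lines are shown.

```python
"""Rebuild process ancestry and flag explorer.exe -> <Downloads>\\*.exe -> cmd.exe,
plus hash and destination-IP IOC hits. Added example for this write-up;
EVENTS and NET_EVENTS are constructed records, not captured telemetry."""
from dataclasses import dataclass
from typing import Dict, List

IOC_SHA256 = {"cd903ad2211cf7d166646d75e57fb866000f4a3b870b5ec759929be2fd81d334"}
IOC_IPS = {"37.120.233.226", "103.80.134.63", "172.67.166.172"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_LAUNCHERS = {"explorer.exe"}  # parent that implies a manual double-click


@dataclass
class ProcEvent:
    host: str
    pid: int
    ppid: int
    image: str
    user: str
    sha256: str = ""


@dataclass
class NetEvent:
    host: str
    pid: int
    dst_ip: str


@dataclass
class Finding:
    severity: str
    host: str
    pid: int
    reason: str
    chain: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def in_user_downloads(path: str) -> bool:
    p = path.lower()
    return "\\users\\" in p and "\\downloads\\" in p


def ancestry(by_pid: Dict[int, ProcEvent], pid: int, max_depth: int = 32) -> List[ProcEvent]:
    """Root-first chain for pid; stops at an unknown parent or a PID cycle."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen and len(chain) < max_depth:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain[::-1]


def fmt_chain(chain: List[ProcEvent]) -> str:
    return " -> ".join(basename(e.image) for e in chain)


def analyze(events: List[ProcEvent], net_events: List[NetEvent] = ()) -> List[Finding]:
    # PIDs are recycled on real hosts; key on (host, pid, start time) in production.
    by_pid = {e.pid: e for e in events}
    findings: List[Finding] = []
    for e in events:
        if e.sha256.lower() in IOC_SHA256:
            findings.append(Finding("critical", e.host, e.pid,
                                    f"known-bad SHA256 for {basename(e.image)}",
                                    fmt_chain(ancestry(by_pid, e.pid))))
        if basename(e.image).lower() in SHELLS:
            parent = by_pid.get(e.ppid)
            if parent is not None and in_user_downloads(parent.image):
                grand = by_pid.get(parent.ppid)
                manual = grand is not None and basename(grand.image).lower() in USER_LAUNCHERS
                reason = f"{basename(e.image)} spawned by {basename(parent.image)} from a Downloads folder"
                if manual:
                    reason += " launched from explorer.exe (user double-click)"
                findings.append(Finding("critical" if manual else "high", e.host, e.pid,
                                        reason, fmt_chain(ancestry(by_pid, e.pid))))
    for n in net_events:
        if n.dst_ip in IOC_IPS:
            findings.append(Finding("critical", n.host, n.pid,
                                    f"connection to IOC address {n.dst_ip}",
                                    fmt_chain(ancestry(by_pid, n.pid))))
    return findings


HOST = "172.16.20.151"
EVENTS = [  # constructed; only PID 6697, the images, user and hash come from the report
    ProcEvent(HOST, 1234, 800, r"C:\Windows\explorer.exe", "Felix"),
    ProcEvent(HOST, 6697, 1234, r"C:\Users\Felix\Downloads\Coffee.exe", "Felix",
              "CD903AD2211CF7D166646D75E57FB866000F4A3B870B5EC759929BE2FD81D334"),
    ProcEvent(HOST, 7012, 6697, r"C:\Windows\System32\cmd.exe", "Felix"),
    # benign noise: a prompt opened from the taskbar has explorer.exe as parent, not a Downloads binary
    ProcEvent(HOST, 4100, 1234, r"C:\Windows\System32\cmd.exe", "Felix"),
]
NET_EVENTS = [NetEvent(HOST, 6697, "37.120.233.226")]  # constructed: Coffee.exe reaching the listed C2 address

if __name__ == "__main__":
    for f in analyze(EVENTS, NET_EVENTS):
        print(f"[{f.severity}] {f.host} pid={f.pid}: {f.reason} | {f.chain}")
```

The benign cmd.exe (PID 4100) is there on purpose: a shell whose parent is explorer.exe is everyday activity, and the rule only fires when the parent itself is an executable living under a user's Downloads folder. The hash and IP checks are independent of the chain logic, so the same IOCs can be swept across every host's telemetry.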
Full Attack Chain
- Phishing email received.
- User clicks the link / downloads the ZIP.
- User extracts free-coffee.zip.
- User executes Coffee.exe.
- Malware spawns cmd.exe.
- System compromise achieved.
Artifacts Identified
| Type | Value | Description |
|---|---|---|
| URL | https://download.cyberlearn.academy | Malicious redirect URL |
| IP Address | 103.80.134.63 | SMTP server |
| IP Address | 172.67.166.172 | Hosting infrastructure |
| IP Address | 37.120.233.226 | C2 IP Address |
| IP Address | 172.16.20.151 | Felix Host IP Address (Affected Host) |
| File | Coffee.exe | Malicious payload |
| Hash | CD903AD2...1D334 | SHA256 file hash |
Investigation Findings
| Category | Result |
|---|---|
| Phishing Email | Confirmed |
| Malicious Attachment | Confirmed |
| Malicious URL | Confirmed |
| File Download | Confirmed |
| File Execution | Confirmed |
| Command Execution | Confirmed |
| Host Compromise | Confirmed |
Final Verdict
- Attack Type: Phishing + Malware Execution
- Technique: Social Engineering + Payload Execution
- Payload: Malicious EXE (Coffee.exe)
- Impact: Host Compromise
- Alert Classification: True Positive
- Severity: Critical
MITRE ATT&CK Mapping
| Tactic | ID | Technique | Description |
|---|---|---|---|
| Initial Access | T1566.002 | Phishing: Spearphishing Link | Phishing lure containing a malicious link to download.cyberlearn.academy. |
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment | The same email carried free-coffee.zip directly as an attachment. |
| Execution | T1204.002 | User Execution: Malicious File | Victim manually downloaded, extracted, and executed Coffee.exe. |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Coffee.exe spawned cmd.exe to execute commands. |
| Resource Development | T1608.001 | Stage Capabilities: Upload Malware | free-coffee.zip staged on AWS S3 behind a redirect chain. T1105 (Ingress Tool Transfer) does not fit here, since that technique covers files pulled into an environment after access is gained, not the initial phishing delivery. |
| Resource Development | T1583.001 | Acquire Infrastructure: Domains | Typosquatted sender domain coffeeshooop.com registered to make the "Free Coffee" lure appear legitimate (T1036 Masquerading concerns file and process names, not lure domains). |
Incident Response Actions
- Isolation: Endpoint 172.16.20.151 identified as compromised; immediate network isolation recommended.
- Process Kill: Terminate Coffee.exe (PID 6697) and the cmd.exe it spawned; the execution has been confirmed and documented.
- IOC Logging: The redirect URL, sender domain, SMTP/hosting/C2 IP addresses and the Coffee.exe SHA256 added to blocklists.
- Remediation: Full threat eradication and re-imaging of the host required. The commands run through cmd.exe are not captured in this alert, so persistence or credential theft cannot be ruled out from the alert data alone.
Analyst Notes
The alert was triggered by a phishing email containing a malicious attachment and an embedded download link. The sender domain (coffeeshooop.com) was identified as a typosquatting domain.
Endpoint investigation confirmed that the user downloaded and executed the file (Coffee.exe), which subsequently spawned cmd.exe. This confirms successful malware execution and system compromise. The alert is classified as a True Positive and escalated to Critical severity.
[!ATTENTION] Please type in the analyst note manually; copy-pasting this section in its entirety may leave you unable to close this alert.
Conclusion
This case demonstrates a full attack lifecycle, highlighting the effectiveness of combining social engineering with cloud infrastructure abuse (AWS S3). Immediate response and containment are critical to prevent further lateral movement within the network.