Add Comment

Close Issue

Exploitation + C2

High

2018/02/23 11:28 ID 19828381283 SN Ticket 3429929394 - OPEN

March 3, 2018

3 hours

15:03:18

File Downloaded

SHA-256: 39ad98e44ff3bfe58f4658213defa6789c599af32a5b2e71b689fe5367e2472a

From URL http://naturalpetfood.com

23 min

09:11:35

An executable was allowed to run

SHA-256: 39ad98e44ff3bfe58f4658213defa6789c599af32a5b2e71b689fe5367e2472a

Malware

Emotet

09:34:19

C2 traffic detected

To 54.227.38.29

Source	File Name	URL	Activity	Action
Firewall	78200.exe	http://myoneid.site90.com/	Download	Allow	Add
Traps	78200.exe		Run	Allow	Add
Traps	78200.exe		Run	Block	Add

View in Log Viewer

Sylvia Poggioli

Manager, Channel Sales

Santa Clara, CA

(o650) 123-4567

spoggioli@paloaltonetworks.com

Apple MacBook Air

macOS High Sierra, 64bit

OS version 10.13.3

Traps: Active (v 5.0.0.803)

Owned by Sylvia Poggioli

HTTP Requests

	Host	Method	URL	User Agent	In ENvironment
145	54.227.38.29	POST	/	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; .NET4.0C; .NET4.0E; InfoPath.3)
134	93.42.184.106	POST	/	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; .NET4.0C; .NET4.0E; InfoPath.3)	1
60	52.4.64.240	POST	/	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; .NET4.0C; .NET4.0E; InfoPath.3)
43	119.59.124.163	POST	/	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; .NET4.0C; .NET4.0E; InfoPath.3)	3
28	91.217.66.130	POST	/	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; .NET4.0C; .NET4.0E; InfoPath.3)
4	lapsurgerymos.com	GET	/XnGB/

	Filename/Hash	Type	URL	Size (KB)	WildFire Verdict	# in Logs
	invoice.doc 4fb319211b2e85cace04e8936100f024	DOC	random-url.com	19,287	Malware	4

Alert Source	Description	Severity	Fidelity	Notes	Count
Firewall	C2 traffic detected	5		(Rule has a high FP rate, traffic isn't corroborated by other sources, maybe there are instances of the same C2 traffic before the file was downloaded?)	1.2K
Traps	Post detection alert	4		(Rule has a low FP rate, WF verdict correlates with VirusTotal and autofocus)	1

Time	Source	Destination	Lorem Ipsum	Lorem Ipsum	Lorem Ipsum	Lorem Ipsum	Lorem Ipsum

SHA256	4cd8c536449ee9a21e18d51678a5cdf088e2e656a8b9f3f729634d102ad180ab
SHA1	a8d36f88ea3223797104fd61781e2b1ce7c19e1e

Presence

Signed By

Alerts

Alerts

Presence

File

URL

Exploitation + C2

URL

WildFire Verdict	Malware
AutoFocus Tags	NotPetya
VirusTotal	16/60

SHAA-256	39ad98e44ff3bfe58f4658213defa6789c599af32a5b2e71b689fe5367e2472a


Name	78200.exe

WildFire	Malware
AutoFocus	NotPetya
VirusTotal	16/60
Signed By	Lorem Ipsum

Found	2018/02/23 11:28
Priority	High
Risk Area	Malware
ID	423984723987
Links	SN Ticket 3429929394 - OPEN

	Alert	Date