Score: 100%
Playbook Success Rate: 100%
Investigation Time:
SOC Alert Details
SEVERITY | DATE | RULE NAME | EVENTID | TYPE
---|---|---|---|---
High | May 29, 2023, 01:01 PM | SOC202 - FakeGPT Malicious Chrome Extension | 153 | Data Leakage

EventID: 153
Event Time: May 29, 2023, 01:01 PM
Rule: SOC202 - FakeGPT Malicious Chrome Extension
Level: Security Analyst
Hostname: Samuel
IP Address: 172.16.17.173
File Name: hacfaophiklaeolhnmckojjjjbnappen.crx
File Path: C:\Users\LetsDefend\Download\hacfaophiklaeolhnmckojjjjbnappen.crx
File Hash: 7421f9abe5e618a0d517861f4709df53292a5f137053a227bfb4eb8e152a4669
Command Line: chrome.exe --single-argument C:\Users\LetsDefend\Download\hacfaophiklaeolhnmckojjjjbnappen.crx
Trigger Reason: Suspicious extension added to the browser.
Device Action: Allowed
Playbook Answers
Question: Check If Someone Requested the C2
User answer: Accessed
Question: Analyze Malware
User answer: Malicious
Question: Check if the malware is quarantined/cleaned
User answer: Not Quarantined
Playbook Note
On May 29, 2023, at 01:01 PM, the LetsDefend.io SIEM detected a potential security incident on the endpoint "Samuel" (IP: 172[.]16.17.173) involving a suspicious Chrome extension file named "hacfaophiklaeolhnmckojjjjbnappen.crx" (file hash: 7421f9abe5e618a0d517861f4709df53292a5f137053a227bfb4eb8e152a4669) located in the Downloads folder. The extension was executed via a single-argument command using chrome.exe, and its addition triggered alert SOC202 for a FakeGPT Malicious Chrome Extension, indicating that the extension may be designed to inject malicious behavior into the browser. Further investigation revealed connections to the external domains version[.]chatgpt4google.workers.dev (IP addresses 104[.]21.63.166 and 172[.]67.147.243) and chatgptforgoogle[.]pro (IP addresses 52[.]76.101.124, 3[.]1.17.18, and 18[.]140.6.45), suggesting potential communication with malicious infrastructure.
Extracted Artifacts
Value | Comment | Type
---|---|---
version[.]chatgpt4google.workers.dev | Server URL | E-mail Domain
chatgptforgoogle[.]pro | Malicious Extension | E-mail Domain
52[.]76.101.124 | Malicious IP Extension | IP Address
3[.]1.17.18 | Malicious IP Extension | IP Address
18[.]140.6.45 | Malicious IP Extension | IP Address
172[.]67.147.243 | Malicious IP Server | IP Address
104[.]21.63.166 | Malicious IP Server | IP Address
9cc6c26bd215549c39ba5b65e9eec9ea | Malicious MD5 HASH | MD5 Hash
172.16.17.173 | Victim IP | IP Address
7421f9abe5e618a0d517861f4709df53292a5f137053a227bfb4eb8e152a4669 | File Hash | MD5 Hash
Alert Answers
Question: Is this alert True Positive or False Positive?
User answer:
Alert Note
On May 29, 2023, at 01:01 PM, the LetsDefend.io SIEM detected a potential security incident on the endpoint "Samuel" (IP: 172[.]16.17.173) involving a suspicious Chrome extension file named "hacfaophiklaeolhnmckojjjjbnappen.crx" (file hash: 7421f9abe5e618a0d517861f4709df53292a5f137053a227bfb4eb8e152a4669) located in the Downloads folder. The extension was executed via a single-argument command using chrome.exe, and its addition triggered alert SOC202 for a FakeGPT Malicious Chrome Extension, indicating that the extension may be designed to inject malicious behavior into the browser. Further investigation revealed connections to the external domains version[.]chatgpt4google.workers.dev (IP addresses 104[.]21.63.166 and 172[.]67.147.243) and chatgptforgoogle[.]pro (IP addresses 52[.]76.101.124, 3[.]1.17.18, and 18[.]140.6.45), suggesting potential communication with malicious infrastructure.