TryHackMe Walkthrough – Phishing Analysis Tools

Task 1: Introduction

Question 1: No answer needed

Task 2: What information should we collect?

Question 1: No answer needed

Task 3: Email header analysis

Question 1: What is the official site name of the bank that capitai-one.com tried to resemble?

This should be self-explanatory; Google Capital One to see what their real domain is.

Answer: capitalone.com

Task 4: Email body analysis

Question 1: How can you manually get the location of a hyperlink?

The answer is in the third line of text in the reading.

Below is an example of obtaining a link manually from an email by right-clicking the link and choosing Copy Link Location.

Answer: copy link location

Task 5: Malware Sandbox

Question 1: No answer needed

Task 6: PhishTool

Question 1: Look at the Strings output. What is the name of the EXE file?

Look in the above reading for a file ending in .exe.

Answer: #454326_PDF.exe

Task 7: Phishing Case 1

Start the machine.

Question 1: What brand was this email tailored to impersonate?

I opened the email in Thunderbird, which is available on the VM. At the bottom of the email it says Netflix.

Answer: netflix

Question 2: What is the From email address?

This shows up in the From section.

Answer: JGQ47wazXe1xYVBrkeDg-JOg7ODDQwWdR@JOg7ODDQwWdR-yVkCaBkTNp.gogolecloud.com

Question 3: What is the originating IP? Defang the IP address. 

In Thunderbird, click More, then View Source. Then look for the originating IP. Defang the IP using CyberChef.

Answer: 209[.]85[.]167[.]226

Question 4: From what you can gather, what do you think will be a domain of interest? Defang the domain.

This is the return path domain. You will need to defang it with CyberChef.

Answer: etekno[.]xyz

Question 5: What is the shortened URL? Defang the URL.

This is asking for the CTA (call-to-action) link. That's the Update Account Now link. Don't click on it; just right-click to copy the link location, then paste it into CyberChef to defang it.

Answer: hxxps[://]t[.]co/yuxfZm8KPg?amp=1

Task 8: Phishing Case 2

Question 1: What does AnyRun classify this email as?

The answer is at the top of this section of the webpage in orange.

Answer: suspicious activity

Question 2: What is the name of the PDF file?

The name is captured in the screenshot above and underlined.

Answer: Payment-updateid.pdf

Question 3: What is the SHA 256 hash for the PDF file?

Click on the underlined Payment-updateid.pdf and an overlay comes up where you can copy the SHA256.

Answer: cc6f1a04b10bcb168aeec8d870b97bd7c20fc161e8310b5bce1af8ed420e2c24

Question 4: What two IP addresses are classified as malicious? Defang the IP addresses. (answer: IP_ADDR,IP_ADDR)

I clicked on "Text Report" on the top right under the "Get sample" button. In the report, scroll down to Connections and use the Next button to see the reputation of the IP addresses. Use CyberChef to defang them.

Answer: 2[.]16[.]107[.]83,2[.]16[.]107[.]24

Question 5: What Windows process was flagged as Potentially Bad Traffic?

At the very bottom of the report, it lists Threats and…

Answer: svchost.exe

Task 9: Phishing Case 3

Question 1: What is this analysis classified as?

Located in the same place as the last task. This one is called “malicious activity” and has a red background.

Answer: malicious activity

Question 2: What is the name of the Excel file?

Again, this is the same place as the last example and you can see it underlined in the screenshot above.

Answer: CBJ200620039539.xlsx

Question 3: What is the SHA 256 hash for the file?

Same place as the last task. Click on the underlined .xlsx file and it opens details including the SHA 256.

Answer: 5f94a66e0ce78d17afc2dd27fc17b44b3ffc13ac5f42d3ad6a5dcfb36715f3eb

Question 4: What domains are listed as malicious? Defang the URLs & submit answers in alphabetical order. (answer: URL1,URL2,URL3)

This is in the Text Report. Go down to HTTP Requests, copy the domains into CyberChef and defang the URLs.

Answer: biz9holdings[.]com,findresults[.]site,ww38[.]findresults[.]site

Question 5: What IP addresses are listed as malicious? Defang the IP addresses & submit answers from lowest to highest. (answer: IP1,IP2,IP3)

Same section as the previous question; just use the IP addresses instead, removing the port from them (:80), and defang them with CyberChef.

Answer: 204[.]11[.]56[.]48,103[.]224[.]182[.]251,75[.]2[.]11[.]24
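Every case above ends with pasting indicators into CyberChef to defang them. As an added example (not part of the TryHackMe room or this walkthrough), the helpers below do the same three transformations in Python: IPs with a trailing port stripped, bare domains, and URLs with the scheme neutralised, plus a refang function for when you need the live value back. The sample values in the demo are the ones from the cases above.

```python
"""Defang indicators the way the walkthrough does with CyberChef, so they can be
pasted into notes or reports without being clickable. Added example code."""
import ipaddress
import re
from urllib.parse import urlsplit


def defang_ip(value: str) -> str:
    """Defang an IPv4 address, dropping a trailing ':port' (e.g. ':80') if present."""
    host = value.rsplit(":", 1)[0] if value.count(":") == 1 else value
    ipaddress.IPv4Address(host)  # raises ValueError if this is not a valid IPv4 address
    return host.replace(".", "[.]")


def defang_domain(value: str) -> str:
    """Defang a bare domain: every dot becomes [.]"""
    return value.replace(".", "[.]")


def defang_url(value: str) -> str:
    """Defang a URL: http(s) -> hxxp(s), :// -> [://], dots in the host -> [.]
    The path, query and fragment are kept as-is so the indicator stays searchable."""
    parts = urlsplit(value)
    scheme = re.sub(r"^http", "hxxp", parts.scheme)
    host = parts.netloc.replace(".", "[.]")
    rest = parts.path
    if parts.query:
        rest += "?" + parts.query
    if parts.fragment:
        rest += "#" + parts.fragment
    return f"{scheme}[://]{host}{rest}"


def refang(value: str) -> str:
    """Reverse any of the defang functions above (needed before querying a sandbox)."""
    value = value.replace("[://]", "://").replace("[.]", ".")
    return re.sub(r"^hxxp", "http", value)


if __name__ == "__main__":
    # Indicators from the cases above (Task 7 URL/IP, Task 9 domain and IP:port).
    print(defang_ip("209.85.167.226"))                 # 209[.]85[.]167[.]226
    print(defang_ip("204.11.56.48:80"))                # 204[.]11[.]56[.]48
    print(defang_domain("ww38.findresults.site"))      # ww38[.]findresults[.]site
    print(defang_url("https://t.co/yuxfZm8KPg?amp=1"))  # hxxps[://]t[.]co/yuxfZm8KPg?amp=1
```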

Question 6: What vulnerability does this malicious attachment attempt to exploit?

For this one, we are looking for the CVE number. It's in the report under "Behavior activities".

Answer: CVE-2017-11882

Task 10: Conclusion

Question 1: No answer needed
