Task 1: Just another day as a SOC analyst
Only one task for this room.
Question 1: What date was the email received? (answer format: M/DD/YY)
I opened the email in Thunderbird.
Answer: 6/10/20
Question 2: Who is the email from?
In the From header…
Answer: Mr. James Jackson
Question 3: What is his email address?
Also in the From header…
Answer: info@mutawamarine.com
Question 4: What email address will receive a reply to this email?
In the Reply-To header. Note that it differs from the From address, which is a common phishing tell.
Answer: info.mutawamarine@mail.com
Question 5: What is the Originating IP?
Click More, then View Source. Although the source shows x.x.x.x in a few places for the originating IP, keep looking, the real one is in there…
Answer: 192.119.71.157
Question 6: Who is the owner of the Originating IP? (Do not include the “.” in your answer.)
Search for a whois lookup service and query the IP address from the previous answer.
Answer: Hostwinds LLC
Question 7: What is the SPF record for the Return-Path domain?
This requires us to look up the SPF record. We can do this with https://mxtoolbox.com/spf.aspx. If we search there for mutawamarine.com we receive this back…
Answer: v=spf1 include:spf.protection.outlook.com -all
Question 8: What is the DMARC record for the Return-Path domain?
We can use a different page on the same website to look up this information as well: https://mxtoolbox.com/dmarc.aspx. Search for the same domain.
Answer: v=DMARC1; p=quarantine; fo=1
Question 9: What is the name of the attachment?
We can go back to the email and see this…
Answer: SWT_#09674321____PDF__.CAB
Question 10: What is the SHA256 hash of the file attachment?
Save the attachment to the desktop. Open a terminal and type…
cd Desktop
sha256sum SWT_#09674321____PDF__.CAB
Answer: 2e91c533615a9bb8929ac4bb76707b2444597ce063d84a4b33525e25074fff3f
Question 11: What is the attachment's file size? (Don't forget to add "KB" to your answer, NUM KB)
I tried to do this using ls -l, but TryHackMe didn't accept that answer. So I looked up the hash we found earlier and searched for it on VirusTotal. From there we get the correct…
Answer: 400.26 KB
Question 12: What is the actual file extension of the attachment?
According to VirusTotal, the magic bytes show it is a RAR archive, not a CAB file as the name claims.
Answer: RAR
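The steps above (reading the From and Reply-To headers, finding the originating IP in the source, noting which domain to query for SPF and DMARC, hashing the attachment, measuring its size, and checking its real file type) can all be scripted. The block below is an added example written for this walkthrough; it is not TryHackMe's, Thunderbird's, or VirusTotal's code. The raw message, the 203.0.113.45 address, the .invalid domains and the attachment bytes are constructed placeholders, not the room's real email; only the SPF and DMARC record strings fed to the parsers are the ones quoted above. The size helper reports both bytes and 1024-based KB because, as Question 11 shows, different tools present size differently.

```python
"""Header and attachment triage for a suspicious email (added example, constructed data)."""
import base64
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr

# Constructed attachment: RAR 5.x magic bytes padded to 2048 bytes, but named like a .CAB
ATTACHMENT_BYTES = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 2040

# Constructed raw message (placeholder sender, documentation-range IP, .invalid domains)
RAW_EMAIL = (
    b"Return-Path: <info@example-marine.invalid>\r\n"
    b"Received: from mail.example-marine.invalid (unknown [203.0.113.45])\r\n"
    b"\tby mx.example.net with ESMTP; Wed, 10 Jun 2020 05:58:41 +0000\r\n"
    b'From: "Mr. Sample Sender" <info@example-marine.invalid>\r\n'
    b"Reply-To: info.example-marine@mail.example.invalid\r\n"
    b"X-Originating-IP: [203.0.113.45]\r\n"
    b"To: analyst@example.net\r\n"
    b"Subject: Urgent invoice\r\n"
    b"Date: Wed, 10 Jun 2020 05:58:40 +0000\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nPlease see the attached document.\r\n"
    b"--b1\r\n"
    b'Content-Type: application/octet-stream; name="SAMPLE_PDF__.CAB"\r\n'
    b'Content-Disposition: attachment; filename="SAMPLE_PDF__.CAB"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.b64encode(ATTACHMENT_BYTES)
    + b"\r\n--b1--\r\n"
)

# File signatures used to find the real type behind a misleading extension
MAGIC = [
    (b"Rar!\x1a\x07\x01\x00", "RAR"),  # RAR 5.x
    (b"Rar!\x1a\x07\x00", "RAR"),      # RAR 1.5 to 4.x
    (b"MSCF", "CAB"),
    (b"%PDF", "PDF"),
    (b"PK\x03\x04", "ZIP"),
    (b"MZ", "EXE"),
]
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def real_type(data):
    """Return the type implied by the magic bytes, ignoring the file name entirely."""
    for signature, name in MAGIC:
        if data.startswith(signature):
            return name
    return "unknown"


def originating_ip(msg):
    """Prefer X-Originating-IP; otherwise take the IP from the earliest Received hop."""
    for value in msg.get_all("X-Originating-IP", []):
        match = IPV4.search(str(value))
        if match:
            return match.group(1)
    for value in reversed(msg.get_all("Received", [])):  # last header = first hop
        match = IPV4.search(str(value))
        if match:
            return match.group(1)
    return None


def parse_spf(record):
    """Split an SPF record into its mechanisms and the policy of the final 'all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    qualifiers = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}
    policy_all = "none"
    for term in terms[1:]:
        if term.lstrip("-~?+") == "all":
            policy_all = qualifiers.get(term[0], "pass") if term != "all" else "pass"
    return {"mechanisms": terms[1:], "all": policy_all}


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=quarantine; fo=1' into a tag dictionary."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def analyze(raw):
    """Answer the room's questions for one raw message, returned as a dict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    received = msg["Date"].datetime
    from_addr = parseaddr(str(msg["From"]))[1]
    reply_addr = parseaddr(str(msg["Reply-To"] or ""))[1]
    domain = re.search(r"@([A-Za-z0-9.-]+)", str(msg["Return-Path"])).group(1)
    report = {
        "date": f"{received.month}/{received.day:02d}/{received.year % 100:02d}",
        "from": str(msg["From"]),
        "reply_to": reply_addr,
        "reply_to_mismatch": bool(reply_addr) and reply_addr != from_addr,
        "originating_ip": originating_ip(msg),
        "return_path_domain": domain,
        # TXT names to query for Question 7 (SPF) and Question 8 (DMARC)
        "dns_names_to_query": (domain, "_dmarc." + domain),
        "attachments": [],
    }
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        name = part.get_filename() or ""
        report["attachments"].append({
            "name": name,
            "size_bytes": len(data),
            "size_kib": round(len(data) / 1024, 2),  # 1024-based, as many tools show
            "sha256": sha256_hex(data),
            "claimed_ext": name.rsplit(".", 1)[-1].upper() if "." in name else "",
            "actual_type": real_type(data),
        })
    return report


if __name__ == "__main__":
    for key, value in analyze(RAW_EMAIL).items():
        print(f"{key}: {value}")
```

Run it as-is to see the report for the constructed message, or replace RAW_EMAIL with the bytes of a saved .eml file. The DNS names it lists are what you would query (for example with a TXT lookup) instead of the MXToolbox pages; the parsers then interpret the records the same way the room's answers do.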