THM Writeup – Phishing Emails 5
Use the knowledge attained to analyze a malicious email.
A Sales Executive at Greenholt PLC received an email that he didn’t expect to receive from a customer. He claims that the customer never uses generic greetings such as “Good day” and didn’t expect any amount of money to be transferred to his account. The email also contains an attachment that he never requested. He forwarded the email to the SOC (Security Operations Center) department for further investigation.
Investigate the email sample to determine if it is legitimate.
Tip: Open the EML file with Thunderbird.
Open Thunderbird:
Open Thunderbird’s menu (burger icon in the upper right corner), select File -> Open -> Saved Message… and select the message saved on the desktop (challenge.eml):
In the header part click More and select View Source:
Now we see the source of the message and we can answer a few questions:
What is the email’s timestamp? (answer format: mm/dd/yyyy hh:mm)
You can find it in the header view of the message and in the source as well (screenshots of both views).
Who is the email from?
Again, you can find it in the header view and in the source (screenshots of both views).
What is his email address?
Shown in the header view and in the source (screenshots of both views).
What email address will receive a reply to this email?
Shown in the header view and in the source (screenshots of both views).
What is the Originating IP?
Who is the owner of the Originating IP? (Do not include the “.” in your answer.)
root@ip-10-10-39-184:~# whois 192.119.71.157
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2022, American Registry for Internet Numbers, Ltd.
#
NetRange: 192.119.64.0 - 192.119.127.255
CIDR: 192.119.64.0/18
NetName: HOSTWINDS-18-2
NetHandle: NET-192-119-64-0-1
Parent: NET192 (NET-192-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS54290
Organization: Hostwinds LLC. (HL-29)
RegDate: 2012-11-12
Updated: 2021-09-23
Comment: https://www.hostwinds.com
Comment: Abuse Contact: abuse@hostwinds.com
Ref: https://rdap.arin.net/registry/ip/192.119.64.0
OrgName: [REDACTED]
OrgId: HL-29
. . .
Look at the OrgName field.
What is the SPF record for the Return-Path domain?
root@ip-10-10-39-184:~# dig mutawamarine.com txt
; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> mutawamarine.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51376
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;mutawamarine.com. IN TXT
;; ANSWER SECTION:
mutawamarine.com. 300 IN TXT "MS=842BCB91F2AB2807BE05D25DC690D1226B349676"
mutawamarine.com. 300 IN TXT "[REDACTED]"
mutawamarine.com. 300 IN TXT "MS=ms97822417"
;; Query time: 32 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Thu Feb 17 15:14:58 GMT 2022
;; MSG SIZE rcvd: 186
What is the DMARC record for the Return-Path domain?
Browse to https://dmarc.live/info/mutawamarine.com
What is the name of the attachment?
Shown in the header view and in the source (screenshots of both views).
What is the SHA256 hash of the file attachment?
Save the file and compute its SHA256 hash with sha256sum:
ubuntu@ip-10-10-184-65:~$ cd Desktop/
ubuntu@ip-10-10-184-65:~/Desktop$ sha256sum [FILE_NAME_REDACTED]
[REDACTED] [FILE_NAME_REDACTED]
What is the attachment’s file size? (Don’t forget to add “KB” to your answer, NUM KB)
Browse to https://virustotal.com and search for the SHA256 hash of the file:
What is the actual file extension of the attachment?
Look at VirusTotal’s search result for the file again 😉
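As an added example (not part of the room or of this writeup), here is a small Python script that pulls the same fields out of an EML file programmatically: the timestamp in the requested format, From, the address a reply would go to, the originating IP, the Return-Path domain you would query for SPF/DMARC, and each attachment’s name, size, SHA256 and magic-byte type. The embedded message, addresses, IP and attachment are constructed sample values, not the room’s email.

```python
import email
import hashlib
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message (documentation addresses/IP), not the room's email.
SAMPLE_EML = b"""Return-Path: <sales@example.com>
Date: Thu, 17 Feb 2022 15:14:58 +0000
From: "Customer" <customer@example.com>
Reply-To: other@example.net
X-Originating-IP: [192.0.2.10]
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# Leading bytes that reveal the real file type regardless of the claimed name.
MAGIC = {b"MZ": "pe (exe/dll)", b"%PDF": "pdf", b"PK\x03\x04": "zip/office", b"\x7fELF": "elf"}


def sniff(data):
    # First matching signature wins; anything else is reported as unknown.
    return next((t for sig, t in MAGIC.items() if data.startswith(sig)), "unknown")


def triage(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {
        "timestamp": parsedate_to_datetime(str(msg["Date"])).strftime("%m/%d/%Y %H:%M"),
        "from": parseaddr(str(msg["From"])),  # (display name, address)
        # Replies go to Reply-To when present, otherwise back to From.
        "reply_to": parseaddr(str(msg.get("Reply-To", msg["From"])))[1],
        "originating_ip": str(msg.get("X-Originating-IP", "")).strip("[]"),
        # Domain to look up with dig/dmarc.live for the SPF and DMARC records.
        "return_path_domain": parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2],
        "attachments": [],
    }
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)  # base64-decoded attachment bytes
        report["attachments"].append({
            "name": part.get_filename(),
            "size_bytes": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "claimed_type": part.get_content_type(),
            "actual_type": sniff(data),  # a mismatch here is the "actual extension" question
        })
    return report
```

To use it on a real message, read the EML file as bytes and pass them to triage(); a claimed type that disagrees with the sniffed type is the same red flag VirusTotal surfaces.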