Use the knowledge attained to analyze a malicious email.
THM Room https://tryhackme.com/room/phishingemails5fgjlzxc
TASK 1 : Just another day as a SOC Analyst..
For questions 1-4 and 9, we can get the responses directly viewing the email in Thunderbird :
email.eml
What is the email’s timestamp? (answer format: dd/mm/yy hh:mm)
Answer : 06/10/2020 5:58
Who is the email from?
Answer : Mr. James Jackson
What is his email address?
Answer : info@mutawamarine.com
What email address will receive a reply to this email?
Answer : info.mutawamarine@mail.com
What is the Originating IP?
Header : From
Answer : 192.119.71.157
Who is the owner of the Originating IP? (Do not include the “.” in your answer.)
ISP
Using BD-IP https://db-ip.com/, we get the ISP.
Answer : Hostwinds LLC
What is the SPF record for the Return-Path domain?
I check the retrun-path on Dmarcian :
SPF
Answer : v=spf1 include:spf.protection.outlook.com -all
What is the DMARC record for the Return-Path domain?
I check the retrun-path on Dmarcian https://dmarcian.com/spf-survey/ :
DMARC
Answer : v=DMARC1; p=quarantine; fo=1
What is the name of the attachment?
Answer :
1
SWT_#09674321____PDF__.cab
What is the SHA256 hash of the file attachment?
Attachment SHA256
Answer : 2e91c533615a9bb8929ac4bb76707b2444597ce063d84a4b33525e25074fff3f
What is the attachments file size? (Don’t forget to add “KB” to your answer, NUM KB)
File Size
I use VirusTotal with the hash to get the file size.
Answer : 400.26 KB
What is the actual file extension of the attachment?
Answer : rar