
The Greenholt Phish

Use the knowledge attained to analyze a malicious email.

THM Room https://tryhackme.com/room/phishingemails5fgjlzxc

TASK 1 : Just another day as a SOC Analyst..

For questions 1-4 and 9, the answers can be read directly by viewing the email in Thunderbird:

(Screenshot: email.eml)

What is the email’s timestamp? (answer format: dd/mm/yy hh:mm)

Answer : 06/10/2020 5:58

Who is the email from?

Answer : Mr. James Jackson

What is his email address?

Answer : info@mutawamarine.com

What email address will receive a reply to this email?

Answer : info.mutawamarine@mail.com

What is the Originating IP?

(Screenshot: From header)

Answer : 192.119.71.157

Who is the owner of the Originating IP? (Do not include the “.” in your answer.)

(Screenshot: ISP)

Using DB-IP https://db-ip.com/, we get the ISP.

Answer : Hostwinds LLC

What is the SPF record for the Return-Path domain?

I check the Return-Path on Dmarcian:

(Screenshot: SPF)

Answer : v=spf1 include:spf.protection.outlook.com -all

What is the DMARC record for the Return-Path domain?

I check the Return-Path on Dmarcian https://dmarcian.com/spf-survey/ :

(Screenshot: DMARC)

Answer : v=DMARC1; p=quarantine; fo=1

What is the name of the attachment?

Answer : SWT_#09674321____PDF__.cab

What is the SHA256 hash of the file attachment?

(Screenshot: Attachment SHA256)

Answer : 2e91c533615a9bb8929ac4bb76707b2444597ce063d84a4b33525e25074fff3f

What is the attachment's file size? (Don’t forget to add “KB” to your answer, NUM KB)

(Screenshot: File Size)

I use VirusTotal with the hash to get the file size.

Answer : 400.26 KB

What is the actual file extension of the attachment?

Answer : rar
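The same triage steps can be scripted. The Python example below is added here and is not part of the room or this write-up: it builds a constructed sample .eml (header values mirror the ones above, the originating IP 192.0.2.10 and the RAR payload are made up) and then extracts the timestamp, From, Reply-To, originating IP, attachment name, SHA256, size in KB, and the real file type from its magic bytes, flagging the Reply-To mismatch and the .cab-that-is-really-RAR disguise.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# File signatures (magic bytes) used to check an attachment's real type
MAGIC = {b"Rar!\x1a\x07": "rar", b"MSCF": "cab", b"%PDF": "pdf", b"PK\x03\x04": "zip"}
# Constructed fake RAR payload: RAR5 signature followed by zero padding (4096 bytes)
SAMPLE_PAYLOAD = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 4088

def build_sample_eml() -> bytes:
    """Constructed message (not the room's email.eml): a RAR file named as .cab."""
    msg = EmailMessage()
    msg["Received"] = "from mail.example.invalid ([192.0.2.10]) by mx.example.invalid"
    msg["Date"] = "Tue, 06 Oct 2020 05:58:00 +0000"
    msg["From"] = '"Mr. James Jackson" <info@mutawamarine.com>'
    msg["Reply-To"] = "info.mutawamarine@mail.com"
    msg.set_content("Please find the shipping documents attached.")
    msg.add_attachment(SAMPLE_PAYLOAD, maintype="application", subtype="octet-stream",
                       filename="SWT_#09674321____PDF__.cab")
    return msg.as_bytes()

def analyze_eml(raw: bytes) -> dict:
    """Pull the header and attachment facts the triage questions above ask for."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender_name, sender_addr = parseaddr(str(msg["From"]))
    _, reply_addr = parseaddr(str(msg["Reply-To"] or ""))
    # The last Received header is the first hop; its bracketed IP is the originating IP
    hops = msg.get_all("Received") or []
    ips = re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hops[-1]) if hops else []
    r = {"timestamp": msg["Date"].datetime.strftime("%d/%m/%Y %H:%M"),
         "from_name": sender_name, "from_addr": sender_addr, "reply_to": reply_addr,
         "originating_ip": ips[0] if ips else None, "findings": []}
    if reply_addr and reply_addr.split("@")[-1] != sender_addr.split("@")[-1]:
        r["findings"].append("Reply-To domain differs from From domain")
    for part in msg.iter_attachments():
        data = part.get_content()  # bytes for application/octet-stream
        name = part.get_filename() or ""
        claimed = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        actual = next((t for m, t in MAGIC.items() if data.startswith(m)), "unknown")
        r.update(attachment=name, sha256=hashlib.sha256(data).hexdigest(),
                 size_kb=round(len(data) / 1024, 2), claimed_ext=claimed, actual_ext=actual)
        if actual != claimed:
            r["findings"].append(f"Attachment claims .{claimed} but content is {actual}")
    return r

if __name__ == "__main__":
    for key, value in analyze_eml(build_sample_eml()).items():
        print(f"{key}: {value}")
```

To run it against the room's file, replace `build_sample_eml()` with the bytes of email.eml; the SHA256 and size then correspond to what VirusTotal reports for the attachment.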

This post is licensed under CC BY 4.0 by the author.