Phishing Emails 3

    • Read the above. 

    No Answer

    • Read the above. 

    No Answer

    • What is the official site name of the bank that capitai-one.com tried to resemble?

    Googling "capitai one bank" returns capitalone.com as the first result, and the site looks legitimate, so that is the brand the lookalike domain was imitating.

    Answer : capitalone.com

    • How can you manually get the location of a hyperlink? 

    Answer : Copy Link Location

    • Read the above. 

    No Answer

    • Look at the Strings output. What is the name of the EXE file?

    Answer : 454326_PDF.exe

    • What brand was this email tailored to impersonate?

    Answer : Netflix

    • What is the From email address?

    View the source of the email and paste the headers into https://mha.azurewebsites.net/ (Message Header Analyzer).

    Answer : JGQ47wazXe1xYVBrkeDg-JOg7ODDQwWdR@JOg7ODDQwWdR-yVkCaBkTNp.gogolecloud.com

    • What is the originating IP? Defang the IP address.  

    We already got the IP from the header analysis in the previous question; we just need to defang it, for example with CyberChef.

    Answer : 209[.]85[.]167[.]226

    • From what you can gather, what do you think will be a domain of interest? Defang the domain.

    Answer : etekno[.]xyz

    • What is the shortened URL? Defang the URL.

    Copy the link location of the "update account now" button, then defang the shortened URL.

    Answer : hxxps[://]t[.]co/yuxfZm8KPg?amp=1

    • What is this analysis classified as?

    Answer : Suspicious activity

    • What is the name of the PDF file?

    Check point 1 of the screenshot.

    Answer : Payment-updateid.pdf

    • What is the SHA 256 hash for the PDF file?


    Answer : cc6f1a04b10bcb168aeec8d870b97bd7c20fc161e8310b5bce1af8ed420e2c24

    • What two IP addresses are classified as malicious? Defang the IP addresses. (answer: IP_ADDR,IP_ADDR)

    Checking the DNS requests, I found two suspicious IPs:

    Answer : 2[.]16[.]107[.]24,2[.]16[.]107[.]49

    • What Windows process was flagged as Potentially Bad Traffic?


    Answer : svchost.exe

    • What is this analysis classified as?

    Answer : Malicious activity

    • What is the name of the Excel file?

    Answer : CBJ200620039539.xlsx

    • What is the SHA 256 hash for the file?

    See the previous question; the hash is shown in the same report.

    Answer : 5f94a66e0ce78d17afc2dd27fc17b44b3ffc13ac5f42d3ad6a5dcfb36715f3eb

    • What domains are listed as malicious? Defang the URLs & submit answers in alphabetical order. (answer: URL1,URL2,URL3)

    Answer : biz9holdings[.]com,findresults[.]site,ww38[.]findresults[.]site

    • What IP addresses are listed as malicious? Defang the IP addresses & submit answers from lowest to highest. (answer: IP1,IP2,IP3)


    Answer : 75[.]2[.]11[.]242,103[.]224[.]182[.]251,204[.]11[.]56[.]48
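    As an added example (not part of the original writeup or the room), the defanging done above with CyberChef, plus the ordering rules of the last two questions, written in Python. The sample values are the ones quoted in the answers above; IPs are sorted numerically rather than as strings, which is the easy mistake when asked for "lowest to highest".

```python
from __future__ import annotations

import re
from ipaddress import ip_address


def defang_ip(ip: str) -> str:
    """Defang one IP address: 209.85.167.226 -> 209[.]85[.]167[.]226."""
    ip_address(ip)  # raises ValueError if this is not a valid address
    return ip.replace(".", "[.]")


def defang_url(url: str) -> str:
    """Defang a URL or bare domain in the bracket style the room expects:
    http(s) -> hxxp(s), '://' -> '[://]', every '.' -> '[.]'."""
    url = re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)
    return url.replace("://", "[://]").replace(".", "[.]")


def refang(text: str) -> str:
    """Inverse of the two functions above, for feeding an IoC back into tooling."""
    text = text.replace("[://]", "://").replace("[.]", ".")
    return re.sub(r"^hxxp", "http", text, flags=re.IGNORECASE)


def defanged_ips_lowest_to_highest(ips: list[str]) -> str:
    """Sort by numeric address value, not lexicographically ('75.' would
    otherwise sort after '204.'), then defang and comma-join."""
    ordered = sorted(ips, key=lambda ip: int(ip_address(ip)))
    return ",".join(defang_ip(ip) for ip in ordered)


def defanged_domains_alphabetical(domains: list[str]) -> str:
    """Alphabetical order, case-insensitive, defanged and comma-joined."""
    return ",".join(defang_url(d) for d in sorted(d.lower() for d in domains))


if __name__ == "__main__":
    # Values taken from the answers in this writeup
    print(defang_ip("209.85.167.226"))
    print(defang_url("https://t.co/yuxfZm8KPg?amp=1"))
    print(defanged_ips_lowest_to_highest(["204.11.56.48", "75.2.11.242", "103.224.182.251"]))
    print(defanged_domains_alphabetical(["ww38.findresults.site", "biz9holdings.com", "findresults.site"]))
```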

    • What vulnerability does this malicious attachment attempt to exploit?


    Answer : CVE-2017-11882

    • Read the above. 

    No Answer