Newsletter
TechAnV Blog
Get updates on security engineering, Rust, eBPF, and DevSecOps. No spam, unsubscribe anytime.
Check your inbox and click the confirmation link to complete your subscription.
TryHackMe - The Greenholt Phish#

A Sales Executive at Greenholt PLC received an email that he didn’t expect to receive from a customer. He claims that the customer never uses generic greetings such as “Good day” and didn’t expect any amount of money to be transferred to his account. The email also contains an attachment that he never requested. He forwarded the email to the SOC (Security Operations Center) department for further investigation.
Investigate the email sample to determine if it is legitimate.
What is the Transfer Reference Number listed in the email’s Subject?

We can start off by finding other tools on the machine but seem like there are only Wireshark and CyberChef which we will not use it so we can now proceed with email.

Upon opening an email, we can see the subject that contains Reference Number and also in the body of this email as well.
109674321Who is the email from?

We can see that the email was sent from Mr. James Jackson as shown on the “From” and “Reply to” field but noticed that email on “Reply to” is different from email in “From”
1Mr. James JacksonWhat is his email address?
1info@mutawamarine.comWhat email address will receive a reply to this email?
1info.mutawamarine@mail.comWhat is the Originating IP?

Its time to inspect the source by typing V or click “More” -> “View Source”

Then we can see that the bottom “Received” header is the first hop that was received this email and it also contains domain and IP address of the sender as well.

We can copy whole source to MX Toolbox to automatically analyzed some of important headers, which we can see that the same information from this tool as well.
1192.119.71.157Who is the owner of the Originating IP? (Do not include the ”.” in your answer.)

Utilized Whois then we can see that the Organization that owns this IP is Hostwind LLC.
1Hostwinds LLCWhat is the SPF record for the Return-Path domain?

MX Toolbox already analyzed SPF and DMARC for us so we can go to the SPF analysis section which we can see that spf.protection.outlook.com is the authorized sender which if the receiver didn’t receive an email from this sender then it tells receiver to reject it if not received from authorized sender.
1v=spf1 include:spf.protection.outlook.com -allWhat is the DMARC record for the Return-Path domain?

This DMARC record telling us that any emails that fail both SPF and DKIM alignment checks will be flagged and sent to the spam/junk folder and generates failure reports for failed SPF/DKIM alignment.
1v=DMARC1; p=quarantine; fo=1What is the name of the attachment?

We can see that this email also shipped with an attachment and its not common file attachment too.

We can also confirm the name of it on from the source as well
1SWT_#09674321____PDF__.CABWhat is the SHA256 hash of the file attachment?

We can save an attachment from Thunderbird directly with this button.

And now we can generate file hash with sha256sum get an answer of this question and we will also use this hash on Threat Intel platform such as VirusTotal as well.
12e91c533615a9bb8929ac4bb76707b2444597ce063d84a4b33525e25074fff3fWhat is the attachments file size? (Don’t forget to add “KB” to your answer, NUM KB)

Since we could not determine that exact file size from Linux by calculation then we will use the intended solution by submit the hash of the attachment to VirusTotal which reveals this file attachment is actually RAR file that contains the actual payload which is Lokibot.
1400.26 KBWhat is the actual file extension of the attachment?
1rar
And now we are done!