THM Advent of Cyber - Day 6 & 7

After a bit of a busy run I get to do both days 6 and 7 at the same time, and it seems that they might, at least to a degree, have some overlap, at least on the surface, given that we’re looking at email analysis and CyberChef. So without further ado, let’s get crackin’ at Day 6 - Email Analysis.

Day 6 - Email Analysis

What is the email address of the sender?

After firing up the machine we can immediately see the file called Urgent:.eml on the desktop. Let’s open it up with Sublime Text and look for the From: field at the very top to find the answer to our first task.

What is the return address?

The return address is a bit lower, marked Return-Path:.

On whose behalf was the email sent?

We know the email was forged, and the answer to the third question can be found in the first answer.

What is the X-spam score?

Spam score is also included in the top part of the email file, namely X-Pm-Spamscore:.

What is hidden in the value of the Message-ID field?

Looking for the Message-ID field we can find a short encoded string, and the == at the end hints at Base64 encoding. Using CyberChef (ha, told you!) we can decode the string and find the answer to this question.

What is the reputation result of the sender’s email address?

For this task we’ll need to navigate to https://emailrep.io/ and look up the email from the first question to find out the reputation result of the address, and an explanation of why it is what it is.

What is the filename of the attachment?

Looking at Content-Type: we can see that the email includes one .doc file, and we can also see the filename of the file there.

What is the hash value of the attachment?

To figure this out we can take a look back at the guide on THM, which points to a tool called emlAnalyzer. The supplied command, emlAnalyzer -i Urgent\:.eml --header --html -u --text --extract-all, not only shows the information from the .eml file in a readable fashion but also extracts the included attachment. To get the actual hash of the extracted file we run sha256sum on it in the terminal.
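The same header checks and attachment hashing, as an added example that is not part of the original writeup: it parses a constructed .eml with Python’s standard email library, pulls the From:, Return-Path:, X-Pm-Spamscore: and Base64-carrying Message-ID: fields, and computes the sha256sum-equivalent digest of the attachment. All addresses, the filename and the attachment bytes are made-up placeholders.

```python
import base64
import hashlib
import re
from email import policy
from email.parser import BytesParser

# Constructed sample .eml (not the lab's Urgent:.eml): the headers mirror the
# fields the writeup inspects; the attachment is a placeholder, not a real .doc.
SAMPLE_EML = b"""From: "Chief Elf" <chief.elf@example.invalid>
Return-Path: <bounce@example.invalid>
Subject: Urgent:
Message-ID: <c2VjcmV0MQ==@example.invalid>
X-Pm-Spamscore: 3
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/msword; name="sample_attachment.doc"
Content-Disposition: attachment; filename="sample_attachment.doc"
Content-Transfer-Encoding: base64

ZmFrZSBkb2MgYm9keQ==
--b1--
"""


def sha256_hex(data: bytes) -> str:
    """Same value that sha256sum prints for the extracted file."""
    return hashlib.sha256(data).hexdigest()


def analyse_eml(raw: bytes) -> dict:
    """Answer the Day 6 header/attachment questions for one .eml file."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    # The Message-ID's local part is Base64; the trailing '==' is the giveaway.
    local_part = str(msg["Message-ID"]).strip("<>").split("@", 1)[0]
    attachments = [
        {"filename": p.get_filename(), "content_type": p.get_content_type(),
         "sha256": sha256_hex(p.get_payload(decode=True))}
        for p in msg.iter_attachments()
    ]
    return {
        "sender": msg["From"].addresses[0].addr_spec,
        "return_path": re.search(r"<([^>]+)>", str(msg["Return-Path"])).group(1),
        "spam_score": msg["X-Pm-Spamscore"],
        "hidden_in_message_id": base64.b64decode(local_part).decode(),
        "attachments": attachments,
    }
```

A sender that differs from the Return-Path is the same forgery tell the writeup relies on, and the digest is what you would then look up on VirusTotal or InQuest Labs.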

What is the second tactic marked in the Mitre ATT&CK section?

Moving on to VirusTotal, looking up the hash from above and checking the Behavior tab we can find the “Mitre ATT&CK Tactics and Techniques” section, which holds the correct answer to this question.

What is the subcategory of the file?

For the final trick of Day 6 we need to navigate to https://labs.inquest.net/ and look up our hash. Once we get the full details we can focus on the Overview section to find the Subcategory: portion and the correct answer to this final question.

Day 7 - CyberChef

Let’s swiftly move on to today’s task, which actually does pick up from the last one quite nicely. Firing up the lab, and spending some time reading over the CyberChef instructions while waiting, we’ll soon enough get to our first task.

What is the version of CyberChef found in the attached VM?

Let’s open up Firefox to find the link to CyberChef, and while for some reason the top information row doesn’t stay visible for me on this box, I can see the version number in the actual URL of the page. A workaround, but it works - good enough for me!

How many recipes were used to extract URLs from the malicious doc?

The next step is dragging and dropping the malicious .doc file into CyberChef and using the Strings function, selecting All printable chars (A). This gives us a heap of output, so let’s narrow things down by raising the minimum length to 256 characters.

Scrolling through the file now we can see many instances of [ _ ] which look suspicious, and try as I might this is the point where I have to take a look at the walkthrough, as regex is something I just can’t wrap my head around. We need to use the Find / Replace function with the regex [\[\]\n_] to uncover a hidden, encoded PowerShell command.

The command is clearly Base64 encoded, but first we need to get rid of some of the content at the top in order to work with the actual data. Using Drop bytes and increasing the length enough, then chaining the From Base64 function and the Decode text function with UTF-16LE encoding, we get code that is still mangled but is starting to look like PowerShell.

With a further regex, ['()+'"`], we can start making sense of the whole thing, but one thing still catches the eye: the apparent URLs start with ]b2H_, not http. One more Find / Replace later we can add the Extract URLs function to get a clean list of URLs to work with.

It quickly becomes apparent that the URLs are not separated by new lines but by the @ symbol, so let’s use the Split function and set the delimiter to @ in order to achieve that.

One last thing we should do is defang the URLs, that is to say make them impossible to click by accident when sharing them with other people. CyberChef includes the Defang URL function, which makes this easy now that the URLs are cleaned up.
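The whole Day 7 recipe reproduced operation by operation in Python, as an added example rather than anything from the original writeup: it builds a constructed stand-in for the macro’s obfuscated payload (placeholder domains, a made-up junk prefix and junk-character pattern), then strips the junk, drops the prefix, decodes Base64 and UTF-16LE, removes the concatenation noise, swaps ]b2H_ back to http, extracts and splits the @-joined URLs and defangs them. The defang style is the one CyberChef’s Defang URL produces with its default options.

```python
import base64
import re

# Constructed stand-in for the macro's payload (not the lab's .doc): the script keeps
# its download URLs as one '@'-separated string with ']b2H_' in place of 'http', is
# UTF-16LE + Base64 encoded, then gets junk [ ] _ and newlines sprinkled in plus a
# 10-character junk prefix. Domains are placeholders.
PLAINTEXT_PS = (
    "$s = ']b2H_://downloads.example.invalid/installer.exe@]b2H_://cdn.example.invalid/'"
    "+'note.doc' ;$u = $s.Replace(']b2H_','http').Split('@')"
)
JUNK_PREFIX = "JUNKHEAD10"


def build_sample() -> str:
    """Obfuscate PLAINTEXT_PS the way the recipe expects to find it in the document."""
    b64 = base64.b64encode(PLAINTEXT_PS.encode("utf-16-le")).decode()
    noisy = "".join(c + "_[]\n"[i % 4] if i % 3 == 0 else c for i, c in enumerate(b64))
    return JUNK_PREFIX + noisy


def defang(url: str) -> str:
    """Same output style as CyberChef's Defang URL with its default options."""
    return url.replace("http", "hxxp").replace("://", "[://]").replace(".", "[.]")


def run_recipe(blob: str, drop: int = len(JUNK_PREFIX)) -> list:
    """The Day 7 CyberChef recipe, one operation per step."""
    # Find / Replace (regex) [\[\]\n_] -> nothing: strip the junk characters
    cleaned = re.sub(r"[\[\]\n_]", "", blob)
    # Drop bytes: skip the junk prefix so the Base64 starts at the right place,
    # then From Base64 and Decode text (UTF-16LE)
    script = base64.b64decode(cleaned[drop:]).decode("utf-16-le")
    # Find / Replace (regex) ['()+"`] -> nothing: remove the concatenation noise
    script = re.sub(r"['()+\"`]", "", script)
    # Find / Replace ]b2H_ -> http: restore the scheme the script patches in at run time
    script = script.replace("]b2H_", "http")
    # Extract URLs: they come back as one match glued together with '@'
    glued = re.findall(r"https?://\S+", script)
    # Split on '@', then Defang URL so nothing is clickable when shared
    return [defang(u) for chunk in glued for u in chunk.split("@")]
```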

Now that’s a really long writeup, but we finally found the correct answer to this question, and all this hard work is going to make answering the follow-up questions pretty easy.

We found a URL that was downloading a suspicious file; what is the name of that malware?

We can find the name of this executable in the list of our defanged URLs.

What is the last defanged URL of the bandityeti domain found in the last step?

This in turn would be the last domain on the list, the one with bandityeti in it.

What is the ticket found in one of the domains? (Format: Domain/)

Finally we can find this flag in the domain list as well.

And we’re done! This one was a long project since I skipped yesterday due to work stuff, and even more so since the regex part of Day 7 is something I simply couldn’t or wouldn’t be able to figure out on my own. That’s to say it’s a perfect learning opportunity and shows how powerful a tool regex actually is. Now we’re just looking forward to tomorrow!

This post is licensed under CC BY 4.0 by the author.