Try Hack Me | Phishing Analysis Tools | Write up

Abdur Rehman Rehan
11 min read · Sep 22, 2023


Learn the tools used to aid an analyst to investigate suspicious emails.

Room Link

Task 1: Introduction

In this Room, we will explore various tools and techniques to analyze phishing emails more effectively. Here’s an overview of what will be covered:

  1. Examining email header information: We will discuss tools that assist in analyzing email headers, which can provide valuable information about the email’s source.
  2. Handling hyperlinks: We’ll explore techniques for extracting and expanding URLs in emails, especially when they are shortened to hide their true destination.
  3. Evaluating links without interaction: We’ll introduce tools that can help assess potentially malicious links without directly clicking on them, reducing risks.
  4. Dealing with malicious attachments: We’ll cover methods for extracting malicious attachments from phishing emails and using malware sandboxes to safely analyze them, gaining insights into their intended functionality.

A warning is provided that the examples used in this section contain information from actual spam and phishing emails, emphasizing the need for caution when dealing with any IP addresses, domains, attachments, or other potentially harmful elements.

Questions

Question No 1: Read the above.

No answer needed.

Task 2: What information should we collect?

This task involves outlining the steps for analyzing a suspicious or malicious email. The process includes collecting specific information from both the email header and the email body, while exercising caution not to interact with any potentially harmful links or attachments.

From the email header, the analyst should gather the following information:

  1. Sender email address
  2. Sender IP address
  3. Reverse lookup of the sender IP address
  4. Email subject line
  5. Recipient email address (which may be in the CC/BCC field)
  6. Reply-to email address (if applicable)
  7. Date/time of the email

From the email body and any attachments, the analyst should collect the following artifacts:

  1. Any URL links and, if URL shorteners were used, the real URL behind them.
  2. The name of the attachment (if present)
  3. The hash value of the attachment, preferably using MD5 or SHA256 hash types.

A warning is emphasized, advising caution to avoid accidentally clicking on any links or opening attachments in the email, given the potential risks associated with them.

Questions

Question No 1: Read the above.

No answer needed.

Task 3: Email header analysis

This task provides information on tools and resources that can aid in the analysis of suspicious or malicious emails. It emphasizes the importance of collecting various details from email headers and the availability of tools to facilitate this process. Some of the tools and resources mentioned include:

  1. Message header from Google Admin Toolbox: A tool for analyzing SMTP message headers to identify the root cause of delivery delays. It helps detect misconfigured servers and mail-routing problems. Users can copy and paste the email header for analysis.
  2. Message Header Analyzer: Another tool for analyzing email headers, which assists in understanding email delivery issues.
  3. Mailheader.org: A resource for email header analysis.
  4. IPinfo.io: A tool that provides information about IP addresses, enabling users to pinpoint user locations, customize experiences, prevent fraud, ensure compliance, and more.
  5. URLScan.io: A free service for scanning and analyzing websites, recording various details about the visited URL, including domains, IPs, resources, and a screenshot. It helps identify potentially malicious sites.
  6. Talos Reputation Center: A resource for checking the reputation of domains and IPs, particularly helpful in assessing the trustworthiness of email sources.

The note emphasizes that the choice of which tool to use depends on individual preferences and requirements, and it can be beneficial to use multiple resources as each tool may reveal different information. Additionally, it highlights the screenshot feature of urlscan.io, which provides a visual representation of the scanned URL without the need to navigate to it directly. Other tools with similar functionality, such as URL2PNG and Wannabrowser, are also mentioned as alternatives.

Questions

Question No 1: What is the official site name of the bank that capitai-one.com tried to resemble?

Hint: Search on the internet

Answer: capitalone.com

Task 4: Email body analysis

This task focuses on analyzing the email body, where malicious content may be delivered, either as links or attachments. The key points are as follows:

  1. Manual Link Extraction: Links can be manually extracted either from HTML-formatted emails or by reviewing the raw email header. The example shows how to obtain a link manually by right-clicking and choosing “Copy Link Location.”
  2. URL Extractor Tool: URL Extractor is a tool that can assist in extracting links from email headers. Users can copy and paste the raw header into the tool’s text box, and the extracted URLs are visible in the output.
  3. Use of CyberChef: CyberChef can also be used to extract URLs using the “Extract URLs” recipe.
  4. Root Domain Analysis: It’s important to note the root domain for the extracted URLs, as root domain analysis is crucial.
  5. Checking URL and Domain Reputation: After extracting URLs, the next step is to check the reputation of both the URLs and root domains. Various tools mentioned in a previous task can aid in this process.
  6. Handling Email Attachments: If the email contains an attachment, it should be obtained safely. Thunderbird’s “Save” button is mentioned as a method for saving email attachments.
  7. Hashing Attachments: After obtaining the attachment, its hash value should be generated. The SHA256 hash is recommended. This hash can then be used to check the file’s reputation and determine if it’s a known malicious document.
  8. Tools for File Reputation Checking:
    a. Talos File Reputation: A tool that allows casual lookups against the Talos File Reputation system, focusing on hash matching.
    b. VirusTotal: A platform for analyzing suspicious files and URLs to detect various types of malware. It facilitates sharing with the security community.
    c. Mention of Reversing Labs, which also provides a file reputation service.

The information highlights the importance of thorough analysis of email content, including links and attachments, while also emphasizing the significance of checking the reputation of associated URLs and files.
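The collection steps from Task 2 and the extraction and hashing steps above can be scripted so the analyst never has to click anything. The following is an added example, not code from the room or from this write-up; it parses a constructed sample .eml with Python's standard library, records the sender, Reply-To, subject, date and originating IP from the bottom-most Received header, pulls the URLs out of the body, hashes each attachment with SHA256, and defangs IPs and URLs in the hxxp / [.] style used in the later cases. All names and addresses in the sample are made up.

```python
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr
# Constructed sample message for the demo; the "PDF" is just base64 of "hello".
SAMPLE_EML = b"""Received: from mail.attacker.test ([203.0.113.7]) by mx.example.test
From: "Support" <alerts@example-bank.test>
Reply-To: collect@attacker.test
Subject: Account update required
Date: Fri, 22 Sep 2023 10:00:00 +0000
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html

<a href="https://t.co/abc123">Update</a> https://login.example-bank.test/verify
--B
Content-Type: application/pdf
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

aGVsbG8=
--B--
"""
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def defang(value):
    """Make an IP or URL non-clickable: http -> hxxp, :// -> [://], . -> [.]"""
    return value.replace("://", "[://]").replace("http", "hxxp").replace(".", "[.]")

def triage(raw):
    """Return the header and body artifacts an analyst records before touching any link."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    received = msg.get_all("Received") or []
    # The bottom-most Received header is the first hop, i.e. the originating server.
    origin = IP_RE.search(received[-1]) if received else None
    text = msg.get_body(preferencelist=("html", "plain")).get_content()
    return {
        "from": parseaddr(str(msg["From"]))[1],
        "reply_to": parseaddr(str(msg["Reply-To"]))[1] if msg["Reply-To"] else None,
        "subject": str(msg["Subject"]),
        "date": str(msg["Date"]),
        "origin_ip": defang(origin.group()) if origin else None,
        "urls": [defang(u) for u in URL_RE.findall(text)],
        # SHA256 of each decoded attachment, ready for a Talos / VirusTotal hash lookup.
        "attachments": [(p.get_filename(), hashlib.sha256(p.get_payload(decode=True)).hexdigest())
                        for p in msg.iter_attachments()],
    }
```

For a real case, read the saved .eml with `open(path, "rb").read()` and pass it to `triage`; the defanged values can be pasted straight into a ticket without risk of auto-linking.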

Questions

Question No 1: How can you manually get the location of a hyperlink?

Hint: Read the passage ca

Answer: Copy Link Location

Task 5: Malware Sandbox

As defenders, it’s not necessary to possess malware analysis skills to dissect and reverse engineer malicious attachments. Online tools and services known as malware sandboxes provide the capability to upload and analyze malicious files to gain a better understanding of their functionality. These services offer insights into various aspects of malware behavior, such as communication with URLs, additional payloads, persistence mechanisms, and Indicators of Compromise (IOCs).

Some of the online malware sandbox services mentioned include:

  1. Any.Run: This service allows users to analyze network, file, module, and registry activities. It enables direct interaction with the operating system from a web browser and provides immediate feedback on actions taken.
  2. Hybrid Analysis: Hybrid Analysis is a free malware analysis service that detects and analyzes unknown threats using a unique Hybrid Analysis technology. It’s designed to benefit the community by providing insights into potential threats.
  3. Joe Sandbox: Joe Sandbox offers a wide range of features for analysts, including live interaction, URL analysis, AI-based phishing detection, support for Yara and Sigma rules, MITRE ATT&CK matrix, AI-based malware detection, and more. It empowers analysts with tools for in-depth malware analysis and threat intelligence.

These malware sandbox services serve as valuable resources for analyzing and understanding the behavior of potentially malicious attachments. They will be utilized in upcoming phishing cases to aid in investigations and threat assessments.

Questions

Question No 1: Read the above.

No answer needed.

Task 6: PhishTool

The provided information discusses a tool called “PhishTool,” which aids in automated phishing analysis. PhishTool serves various roles for security professionals and analysts dealing with phishing threats:

  1. Overview: PhishTool is described as a comprehensive phishing response platform that combines threat intelligence, OSINT (Open Source Intelligence), email metadata, and automated analysis pathways. It is designed to help security researchers, SOC (Security Operations Center) analysts, threat intelligence analysts, and investigators combat phishing attacks effectively.
  2. Features: The tool offers the ability to gather critical information from malicious emails, including details such as email sender, recipient (including CCed email addresses), timestamp, originating IP with reverse DNS lookup, SMTP relays, X-header information, and IP info. It also provides insights into email body content, attachments, and URLs.
  3. Integration with VirusTotal: PhishTool can connect with VirusTotal using a community edition API key, allowing users to automatically obtain information about attachments, including file names and hashes, without manual interaction with the malicious email. Additional actions can be performed with attachments, such as viewing Strings output and retrieving information from VirusTotal.
  4. Flagging and Resolution: Users can flag submissions as malicious and add notes, similar to how SOC analysts handle cases. This helps in tracking and managing identified threats. The attachment file name and file hashes can be marked as malicious, and the case can be resolved with different classification codes based on the type of phishing email.
  5. Classification Codes: Classification codes are mentioned as a way to categorize phishing emails into specific types, such as “Whaling” for high-value target phishing attacks, like those targeting CFOs.

The provided information gives an insight into how PhishTool can assist in automating the analysis of malicious emails, enhancing the efficiency of security professionals in identifying and responding to phishing threats. It also highlights the tool’s integration with VirusTotal and its capabilities for flagging, resolving, and classifying phishing cases.

Questions

Question No 1: Look at the Strings output. What is the name of the EXE file?

Answer: #454326_PDF.exe

Task 7: Phishing Case 1

In this task we are given a machine with an email on it, which we have to analyze to answer the given questions.

Questions

Question No 1: What brand was this email tailored to impersonate?
Question No 2: What is the From email address?
Question No 3: What is the originating IP? Defang the IP address.
Question No 4: From what you can gather, what do you think will be a domain of interest? Defang the domain.
Question No 5: What is the shortened URL? Defang the URL.

Answer: Netflix
Answer: JGQ47wazXe1xYVBrkeDg-JOg7ODDQwWdR@JOg7ODDQwWdR-yVkCaBkTNp.gogolecloud.com
Answer: 209[.]85[.]167[.]226
Answer: etekno[.]xyz
Answer: hxxps[://]t[.]co/yuxfZm8KPg?amp=1

Procedure: You can open the given email in Thunderbird or any other email client. For the first two questions and the last one you can extract the data easily from the rendered email, but for questions 3 and 4 you have to view the source code; the answers can be found there.

Task 8: Phishing Case 2

In this task the previous email is uploaded to Any.Run, and a link to the Any.Run analysis is given so we can analyze it and answer the questions.

Questions

Question No 1: What does AnyRun classify this email as?
Question No 2: What is the name of the PDF file?
Question No 3: What is the SHA 256 hash for the PDF file?
Question No 4: What two IP addresses are classified as malicious? Defang the IP addresses. (answer: IP_ADDR,IP_ADDR)
Question No 5: What Windows process was flagged as Potentially Bad Traffic?

Answer: Suspicious Activity
Answer: Payment-updateid.pdf
Answer: cc6f1a04b10bcb168aeec8d870b97bd7c20fc161e8310b5bce1af8ed420e2c24
Answer: 2[.]16[.]107[.]24,2[.]16[.]107[.]83
Answer: svchost.exe

Procedure: For question 1 you can look in the upper right corner and see what Any.Run is marking the file as. For the second question you can also see the name of the file there in the upper right corner.
To find the SHA 256 hash of the file, click on the file name and more details will open up. You will find the hash there.

Or you can click on the text report, which you will find in the right corner, and a detailed report will pop up. You can find the answers for the first three questions in the General Info group, and for questions 4 and 5 you can get the information from the Network Activity group.

Task 9: Phishing Case 3

In this task, the malicious attachment from a phishing email inspected in the previous Phishing Room was uploaded to Any.Run for analysis, and a link to the Any.Run analysis was given for answering the questions.

Questions

Question No 1: What is this analysis classified as?
Question No 2: What is the name of the Excel file?
Question No 3: What is the SHA 256 hash for the file?
Question No 4: What domains are listed as malicious? Defang the URLs & submit answers in alphabetical order. (answer: URL1,URL2,URL3)
Question No 5: What IP addresses are listed as malicious? Defang the IP addresses & submit answers from lowest to highest. (answer: IP1,IP2,IP3)
Question No 6: What vulnerability does this malicious attachment attempt to exploit?

Answer: Malicious activity
Answer: CBJ200620039539.xlsx
Answer: 5F94A66E0CE78D17AFC2DD27FC17B44B3FFC13AC5F42D3AD6A5DCFB36715F3EB
Answer: biz9holdings[.]com,findresults[.]site,ww38[.]findresults[.]site
Answer: 204[.]11[.]56[.]48,103[.]224[.]182[.]251,75[.]2[.]11[.]242
Answer: CVE-2017-11882

Procedure: You can open the text report from the upper right corner. After opening the report you will find the answers to questions 1, 2, 3 and 6 in the General Info group, and for questions 4 and 5 you have to look in the Network Activity group.

Task 10: Conclusion

This task was the conclusion, with some more links to tools that may be helpful.

Questions

Question No 1: Read the above.

No answer needed.

Thanks for reading; for more write-ups you can leave a comment.

Written by Abdur Rehman Rehan

Software engineering student | Documenting my learning journey.