BTLO - Phishing Analysis
Challenge: https://blueteamlabs.online/home/challenge/phishing-analysis-f92ef500ce
Scenario
A user has received a phishing email and forwarded it to the SOC. Can you investigate the email and attachment to collect useful artifacts?
Tools
- Text Editor
- Mozilla Thunderbird
- URL2PNG
- WHOis
Q1
Who is the primary recipient of this email?
Recon
For this question you could simply use an online tool such as EML Viewer to convert the .eml file to a PDF, but the risk is that a lot of information (the raw headers and MIME structure) gets lost in the conversion, and uploading a suspect sample also hands it to a third party. The better approach is to install Mozilla Thunderbird and open the .eml file directly; the recipient is shown in the To field.

Flag: kinnar1975@yahoo.co.uk
Q2
What is the subject of this email?
Recon
Same as the previous question: the Subject line is visible in Thunderbird.

Flag: Undeliverable: Website contact form submission
Q3
What is the date and time the email was sent?
Recon
Same as the previous question: the Date field is shown alongside the headers.

Flag: 18 March 2021 04:14
Q4
What is the Originating IP?
Recon
For this one, open the raw .eml in a text editor and search for the string "Originating"; the header line that matches carries this IP.

Flag: 103.9.171.10
Q5
Perform reverse DNS on this IP address, what is the resolved host? (whois.domaintools.com)
Recon
Look the IP up directly with the online tool given in the question (whois.domaintools.com) to see its reverse DNS record. The same check can be run locally with `dig -x 103.9.171.10` or `nslookup 103.9.171.10` without sending the indicator to a third-party site.

Flag: c5s2-1e-syd.hosting-services.net.au
Q6
What is the name of the attached file?
Recon
As in Q1, opening the message in Thunderbird shows that it carries one attachment; its name is listed in the attachment pane.

Flag: Website contact form submission.eml
Q7
What is the URL found inside the attachment?
Recon
Same as the previous question: click into the attachment (itself an .eml message) and a URL appears in its body. Note that the accepted answer runs two blogspot links together (.sg and .co.il) with no separator between them.

Flag: https://35000usdperwwekpodf.blogspot.sg?p=9swghttps://35000usdperwwekpodf.blogspot.co.il?o=0hnd
Q8
What service is this webpage hosted on?
Recon
Same as the previous question. For this one I followed the explanation in reference 1: look at the hostname of the phishing URL, whose second-level label identifies the hosting platform.

Flag: blogspot
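The same artifacts (Q1 to Q4 and Q6 to Q8) can be pulled from the .eml without Thunderbird or an online converter, using only Python's standard library. The following script is an added example and is not part of the original write-up or the challenge material. The sample message embedded in it is constructed: the header values and the URL are the answers reported above, while the message structure (a bounce with the original message attached as message/rfc822), the From addresses and the exact Date header with its +0000 offset are assumptions, not the real challenge file.

```python
"""Pull triage artifacts out of an .eml with Python's standard library.

Added example, not part of the original walkthrough. It answers the same
questions the write-up answers by hand in Thunderbird and a text editor:
recipient, subject, date, originating IP, attachment name, the URL inside
the attached message and the hosting service behind that URL.
"""
import re
import sys
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlparse

# Constructed sample. The header values and the URL are the ones the
# walkthrough reports as answers; the structure (a bounce with the original
# message attached as message/rfc822), the From addresses and the exact Date
# header with its +0000 offset are assumptions, not the real challenge file.
SAMPLE_EML = """\
From: postmaster@example.invalid
To: kinnar1975@yahoo.co.uk
Subject: Undeliverable: Website contact form submission
Date: Thu, 18 Mar 2021 04:14:00 +0000
X-Originating-IP: [103.9.171.10]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain; charset="utf-8"

Your message could not be delivered to the recipient.

--outer
Content-Type: message/rfc822; name="Website contact form submission.eml"
Content-Disposition: attachment; filename="Website contact form submission.eml"

From: webform@example.invalid
To: kinnar1975@yahoo.co.uk
Subject: Website contact form submission
Content-Type: text/plain; charset="utf-8"

https://35000usdperwwekpodf.blogspot.sg?p=9swghttps://35000usdperwwekpodf.blogspot.co.il?o=0hnd

--outer--
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Stops at whitespace and quote/angle characters; two URLs written with no
# separator between them (as in this challenge) come back as one string.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def originating_ip(msg):
    """Mirror the text-editor search for 'Originating': check every header whose
    name contains that word and return the first IPv4 literal in its value."""
    for name, value in msg.items():
        if "originating" in name.lower():
            match = IPV4_RE.search(str(value))
            if match:
                return match.group(0)
    return None


def hosting_service(url):
    """Heuristic for subdomain-based blog hosts: return the label right after
    the left-most one, e.g. 'blogspot' for x.blogspot.sg or x.blogspot.co.il."""
    labels = (urlparse(url).hostname or "").split(".")
    return labels[1] if len(labels) > 2 else None


def parse_eml(raw):
    """Return the artifacts for Q1-Q4 and Q6-Q8 as a dict."""
    msg = message_from_string(raw, policy=policy.default)
    sent = parsedate_to_datetime(str(msg["Date"]))
    result = {
        "recipient": parseaddr(str(msg["To"]))[1],
        "subject": str(msg["Subject"]),
        "date": sent.strftime("%d %B %Y %H:%M"),
        "originating_ip": originating_ip(msg),
        "attachment_name": None,
        "attachment_url": None,
        "hosting": None,
    }
    for part in msg.iter_attachments():
        result["attachment_name"] = part.get_filename()
        if part.get_content_type() == "message/rfc822":
            inner = part.get_content()  # the attached message, parsed
            body = inner.get_body(preferencelist=("plain", "html"))
            text = body.get_content() if body is not None else ""
        else:
            text = part.get_content()
            if isinstance(text, bytes):
                text = text.decode("utf-8", "replace")
        match = URL_RE.search(text)
        if match:
            result["attachment_url"] = match.group(0)
            result["hosting"] = hosting_service(match.group(0))
            break
    return result


if __name__ == "__main__":
    # Usage: python eml_triage.py suspicious.eml  (defaults to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            raw = fh.read()
    else:
        raw = SAMPLE_EML
    for key, value in parse_eml(raw).items():
        print(f"{key}: {value}")
```

The URL regex is deliberately greedy up to whitespace, which is why the joined .sg/.co.il string is returned exactly as the challenge accepts it; in a real triage you would then split and defang such a value before recording it. Reverse DNS for Q5 is left out on purpose, since it needs a network lookup rather than the file.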
Q9
Using URL2PNG, what is the heading text on this page? (Doesn’t matter if the page has been taken down!)
Recon
For this one, just use the online tool URL2PNG, which renders a screenshot of the page so you can read the heading without opening the phishing link in your own browser.

Flag: Blog has been removed