Analyze email headers and threat intelligence to identify phishing indicators, malware persistence, and C2 channels, extracting actionable IOCs.


Introduction


It’s no secret that I’m no stranger to phishing emails. A lot of the grunt-y SOC work I do is analyzing potential phishing emails. Some people consider it boring or repetitive and while I understand this sentiment I don’t entirely agree with it. The process can be pretty fun if you see new phishing lures and compile IOCs.

It looks like we’ll be doing something similar in this challenge from CyberDefenders.


Question one

Identifying the sender’s IP address with specific SPF and DKIM values helps trace the source of the phishing email. What is the sender’s IP address that has an SPF value of softfail and a DKIM value of fail?


First thing we need to do is actually look at the .eml file. I’ll cut out the HTML/Body of the email and we’ll first start by looking at the headers. Fair warning, this is a big block of text but I’ll break it down for the questions:

Received: from SJ0PR01MB7512.prod.exchangelabs.com (2603:10b6:a03:3d2::9) by
 DS7PR01MB7855.prod.exchangelabs.com with HTTPS;Thu, 9 Dec 2022 14:58:55
 +0000
ARC-Seal: i=2; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=fail;
 b=duSdPQF6MkHA6NDKezdwwXo0cytNw6pKTyXfmDvi22cwiu15XbtSLWvmqSHiYcaOHDQNUg5f7tY+9JY/CEBHmaBO7E3lusTGIpLFNrNF7v4HyOwH2/XWf+JxNDSUM3TE24w0u8DhCnVy2lAoiH/iINzpcewzwrIQWVvKXkhk8UGbOf4SIgEJfiv9JrrQVPUql0wysWGU3gqoduOgIbFvpjyyGiS/Exd9ddgnfa0sS+83SRQg3jVmLEfSVcmg+9wvZfR6wFcX9Sga7efMqt6a9hT0q3ajrVBYuH+sY2El9UVvViZREf/FBYYkzJ8xO5oLFQanthp6EoFyN/DqNgO2Tw==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=AXBCwGkRxYZo4VpdXt4XQsGpZAHIDSpANJ7sP0OmP3M=;
 b=YV4rXtkEs8amVnLpcgziiiy3nO93s3HgMRy5SCHjk2Hw+yNPHRtJ2XWmWhSPI6W5aaIFstGBWpjyhE0u9A3vzC9r7ooUojm+hWE3Np2Kr2RyqtHrGzRQkzlGQ51vzG1U7jFokrXN0bUclFoXMlhZMvIoATxCZfj+TpT/zyoVxok1bxb1fyul8TWqqvPVFWO3lB38fuZ7QXcLCoc0GwVELhF8RfiHlEqiyS8u5emyOlJOSZBO1RniGFcZ+eDvGfM9bSui8daMiifi7VvoaMX0+ed6ajqa1zsBzWOD4BfGyVSgD5udi6wtnzcTKcqDJo9JyTfocwmCR8FIhINRFo0CcQ==
ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=softfail (sender ip
 is 18.208.22.104) smtp.rcpttodomain=fsfb.org.co smtp.mailfrom=uptc.edu.co;
 dmarc=none action=none header.from=uptc.edu.co; dkim=fail (no key for
 signature) header.d=uptc.edu.co; arc=fail (35)
Received: from BL1PR13CA0359.namprd13.prod.outlook.com (2603:10b6:208:2c6::34)
 by SJ0PR01MB7512.prod.exchangelabs.com (2603:10b6:a03:3d2::9) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.7025.29;Thu, 9 Dec 2022 14:58:44 +0000
Received: from BL6PEPF0001AB51.namprd04.prod.outlook.com
 (2603:10b6:208:2c6:cafe::8b) by BL1PR13CA0359.outlook.office365.com
 (2603:10b6:208:2c6::34) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7046.19 via Frontend
 Transport;Thu, 9 Dec 2022 14:58:43 +0000
Authentication-Results: spf=softfail (sender IP is 18.208.22.104)
 smtp.mailfrom=uptc.edu.co; dkim=fail (no key for signature)
 header.d=uptc.edu.co;dmarc=none action=none
 header.from=uptc.edu.co;compauth=softpass reason=201
Received-SPF: SoftFail (protection.outlook.com: domain of transitioning
 uptc.edu.co discourages use of 18.208.22.104 as permitted sender)
Received: from inpost.tmes.trendmicro.com (18.208.22.104) by
 BL6PEPF0001AB51.mail.protection.outlook.com (10.167.242.75) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.7046.17 via Frontend Transport;Thu, 9 Dec 2022 14:58:42 +0000
Received: from 209.85.221.65_.trendmicro.com (unknown [192.168.179.155])
	by inpost.tmes.trendmicro.com (Postfix) with SMTP id 195401000084A
	for <servicios.informaticos@fsfb.org.co>;Thu, 9 Dec 2022 14:58:42 +0000 (UTC)
ARC-Authentication-Results: i=1; tmes.trendmicro.com; spf=pass (sender IP address: 209.85.221.65) smtp.mailfrom=uptc.edu.co; dkim=none (no processed signatures) header.d=uptc.edu.co; dmarc=pass action=no records header.from=uptc.edu.co; arc=none
ARC-Message-Signature: i=1; a=rsa-sha256; d=tmes.trendmicro.com;
	s=tm-arc-20210909; t=1701097121; c=relaxed/relaxed;
	bh=AXBCwGkRxYZo4VpdXt4XQsGpZAHIDSpANJ7sP0OmP3M=; h=From; b=DWbGdzZDbHDWC4dTaUens7tgxkLjC7esdzXEOixEmOMtolAQuuZXge+056e1LU1EMxahXgFQm6CaCpEo7okxRwumjyK2pS0eE5V8UD3lCfu1cUBDI+lGaywMOm5Xd7jatj7N0BWeZWxEF8N/WujwCmaN9RNkuR+lNBppNtJBFpNrt9glk9JoQ+C+e2bU8mjaAELLyHeOv077i2urFWLHqQSVaUBjWWm0u0i/NG7iasJ8pifEgrSZqYjXu1sfe6HOuj/CWX+lwfDa7BshiFOZK9wzuNbOwPt1oqhV7hOwK/g9wtFY72S5dGTOaQzlIOEKFaWVthiqi4B0UsG+xGCnDg==
ARC-Seal: i=1; a=rsa-sha256; d=tmes.trendmicro.com; s=tm-arc-20210909;
	t=1701097121; cv=none; b=UdHxl1yJJs2VtK8s9vN04N0pUlxOtE3PETGR6QMhDnmZeDLCQTUShy3WuRfHuVJxIGTilr3bme+2tlD47aS5gLVs3dPYqcxEaAQEB0ZF/F7sY61jRk9jZP39hzGoMbPMTX52999xl5dArGnxs1p5xhRz9juF+HXhzyj0bVYnZgL8KDuyF0ZV+P2mCAHqXgyAN7J+2/Kk7WVsPMwWfu85ijKPgBdjUVh03nCNYNbjQLvf0rDtU8bUBGMBAei5fibK/q9DES2hlO4ecNjs8RbjWjQ0xPgozU0ZNz1G0q86jVMwbAubtE9HJW9Ilkfruj4/2sHRenZadpd9nffHLl5MfA==
X-TM-MAIL-RECEIVED-TIME: 1701097120.129000
X-TM-MAIL-UUID: f86ee56d-45a1-4047-a089-259743fd1d23
Received: from mail-wr1-f65.google.com (unknown [209.85.221.65])
	by inpre01.tmes.trendmicro.com (Trend Micro Email Security) with ESMTPS id 1FC7A1001A291
	for <servicios.informaticos@fsfb.org.co>;Thu, 9 Dec 2022 14:58:39 +0000 (UTC)
Received: by mail-wr1-f65.google.com with SMTP id ffacd0b85a97d-332e7630a9dso2382526f8f.1
        for <servicios.informaticos@fsfb.org.co>;Thu, 9 Dec 2022 06:58:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=uptc.edu.co; s=google; t=1701097119; x=1701701919; darn=fsfb.org.co;
        h=to:subject:message-id:date:from:mime-version:from:to:cc:subject
         :date:message-id:reply-to;
        bh=AXBCwGkRxYZo4VpdXt4XQsGpZAHIDSpANJ7sP0OmP3M=;
        b=NwF8huivlnLffwG7YMSmTV92HNtJXhmfSDBgMi99gm08NZRrXuvF9kXylETqqxxpyK
         ASKLWUDfKtbR7Hud1mrbY5vB4XkwKmCuHJcu8xG5Qm15EVQJqDSSuv6Y/ygHd8Tcq8On
         TDu0mnBWojoRRJ+yxp8ukkWJ2L+CLYr3DN1E0xDT+U4mgIu5rjikAOwGcyxdQW7n4X/7
         nDUUh0VNN/XDKJOhMSmXfhsHpMBYUNcWCc0bF3pETnxjN3Rg1E+UjkpC+5tjnDueE2J5
         /JIfUoKnQLgF2hgfA+fRFwPdnl3J238w/CdvFyiCCJk+9+5cEFKatZ61BCtVkAF77W/d
         ItBg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1701097119; x=1701701919;
        h=to:subject:message-id:date:from:mime-version:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=AXBCwGkRxYZo4VpdXt4XQsGpZAHIDSpANJ7sP0OmP3M=;
        b=OvUyZ7ExHHb/5FvMmJyR22c2e63VtrRtXkehN7y4cPOuUnT2IPbr9EQxPvI0ad4QbJ
         qDDMZKJJZiLqU4GZug2mb1CFc1YKzNWh8mN2Jw1IigXj+wmAS+EB/sBk/JjKaNJWaufJ
         677nNREdROoOzs9qu0IKla7lFrTtUx3JUd4d/iHlVVy2RheME9yE90yKHR12ZYrPf31E
         ecZPew2/nnf0pdfgiotVZQFGFUnmW8j8cfm6J8ZU7y/tfKZjFFY/pxcGLZBbETmNrCTb
         Dk889wSUHC2jFnPr10bwqS9z8TCYjPWokw6e8owfFSXy12yT+xYjBcVgUilr2QucGm6H
         WwiQ==
X-Gm-Message-State: AOJu0Yz1hB6sxRfr6Fvyiu5jfQxWwcL/eebVxJCfr1ys9sRMBKCHQK4g
	AUdZEYqe4DtQbDRyZ7SGeehqF98PnR8/irGCbdhta7xY1WoBBxpeRftRK+a7jW0DzaOPeP8PhwR
	ioQqBgu4H1hpcTn1OsrqQMiX0ILt4GlGAdTMom3gf
X-Google-Smtp-Source: AGHT+IFix1G3eFkcolVgyECC77LEp2PgXj8JEMZGkcINeY3Q2tHY93W4bAQcwg49Rh2IqygdVNVb4QlASoRzZ5B3MTY=
X-Received: by 2002:a5d:68cc:0:b0:332:ef1e:bb96 with SMTP id
 p12-20020a5d68cc000000b00332ef1ebb96mr4967072wrw.36.1701097118266; Mon, 27
 Dec 2022 06:58:38 -0800 (PST)
From: ERIKA JOHANA LOPEZ VALIENTE <erikajohana.lopez@uptc.edu.co>
Date:Thu, 9 Dec 2022 09:58:26 +0100
Message-ID: <CABWu4iua5_uex6=G8pi_OJz1tBLJiNakMK-1=7128orpzxbKxw@mail.gmail.com>
Subject: COMMERCIAL PURCHASE RECEIPT ONLINE 27 NOV
To: undisclosed-recipients:;
X-TM-Authentication-Results: spf=pass (sender IP address: 209.85.221.65) 
	smtp.mailfrom=uptc.edu.co; dkim=none (no processed signatures) 
	header.d=uptc.edu.co; dmarc=pass action=no records 
	header.from=uptc.edu.co; arc=none
X-TM-AS-ERS: 209.85.221.65-127.9.11.1
X-TMASE-Version: StarCloud-1.3-9.1.1015-28024.000
X-TMASE-Result: 10--9.765100-5.000000
X-TMASE-MatchedRID: KxrMY5blxgLom21DJQMYHjK7s+7v7qdjzgmbQoUBPrCUxHp21l/HNXTq
	fjjAFT//seqTZwPzCEB2j98M0rCjea73Rku1zlwXEYobM1icUNga1WNDFwpNrd2oj6y+p2pg2Yt
	w8Krx1G2B2jWalsBtRCLA4fdzbwGfmKBt2I/npk/WLSTNzTBAg8nqBSRk6qpeqXNpl1fc2de/ke
	pMMxSwrY5XIBp5b33L1wma+K3olV2YGEfHeIUeGVUohBmQ2oPXEsIJ03+wmEmoaHUhG+3a1bmxV
	WwjAJY9Cw8DGuVcqzU0Q4IP70POV3qdbwhS+n29ZHF31o7zP5wsHur6REDA+6LFsgI9h5bkoYex
	lmywR2WjD2+NAISRQJS2pM5JNjjcOqx2Oo8j7qJFePCwvtCPKFvggDZAgUPcyNuy/KtGqgYg8ep
	9cHcSszW5f+Ohjff/85jBNFZ87DbROgFhSJsWLJGfTSjzmL/7L5wv/TDWIgQ72Ov4FJ4woOn/q6
	PN9Ax59sLgmFgTzErf+2mzuKJj0Qcxi3xfDp7PWyj6TaRAAGnw17rbLxbhmo6OonspVB/jM/cA0
	cmVuD8PUzKU7aG2/6rBqLM48vKzH7WbjGX5tknVLrJfyVWkTehuir1DlKjgNdT+uNfBjaGqyUp+
	oK4Q3fKVnX2qkQfVgq/lUeHrbDYhuEmyGh+Cw1rJp/0y4AzxjYOmfKMkD7ZoKr/i+NYUXzDpdWZ
	t86C8uzvu9O/gQsz4ki3mpRNFYHLDTwbGzdrYewkA5d2ECrJeqqPsiiwjLFcJezWV/pJs+9hSTa
	7q5/B+HVvSk54eRsfKxPdpKtB93voO92n3LCpTYe7NzoDp5rO3pVSPKguFs9jYXdSCst8zKzEHd
	FlD+VvSyY0nIGtpR5yw5prPffgRLjqoJJt/9SnhSIr3PXLAA3+iPIxcfrZv+N8L5QzLc6VY22dP
	8q7Cwd1xdkbc9M7cS99/wFVOgXd/sgtU5OXNImxnQvgkai0i4mJ41W/O+n7cGd19dSFd
X-TMASE-SNAP-Result: 1.821001.0001-0-1-22:0,33:0,34:0-0
X-TMASE-XGENCLOUD: ca27a24a-439c-45a2-8b62-1816f95c8af5-0-0-200-0
X-TM-Deliver-Signature: FF3AF48B9E7ACFA2637224DB2C528FB9
X-TM-Addin-Auth: 0QFCq84X9409UiJI681LpaKrma0M5LKB6fgWtBj/ZtP+iNrG06usJ4a+ap9
	Rc498sXcSsO4ETNL74Ivaxzaxl6c5nqgLje0/0O7OwS+wMxD9Do5ZXm7zP51yJcyOzxizsiyJ0r
	TYWUdbsHUkTYw1uOWmNq5pFZO+z1y7uOpCD26GAe5yaW5hWG/Tmahoh2ImBALRzRO9y174cSMiu
	+PuHZgrAfbdySLm3SA3Hod/rYLakYT5AhYZDYH++OaY08k5sSlGY+1fynUH2iTU+QIEe4im9OMN
	3pW4zspMSOwXDS5AZvlWq2L8q1duXBZ/dLrv.kPBAb3zN+SnyH/OfiUjy7VgwnkgnEmdIrD3a2W
	5dXZK2oYrMftBBvCWzRo83X9rfDtxhDvFwOUzf9CN4vxtgb6qt6D0twPPyTy18c9INyPlQ7nE6A
	CxAaoqjU820g/ZDHS+UqkSFBiQhaa7Q0nJyfaIaWnUb4MJI5pI7pNYraYNvjn9kv1AYm59PZ+sf
	biOTPdeEhe91Cr5WaJOyGrYI6wlT+iU4MifxjyGd7X3tUmQKUrP7LdvFTlSZT8udm7z4GvvokeJ
	H6WZowlAaXwpRtspA3OYftaaJTO5rtvOOjaDFFY2Wb4OFSOB2U1iew0yyUHxcXW9HqqzW9YddOr
	IJYw==
X-TM-Addin-ProductCode: EMS
Return-Path: erikajohana.lopez@uptc.edu.co
X-MS-Exchange-Organization-ExpirationStartTime: 9 Dec 2022 14:58:42.2762
 (UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id: 32a18cdc-4dec-4080-e3f7-08dbef5958b9
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: e0d6cf19-1003-4fdb-b89c-088c0dd88e63:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: BL6PEPF0001AB51:EE_|SJ0PR01MB7512:EE_|DS7PR01MB7855:EE_
X-MS-Exchange-Organization-AuthSource: BL6PEPF0001AB51.namprd04.prod.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Office365-Filtering-Correlation-Id: 32a18cdc-4dec-4080-e3f7-08dbef5958b9
X-MS-Exchange-AtpMessageProperties: SA|SL
X-MS-Exchange-Organization-SCL: 1
X-Microsoft-Antispam: BCL:0;
X-Forefront-Antispam-Report: CIP:18.208.22.104;CTRY:US;LANG:es;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:inpost.tmes.trendmicro.com;PTR:inpost.tmes.trendmicro.com;CAT:NONE;SFS:(13230031)(4636009)(230473577357003)(230373577357003)(1690799017)(451199024)(109986022)(82310400011)(5930299018)(26005)(6666004)(58800400005)(33964004)(9686003)(336012)(66574015)(1096003)(8676002)(55446002)(5660300002)(22186003)(86362001)(42186006)(166002)(83380400001)(7596003)(7636003)(356005)(127190200002)(15940465004)(14943795004);DIR:INB;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 9 Dec 2022 14:58:42.1825
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 32a18cdc-4dec-4080-e3f7-08dbef5958b9
X-MS-Exchange-CrossTenant-Id: e0d6cf19-1003-4fdb-b89c-088c0dd88e63
X-MS-Exchange-CrossTenant-AuthSource: BL6PEPF0001AB51.namprd04.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ0PR01MB7512
X-MS-Exchange-Transport-EndToEndLatency: 00:00:13.6210084
X-MS-Exchange-Processed-By-BccFoldering: 15.20.7025.020
X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003)(1420103);
X-Microsoft-Antispam-Message-Info: =?iso-8859-1?Q?H4FRhJu7gYvjAG6cppLoUbUoPtOo6E0er7VAbOne3tfq9qWsFomfR7sVue?=
 =?iso-8859-1?Q?CE67SW8gLIiLu02CA9aDlSygNn0FY6xYoi86LcuvbQp9rAaXvt928+kWlm?=
 =?iso-8859-1?Q?hvLN7QonztV4Ffj6ILzliFK5qJPh4ljugLYAlJIoWVy9Oyay5uBSN3yYZa?=
 =?iso-8859-1?Q?0kLmcAIgaaiIQAdyfLbtlz/GgKlK3sKLaYj9rn69NUvrmXfW8Z8W3Zxvws?=
 =?iso-8859-1?Q?Piy8/N+XAvPwqKGn9DHLPPbBvOtNecxSx8R6Hx0aRUkoQKK1CxF20wNbyv?=
 =?iso-8859-1?Q?5RGhfhIrIg1sJ1vf6Se/pw2Nhf3K2BURXYcRZgAPdftX+A5cfx2ZAScxnu?=
 =?iso-8859-1?Q?l57eDNYFHcaHu7wsZUOCqLNZXDV+TH3mgAnKbcbur32ByxneoN67qlqwv5?=
 =?iso-8859-1?Q?eiCZwNV6L6mwmaXVcoROBrlKDK3MW842d9XYMIabAvreBXqb9lJ9QmoK5K?=
 =?iso-8859-1?Q?C4ppkbYDs4r9y/b6GD1i7ERkf6zw5bO2HUsycdh++0Ft8glpGOxM2dn3//?=
 =?iso-8859-1?Q?zQMkU2Ra0bwuzOAfn+szfH6mKjlzRY88cjPUdC2KbD3C68oRYwU327qBBC?=
 =?iso-8859-1?Q?0EKyokt5Ul1wFFMCmZP+vJbfVexmrw0hgCzLSqoo9J2v94kpC2Aeovi1Ga?=
 =?iso-8859-1?Q?IiIm4l4CC4k4Moqd8InuiNQUKuQ7GCmP2M58ZaP1rfF/1z75dP+YPK7dtp?=
 =?iso-8859-1?Q?afiEChEITQ0/ZFQjKeX4n3lj97X+46yaUMhAbsDjmauHH8xT92m1V8M0IP?=
 =?iso-8859-1?Q?AozJ18gELbBdJVjr3DleQBk6sEzLFLFyqGJwWn0NLX7yNgY3Yn2YbXO0WK?=
 =?iso-8859-1?Q?oSfgzzg/V5Dk1aQe4ZPGTGx6s019thbCtze57JIWdKWs9Y7fMHTDfKuxHp?=
 =?iso-8859-1?Q?esPlhyPtF6Na0U0kWdgpMMRKmyfkn6RAisysF+32OqmRpxPNNSQat1Cd9+?=
 =?iso-8859-1?Q?HSRt3m6X16vsBpl1r1s1QJjS59I94dr8oL6fo6weHbEgyBlVg7No/LI168?=
 =?iso-8859-1?Q?op/Mpe/NP2rYKtNXaGd1cWJCI8GL2TNXFBvGEKyOfsqBAnw4U7h6svFiI0?=
 =?iso-8859-1?Q?K8GjAOJfb1ORw8SmPs93bsvlhOwjgLgGLpqbc64SGQfvRzgyfSIf/0uNhj?=
 =?iso-8859-1?Q?SZsr58NLlDXLbp4Yleco0jMufak8ae2thueWr+7q1bgzTZo1V87etNhaiS?=
 =?iso-8859-1?Q?PQ+OA3VcxC2vjgM14inLVijr2LjXYiaGTGDLxWgbtVsDIctaQug2HpkMsH?=
 =?iso-8859-1?Q?Ffb8ek/kqP4TEj6gldQyb29m6LilG91fT+KW5LGKJw5TXmjm4zIw+MEYK+?=
 =?iso-8859-1?Q?M+n+k5NyjysPT7JJi44nWEQ/QqH/h0OP9vuT+5toH41R44TumdZnlxDzbn?=
 =?iso-8859-1?Q?11QnpE3ttaXWDb5Z4JYwIDva1dLTNlq1QI3DOX+wmwpneDxF428Fea3N7h?=
 =?iso-8859-1?Q?D2AunhpmuKXNWoXYOnsO5FKbqVHZf9nEn6cHBCZWBdYqs+mJy0b0h3RjFA?=
 =?iso-8859-1?Q?WQ2xzRQYm9QDupxUrqoJezKkzODv5gH0YDl2IrSJQNPb3NgUELV4Bi3jOM?=
 =?iso-8859-1?Q?WNtUyI1bhqMXY73v3WTahecF5oIrdU545ekHvRJn7+ipJIlo0lCuqb3RYq?=
 =?iso-8859-1?Q?uFSMOKOOX99hAMd8zsPVNmSs4Kwjp+THx9pl0r5O+GiZi4EyI7kkvFNglx?=
 =?iso-8859-1?Q?L4AoipvAX3GwaL1nXfLlkD1SDdgPJqc1ZXlvBKcb+tF/wEESpsx22le5gM?=
 =?iso-8859-1?Q?eqQzQf0neh0QuJ1eKTzEq4+JmpWoLdlG6b2WTw+l4aXTeWswjrDBEwjDnU?=
 =?iso-8859-1?Q?SeWzG9V6d2+Yv/BLbaFtppbF92gulowuCGJ/dGYrUgMx6b+jE2SJw0o2hN?=
 =?iso-8859-1?Q?XUd0LtRSOZ+S7T9zpR3o7iamabN3EGMpUnBgGvvjWKzUWunbAkAmQQj9Yq?=
 =?iso-8859-1?Q?AtVBcSbP2gCGNt+mwZrmy1QW6vIpMEKpUH2gW0srSfY2dJ5F+KQ5O+zGT2?=
 =?iso-8859-1?Q?z6V7RM3uG9MUjnIePNkA4mhFVlDdaEvQVOunyMzXNBB21uqomD85/VKvT1?=
 =?iso-8859-1?Q?N7tKVwjkZKr3KFOHCTxOm/MvhELftxgCjD/kJfMTEA5+XGsul/pcbmzkNq?=
 =?iso-8859-1?Q?5tNbp8yGdkVO42ffIRrXgm1Y3ZJ1HhZUFjihN5oJhsbXyo8xkoYAXzYlh4?=
 =?iso-8859-1?Q?wRo=3D?=
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="------_=_NextPart_001_98774E78.6EF8C317"

That was a lot. How do we find the sender’s IP address?

The IP address of the sender actually shows up quite a few times throughout the headers. Our answer can be found in a few of the headers, but let’s focus on the ARC-Authentication-Results header:

ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=softfail (sender ip
 is 18.208.22.104) smtp.rcpttodomain=fsfb.org.co smtp.mailfrom=uptc.edu.co;
 dmarc=none action=none header.from=uptc.edu.co; dkim=fail (no key for
 signature) header.d=uptc.edu.co; arc=fail (35)

The headers give us the answer straight away here with the text sender ip is 18.208.22.104. Bear in mind that in most cases this IP is not too useful on its own. For example, if a phishing email was sent from a mailbox taken over in a Business Email Compromise (BEC), the sender IP will often be a Microsoft IP if the business uses Outlook. The same goes for a business or sender that uses Gmail: the IP will belong to Google and shouldn’t be blindly reported to VirusTotal.

I checked the IP address on VirusTotal and can see that this IP has not been reported and shows no malicious detections. Just because an IP address is present in the headers of a phishing email or in a .pcap, you shouldn’t assume that it is automatically malicious.


Question two

Understanding the return path of an email is essential for tracing its origin. What is the return path specified in this email?


Alright, here’s where we can get some real actionable indicators.

Email clients only really show the From header to end users. There can be a difference between the From and Return-Path (or Reply-To) headers, which is where spoofing can come into play. One of the very first things I do when looking at a potential phishing email is compare the From and Return-Path/Reply-To headers. Let’s take a look at these from our phishing email:

From: ERIKA JOHANA LOPEZ VALIENTE <erikajohana.lopez@uptc.edu.co>
Date:Thu, 9 Dec 2022 09:58:26 +0100
Message-ID: <CABWu4iua5_uex6=G8pi_OJz1tBLJiNakMK-1=7128orpzxbKxw@mail.gmail.com>
Subject: COMMERCIAL PURCHASE RECEIPT ONLINE 27 NOV
To: undisclosed-recipients:;
---
Return-Path: erikajohana.lopez@uptc.edu.co

Alright, there’s no spoofing going on here. That doesn’t mean that the email is legitimate, it just means these headers show no sign of spoofing. That’s our answer too!

It’s important to note that the From and Return-Path headers not matching is not, by itself, indicative of spoofing. If a company uses something like Mailchimp or another email marketing/automation platform then these headers will not match. In the Mailchimp example, the emails will actually come from a Mailchimp IP/Return-Path, but the From will often show the business. If you’ve signed up to a newsletter for a business then you should be pretty familiar with this.
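The two checks from questions one and two can be scripted. The following is an added example (not code from the write-up or from CyberDefenders) that parses a trimmed, constructed copy of the headers shown above with Python’s standard email library: it reads the SPF/DKIM verdict and the IP each hop evaluated out of every (ARC-)Authentication-Results header, then compares the domains of From, Return-Path and Reply-To. The function names are ours.

```python
"""Added example (not part of the original write-up): pull the SPF/DKIM
verdicts and the evaluated sender IP out of each (ARC-)Authentication-Results
header, then check whether From, Return-Path and Reply-To agree."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: a trimmed copy of the headers shown in the write-up
# (only the hops and authentication headers the questions rely on).
SAMPLE_EML = """\
Received: from inpost.tmes.trendmicro.com (18.208.22.104) by
 BL6PEPF0001AB51.mail.protection.outlook.com (10.167.242.75) with Microsoft
 SMTP Server id 15.20.7046.17 via Frontend Transport;Thu, 9 Dec 2022 14:58:42 +0000
ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=softfail (sender ip
 is 18.208.22.104) smtp.rcpttodomain=fsfb.org.co smtp.mailfrom=uptc.edu.co;
 dmarc=none action=none header.from=uptc.edu.co; dkim=fail (no key for
 signature) header.d=uptc.edu.co; arc=fail (35)
ARC-Authentication-Results: i=1; tmes.trendmicro.com; spf=pass (sender IP
 address: 209.85.221.65) smtp.mailfrom=uptc.edu.co; dkim=none (no processed
 signatures) header.d=uptc.edu.co; dmarc=pass action=no records
 header.from=uptc.edu.co; arc=none
Received: from mail-wr1-f65.google.com (unknown [209.85.221.65])
 by inpre01.tmes.trendmicro.com (Trend Micro Email Security) with ESMTPS id 1FC7A1001A291
 for <servicios.informaticos@fsfb.org.co>;Thu, 9 Dec 2022 14:58:39 +0000 (UTC)
From: ERIKA JOHANA LOPEZ VALIENTE <erikajohana.lopez@uptc.edu.co>
Subject: COMMERCIAL PURCHASE RECEIPT ONLINE 27 NOV
To: undisclosed-recipients:;
Return-Path: erikajohana.lopez@uptc.edu.co

(body omitted)
"""

# Matches both "spf=softfail (sender ip is 1.2.3.4)" (Microsoft) and
# "spf=pass (sender IP address: 1.2.3.4)" (Trend Micro) phrasings.
SPF_RE = re.compile(
    r"spf=(\w+)\s*\(sender ip(?: address)?:?\s+(?:is\s+)?([0-9.]+)\)", re.I)
DKIM_RE = re.compile(r"dkim=(\w+)", re.I)


def parse_eml(raw):
    return email.message_from_string(raw, policy=policy.default)


def auth_results(msg):
    """One dict per (ARC-)Authentication-Results header, in header order (newest hop first)."""
    rows = []
    for name in ("ARC-Authentication-Results", "Authentication-Results"):
        for raw in msg.get_all(name, []):
            value = re.sub(r"\s+", " ", str(raw)).strip()   # unfold continuation lines
            hop = re.match(r"i=(\d+)", value)                # ARC instance number
            spf = SPF_RE.search(value)
            dkim = DKIM_RE.search(value)
            rows.append({
                "header": name,
                "hop": int(hop.group(1)) if hop else None,
                "spf": spf.group(1).lower() if spf else None,
                "ip": spf.group(2) if spf else None,         # the IP *that hop* evaluated
                "dkim": dkim.group(1).lower() if dkim else None,
            })
    return rows


def find_sender_ip(msg, spf="softfail", dkim="fail"):
    """Question one: the IP evaluated by the hop that recorded the given SPF/DKIM verdicts."""
    for row in auth_results(msg):
        if row["spf"] == spf and row["dkim"] == dkim:
            return row["ip"]
    return None


def sender_alignment(msg):
    """Question two: do Return-Path and Reply-To use the same domain as From?"""
    def domain(header):
        addr = parseaddr(str(msg.get(header, "")))[1]
        return addr.rpartition("@")[2].lower() or None

    from_d, rp_d, reply_d = domain("From"), domain("Return-Path"), domain("Reply-To")
    return {
        "from": from_d, "return_path": rp_d, "reply_to": reply_d,
        "return_path_matches": rp_d == from_d,
        # no Reply-To means replies go to From, so treat that as aligned
        "reply_to_matches": reply_d is None or reply_d == from_d,
    }


if __name__ == "__main__":
    m = parse_eml(SAMPLE_EML)
    for row in auth_results(m):
        print(row)
    print("sender IP (softfail/fail):", find_sender_ip(m))
    print(sender_alignment(m))
```

Note that each hop reports the IP it received the message from: Trend Micro (i=1) saw Google’s 209.85.221.65 with spf=pass, while Microsoft (i=2) saw Trend Micro’s 18.208.22.104 with spf=softfail, which is why filtering on the verdict pair matters.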


Question three

Identifying the source of malware is critical for effective threat mitigation and response. What is the IP address of the server hosting the malicious file related to malware distribution?


We’re done with the headers for now. We can look at the body of the email to find the answer:

Content-Type: text/html;
	charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Commercial Purchase Receipt</title>
    <style>
        body {
            font-family: Arial, sans-serif;
        }
        .center {
            text-align: center;
        }
        .signature {
            margin-top: 20px;
        }
        .signature img {
            width: 420px;
            height: 81px;
        }
        .confidentiality {
            color: gray;
            font-size: 12px;
        }
    </style>
</head>
<body>
    <div class="center">
        <h1>Commercial Purchase Receipt</h1>
        <p>Your purchase Ref. 00034959 for the amount of $625.000 pesos has been successfully completed. The invoice document is attached for your full confirmation.</p>
        <p><a href="http://107.175.247.199/loader/install.exe"
        <p><strong>ACCESS CODE: 8657</strong></p>
    </div>
    <div class="center signature">
        <p><strong>Erika Johana López Valiente</strong></p>
        <p>Magister in Education, Research Mode</p>
        <p>LEB Teacher - FESAD</p>
        <img src="https://upload.wikimedia.org/wikipedia/commons/thumb/a/a0/Logo_de_la_UPTC.svg/512px-Logo_de_la_UPTC.svg.png" alt="Signature Image">
    </div>
    <div class="confidentiality">
        <p><strong>CONFIDENTIALITY NOTICE:</strong> This message and its attachments are intended exclusively for its addressee. It may contain privileged or confidential information and is for the exclusive use of the individual or entity to whom it is addressed. If you are not the intended recipient, you are hereby notified that reading, using, disseminating, or copying this communication without authorization is strictly prohibited by law. If you have received this message in error, please notify us immediately by the same means and delete it.</p>
        <p><strong>CONFIDENTIALITY NOTICE:</strong> The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.</p>
    </div>
</body>
</html>

Once again there’s quite a lot to process there. We’re not really interested in what is inside the <head> tag; this is just CSS that gives the email a bit of style. If you’re familiar with how HTML is written then the answer should be pretty easy to find.

In the <body> of the email we see that the email is pretending to be an invoice. The link to the invoice gives us the location of the malware:

    <div class="center">
        <h1>Commercial Purchase Receipt</h1>
        <p>Your purchase Ref. 00034959 for the amount of $625.000 pesos has been successfully completed. The invoice document is attached for your full confirmation.</p>
        <p><a href="http://107.175.247.199/loader/install.exe"
        <p><strong>ACCESS CODE: 8657</strong></p>
    </div>

There’s no domain name present which makes getting this answer pretty easy. We can note down the full link for later, but for now we have the answer for this question.
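Pulling links out of a body by hand works for one email, but the same step scripted is more useful when triaging a batch. The following added example (not code from the write-up) parses a constructed copy of this message, with the HTML part re-encoded as quoted-printable the way it arrives on the wire, extracts every URL and flags bare-IP hosts and direct executable downloads; it also covers text/plain parts, which this message does not have.

```python
"""Added example (not part of the original write-up): extract URLs from the
decoded HTML/text body of an .eml and flag the ones worth a second look."""
import email
import ipaddress
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample: the body from the write-up, trimmed and re-encoded as
# quoted-printable ("=3D" is "=", a trailing "=" is a soft line break).
SAMPLE_EML = """\
From: ERIKA JOHANA LOPEZ VALIENTE <erikajohana.lopez@uptc.edu.co>
Subject: COMMERCIAL PURCHASE RECEIPT ONLINE 27 NOV
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="BOUNDARY_EXAMPLE"

--BOUNDARY_EXAMPLE
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<html><body><div class=3D"center">
<p>Your purchase Ref. 00034959 for the amount of $625.000 pesos has been =
successfully completed.</p>
<p><a href=3D"http://107.175.247.199/loader/install.exe"
<p><strong>ACCESS CODE: 8657</strong></p>
<img src=3D"https://upload.wikimedia.org/wikipedia/commons/thumb/a/a0/Logo_=
de_la_UPTC.svg/512px-Logo_de_la_UPTC.svg.png" alt=3D"Signature Image">
</div></body></html>
--BOUNDARY_EXAMPLE--
"""

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.I)
EXEC_EXT = (".exe", ".scr", ".dll", ".msi", ".js", ".vbs", ".bat", ".ps1", ".hta")


def extract_urls(msg):
    """Every URL in the decoded text/html and text/plain parts, deduplicated in order."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            # get_content() undoes the transfer encoding and charset for us
            urls.extend(URL_RE.findall(part.get_content()))
    return list(dict.fromkeys(urls))


def classify(url):
    """Flag bare-IP hosts and direct executable downloads (triage hints, not a verdict)."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    try:
        ipaddress.ip_address(host)
        ip_literal = True
    except ValueError:
        ip_literal = False
    executable = parsed.path.lower().endswith(EXEC_EXT)
    return {"url": url, "host": host, "ip_literal": ip_literal,
            "executable": executable, "suspicious": ip_literal or executable}


def triage_body(raw_eml):
    msg = email.message_from_string(raw_eml, policy=policy.default)
    return [classify(u) for u in extract_urls(msg)]


if __name__ == "__main__":
    for row in triage_body(SAMPLE_EML):
        print(row)
```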


Question four

Identifying malware that exploits system resources for cryptocurrency mining is critical for prioritizing threat mitigation efforts. The malicious URL can deliver several malware types. Which malware family is responsible for cryptocurrency mining?


We can take the full URL from question three and pop that into VirusTotal. Thankfully this has been reported and detected before, so we don’t need to download the malicious .exe ourselves and analyze it.

The answer to this question can be found in the comments under the community section, however I don’t think this is the best way of finding the answer.

Instead of going to the VirusTotal page for the whole URL in the phishing email, let’s check VirusTotal for the IP address by itself. There are a lot more detections and interesting information on this page, so we’ll keep it open. Heading over to the Relations tab and down to Communicating Files links us to the VirusTotal report for the actual install.exe file.

VirusTotal is a useful tool but it won’t actually give us the answer. Thanks to finding the VirusTotal page for the install.exe file we now have its hash: 453fb1c4b3b48361fa8a67dcedf1eaec39449cb5a146a7770c63d1dc0d7562f0. You might fall into the trap of looking through every vendor’s malware label. You’ll see some names pop up a few times: MSILZilla, Snakelogger, and Msil.Tiny. None of these are the answer though.

There are other tools we can use that act similarly to VirusTotal; one of these is URLHaus from Abuse.ch. Using the file hash found for install.exe, we can find that it has been uploaded to URLHaus. The tags found are very useful, and the answer can be found in the final tag listed.


Question five

Identifying the specific URLs malware requests is key to disrupting its communication channels and reducing its impact. Based on the previous analysis of the cryptocurrency malware sample, what URL does this malware request?


We can head back to the VirusTotal page for the install.exe file for this answer, specifically the Relations tab.

The Contacted URLs section gives us the different URLs that the install.exe file communicates with:

http://ripley.studio/loader/uploads/Qanjttrbv.jpeg
http://107.175.247.199/loader/server.exe 

The answer for this question is the first URL, but note that the second URL contacted appears to be a secondary payload, server.exe. We’ll look more into that file later, but for now we can move on to the next question!


Question six

Understanding the registry entries added to the auto-run key by malware is crucial for identifying its persistence mechanisms. Based on the BitRAT malware sample analysis, what is the executable’s name in the first value added to the registry auto-run key?


Changes to the registry are often indicators that something is malicious. In the context of the scenario we’re given, you wouldn’t expect an invoice to run an .exe, nor would you expect it to modify the registry. Modifying registry keys is a common technique used by malware to aid in defense evasion, persistence, and execution. An example of this being used in a high-profile attack (taken from that MITRE link) was ‘during the 2015 Ukraine Electric Power Attack, Sandworm Team modified in-registry Internet settings to lower internet security before launching rundll32.exe, which in-turn launches the malware and communicates with C2 servers over the Internet’. Pretty intense stuff.

So how can we find the file? Using the earlier URLHaus report we can see that there is another payload, identified as BitRAT (as noted in the question), with the hash of bf7628695c2df7a3020034a065397592a1f8850e59f9a448b555bc1c8c639539.

We can check this hash on VirusTotal, and under the Behavior tab we can check the Registry keys set section. You might need to expand the list before you see the correct registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Jzwvix. Expand this entry and you’ll see the answer!


Question seven

Identifying the SHA-256 hash of files downloaded from a malicious URL is essential for tracking and analyzing malware activity. Based on the BitRAT analysis, what is the SHA-256 hash of the file previously downloaded and added to the autorun keys?


We’re over halfway through this lab. Almost there!

We can stay on the same VirusTotal report and check the Files dropped subheading under the Behavior tab.

You can scroll through the whole list (you’ll almost definitely need to expand it) and search for the file we found in question six. There’s a much easier way to do this though: simply search the page for the name of the file, Jzwvix, and you should soon find it. Expand the entry for the .exe, not the Zone.Identifier entry, and the SHA-256 hash is the answer.


Question eight

Analyzing the HTTP requests made by malware helps in identifying its communication patterns. What is the URL in the HTTP request used by the loader to retrieve the BitRAT malware?


The loader is specifically mentioned in the question here. As discussed above, the first file that we looked at, and the one that is downloaded from the email directly, is just used to retrieve a secondary payload. install.exe is aptly named because it does indeed install a further payload for the malware.

The URL (and the answer) was also mentioned previously, under question five. You can see it under the Relations tab.


Question nine

Introducing a delay in malware execution can help evade detection mechanisms. What is the delay (in seconds) caused by the PowerShell command according to the BitRAT analysis?


The process tree in the Behavior tab shows this PowerShell command being executed:

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==

A simple base64 -d can decode the encoded command.

echo "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==" | base64 -d

The output of the above command gives us the Start-Sleep command and the number of seconds the sleep will run for.
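The same decode, scripted, as an added example (not code from the write-up): PowerShell base64-encodes the script as UTF-16LE, which is why a plain base64 -d prints a NUL byte between every character, so the block below decodes it properly, then parses out the Start-Sleep delay. It goes beyond this one sample by accepting the short flag forms (-e, -ec, -enc) and the -Milliseconds variant of Start-Sleep; the regexes and helper names are ours.

```python
"""Added example (not part of the original write-up): decode a PowerShell
-EncodedCommand blob and extract the Start-Sleep delay in seconds."""
import base64
import re

# The command line from the process tree quoted above; the base64 blob is
# the page's own, the code around it is this example's.
CMDLINE = (
    'C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe '
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    '-enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA=='
)

# -e, -ec, -en, -enc, -EncodedCommand: any prefix PowerShell accepts.
# -ExecutionPolicy does not match because it continues with an "x".
ENC_RE = re.compile(r"(?<!\S)-(?:e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]+)", re.I)
# Start-Sleep 50 | Start-Sleep -s 50 | Start-Sleep -Seconds 50 | -m/-Milliseconds N
SLEEP_RE = re.compile(
    r"start-sleep\s+(?:-m[a-z]*\s+(\d+)|(?:-s[a-z]*\s+)?(\d+))", re.I)


def decode_encoded_command(cmdline):
    """Return the script behind -enc, or None if the command line has none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    # PowerShell encodes the script as UTF-16LE before base64, hence the
    # "S\x00t\x00a\x00..." you see with a plain base64 -d.
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def sleep_seconds(script):
    """Delay introduced by the first Start-Sleep in the script, in seconds (None if absent)."""
    m = SLEEP_RE.search(script)
    if not m:
        return None
    if m.group(1):                         # -Milliseconds form
        return int(m.group(1)) / 1000
    return int(m.group(2))


if __name__ == "__main__":
    script = decode_encoded_command(CMDLINE)
    print(repr(script))                    # 'Start-Sleep -Seconds 50'
    print("delay:", sleep_seconds(script), "seconds")
```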


Question ten

Tracking the command and control (C2) domains used by malware is essential for detecting and blocking malicious activities. What is the C2 domain used by the BitRAT malware?


We’re going to change it up a little and go to Recorded Future’s tria.ge. This is another site you can use to submit a file or search for hashes. After searching for the AsyncRAT file hash (5ca468704e7ccb8e1b37c0f7595c54df4e2f4035345b6e442e8bd4e11c58f791) we can see this report. Under the Malware Config section we can see the C2 field filled out with the C2 domain.

If you look at the hints for this question you’ll see that they suggest finding the answer in the community section of VirusTotal. There is a comment left that mentions the C2 domain used, but I don’t believe that this is the best way to solve the question. Community comments are very useful, and I strongly suggest adding comments of your own, but relying on them for hints to a lab can be detrimental in the long term. If VirusTotal changes the way community comments are displayed then the hint won’t be useful at all. I don’t believe that VirusTotal will do this, but it’s owned by Microsoft, so who knows what they’ll do.

Anyway, next question!


Question eleven

Understanding how malware exfiltrates data is essential for detecting and preventing data breaches. According to the AsyncRAT analysis, what is the Telegram Bot ID used by this malware?


We can stay on tria.ge for this. This question took me some time to initially answer when I first went through this lab. It took me about 30 minutes of jumping back and forth between VirusTotal, URLHaus, and Tria.ge before I found the answer. Originally I ended up using every one of the hints, however when I was redoing the lab for this write-up I was able to find the answer without looking at the hints.

Could this just be because I now know where to look? Absolutely. I also feel like I’m reading the questions more in depth as I write this.

The question mentions using the analysis of the AsyncRAT hash. We can take this from the URLHaus entry: 5ca468704e7ccb8e1b37c0f7595c54df4e2f4035345b6e442e8bd4e11c58f791. We can find a previous report in tria.ge for this hash. The behavioral analysis shows us the network requests. We’re interested in the GET requests to find the answer here.

https://api.telegram.org/bot5610920260:AAHF8huJMzSwUso7E5WSzQW0Bzo4GdubP4k/getUpdates?offset=-5 is the destination of the GET request that we’re interested in. Don’t worry if you’re not familiar with the way Telegram bot URLs work; all you need to focus on is the number after bot and before the first :.

Getting the Telegram ID can help craft some IOCs and potentially track other instances of this malware being executed. The Telegram ID can also be used to correlate whether the group responsible has changed their tactics or deployed a different malware strain. It’s likely that they would just spin up a new Telegram bot, but on the off chance they use the same Telegram ID then you can attribute the different strains to the same group.


Conclusion


This was a fun lab to do! CyberDefenders has some great labs, especially as I try to focus more on Blue Team focused challenges. You’ll be seeing a lot more from me this year, so stay tuned!