
Snapped Phish-ing Line

Phishing Email Analysis

👋Hi, I’m Umamaheswari. Through this blog, I share visual walkthroughs and hands-on investigations on PCAP, phishing, Splunk, ELK, malware, and digital forensics—based on labs from TryHackMe, HackTheBox and CyberDefenders. Feel free to connect or ask questions — I am more than happy to help.

Disclaimer

Based on real-world occurrences and past analysis, this scenario presents a narrative with invented names, characters, and events.

Please note: The phishing kit used in this scenario was retrieved from a real-world phishing campaign. Hence, it is advised that interaction with the phishing artefacts be done only inside the attached VM, as it is an isolated environment.


Scenario

An Ordinary Midsummer Day...

As an IT department personnel of SwiftSpend Financial, one of your responsibilities is to support your fellow employees with their technical concerns. While everything seemed ordinary and mundane, this gradually changed when several employees from various departments started reporting an unusual email they had received. Unfortunately, some had already submitted their credentials and could no longer log in.

You now proceed to investigate what is going on by:

  1. Analysing the email samples provided by your colleagues.

  2. Analysing the phishing URL(s) by browsing it using Firefox.

  3. Retrieving the phishing kit used by the adversary.

  4. Using CTI-related tooling to gather more information about the adversary.

  5. Analysing the phishing kit to gather more information about the adversary.

Note: The phishing emails to be analysed are under the phish-emails directory on the Desktop. Usage of a web browser, text editor and some knowledge of the grep command will help.

Answer the questions below

  1. Who is the individual who received an email attachment containing a PDF?

Ans: William McClean

Five phishing emails were opened, all sent from Accounts.Payable@groupmarketingonline.icu:

  • Four employees received the same phishing email with an attachment named Direct Credit Advice.html.

  • One employee (William McClean) received a different phishing email with the attachment Quote.pdf.

  2. What email address was used by the adversary to send the phishing emails?

Ans: Accounts.Payable@groupmarketingonline.icu

  3. What is the redirection URL to the phishing page for the individual Zoe Duncan? (defanged format)

Ans: hxxp[://]kennaroads[.]buzz/data/Update365/office365/40e7baa2f826a57fcf04e5202526f8bd/?email=zoe[.]duncan@swiftspend[.]finance&error

Save the attachment received by Zoe Duncan, then cat the file to find the URL it redirects to.

Defang the URL so it is no longer clickable.
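The defanging used throughout this write-up, as an added shell example (not code from the original room or post): "http" becomes "hxxp", "://" becomes "[://]" and every "." becomes "[.]", so the URL is neither clickable nor auto-linked when pasted into a ticket or report. A refang function is included for the moment a tool inside the isolated VM needs the live form. The sample URL in the block is constructed and is not one of the URLs from the investigation.

```shell
#!/bin/sh
# Added example (not from the original write-up): defang a URL in the notation
# used in the walkthrough ("http" -> "hxxp", "://" -> "[://]", "." -> "[.]") so
# it cannot be clicked or auto-linked, and refang it again when a CTI tool
# inside the isolated VM needs the real URL.

defang() {
    # Scheme first, then the separator, then every dot. The replacement "[.]"
    # contains no dot of its own, so the global substitution cannot re-match
    # its own output.
    printf '%s\n' "$1" | sed -e 's#^http#hxxp#' -e 's#://#[://]#' -e 's#\.#[.]#g'
}

refang() {
    # Exact inverse of defang().
    printf '%s\n' "$1" | sed -e 's#^hxxp#http#' -e 's#\[://]#://#' -e 's#\[\.]#.#g'
}

# Constructed sample URL (not one of the URLs from the investigation).
SAMPLE='https://login.example.test/office365/index.php?email=first.last@example.test&error'
echo "defanged: $(defang "$SAMPLE")"
echo "refanged: $(refang "$(defang "$SAMPLE")")"
```

Defang before a URL leaves the analysis VM (tickets, chat, reports); refang only inside the VM, and only when a tool cannot accept the defanged form.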

  4. What is the URL to the .zip archive of the phishing kit? (defanged format)

Ans: hxxp[://]kennaroads[.]buzz/data/Update365[.]zip

Analysis of the redirecting phishing URL, hxxp[://]kennaroads[.]buzz/data/Update365/office365/, revealed the .zip file used by the attacker.

  5. What is the SHA256 hash of the phishing kit archive?

Ans: ba3c15267393419eb08c7b2652b8b6b39b406ef300ae8a18fee4d16b19ac9686

Download Update365.zip and then calculate its SHA256 hash.

  6. When was the phishing kit archive first submitted? (format: YYYY-MM-DD HH:MM:SS UTC)

Ans: 2020-04-08 21:55:50 UTC

  7. When was the SSL certificate the phishing domain used to host the phishing kit archive first logged? (format: YYYY-MM-DD)

Ans: 2020-06-25

Look up the domain in crt.sh to identify SSL certificates issued for it.

  8. What was the email address of the user who submitted their password twice?

Ans: michael.ascot@swiftspend.finance

By browsing to the Update365/ directory, the log.txt file was accessible and contained the email addresses and passwords submitted by users.

The user Michelle entered credentials three times using three different passwords.

  9. What was the email address used by the adversary to collect compromised credentials?

Ans: m3npat@yandex.com

Now we have to analyse the Update365.zip file we downloaded, so unzip it.

Open submit.php, the script that sends the submitted credentials, along with other details (IP address, User-Agent, date), to the attacker's email address.

  10. The adversary used other email addresses in the obtained phishing kit. What is the email address that ends in "@gmail.com"?

Ans: jamestanner2299@gmail.com

Use grep with the -r option to search the unzipped kit directory for the string "@gmail.com". The -r option tells grep to search through all files inside a directory and its subdirectories, not just a single file; this is useful when you don't know exactly which file contains the string.
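The kit-analysis steps above (hashing the downloaded archive, reading log.txt for users who submitted more than once, and the grep -r search of the kit source for hard-coded e-mail addresses) as one added shell example that is not part of the original room or write-up. It constructs a small stand-in kit directory so it runs offline: the file names, the log.txt field layout and every address and password placeholder in it are made up for the example, and the real kit's layout is an assumption. Only e-mail addresses are ever extracted from the log; harvested passwords are never printed.

```shell
#!/bin/sh
# Added example (not the room's or the phishing kit's own code): offline triage
# of a retrieved phishing kit. A stand-in kit directory is constructed below so
# the script runs without the real archive; its file names, the log.txt layout
# and every address in it are made up for the example.
export LC_ALL=C

KIT="$(mktemp -d)"
trap 'rm -rf "$KIT"' EXIT
mkdir -p "$KIT/Update365/office365"

# Constructed stand-in for the kit's credential-forwarding script.
cat > "$KIT/Update365/office365/submit.php" <<'EOF'
<?php
// constructed fixture: addresses the kit forwards harvested credentials to
$recipient = "kit-operator@example.invalid";
$cc        = "kit-operator-2@example.com";
EOF

# Constructed stand-in for the harvested-credential log (field layout assumed).
cat > "$KIT/Update365/log.txt" <<'EOF'
Email: zoe.duncan@swiftspend.finance | Pass: REDACTED-1 | IP: 203.0.113.10 | UA: Mozilla/5.0 | Date: 2020-06-26 09:14:02
Email: Michael.Ascot@swiftspend.finance | Pass: REDACTED-2 | IP: 203.0.113.22 | UA: Mozilla/5.0 | Date: 2020-06-26 09:20:45
Email: michael.ascot@swiftspend.finance | Pass: REDACTED-3 | IP: 203.0.113.22 | UA: Mozilla/5.0 | Date: 2020-06-26 09:21:10
EOF

EMAIL_RE='[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'

# SHA256 of a file, with whichever tool the host provides; compare the result
# for the real Update365.zip against the hash recorded by your CTI tooling.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | awk '{ print $1 }'
}

# Every e-mail address hard-coded in the kit source (victim log excluded).
# -r recurses into subdirectories, -h drops the file name, -o prints only the
# match, -E enables the extended regex above.
kit_addresses() {
    grep -rhoE --exclude=log.txt "$EMAIL_RE" "$1" | tr 'A-Z' 'a-z' | sort -u
}

# Subset of kit_addresses whose domain is exactly the one given, e.g. "gmail.com".
kit_addresses_at() {
    kit_addresses "$1" | awk -v d="@$2" 'substr($0, length($0) - length(d) + 1) == d'
}

# Distinct victim addresses from the log: the accounts that need a reset.
victims() {
    grep -oE "$EMAIL_RE" "$1" | tr 'A-Z' 'a-z' | sort -u
}

# Victims whose address appears two or more times (submitted credentials repeatedly).
repeat_victims() {
    grep -oE "$EMAIL_RE" "$1" | tr 'A-Z' 'a-z' | sort | uniq -c | awk '$1 >= 2 { print $2 }'
}

echo "sha256 of stand-in submit.php: $(sha256_of "$KIT/Update365/office365/submit.php")"
echo "addresses hard-coded in the kit:"
kit_addresses "$KIT"
echo "addresses at example.com:"
kit_addresses_at "$KIT" example.com
echo "victims to reset:"
victims "$KIT/Update365/log.txt"
echo "repeat submitters:"
repeat_victims "$KIT/Update365/log.txt"
```

Point the functions at the real unzipped Update365/ directory inside the VM to reproduce the kit-analysis answers; the victim list is also the input to the password-reset and session-revocation work that follows a phishing incident.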

  11. What is the hidden flag?

HINT: The flag contains a ".txt" extension and, with some adjustments, should be downloadable from the phishing URL. Look for the flag in every subdomain/directory of the phishing URL.


Thanks for reading—I hope you enjoyed the walkthrough.
Keep hunting!