The Greenholt Phish - THM
Tools used: Whois, MxToolBox (SPF Checker), Dmarcian (DMARC Checker), VirusTotal
A Sales Executive at Greenholt PLC received an email that he didn't expect to receive from a customer. He claims that the customer never uses generic greetings such as "Good day" and didn't expect any amount of money to be transferred to his account. The email also contains an attachment that he never requested. He forwarded the email to the SOC (Security Operations Center) department for further investigation.
Investigate the email sample to determine if it is legitimate.
1. What is the Transfer Reference Number listed in the email's Subject?
We begin by opening the challenge.eml email file to examine its contents.
The transfer reference number is a unique identifier assigned to a specific transaction, allowing us to track and verify the details of the transfer. It is crucial for ensuring the accuracy and security of financial transactions.
From the subject line of the email, we can see that the transfer reference number is 09674321.
09674321
2. Who is the email from?
From the same email, we can see it is from Mr. James Jackson.
Mr. James Jackson
3. What is his email address?
From the same email, we can see the email address is info@mutawamarine.com.
info@mutawamarine.com
4. What email address will receive a reply to this email?
From the same email, we can see that replies will be directed to info.mutawamarine@mail.com.
info.mutawamarine@mail.com
5. What is the Originating IP?
To see the originating IP, we open the email message source.
Reading the Received headers from the bottom (the earliest hop) upward, the first public IP address that appears is 192.119.71.157.
This IP address is associated with the domain mutawamarine.com, making it the most likely originating IP in this case.
192.119.71.157
6. Who is the owner of the Originating IP? (Do not include the "." in your answer.)
To find out the owner of the IP, we search it using Whois.
From the result, the OrgName field specifies that the owner is Hostwinds LLC.
Hostwinds LLC
7. What is the SPF record for the Return-Path domain?
An SPF (Sender Policy Framework) record is a DNS record that specifies which mail servers are authorized to send emails on behalf of a domain. The Return-Path domain is the domain specified in the “Return-Path” header of an email, which is used to process bounced messages.
We open an SPF checker tool and input the previously identified domain, mutawamarine.com.
The result is v=spf1 include:spf.protection.outlook.com -all.
This means that the domain mutawamarine.com authorizes the mail servers listed in the SPF record of spf.protection.outlook.com to send emails on its behalf.
The -all at the end indicates that any server not listed in the SPF record should be considered unauthorized to send emails for this domain, and such emails should be rejected.
This setup helps prevent email spoofing and ensures that only legitimate emails are sent from the domain.
v=spf1 include:spf.protection.outlook.com -all
8. What is the DMARC record for the Return-Path domain?
A DMARC (Domain-based Message Authentication, Reporting, and Conformance) record is a DNS record that helps protect email senders and recipients from spam, phishing, and email spoofing. It works alongside SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to provide a mechanism for email authentication and reporting.
We open a DMARC domain checker tool and input the same domain, mutawamarine.com.
The result is v=DMARC1; p=quarantine; fo=1.
This means that the domain mutawamarine.com has a DMARC policy in place.
The v=DMARC1 indicates the version of DMARC being used.
The p=quarantine policy specifies that emails failing the DMARC check should be treated as suspicious and moved to the spam or quarantine folder.
The fo=1 tag means that a forensic report should be generated if either SPF or DKIM fails to authenticate.
This setup helps enhance email security by ensuring that only legitimate emails are delivered and providing detailed reports on any authentication failures.
v=DMARC1; p=quarantine; fo=1
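To make the SPF and DMARC interpretation in questions 7 and 8 concrete, here is an added example (not code from the write-up or from the tools named above) that parses the two records quoted for mutawamarine.com and works out what a receiving server would do with a message that fails authentication. It operates on the record strings only, so it runs offline; fetching the TXT records via DNS is assumed to have been done with the checker tools. Terms are evaluated per RFC 7208 (SPF) and RFC 7489 (DMARC); the DMARC pct= sampling tag is not modelled.

```python
from typing import Dict, List, Tuple

# Records quoted in the write-up for mutawamarine.com.
SPF_RECORD = "v=spf1 include:spf.protection.outlook.com -all"
DMARC_RECORD = "v=DMARC1; p=quarantine; fo=1"

# SPF qualifiers; a mechanism with no explicit qualifier means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Meaning of each fo= value (DMARC failure-reporting options).
FO_OPTIONS = {
    "0": "report only if both SPF and DKIM fail",
    "1": "report if either SPF or DKIM fails",
    "d": "report every DKIM failure",
    "s": "report every SPF failure",
}


def parse_spf(record: str) -> Tuple[List[dict], str]:
    """Tokenise an SPF record.

    Returns the list of terms and the result a receiver assigns to a sending
    host matched by no mechanism, i.e. the qualifier on 'all'. A record with
    no 'all' term yields neutral for unmatched senders."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms: List[dict] = []
    unmatched_result = "neutral"
    for tok in tokens[1:]:
        if "=" in tok:  # modifier such as redirect= or exp=; recorded, not evaluated
            name, value = tok.split("=", 1)
            terms.append({"type": "modifier", "name": name.lower(), "value": value})
            continue
        qualifier = "+"
        if tok[0] in QUALIFIERS:
            qualifier, tok = tok[0], tok[1:]
        name, _, value = tok.partition(":")
        terms.append({"type": "mechanism", "qualifier": QUALIFIERS[qualifier],
                      "name": name.lower(), "value": value})
        if name.lower() == "all":
            unmatched_result = QUALIFIERS[qualifier]
    return terms, unmatched_result


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC record into its tag=value pairs (keys lower-cased)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def dmarc_disposition(tags: Dict[str, str], spf_aligned_pass: bool,
                      dkim_aligned_pass: bool, subdomain: bool = False) -> str:
    """Receiver action for one message under this policy.

    DMARC passes when either SPF or DKIM passes with a domain aligned to the
    From: header. Otherwise p= applies (sp= for subdomains when present).
    Possible policies: none, quarantine, reject."""
    if spf_aligned_pass or dkim_aligned_pass:
        return "pass"
    if subdomain and "sp" in tags:
        return tags["sp"]
    return tags.get("p", "none")


def reports_requested(tags: Dict[str, str]) -> List[str]:
    """Human-readable expansion of the fo= tag (default '0')."""
    return [FO_OPTIONS[v] for v in tags.get("fo", "0").split(":") if v in FO_OPTIONS]


if __name__ == "__main__":
    terms, unmatched = parse_spf(SPF_RECORD)
    print("SPF terms:", terms)
    print("host not covered by SPF ->", unmatched)
    tags = parse_dmarc(DMARC_RECORD)
    print("DMARC tags:", tags)
    print("SPF fail + DKIM fail ->", dmarc_disposition(tags, False, False))
    print("failure reports:", reports_requested(tags))
```

For this domain the two records combine as follows: a message sent from a host outside spf.protection.outlook.com gets an SPF fail, and if it also carries no valid aligned DKIM signature, the p=quarantine policy sends it to the recipient's spam or quarantine folder rather than rejecting it outright.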
9. What is the name of the attachment?
Looking at the previously opened email tells us the name of the attachment is SWT_#09674321____PDF__.CAB.
SWT_#09674321____PDF__.CAB
10. What is the SHA256 hash of the file attachment?
First, we download the attachment from the email. Once we have the file saved locally, we use the command line to identify the SHA256 hash.
By running the command sha256sum SWT_#09674321____PDF__.CAB, we generate the hash value for the file.
The result of this command is 2e91c533615a9bb8929ac4bb76707b2444597ce063d84a4b33525e25074fff3f.
2e91c533615a9bb8929ac4bb76707b2444597ce063d84a4b33525e25074fff3f
11. What is the attachment's file size? (Don't forget to add "KB" to your answer, NUM KB)
To look up the true attachment file size, we head to VirusTotal.
We search for the previously identified hash, 2e91c533615a9bb8929ac4bb76707b2444597ce063d84a4b33525e25074fff3f.
Under the details tab, we can see the file size is 400.26 KB.
400.26 KB
12. What is the actual file extension of the attachment?
From VirusTotal, under the same details tab, we can see the actual file type is .RAR.
RAR
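Questions 10 to 12 (hash, size, and true file type) can also be answered locally before anything is uploaded to VirusTotal. The following is an added example, not part of the write-up: it hashes a file in chunks, reports its size in KB, and reads the leading bytes to identify the real format independently of the name. The sample file it writes is constructed (a RAR 5 signature followed by zero padding, saved under the same double-extension naming pattern as the real attachment), so its hash and 1.00 KB size are not those of the real 400.26 KB attachment; point inspect_attachment at the downloaded file to get the real values.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Optional, Tuple

# Magic bytes checked at offset 0. The RAR 4 and RAR 5 signatures differ in
# their last bytes; CAB files start with "MSCF", which is why the name's .CAB
# extension and the .RAR result from VirusTotal can disagree.
SIGNATURES: List[Tuple[bytes, str]] = [
    (b"Rar!\x1a\x07\x01\x00", "RAR"),   # RAR 5.x
    (b"Rar!\x1a\x07\x00", "RAR"),       # RAR 4.x
    (b"MSCF", "CAB"),                   # Microsoft Cabinet
    (b"%PDF", "PDF"),
    (b"PK\x03\x04", "ZIP"),
    (b"MZ", "PE"),                      # Windows executable / DLL
]

# Constructed sample content: RAR 5 signature plus padding, 1024 bytes total.
CONSTRUCTED_SAMPLE = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 1016


def sha256_of_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Hex SHA-256 digest, read in chunks so large attachments are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def size_kb(path: str) -> str:
    """Size formatted the way the challenge expects, e.g. '400.26 KB'."""
    return f"{os.path.getsize(path) / 1024:.2f} KB"


def actual_type(path: str) -> Optional[str]:
    """Format label from the leading bytes, or None if no known signature matches."""
    with open(path, "rb") as f:
        head = f.read(16)
    for magic, label in SIGNATURES:
        if head.startswith(magic):
            return label
    return None


def claimed_extension(name: str) -> str:
    """The extension the file name advertises (upper-cased), '' if none."""
    return name.rsplit(".", 1)[-1].upper() if "." in name else ""


def inspect_attachment(path: str) -> Dict[str, object]:
    """Collect hash, size, claimed and actual type, and flag any mismatch."""
    name = os.path.basename(path)
    actual = actual_type(path)
    claimed = claimed_extension(name)
    return {
        "name": name,
        "sha256": sha256_of_file(path),
        "size_kb": size_kb(path),
        "claimed_extension": claimed,
        "actual_type": actual,
        "mismatch": actual is not None and actual != claimed,
    }


def write_sample(data: bytes, name: str) -> str:
    """Write constructed bytes to a fresh temp directory and return the path."""
    directory = tempfile.mkdtemp(prefix="greenholt_")
    path = os.path.join(directory, name)
    with open(path, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    sample = write_sample(CONSTRUCTED_SAMPLE, "SWT_#CONSTRUCTED____PDF__.CAB")
    for key, value in inspect_attachment(sample).items():
        print(f"{key}: {value}")
```

A mismatch between the advertised extension and the signature is the point of question 12: the name promises a PDF inside a CAB, the bytes say RAR. Hashing locally first also means the hash can be searched on VirusTotal without uploading the file, which matters when the attachment may contain internal data.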