For this lab, we are given the original .EML file to analyse instead of an lab environment. It is recommended to always analyse lab files (even if its for practice!) in a VM environment.
As a cybersecurity analyst for an educational institution, you receive an alert about a phishing email targeting faculty members. The email, appearing from a trusted contact, claims a $625,000 purchase and provides a link to download an invoice. Your task is to investigate the email using Threat Intel tools. Analyze the email headers and inspect the link for malicious content. Identify any Indicators of Compromise (IOCs) and document your findings to prevent potential fraud and educate faculty on phishing recognition.
Question 1
Identifying the sender's IP address with specific SPF and DKIM values helps trace the source of the phishing email. What is the sender's IP address that has an SPF value of softfail and a DKIM value of fail?
Let's start by inspecting the email header. A quick way to do this is to open the .EML via a text editor. Though there are automated email analysis tools online (such as PhishTools) that are much efficient, we'll go down the traditional route to better understand email structures.
From the question, it has already hinted that the sender IP address we are looking for will have specified SPF and DKIM values.
A brief intro to SPF and DKIM:
SPF - verifies that the email appearing from a domain was sent from the servers of the actual domain owner
DKIM - signs outgoing mail with encrypted signatures and the recipient email server will utilise the shared public key to verify integrity.
In short, both SPF and DKIM should never have a value other than "Pass" if the email were to be legitimate.
Answer
18.208.22.104
Question 2
Understanding the return path of the email helps in tracing its origin. What is the return path specified in this email?
The Return-Path header will provide us the answer to this question. This header is used in situations where emails gets undelivered or bounces back to the sender. However, threat actors may modify this field value with their own return email address.
Identifying the source of malware is critical for effective threat mitigation and response. What is the IP address hosting the malicious file associated with malware distribution?
Looking at the email content body, we can see that it is masquerading as a invoice document to get the recipient to download malware hosted on an external IP address.
Answer
107.175.247.199
Question 4
Determining which malware exploits system resources to mine cryptocurrencies helps prioritize threat response. The malicious URL distributes multiple types of malware. What is the malware family used for cryptocurrency mining?
As we have the IP address of where the malware is hosted, we can check out open source intelligence tools such as VirusTotal and URLHaus. For example, searching the IP on VirusTotal, we can look at the "RELATIONS" tab for the communicating files.
In this Scenario, it appears that the IP address has hosted multiple versions of the install.exe file. Let's take a look at URLHaus for the IP IOC instead. From URLHaus, we can see that there were 3 different payload signatures and we have found the one associated with mining crypto.
Answer
CoinMiner
Question 5
Understanding the registry entries added to the auto-run key by malware is crucial for identifying its persistence mechanisms. According to the analysis of BitRAT, what is the executable name in the first value added to the registry auto-run key?
From Question 4, we were able to locate different hashes served by the malicious IP address and one of them has the payload signature of "BitRAT". Let's pivot back to VirusTotal and search up the associated hash: bf7628695c2df7a3020034a065397592a1f8850e59f9a448b555bc1c8c639539
When reviewing the "Registry Keys Set" section, the run key that we'll noticed is as follows: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Jzwvix
Answer
Jzwvix.exe
Question 6
Introducing a delay in malware execution can help evade detection mechanisms. What is the delay (in seconds) caused by the PowerShell command according to the BitRAT analysis?
Looking through the process tree for the binary, we'll notice a Base64 encoded powershell command.
Encoded Base64 command:
Once we've put that through CyberChef for decoding and remove null bytes, we'll get our answer of 50 seconds.
Answer
50
Question 7
Analyzing the HTTP requests made by malware helps in identifying its communication patterns. What is the HTTP request used by the loader to retrieve the BitRAT malware?
This answer can be found from the HTTP requests made by the binary.
Answer
hxxp[://]107.175.247[.]199/LOADER/SERVER.EXE
Question 8
Identifying the SHA-256 hash of files downloaded by a malicious URL aids in tracking and analyzing malware activities. According to the BitRAT analysis, what is the SHA-256 hash of the second file downloaded and added to autorun keys?
This question is a bit tricky and the wording is confusing but keep in mind the first file downloaded after clicking on the malicious phishing email would be install.exe. The second file downloaded would be Jzwvix.exe which was added to the run keys mentioned in Q5. The hash can be found under the "File Dropped" sections on VT.
Although in my opinion, the second file downloaded should actually be server.exe instead which has a different hash. This question did took some trial and error to get "right".
Tracking the command and control (C2) domains used by malware is essential for detecting and blocking malicious activities. What is the C2 domain used by the BitRAT malware?
As the URL IOC we got was associated with three different malware signatures, let's hop back to URLHaus and check out specifically the sample tagged with BitRAT.
Looking at the comments of the sample on VT, we can find the published reports with the C2 address.
Answer
gh9st.mywire[.]org
Question 10
Understanding the methods malware uses for exfiltrating data is crucial for detecting and preventing data breaches. According to the AsyncRAT analysis, what is the Telegram Bot ID used by the malware to exfiltrate stolen data?
Similar to the previous question, we'll have to analyse specifically on the sample tagged with AsyncRAT.
Pivoting from VT, we can look into other reports related to this binary. It does take some digging but we are able to find the GET request from this report: https://tria.ge/221025-a5kz9sbbcm/behavioral1
Answer
bot5610920260
Question 11
Understanding the specific URLs requested by malware is essential for disrupting its communication channels and mitigating its activities. According to the CoinMiner analysis, what is the URL requested by the CoinMiner malware sample?
Now let's go to the CoinMiner tagged sample on VT. From VT, we can find the subsequent HTTP requests which downloads further payloads.
