BTLO: Phishing Analysis
A technical walkthrough of Phishing Analysis 1 on Blue Team Labs Online.
This lab involved the manual inspection of a suspicious email file: a user received a phishing email and forwarded it to the SOC, and I was tasked with investigating the email and its attachment to collect useful artifacts.
Investigative Environment
- Hypervisor: VirtualBox
- OS: REMnux (Linux Toolkit for Reverse Engineering and Malware Analysis)
- Tools: SciTE Text Editor, WHOIS (DomainTools), URL2PNG
Technical Walkthrough
1. Who is the primary recipient of this email?
To find the recipient, I searched for the To: header in the text editor.

2. What is the subject of this email?
Similar to the first task, I searched for the Subject: header to get the answer.

3. What is the date and time the email was sent?
The Date: header sits alongside the Subject: header and gives the date and time the email was sent. Note that this header is set by the sender's client; the timestamps in the Received: headers record when each relay actually handled the message.
4. What is the originating IP?
I found the originating IP address by searching for IP:, which matches headers such as X-Originating-IP. Because that header is supplied by the sending system and can be forged, it is worth cross-checking it against the earliest (bottom-most) Received: header, which is written by the first relay to accept the message.
5. Perform reverse DNS on this IP address, what is the resolved host? (whois.domaintools.com)
I performed a reverse DNS lookup on the originating IP address using whois.domaintools.com, which returned the resolved host (the PTR record for that address). The same lookup can be run from the REMnux terminal with dig -x <ip>.

6. What is the name of the attached file?
After some searching, I identified that the attachment is the primary artifact in this investigation. Its name is recorded in the MIME headers of the attached part: the Content-Disposition filename= parameter and the Content-Type name= parameter.
7 - 8. What is the URL found inside the attachment?, What service is this webpage hosted on?
The URL was embedded near the footer of the attachment's body, and the hosting service is identifiable from the domain in that URL.

9. Using URL2PNG, what is the heading text on this page?
I used URL2PNG, which renders a screenshot of the page on its own infrastructure, so the heading text can be read without opening the phishing link in a browser on the analysis machine.
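The steps above are all done by hand in a text editor. As an added example (not part of the original walkthrough, the lab's files, or the author's code), the script below pulls the same artifacts out of an .eml file with Python's standard email library: recipient, subject, date, originating IP cross-checked against the first Received: hop, the PTR name a reverse DNS lookup would query, the attachment's filename, the URLs inside it, and the hosting domain. SAMPLE_EML is a constructed message; every address, host and IP in it is made up for illustration.

```python
"""Added example, not the BTLO lab's email or the author's code: extract
phishing artifacts from an .eml with the standard library. SAMPLE_EML is a
constructed message; all names, addresses and IPs in it are invented."""
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Constructed sample written to resemble a forwarded phishing email.
SAMPLE_EML = b"""Received: from mail.example.org (mail.example.org [203.0.113.10])
 by mx.victim.example (Postfix) with ESMTP id 4F2A1C3; Mon, 01 Jan 2024 09:15:02 +0000
Received: from webmail.example.org ([198.51.100.7])
 by mail.example.org with HTTP; Mon, 01 Jan 2024 09:14:55 +0000
X-Originating-IP: [198.51.100.7]
From: "IT Support" <support@example.org>
To: jane.doe@victim.example
Subject: Password expiry notice
Date: Mon, 01 Jan 2024 09:14:55 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please see the attached notice.
--b1
Content-Type: text/html; name="notice.html"
Content-Disposition: attachment; filename="notice.html"
Content-Transfer-Encoding: 7bit

<html><body><p>Your password expires today.</p>
<footer><a href="https://sites.example.net/reset-portal">Reset now</a></footer>
</body></html>
--b1--
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def parse_eml(raw: bytes):
    """Parse raw bytes into an EmailMessage; policy.default gives typed headers."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def recipients(msg):
    """Q1: the addresses in the To: header (not the display names)."""
    return [a.addr_spec for a in msg["To"].addresses]


def subject(msg):
    """Q2: the Subject: header as a plain string."""
    return str(msg["Subject"])


def sent_date(msg):
    """Q3: the Date: header as a timezone-aware datetime (sender-supplied)."""
    return msg["Date"].datetime


def originating_ip(msg):
    """Q4: (claimed X-Originating-IP, IP in the earliest Received: header).
    The first is client-supplied and forgeable; the second is written by the
    first relay that accepted the message. Received: is prepended per hop,
    so the earliest hop is the last one in the list."""
    claimed = msg.get("X-Originating-IP")
    claimed_ip = IP_RE.search(str(claimed)).group(1) if claimed else None
    hops = msg.get_all("Received", [])
    m = IP_RE.search(str(hops[-1])) if hops else None
    return claimed_ip, (m.group(1) if m else None)


def ptr_query_name(ip):
    """Q5: the name a reverse DNS (PTR) lookup queries for an IPv4 address.
    Resolve it live with socket.gethostbyaddr(ip) or dig -x on REMnux."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def attachment_names(msg):
    """Q6: filenames from Content-Disposition filename= or Content-Type name=."""
    return [p.get_filename() for p in msg.iter_attachments()]


def attachment_urls(msg):
    """Q7: http(s) URLs found in each attachment's decoded body."""
    found = {}
    for part in msg.iter_attachments():
        body = part.get_content()
        if isinstance(body, bytes):
            body = body.decode("utf-8", "replace")
        found[part.get_filename()] = URL_RE.findall(body)
    return found


def hosting_host(url):
    """Q8: the hostname identifies the service the page is hosted on."""
    return urlparse(url).hostname


if __name__ == "__main__":
    msg = parse_eml(SAMPLE_EML)
    print("To:", recipients(msg))
    print("Subject:", subject(msg))
    print("Date:", sent_date(msg).isoformat())
    claimed, first_hop = originating_ip(msg)
    print("Originating IP (claimed / first hop):", claimed, first_hop)
    print("PTR name:", ptr_query_name(first_hop))
    print("Attachments:", attachment_names(msg))
    for name, urls in attachment_urls(msg).items():
        for u in urls:
            print(f"{name}: {u} hosted on {hosting_host(u)}")
```

Run it against a real forwarded message with `parse_eml(open("sample.eml", "rb").read())`. The design choice worth noting is `originating_ip` returning both values: if the claimed X-Originating-IP and the first-hop Received: address disagree, trust the Received: chain, since the sender controls the former but not the header added by the receiving relay.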

And done. Success!

Thank you for reading. Stay tuned for more updates as I continue to expand my defensive capabilities!