HTB: Sherlock — PhishNet

Scenario

An accounting team receives an urgent payment request from a known vendor. The email appears legitimate but contains a suspicious link and a .zip attachment hiding malware. Your task is to analyze the email headers, and uncover the attacker’s scheme.

Artifacts Provided

• PhishNet.zip - SHA256:7d5621c46502fe5badf62137bb9340898e712fd3915d220022f9db046defd4d5
• email.eml - SHA256:cf48f767176524f8c3fce171607b846aae463cc6128a48de32dffe2da6ab37c4 (included in the ZIP)

Initial Analysis

For .eml files, we first open it in the text editor of our liking for analysis. We are going to use VS Code to answer (almost) all the questions below.

Questions

1. What is the originating IP address of the sender?

This can be found from the X-Sender-IP or X-Originating-IP. If these were absent we could just observe the hops of the traffic on the Received headers.

2. Which mail server relayed this email before reaching the victim?

For this we need to see the last hop of the Received headers which is the topmost one.

3. What is the sender’s email address?

Looking the From header.

4. What is the ‘Reply-To’ email address specified in the email?

Looking the Reply-To header.

5. What is the SPF (Sender Policy Framework) result for this email?

In the Authentication-Results header section we find the result.

6. What is the domain used in the phishing URL inside the email?

Looking at the body of the email we can see that in an <a href= tag.

7. What is the fake company name used in the email?

Again looking at the body of the email.

8. What is the name of the attachment included in the email?

That can be found below the body of the email, on the attachement section we starts with –boundary123.

9. What is the SHA-256 hash of the attachment?

For this we need to take the Base64 encoded attachment, decode it to bytes and get the SHA-256 digest of it. One quick way is to use Cyberchef.

10. What is the filename of the malicious file contained within the ZIP attachment?

We can easily see that only from decoding the Base64 attachement.

11. Which MITRE ATT&CK techniques are associated with this attack?

Here we search for phishing with ZIP attachment on the MITRE framework.