The Greenholt Phish
Use the knowledge attained to analyze a malicious email.

X-Atlas-Received: from 10.201.192.162 by atlas125.free.mail.bf1.yahoo.com with http; Wed, 10 Jun 2020 05:58:55 +0000
Return-Path: <info@mutawamarine.com>
Received: from x.x.x.x (EHLO sub.redacted.com)
by atlas125.free.mail.bf1.yahoo.com with SMTPs; Wed, 10 Jun 2020 05:58:55 +0000
X-Originating-Ip: [x.x.x.x]
Received-SPF: fail (domain of mutawamarine.com does not designate x.x.x.x as permitted sender)
Authentication-Results: atlas125.free.mail.bf1.yahoo.com;
spf=fail smtp.mailfrom=mutawamarine.com;
dmarc=unknown
X-Apparently-To: redacted@yahoo.com; Wed, 10 Jun 2020 05:58:55 +0000
X-YMailISG: CA2XOWoWLDuMav_xVT1F_okXM35Y6SWpmP6zsE6LeQRxoxw4
YjzuEZUWxEEJzHhUGbKbpzCq7GFztoIFDbqKMkWunxnYA6aofbh6xusqm_FJ
x591PPWDY5NhvW7H.Pwb9o9VmzNhbgKs3KzMN9IO7Uh5jf5y6rUw.dSshjuv
Answer
- What is the Transfer Reference Number listed in the email's Subject?
09674321
- Who is the email from?
Mr. James Jackson
- What is his email address?
- What email address will receive a reply to this email?
- What is the Originating IP?
192.119.71.157
whois 192.119.71.157
- Who is the owner of the Originating IP? (Do not include the "." in your answer.)
Hostwinds LLC
- https://mxtoolbox.com/spf.aspx
- enter mutawamarine.com
v=spf1 include:spf.protection.outlook.com -all
- What is the SPF record for the Return-Path domain?
v=spf1 include:spf.protection.outlook.com -all
- https://dmarcian.com/domain-checker/
- enter mutawamarine.com

- What is the DMARC record for the Return-Path domain?
v=DMARC1; p=quarantine; fo=1
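The header questions above all come down to reading a handful of fields (Return-Path, X-Originating-Ip, Received-SPF, Authentication-Results, From, Reply-To, Subject) and comparing them. The script below is an added example, not part of the original writeup, that automates that triage with Python's standard `email` module. The sample message is constructed from the headers shown on this page; the From and Reply-To addresses are placeholders in reserved test domains because the page does not show them, and the Subject line is an assumption built around the reference number the writeup reports.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: headers taken from the writeup, with the originating IP
# filled in from the writeup's answer. From, Reply-To and Subject are
# placeholders/assumptions (the page does not show those lines).
SAMPLE_MESSAGE = """\
Return-Path: <info@mutawamarine.com>
Received: from 192.119.71.157 (EHLO sub.redacted.com)
  by atlas125.free.mail.bf1.yahoo.com with SMTPs; Wed, 10 Jun 2020 05:58:55 +0000
X-Originating-Ip: [192.119.71.157]
Received-SPF: fail (domain of mutawamarine.com does not designate 192.119.71.157 as permitted sender)
Authentication-Results: atlas125.free.mail.bf1.yahoo.com;
  spf=fail smtp.mailfrom=mutawamarine.com;
  dmarc=unknown
From: "Mr. James Jackson" <james.jackson@example.invalid>
Reply-To: <replies@example.test>
Subject: Transfer reference 09674321
To: redacted@yahoo.com

(body omitted)
"""


def _norm(value):
    """Collapse folded header continuation lines into one spaced string."""
    return " ".join((value or "").split())


def _domain(address):
    """Return the lower-cased domain part of an address, or None."""
    m = re.search(r"@([\w.-]+)", address or "")
    return m.group(1).lower() if m else None


def triage_headers(raw):
    """Extract the fields a phishing analyst checks first and flag mismatches."""
    msg = email.message_from_string(raw)
    auth = _norm(msg.get("Authentication-Results"))

    spf_m = re.search(r"\bspf=(\w+)", auth)
    # Fall back to the Received-SPF verdict if Authentication-Results lacks spf=
    spf = spf_m.group(1) if spf_m else _norm(msg.get("Received-SPF")).split()[0].lower()
    dmarc_m = re.search(r"\bdmarc=(\w+)", auth)
    dmarc = dmarc_m.group(1) if dmarc_m else "none"

    ip_m = re.search(r"(\d{1,3}(?:\.\d{1,3}){3})", msg.get("X-Originating-Ip", ""))
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    return_path = msg.get("Return-Path", "").strip("<> ")
    ref_m = re.search(r"\b(\d{6,})\b", msg.get("Subject", ""))

    rp_dom, from_dom, reply_dom = _domain(return_path), _domain(from_addr), _domain(reply_addr)
    findings = []
    if spf != "pass":
        findings.append(f"SPF result is '{spf}' for envelope sender domain {rp_dom}")
    if dmarc != "pass":
        findings.append(f"DMARC result is '{dmarc}'")
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"From domain {from_dom} differs from Return-Path domain {rp_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    return {
        "from_name": from_name,
        "from_address": from_addr,
        "reply_to": reply_addr,
        "return_path": return_path,
        "return_path_domain": rp_dom,
        "originating_ip": ip_m.group(1) if ip_m else None,
        "spf": spf,
        "dmarc": dmarc,
        "subject_reference": ref_m.group(1) if ref_m else None,
        "findings": findings,
    }


if __name__ == "__main__":
    result = triage_headers(SAMPLE_MESSAGE)
    for key, value in result.items():
        print(f"{key:>20}: {value}")
```

Running it prints the extracted fields followed by the findings list; for the sample above the SPF failure, the unknown DMARC result and the two domain mismatches are all reported. The same function works on any saved `.eml` file read with `open(path).read()`.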
Content-Type: application/octet-stream; name="SWT_#09674321____PDF__.CAB"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="SWT_#09674321____PDF__.CAB"
- What is the name of the attachment?
SWT_#09674321____PDF__.CAB

cd Documents/
sha256sum SWT_#09674321____PDF__.CAB
# 2e91c533615a9bb8929ac4bb76707b2444597ce063d84a4b33525e25074fff3f SWT_#09674321____PDF__.CAB
- What is the SHA256 hash of the file attachment?
2e91c533615a9bb8929ac4bb76707b2444597ce063d84a4b33525e25074fff3f
ls -lh SWT_#09674321____PDF__.CAB
ls -l SWT_#09674321____PDF__.CAB
-rw-rw-r-- 1 ubuntu ubuntu 409868 Jan 11 17:02 SWT_#09674321____PDF__.CAB
400.3 KiB (409868 bytes), but this was still marked wrong; there may be a difference on other operating systems.
- https://www.virustotal.com/gui/file/2e91c533615a9bb8929ac4bb76707b2444597ce063d84a4b33525e25074fff3f

- What is the attachments file size? (Don't forget to add "KB" to your answer, NUM KB)
409.86 KB
- What is the actual file extension of the attachment?
rar
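The last three questions are answered by hashing the attachment, reporting its size, and looking at its magic bytes rather than trusting the `.CAB` extension or the `PDF` string in the name. The script below is an added example, not part of the original writeup or the TryHackMe room; the stand-in attachment is a constructed byte string (a RAR 4.x signature followed by filler), not the real file, and only its filename comes from the page. It also reports the size in both decimal KB and KiB, which is the difference behind the 400.3 KiB vs 409.86 KB confusion above.

```python
import hashlib

# Well-known magic-number prefixes used for sniffing. Order matters only where
# one prefix is a prefix of another (the two RAR signatures differ at byte 6).
SIGNATURES = [
    (b"Rar!\x1a\x07\x01\x00", "rar"),                 # RAR 5.x archive
    (b"Rar!\x1a\x07\x00", "rar"),                     # RAR 1.5 - 4.x archive
    (b"MSCF", "cab"),                                 # Microsoft Cabinet
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),                           # ZIP (also docx/xlsx/jar)
    (b"MZ", "exe"),                                   # DOS/PE executable
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),     # legacy Office (doc/xls)
    (b"\x1f\x8b", "gz"),
]


def sniff_type(data):
    """Identify a file type from its leading bytes; 'unknown' if no match."""
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label
    return "unknown"


def sha256_hex(data):
    """SHA-256 of the attachment bytes, matching what sha256sum prints."""
    return hashlib.sha256(data).hexdigest()


def size_report(nbytes):
    """Size in raw bytes, decimal kilobytes (1000) and kibibytes (1024)."""
    return {
        "bytes": nbytes,
        "kb_decimal": round(nbytes / 1000, 3),
        "kib": round(nbytes / 1024, 1),
    }


def claimed_extension(filename):
    """Extension the filename advertises, lower-cased ('' if none)."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def triage_attachment(filename, data):
    """Compare the advertised extension with the sniffed type and hash the file."""
    claimed = claimed_extension(filename)
    actual = sniff_type(data)
    return {
        "filename": filename,
        "claimed_ext": claimed,
        "actual_type": actual,
        # Mismatch is only meaningful when we actually recognised the content.
        "mismatch": actual != "unknown" and actual != claimed,
        # A 'PDF' string in the name of a non-PDF is a common lure pattern.
        "lure_in_name": "pdf" in filename.lower() and actual != "pdf",
        "sha256": sha256_hex(data),
        **size_report(len(data)),
    }


# Constructed stand-in for the attachment: RAR 4.x magic plus zero filler.
# The real file's contents are not reproduced here; only the name is from the writeup.
SAMPLE_NAME = "SWT_#09674321____PDF__.CAB"
SAMPLE_DATA = b"Rar!\x1a\x07\x00" + b"\x00" * 200

if __name__ == "__main__":
    for key, value in triage_attachment(SAMPLE_NAME, SAMPLE_DATA).items():
        print(f"{key:>13}: {value}")
    print("size of the real attachment:", size_report(409868))
```

To run it against the real attachment, replace `SAMPLE_DATA` with `open(path, "rb").read()`; the `sha256` field should then equal the `sha256sum` output above, and `actual_type` will come back as `rar` for this sample.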