Phishing Analysis Tools | TryHackMe | Solution
Phishing Analysis Tools
Learn the tools used to aid an analyst to investigate suspicious emails.
Task1
1.1) Read the above.
Correct Answer: No answer needed
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Task2
2.1) Read the above.
Correct Answer: No answer needed
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Task3
3.1) What is the official site name of the bank that capitai-one.com tried to resemble?
Correct Answer: capitalone.com
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Task4:
4.1) How can you manually get the location of a hyperlink?
Correct Answer: copy link location
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Task5:
5.1) Read the above.
Correct Answer: No answer needed
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Task6:
6.1) Look at the Strings output. What is the name of the EXE file?
Correct Answer: 454326_PDF.exe
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Task7:
7.1) What brand was this email tailored to impersonate?
Correct Answer: netflix
7.2) What is the From email address?
Correct Answer: JGQ47wazXe1xYVBrkeDg-JOg7ODDQwWdR@JOg7ODDQwWdR-yVkCaBkTNp.gogolecloud.com
7.3) What is the originating IP? Defang the IP address.
Correct Answer: 209[.]85[.]167[.]226
7.4) From what you can gather, what do you think will be a domain of interest? Defang the domain.
Correct Answer: etekno[.]xyz
7.5) What is the shortened URL? Defang the URL.
Correct Answer: hxxps[://]t[.]co/yuxfZm8KPg?amp=1
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Task8:
8.1) What does AnyRun classify this email as?
Correct Answer: Suspicious activity
8.2) What is the name of the PDF file?
Correct Answer: Payment-updateid.pdf
8.3) What is the SHA 256 hash for the PDF file?
Correct Answer: CC6F1A04B10BCB168AEEC8D870B97BD7C20FC161E8310B5BCE1AF8ED420E2C24
8.4) What two IP addresses are classified as malicious? Defang the IP addresses. (answer: IP_ADDR,IP_ADDR)
Correct Answer: 2[.]16[.]107[.]24,2[.]16[.]107[.]83
8.5) What Windows process was flagged as Potentially Bad Traffic?
Correct Answer: svchost.exe
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Task9:
9.1) What is this analysis classified as?
Correct Answer: Malicious activity
9.2) What is the name of the Excel file?
Correct Answer: CBJ200620039539.xlsx
9.3) What is the SHA 256 hash for the file?
Correct Answer: 5f94a66e0ce78d17afc2dd27fc17b44b3ffc13ac5f42d3ad6a5dcfb36715f3eb
9.4) What domains are listed as malicious? Defang the URLs & submit answers in alphabetical order. (answer: URL1,URL2,URL3)
Correct Answer: biz9holdings[.]com,findresults[.]site,ww38[.]findresults[.]site
9.5) What IP addresses are listed as malicious? Defang the IP addresses & submit answers from lowest to highest. (answer: IP1,IP2,IP3)
Correct Answer: 75[.]2[.]11[.]242,103[.]224[.]182[.]251,204[.]11[.]56[.]48
9.6) What vulnerability does this malicious attachment attempt to exploit?
Correct Answer: CVE-2017-11882
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Task10:
10.1) Read the above.
Correct Answer: No answer needed
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —