Advent of Cyber 4 (2022): Day 6 Write-up [TryHackMe]

Amol Rangari
5 min read · Dec 7, 2022


Don’t get spooked by spooky mails! 😱

Welcome to Day 6 of Advent of Cyber 4 (2022) write-up. To check the room, click here.

If you haven’t solved Day 5, click here.

[Day 6] Email Analysis: It's beginning to look a lot like phishing

Today's task covers email analysis: how to identify suspicious emails, how to extract data from them, and how to carry out further investigation with different tools.

Learning Objectives

  • Learn what email analysis is and why it still matters.
  • Learn the email header sections.
  • Learn the essential questions to ask in email analysis.
  • Learn how to use email header sections to evaluate an email.
  • Learn to use additional tools to discover email attachments and conduct further investigation.
  • Help the Elf team investigate the suspicious email received.

What is Email Analysis?

Email analysis extracts the header information of an email to expose the details of the email file. The header holds the technical details of the message: sender, recipient, path taken, return address and attachments. Usually these details are enough to determine whether something in the email is suspicious or abnormal and to decide on a further action, such as filtering/quarantining it or delivering it. This process can be done manually or with the help of tools.

A common email security issue is phishing.

Phishing: Phishing is a sub-section of social engineering delivered through email to trick someone into either revealing personal information and credentials or executing malicious code on their computer.

Important Email Header Fields for Quick Analysis

emlAnalyzer

Now use the given sample and execute the given command.

emlAnalyzer -i Urgent\:.eml --header --html -u --text --extract-all

Tools for further investigations

IMPORTANT NOTES:

  • The given email sample contains a malicious attachment.
  • Never directly interact with unknown email attachments outside of an isolated environment.

To learn more, check out the Day 6 room.

Let’s get started!

1. What is the email address of the sender?

Using the following command:

emlAnalyzer -i ./Desktop/Urgent:.eml --header --html -u --text --extract-all

Answer: chief.elf@santaclaus.thm

2. What is the return address?

From the previous output, you can find the return address (the Return-Path header).

Answer: murphy.evident@bandityeti.thm

3. On whose behalf was the email sent?

From the previous output, you can check the From field value.

Answer: chief elf

4. What is the X-spam score?

Answer: 3

5. What is hidden in the value of the Message-ID field?

A legitimate Message-ID is not Base64-encoded, so the Base64-looking value here must be decoded to reveal the hidden value.

QW9DMjAyMl9FbWFpbF9BbmFseXNpcw==

To decode, we can use this website: https://www.base64decode.org/

Answer: AoC2022_Email_Analysis

6. Visit the email reputation check website provided in the task. What is the reputation result of the sender’s email address?

We can check the reputation of the sender's email address using the following website:

Simple Email Reputation (emailrep.io): Illuminate the reputation behind an email address.

Answer: RISKY

7. Check the attachments. What is the filename of the attachment?

From the earlier output, we can check for the extracted attachments.

Answer: Division_of_labour-Load_share_plan.doc

8. What is the hash value of the attachment?

emlAnalyzer stores the extracted attachment in the eml_attachments folder in the current directory. Confirm this with the ls command, then change into that folder with the cd command.

Using the following command:

sha256sum Division_of_labour-Load_share_plan.doc

Answer: 0827bb9a2e7c0628b82256759f0f888ca1abd6a2d903acdb8e44aca6a1a03467
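As an added example (not part of the original write-up, and not emlAnalyzer's own code), the Python script below does by hand what steps 1 to 8 above read off the emlAnalyzer output: it parses an .eml file with the standard library, pulls out the From address and display name, the Return-Path, the spam-score header, decodes a Base64-looking Message-ID, hashes every attachment with SHA-256 (the same value sha256sum prints), and flags the From/Return-Path domain mismatch that makes this message suspicious. The message it parses is constructed inline: the two addresses, the Message-ID value and the attachment filename are taken from the task, while the To address, Subject, Date, body text, the header name X-Spam-Score, the angle-bracket framing of the Message-ID and the attachment bytes (b"abc", so the hash is not the task's hash) are placeholders assumed for this example.

```python
import base64
import binascii
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message. The From, Return-Path, Message-ID value, spam
# score and attachment filename mirror what the Day 6 questions ask about;
# the To address, Subject, Date, body text and the attachment bytes (b"abc")
# are placeholders invented for this example. The header name X-Spam-Score and
# the angle-bracket framing of the Message-ID are assumptions as well.
SAMPLE_EML = b"""\
Return-Path: <murphy.evident@bandityeti.thm>
From: Chief Elf <chief.elf@santaclaus.thm>
To: elves.all@santaclaus.thm
Subject: Urgent: Division of labour
Date: Tue, 06 Dec 2022 09:00:00 +0000
Message-ID: <QW9DMjAyMl9FbWFpbF9BbmFseXNpcw==@santaclaus.thm>
X-Spam-Score: 3
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="aoc-boundary"

--aoc-boundary
Content-Type: text/plain; charset="utf-8"

Placeholder body text for the constructed sample.
--aoc-boundary
Content-Type: application/msword; name="Division_of_labour-Load_share_plan.doc"
Content-Disposition: attachment; filename="Division_of_labour-Load_share_plan.doc"
Content-Transfer-Encoding: base64

YWJj
--aoc-boundary--
"""


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, the same value `sha256sum` prints for a file."""
    return hashlib.sha256(data).hexdigest()


def decode_hidden_message_id(message_id: str):
    """Return the Base64-decoded local part of a Message-ID, or None when it is not Base64."""
    _, addr = parseaddr(message_id)          # strips the <...> framing if present
    local = addr.split("@", 1)[0]
    try:
        decoded = base64.b64decode(local, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded and decoded.isprintable() else None


def analyze_eml(raw: bytes) -> dict:
    """Extract the header fields and attachment hashes used in the Day 6 questions."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender_name, sender_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))

    # Spam-score header names vary between mail gateways, so match loosely.
    spam_score = None
    for name, value in msg.items():
        if re.search(r"spam.?score", name, re.IGNORECASE):
            spam_score = str(value).strip()
            break

    # Hash attachments from their decoded bytes; never open them outside a sandbox.
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        attachments.append({"filename": part.get_filename(), "sha256": sha256_hex(data)})

    # A Return-Path domain that differs from the From domain is a classic phishing tell.
    sender_domain = sender_addr.rpartition("@")[2].lower()
    return_domain = return_path.rpartition("@")[2].lower()
    message_id = str(msg.get("Message-ID", ""))
    return {
        "sender_name": sender_name,
        "sender_address": sender_addr,
        "return_path": return_path,
        "domain_mismatch": sender_domain != return_domain,
        "spam_score": spam_score,
        "message_id": message_id,
        "hidden_message_id": decode_hidden_message_id(message_id),
        "attachments": attachments,
    }


if __name__ == "__main__":
    for key, value in analyze_eml(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

To run it against the task's file instead of the constructed sample, replace SAMPLE_EML with the bytes read from the .eml (for example `open("Urgent:.eml", "rb").read()`); the attachment hash will then match what sha256sum reports above.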

9. Visit the Virus Total website and use the hash value to search. Navigate to the behaviour section. What is the second tactic marked in the MITRE ATT&CK section?

Open the VirusTotal website, paste the hash value we found, and click on search.

Navigate to the Behavior section.

Scroll down, and you can see that the second tactic marked in the MITRE ATT&CK section is Defense Evasion.

Answer: Defense Evasion

10. Visit the InQuest website and use the hash value to search. What is the subcategory of the file?

Open the InQuest website and navigate to INDICATOR LOOKUP.

Paste the hash value and click on the Lookup button.

Click on the SHA256 hash value for further investigation.

Since the question asked for a subcategory, you only have to look for that.

Answer: macro_hunter

11. If you want to learn more about phishing and analysing emails, check out the Phishing module!

Answer: No answer needed

Follow me on Medium and stay tuned for more write-ups.

https://linktr.ee/alexhack



Amol Rangari

I am a Cyber Security Expert, Security Researcher and bug hunter.