LetsDefend — Email Analysis Challenge Walkthrough
Email Header and Attachment Analysis
Introduction:
Hello — Thanks for joining me for this weekly walkthrough!
This week I am going to tackle the medium difficulty Email Analysis blue team challenge over on LetsDefend.
This one should be good practice for some manual email header and attachment analysis. While there are many solutions that perform automatic header analysis and sandbox detonation of attachments before delivery, it’s always good to practice your manual analysis skills especially if you don’t have these enterprise tools available to you.
As always, this write up will serve as a learning notebook for me and a LetsDefend challenge walkthrough for anyone else who stumbles upon this post. Thanks for reading along, hope it helps!
Challenge Link: https://app.letsdefend.io/challenge/email-analysis
Challenge Scenario:
You recently received an email from someone trying to impersonate a company, your job is to analyze the email to see if it is suspicious.
Setup the REMnux Analysis Environment & Extract the challenge file:
First thing’s first — It’s always a good idea when downloading lab/challenge files from LetsDefend (or any lab/challenge/range) to keep yourself safe by performing these tasks in a dedicated, isolated virtual machine — we are working with malicious files, after all!
For this challenge I am using REMnux, a Linux distro built for malware analysis so we can leverage the available built-in tools to help us with the analysis.
To keep this write-up focused I’m going to skip a step-by-step setup guide of REMnux. Instead, if you want to set up your own REMnux environment please follow the directions provided by REMnux directly. I opted for the virtual appliance method:
Okay! Now that we have our virtual environment created, updated, isolated, and snapshotted, we can download and extract our challenge file and get started!
Question 1: What is the sending email address?
Okay! We have a few ways to approach this challenge. Since the file we are doing analysis on is a .eml file which contains the message header, message body, and attachments, we could simply open it in a plain text editor to view the header information. But, for this challenge, let’s jump into CyberChef to view the file in case we need to perform any other operations later. We can use the online version of the tool or the version installed in REMnux.
Now, we can simply drop the extracted .eml file into the CyberChef input window. Then, in the output window we should have all the information that we need to answer the first five questions!
For Question 1, we want to look at the From field which contains the sender’s address information. The challenge states that this email is trying to impersonate a company, right? It’s important to note that in real-world analysis this field can be (and often is) spoofed by the bad guys for phishing or impersonation attempts.
For this one, let’s submit the sender’s address as we see it in the From field.
Question 2: What is the email address of the recipient?
We’re going to do the same thing we did for Question 1; except this time, we’ll look at the To field which contains the recipient’s email address.
Question 3: What is the subject line of the email?
This time let’s look at the Subject field which is just the subject line that the sender entered for the email.
Question 4: What date was the Email sent? Date format: MM/DD/YYYY
Yep, you guessed it — we’re going to focus on the Date field this time. This is a required header in the Simple Mail Transfer Protocol (SMTP). The only trick here is that the date format in the email differs from the one the question asks for, so we need to convert it to MM/DD/YYYY before submitting.
Question 5: What is the originating IP?
Now let’s check the Received field. This field will list all mail servers that the message has gone through before delivery including their IP addresses. Since there is only one IP address in our sample, we should have the answer.
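The header fields used for Questions 1 through 5 can be pulled out programmatically as well, which is handy when you have more than one message to triage. The following Python script is an added example written for this walkthrough, not part of the challenge or the LetsDefend material; the .eml content, addresses and the 192.0.2.10 address are constructed placeholders. It reads the From, To, Subject and Date fields, converts the date to MM/DD/YYYY, and takes the originating IP from the earliest Received hop (the last Received header in the file, since each relay prepends its own). The from_domain_in_first_hop check is a hypothetical heuristic that flags a From domain that never appears in the first-hop Received line, which is one cheap signal for the spoofing the challenge describes.

```python
import re
from email import policy
from email.parser import BytesParser

# Constructed sample message (placeholder addresses and RFC 5737 test IP); not the challenge .eml.
SAMPLE_EML = b"""Received: from mail.example-sender.test (mail.example-sender.test [192.0.2.10])
\tby mx.example-recipient.test with ESMTP id abc123
\tfor <analyst@example-recipient.test>; Mon, 01 Feb 2021 14:30:00 +0000
From: "Accounts" <billing@example-sender.test>
To: analyst@example-recipient.test
Subject: Invoice overdue
Date: Mon, 01 Feb 2021 14:30:00 +0000
Message-ID: <placeholder@example-sender.test>
Content-Type: text/plain

Please see the attached invoice.
"""

# Matches a dotted-quad IPv4 address, with or without the square brackets used in Received lines.
IPV4_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def parse_eml(raw: bytes):
    """Parse raw .eml bytes with the modern email policy so headers are structured objects."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def sender_address(msg) -> str:
    # Question 1: the address part of the From header (display name stripped).
    return msg["From"].addresses[0].addr_spec


def recipient_address(msg) -> str:
    # Question 2: first address in the To header.
    return msg["To"].addresses[0].addr_spec


def sent_date_mmddyyyy(msg) -> str:
    # Question 4: the Date header parsed into a datetime, then reformatted as MM/DD/YYYY.
    return msg["Date"].datetime.strftime("%m/%d/%Y")


def originating_ip(msg):
    """Question 5: the IP in the earliest Received hop.

    Relays prepend their Received header, so the last one in the file is the first hop.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    ips = IPV4_RE.findall(str(received[-1]))
    return ips[0] if ips else None


def from_domain_in_first_hop(msg) -> bool:
    """Hypothetical heuristic: does the From domain appear in the first-hop Received line?

    A mismatch is not proof of spoofing, but it is a reason to look harder at the sender.
    """
    received = msg.get_all("Received") or []
    if not received:
        return False
    from_domain = sender_address(msg).rsplit("@", 1)[-1].lower()
    return from_domain in str(received[-1]).lower()


def summarize(raw: bytes) -> dict:
    """Answer-style summary of the header fields used in Questions 1 to 5."""
    msg = parse_eml(raw)
    return {
        "from": sender_address(msg),
        "to": recipient_address(msg),
        "subject": str(msg["Subject"]),
        "date": sent_date_mmddyyyy(msg),
        "originating_ip": originating_ip(msg),
        "from_domain_in_first_hop": from_domain_in_first_hop(msg),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

To run it against a real challenge file, replace SAMPLE_EML with the bytes of the .eml read from disk inside your isolated VM. Keep in mind that the From field is whatever the sender typed, while the Received chain is written by the mail servers, which is why the script takes the originating IP from the Received header rather than from anything the sender controls.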
Although it is out of scope for this challenge, in the real world we can check the sender IP address against a ton of excellent reputation and threat intelligence services online. Remember that our challenge scenario told us that the suspicious email was trying to impersonate a company — threat intel can also help us determine whether the originating IP address actually belongs to the company it claims to be.
For this example, let’s take a look at just a couple of these services — the Cisco Talos Intelligence Center, and the SuperTool over on MxToolBox.
Using these types of services can help our analysis by adding context and intelligence to indicators we find during our investigations!
Question 6: What country is the IP address from?
Since we have the IP address from Question 5, we’re going to look for geolocation information about the IP address of the sending infrastructure.
There are any number of geolocation services we can use but it’s always a good idea to check a couple of different ones as the location data can vary depending on the method the provider uses to determine the geolocation. In the real world you might see some inaccurate geolocation data in your logs so double verifying is a good practice.
You may have noticed that we already answered this in the previous question, but to highlight more tools, we’ll check two more geolocation databases — ipinfo.io & DomainTools WhoIs Lookup.
Now that we have checked three different services, we can more accurately answer Question 6!
Question 7: What is the name of the attachment when you unzip it? (with extension)
Alright, now we are going to move on from analysis of the .eml file directly and check out the attachment — this is a separate file linked in the challenge.
For this question, let’s simply unzip the archive file and see what the name of the file contained inside is:
Okay, we have an executable file and a misspelling of the brand in the file name — that’s suspicious…
Question 8: What is the sha256 hash of the File?
Now that we have extracted an executable file from the .zip archive we need to grab the file hash. Fortunately, we can do this directly in the terminal! Since we need to get the SHA-256 hash we can use the sha256sum command to get the right output.
Let’s keep this output handy after we submit it so that we can use it for Question 9.
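Questions 7 and 8 can also be answered without ever writing the executable to disk: the archive member can be listed and hashed straight out of the .zip, which keeps the payload inert until you decide to detonate it in a sandbox. The script below is an added example for this walkthrough, not code from the challenge or from LetsDefend; the archive it hashes is built in memory from a harmless placeholder payload with a constructed file name, and the flags_for heuristics (executable extension, double extension) are hypothetical checks that capture the "executable with a suspicious name" observation from Question 7.

```python
import hashlib
import io
import zipfile

# Constructed placeholder payload and file name; not the challenge attachment.
SAMPLE_NAME = "invoice_placeholder.exe"
SAMPLE_PAYLOAD = b"MZ placeholder bytes, not a real executable"

# Extensions that Windows will execute directly; hypothetical list for the heuristic below.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1"}


def build_sample_zip() -> bytes:
    """Build an in-memory .zip containing the placeholder member (stands in for the challenge archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(SAMPLE_NAME, SAMPLE_PAYLOAD)
    return buf.getvalue()


def list_archive(zip_bytes: bytes) -> list:
    """Question 7: member names, read from the central directory without extracting anything."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist()]


def sha256_bytes(data: bytes) -> str:
    """SHA-256 of an in-memory byte string, matching what sha256sum prints for the same bytes."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_member(zip_bytes: bytes, name: str) -> str:
    """Question 8: stream one archive member through SHA-256 in chunks, never touching disk."""
    digest = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        with zf.open(name) as member:
            for chunk in iter(lambda: member.read(65536), b""):
                digest.update(chunk)
    return digest.hexdigest()


def flags_for(name: str) -> list:
    """Hypothetical name-based triage flags for an attachment (reasons to escalate, not a verdict)."""
    lowered = name.lower()
    parts = lowered.split(".")
    flags = []
    if parts and f".{parts[-1]}" in EXECUTABLE_EXTENSIONS:
        flags.append("executable extension")
    if len(parts) > 2 and f".{parts[-1]}" in EXECUTABLE_EXTENSIONS:
        # e.g. invoice.pdf.exe, a common trick to hide the real type behind a familiar one
        flags.append("double extension")
    return flags


def triage_archive(zip_bytes: bytes) -> dict:
    """Name, SHA-256 and flags for every member, ready to paste into a VirusTotal search."""
    return {
        name: {"sha256": sha256_of_member(zip_bytes, name), "flags": flags_for(name)}
        for name in list_archive(zip_bytes)
    }


if __name__ == "__main__":
    for name, info in triage_archive(build_sample_zip()).items():
        print(f"{name}  sha256={info['sha256']}  flags={info['flags']}")
```

The hex digest returned by sha256_of_member is the same value sha256sum would print for the extracted file, so it can be pasted straight into VirusTotal for Question 9. Hashing inside the archive matters in practice: a hash lookup tells you whether the sample is already known without the file ever sitting on disk with an executable extension.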
Question 9: Is the email attachment malicious? Yes/No
Okay, we made it to the last question! Let’s see if we can get any hits on this file from VirusTotal to help us determine if this binary is malicious or not. We’ll copy the file hash from Question 8 into the search bar and see what we can discover about this indicator of compromise (IOC):
There we go! We’ve got a high number of detections on VirusTotal, with the threat labeled as Loki Ransomware. This gives us high confidence that the file is indeed malicious without having to perform our own analysis on the executable.
Let’s check our work and wrap this challenge up!
Conclusion:
Let’s walk through and quickly summarize. Our investigation revealed a social engineering attempt with spearphishing attachment (MITRE ATT&CK T1566.001) by impersonating another organization. If we executed the malicious file (MITRE ATT&CK T1024) in the attached .zip archive, we might have been a victim of the Loki Ransomware! This is just the tip of the iceberg, but this is all the information we need to wrap up this challenge.
We set out to determine if the email we received is suspicious, and I think we can conclude that it is! Great work on the investigation!
Thank you to LetsDefend.io for the challenge. While this was just a brief scenario, it provided us with a practical context to understand how we, as defenders, can quickly do some manual analysis of email headers and attachments to determine if they are malicious or not.
I hope that you had as much fun as I did and learned something new, too. Stay curious!
Tools & References:
REMnux: https://docs.remnux.org/install-distro/get-virtual-appliance
CyberChef: https://gchq.github.io/CyberChef/
Cisco Talos: https://talosintelligence.com/
MX ToolBox Blacklists Check: https://mxtoolbox.com/blacklists.aspx
DomainTools WhoIs: https://whois.domaintools.com/
ipinfo.io: https://ipinfo.io/
VirusTotal: https://www.virustotal.com/
MITRE ATT&CK Techniques: