Email is one of the most popular methods an attacker uses to achieve initial access, specifically through the technique of phishing, so as a SOC analyst it is crucial for you to understand how to analyze emails. In today's video I'll walk you through a CTF-like lab from the Blue Team Labs Online cyber range called The Planet's Prestige, and I would encourage you to follow along to get the most out of this video. Let's get started.

All right, heading over to blueteamlabs.online. If you don't have an account yet you can register for one here; if you do, hit Log in and sign into your account. Once you're logged in, select Challenges, which is located at the top, then search "planet" and hit Enter. You should see The Planet's Prestige, so we'll go ahead and hit Start Challenge.

Very quickly, we'll go over the scenario. Canda, a planet known as the heaven of the universe, has been having a bad year. A series of riots have taken place across the planet due to the frequent abduction of citizens, known as Candians, by a mysterious force. Canda's planetary president arranged a war room with the best brains and military leaders to work on a solution. After the meeting concluded, the president was informed that his daughter had disappeared. Canda agents spread across multiple planets were working day and night to locate her. Two days later there is no update on the situation: no demand for ransom, not even a single clue regarding the whereabouts of the missing people. On the third day a Canda representative, an Army Major on Earth, received an email.

This is a pretty interesting scenario, where we will dig into the email that the Army Major received. So let's download the email itself: click Download file, and keep the password in mind, which is btlo, all lowercase. For my machine I'll be using a Windows virtual machine to perform my analysis with Notepad++, but you can use whatever text editor you like. I'll also have an application called HxD, which is what I'll use to view some files in hex, and lastly I'll have 7-Zip installed as well. Once the file is downloaded, right-click it, click Extract All, extract it using the password btlo, and now we have the email file. I'll right-click this email file and click Edit with Notepad++.

If this is your first time analyzing emails it can be quite confusing, especially with the amount of information you see here, but let's take it slow and I'll start from the top.

The very first field is Delivered-To. This is who received the email, which in our case is themajoronearth@gmail.com. Next we have the Received (Received: by) headers. These are the mail servers that handled the email, similar to how the post office delivers mail: a letter passes through multiple post offices before reaching the one closest to the recipient. Each server prepends its own Received header, so the first Received header from the top is the server closest to the recipient, whereas if we scroll down a bit, the very last Received field at the bottom is the one closest to the sender. Just so we're all on the same page: the bottom Received header is the mail server closest to the sender, and the top one is closest to the recipient. One caveat a practitioner should keep in mind: only the hops added by servers you trust are reliable, because whoever controls the originating server can write whatever they like into the Received lines below that point.

Next are headers that have an X- prefix. These are called X-headers; they are optional and are added by tools or mail servers. Then we have what are called ARC headers, aka Authenticated Received Chain headers. These are used for verification purposes: a trusted intermediate mail server digitally signs the authentication results it saw, so that later hops can still verify them after forwarding.

Scrolling down a bit, past all of the ARC headers, we get Return-Path. This is the address that receives the bounce if the email fails to deliver, which is typically used for troubleshooting purposes. Now I'm sure you've experienced this at some point, where you tried to send an email and then got an "email failed to deliver" message back; you received it because your address was in the Return-Path.

Moving down a bit we have Authentication-Results. This is where we can see the statuses of the email protections SPF, DKIM and DMARC. As we can see, SPF is set to fail, meaning that the sender's domain, microapple.com, does not list the sending mail server 93.99.104.210 as a permitted sender. In other words, microapple.com does not know who the heck 93.99.104.210 is. When you're performing email analysis, the SPF, DKIM and DMARC statuses are a good indicator of a suspicious email; if SPF is set to fail, you want to take a deeper look.

Then we have To, which is the recipient, the Subject, and From, which is who supposedly sent the email. If we scroll down a little we have Importance, which is set to normal; these are quite self-explanatory. Then we have Reply-To. The Reply-To address is the one that will be used the moment the recipient clicks Reply. If you notice, the Reply-To has a domain of pastor.com, while the From address is at microapple.com. Because there is a discrepancy between the two, that is pretty suspicious: not only did SPF fail, but the addresses in the From and Reply-To fields are different.

Then we have Content-Type. This field instructs the mail client how to render the content of the email. With it being multipart/mixed, there are multiple parts in different formats, and it also has a boundary set, which here is bound_600. The boundary is a unique string that marks where each part starts and stops, so the client knows which format to apply to which part. Next we have Message-ID, a unique identifier that helps keep track of this email, and finally we have Date, which is the time the sender's client claims the message was written (not when it arrived). Do keep in mind that the Date field can be spoofed.

We then see our first boundary, which tells the client to start rendering the following part using the format in its Content-Type. If we look at the Content-Type it says text/plain, so it's telling the client to render this content as plain text, but at the bottom we also see a Content-Transfer-Encoding of base64: the plain text was base64-encoded for transport, and the client decodes it before displaying it. Any time we get hit with base64 we want to decode it to see the contents, so highlight it, right-click, copy, and then we'll use a trusty tool called CyberChef. Over in CyberChef I'll paste that into the input, and then you can either search for "base64" or, at the bottom, you can see From Base64; drag that over, and immediately in the output at the bottom (let me zoom in a little) we can see the result. It says:

"Hi, the Major on Earth. The abducted Candians are with me, including the president's daughter. Don't worry, they are safe in a secret location. Send me 1 billion Candies in cash with a spaceship and my autonomous bots will safely bring back your citizens. I heard that Candians have the best brains in the universe. Solve the puzzle I sent as an attachment for the next step. I'm approximately 12.8 light minutes away from the Sun, and my advice for the puzzle is: don't trust your eyes."

Then we can click Save output to file, and I'll just call this email.
txt, click OK, and we have that saved.

Now, in the body of this email they mentioned an attachment, so let's head back to Notepad++. We see the boundary again, which tells the client that this is the end of that particular part. If we scroll down we see a Content-Type of application/pdf with the name puzzle to ca.pdf, so this is the attachment mentioned in the body. We see the Content-Transfer-Encoding is base64 and the base64 content follows, so just like before I'll copy it out, head over to CyberChef, add a new tab by clicking the plus button, and paste it in.

Once we have the decoded base64 we could save the output right away, but before we do that I'm going to add To Hex and convert it to hexadecimal. The reason is that if we look at the first few bytes, 50 4B 03 04, the first bytes of a file make up what is called the file signature, aka magic number or file header. Just because the file name ends in .pdf doesn't necessarily mean it is a PDF file; always check the file signature to determine exactly what a file is. Going back to CyberChef and copying those first bytes, I'll use Gary Kessler's file signature table at garykessler.net, press Ctrl+F and paste in those bytes. We quickly see that 50 4B 03 04 is the signature of a ZIP archive. Interesting: the name said PDF, but the signature says ZIP. What if we search for PDF instead? Searching "pdf", I'm looking for the PDF extension and not DRMZ, so keep clicking Next until we reach the PDF entry. The first bytes of a PDF are 25 50 44 46 (that is "%PDF" in ASCII), and if we go back to CyberChef, those are not the first bytes we have. Pretty interesting, right? We can remove To Hex so the output is just the decoded bytes, and I'll save this file and call it attachment.zip, click OK, and now we have our zip file.

Remember, whenever you're doing any kind of analysis, especially on something that might contain malware, always use a virtual machine and not your host. I'll right-click the zip, Extract All, click Extract, and we get a "puzzle to Canda" directory. Open that up and we see two files, but just in case there are any hidden files I'm going to click View and check Hidden items, and now we see an additional file called money.xlsx, which is the extension for Microsoft Excel. Is it actually Excel? That is something for us to figure out.

Because I have HxD (link down below if you want to download it) I can view these files in hex, so I'll drag daughter's crown over to HxD and take a look at the first bytes: FF D8 FF E0. Copy that, head over to Gary Kessler's file signatures, Ctrl+F, paste it in, and we can see those bytes belong to a JPEG file. Back at the file, I'll click Rename and add a .jpeg extension; double-click it and we get a picture. Nice. Let's do the same for the other one. As an FYI, always enable "File name extensions" in Explorer, because if you don't you won't be able to change the extension manually here (sometimes you can, it's kind of odd, but to make sure everything works properly always have it checked). Open HxD, click New and drag over "good job major". Looking at the first bytes again we have 25 50 44 46; if that sounds familiar, it's because we checked it earlier and it is a PDF. So I'll rename good job major and add the .pdf extension. Double-click it and it says: "Hey, Candians are safe. The proof is in the file named daughter's crown. The location to send 1 billion Candies is in the money.xlsx file." Okay. Head back to the directory, open another HxD and drag in money.xlsx. The first bytes are 50 4B 03 04; copy that, head over to file signatures and paste it in. We see ZIP again, which is what we saw earlier; however, if we keep going down a little we also see Microsoft Office Open XML format, which is a ZIP-based container, so we can safely say this is an Excel document. (A quick way to confirm: rename a copy to .zip and open it; an .xlsx contains [Content_Types].xml and an xl/ folder, which a plain archive does not.)

Now, what if we don't have Excel installed on the virtual machine, which I don't? We can install Excel or OpenOffice, or, what I'll do, use a tool called SquareX, which has a file viewer where you can drag and drop your files and it opens them for you. You can sign up with the link down below; it's a tool I always use during my analysis. With the file viewer open I'll drag money.xlsx into SquareX. The file says: "Whatever you have seen or read till now is fake. Our intention was not money; it is the beginning of the war with Candians. It's not that easy to find this, Major. I will also stay in the same location, but I bet Candians can't do anything in my planet. Find and come ASAP, I'm waiting."

Okay. This Excel file has two sheets: this one is Sheet1 and this one is Sheet3, and Sheet3 appears to have nothing in it. Because this lab is CTF-like there might be some trickery, such as text blended into the background with a white font. So I'll select everything, right-click and click Clear Format, so that if any formatting is hiding something I'll see it right here. Sheet1 seems fine, but what about Sheet3? It's blank, and a blank sheet that still exists is kind of suspicious, so clear the formatting and we do see base64. Copy that, head over to CyberChef, open another tab with the plus button and paste it in. It says "The Martian Colony". Nice, I'll copy that and put it in our notes. Now let's do a quick recap before we head
over to the questions, because we just went over a lot of things.

Looking at our email and scrolling back up: the malicious actor sent an email from billjobs@microapple.com to themajoronearth@gmail.com with the subject "Hope to Canda" on January 26, 2021 at 14:11:18 Eastern Standard Time. The Return-Path, if we scroll up, is also an address at microapple.com, so that address is where any failed-delivery notices will go; however, the Reply-To is a completely different address, one ending in pastor.com. If we scroll up a little we can see that the malicious actor used an email service called emkei.cz, and if we search for that we find it is a fake mailer: Emkei's Fake Mailer is a web-based tool that allows you to create and send fake emails. So we know the threat actor used the emkei.cz service, and the content of the email was a threat to the Major on Earth demanding 1 billion in cash, along with an attachment that was supposedly a PDF but actually turned out to be a zip, and that zip contained three files: one JPEG, one PDF and one Excel workbook.

The next thing I'm about to say is extremely important, so make sure you take note of it. When performing email analysis there are some fields you should put more focus on, and those are the following.

First and foremost, Received: these are the mail servers that handled the email. What you want to do is perform OSINT on these servers; for example, take the sender IP and check its reputation, check the domain reputation as well, and, as we just did, identify the email service. This gives you context during your analysis. Next is Return-Path: look at the address itself, because, if you recall, the Return-Path is the address that receives a failed or error delivery notice. Then we have Authentication-Results: this is where you find the status of SPF, DKIM and DMARC; remember, any time you see SPF fail that is pretty weird and you should put more effort into investigating that email. Then we have To, the recipient who received the email, and the Subject. If you have an email security gateway, or the ability to search emails across your organization, you can use the Subject to see who else received a similar email. Then we have From, who sent the email; in this case we have the display name Bill and the address billjobs@microapple.com. Always focus on the email address itself rather than the display name. It can be spoofed, of course, but it's still a good idea to note it, because again you can search emails across your organization for messages sent from this address. Then we have Reply-To, the address that will be used if the recipient clicks Reply. It is a quick win if you notice that the From and Reply-To addresses differ, because, if you think about it logically, if I send you an email and you reply, I want that reply; why would it go to somebody else's mailbox? That is a question you should ask yourself. Then we have Content-Type, which tells the mail client how to render the content; if you see a boundary, that means you'll see multiple parts. Then Message-ID, which is incredibly useful if you're searching emails across the organization, since it uniquely identifies the message wherever it went. And finally Date; keep in mind that it can be spoofed, but take note of it nonetheless as a good starting point. Again, any time you receive an email, focus on these fields, as they can provide you with quick wins.

Now, in my course we go into more detail about email analysis, and I'll also show you some other tools you can use. My course will be a paid course, but it will be absolutely worth it, trust me; I'll leave a link below to sign up for the waitlist if you're interested.

Now let's move on to the questions.

What is the email service used by the malicious actor? We know this from the fake email service we saw, which is emkei.cz. Copy that, paste it in, click Submit. Perfect.

What is the Reply-To email address? That's pretty easy; remember, Reply-To is the address that will be used whenever the recipient clicks Reply. Copy it out, paste it in, hit Submit.

What is the file type of the received attachment that helped to continue the investigation? Looking at the email, the Content-Type says PDF, but when we did our analysis it wasn't actually a PDF, right? It was a zip file.

What is the name of the malicious actor? Hmm, this one's quite interesting. Looking at the From field, the display name is Bill, but the question asks for a last name as well, so "Bill" is probably not it, unless you put in Bill Jobs. If we think about it, the Reply-To is a different address, and because it's different it makes me believe that is actually the threat actor. What we can do is use ExifTool to look at the metadata of the attachment files, because if the threat actor created them they might have left clues in there. I'll be using ExifTool (download link below). I'll run exiftool against the attachment directory: copy the path, paste it in, and add a backslash and an asterisk so it covers every file. ExifTool shows us all the interesting metadata for these files: the file name, the MIME type, file modification, access and creation times, but nothing about a name, and then, oh, right here: Author. We can see a name, Pasto Nea (I don't know if that's how you pronounce it, but there you go), first and last name. I'm going to assume that's the one, because it matches the Reply-To address: the last name Nea is right there. Paste that in, hit Submit, and we got it. Perfect.

What is the location of the attacker in this universe? I recall seeing "The Martian Colony", the decoded base64 we found in the Excel document money.xlsx. That sounds like a location to me, so copy it, paste it in and Submit. Nice.

What could be the probable C2 (command and control) domain used to control the attacker's autonomous bots? Looking at the email, the only domain tied to the malicious actor is the Reply-To domain, pastor.com, and we haven't seen any other URLs apart from the fake email service, so I'm going to assume that is the C2 domain. Paste it in, Submit, and awesome, we just completed it.

Email analysis is something you should frequently expect to see as a SOC analyst, and learning what the important fields are will definitely help you in your investigations. Again, if you're interested in my course, the waitlist link is down below; I'll provide the pricing shortly once I have finalized all of the content, and my goal is to release it sometime in May or by June. In the meantime, continue to level up your skills and get better every single day. That is it for the video, and I hope you found it informative. If you did, please share this with other aspiring SOC analysts, and subscribe if you want to. Remember to stay curious and do things differently.