The Planet's Prestige
Last updated
To find the email service used by the malicious actor we need to check the Received field after opening the email in a text editor.
If we open the file using Thunderbird, we can find the Reply-To email address.
Let's open the PDF file attached to the email.
So the file isn't opening. Maybe it is not really a PDF.
Using the file utility we can check the actual format of the file.
Now that we know it is a ZIP file, we can rename it to PuzzleToCoCanDa.zip and then unzip it.
We can see that the ZIP file contains a file called GoodJobMajor.
If we use the exiftool utility on that file to check the metadata we can find the name of the malicious actor.
On opening the Money.xlsx file, we can see that there are two sheets: Sheet1 and Sheet3.
Let's convert both sheets to text files so that we can view the content better.
If we open the Sheet3.txt file we can see some text that appears to be encoded.
The == padding at the end suggests that the text is Base64-encoded.
We can use CyberChef to decode the text.
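The three manual checks above (reading the Received chain and Reply-To header, identifying the attachment by its magic bytes rather than its extension, and confirming the Base64 guess with a strict decode) can be scripted. The following is an added example written for this walkthrough, not part of the original post or the challenge files; the email text, hostnames and addresses in it are constructed placeholders, and the magic-byte table is limited to the two formats the walkthrough deals with.

```python
import base64
import binascii
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Constructed sample message (not the challenge email) carrying the two
# headers the walkthrough inspects: the Received chain and Reply-To.
SAMPLE_EML = """\
Received: from mail.example-relay.invalid (mail.example-relay.invalid [203.0.113.10])
	by mx.victim.invalid with ESMTPS id abc123
	for <major@victim.invalid>; Mon, 01 Jan 2024 10:00:00 +0000
From: Sender <sender@example.invalid>
Reply-To: Reply Name <reply@attacker.invalid>
Subject: Constructed sample
Content-Type: text/plain

body
"""

# Leading bytes the `file` utility keys on for the two formats involved here.
# Note that an .xlsx is itself a ZIP container, so it also matches "PK\x03\x04".
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
}


def received_hosts(raw_eml: str) -> List[str]:
    """Return the 'from <host>' token of every Received header, topmost first.

    The topmost Received line is added by the recipient's server and names
    the host that handed the mail over, i.e. the sending service."""
    msg = message_from_string(raw_eml)
    hosts = []
    for value in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+(\S+)", value)
        if m:
            hosts.append(m.group(1))
    return hosts


def reply_to_address(raw_eml: str) -> Optional[str]:
    """Return the bare address from Reply-To (display name stripped), or None."""
    msg = message_from_string(raw_eml)
    header = msg.get("Reply-To")
    if header is None:
        return None
    return parseaddr(header)[1] or None


def identify_by_magic(data: bytes) -> str:
    """Classify a blob by its leading bytes instead of trusting the extension."""
    for signature, kind in MAGIC.items():
        if data.startswith(signature):
            return kind
    return "unknown"


def try_base64(text: str) -> Optional[str]:
    """Strictly decode Base64 to UTF-8 text; None if the input is not Base64.

    '=' padding is only a hint (it is absent when the length is a multiple
    of three), so the decode itself is the real test."""
    cleaned = "".join(text.split())
    try:
        return base64.b64decode(cleaned, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    print("Received from:", received_hosts(SAMPLE_EML))
    print("Reply-To:", reply_to_address(SAMPLE_EML))
    print("attachment type:", identify_by_magic(b"PK\x03\x04" + b"\x00" * 26))
    print("decoded:", try_base64("aGVsbG8="))
```

Run it as-is to see the constructed sample processed; to triage a real message, read the .eml into `SAMPLE_EML`'s place and pass the attachment's bytes to `identify_by_magic` before deciding how to open it.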
The attacker's name is Pestero Negeja and the reply-to email is negeja3921@pashter.com, so we can guess the C&C domain used by the attacker.