UrlScan.io

Chen0446
7 min read · Feb 27, 2023


The answers for Urlscan.io are found in the picture above with the colored highlights.

Yellow = Cisco Umbrella rank

Red = Number of Domains

Green = main domain registrar

Blue = main IP address identified

Abuse.ch

Question 1:

Open ThreatFox, browse the database and enter “ioc:212.192.246.30:5555” into the search bar to show the results associated with that IP address.

From there, click on the entry for the IP address and you will see the malware associated with it.

Question 2:

Open the SSL Blacklist page and click on “view details” under JA3 fingerprints.

Then enter the hash value “51c64c77e60f3980eea90869b68c58a8” in the search bar to find the malware associated with it.

Question 3:

From the URLhaus webpage, click on Statistics in the top right corner.

Then scroll down to “Top Malware Hosting Networks”, where you will see the hosting network with the ASN AS14061.

Question 4:

From the Feodo Tracker website, click on “view details” under Botnet C&Cs.

Then search for the IP address 178.134.47.166, where you will find the answer “GE”, which on its own doesn’t tell us much.

Go to https://www.talosintelligence.com/ and enter the IP address there; it will give the country name in full.

PhishTool

Question 1:

From the desktop, open the email folder and then open the file Email1.eml.

Click on the more options menu in the top right, click on view source and copy the whole document. Open Notepad, paste it in and save it as email.eml somewhere on your computer.

Open the file in PhishTool to analyse the email.

After opening the file we can see the answers for Q1–3. For Q4, click on Received to see the number of hops.

Cisco Talos Intelligence

Search for the IP address 204.93.183.11 on talosintelligence.com to find the domain.

Scroll down a bit and click on “WHOIS”.

Scroll down to find the Customer.

Scenario 1

Over the VPN, open the email folder and then the Email2.eml file to find who it was sent to.

From the same email, save the attached file to the downloads folder.

Go to the downloads folder on the machine and open a terminal.

Type ls in the terminal and copy the downloaded file name, then type sha256sum followed by the file name to get the hash.

Copy the hash, go back to talosintelligence.com and open Talos File Reputation under Reputation Center.

Enter the hash to find the alias name.

Scenario 2:

Open Email3.eml from the email folder and download the attachment to the downloads folder.

Go to the downloads folder to see the file name for Q1. Next, open a terminal and type md5sum followed by the file name to get the hash.

Copy the hash, go to virustotal.com and search for it.

From there you can find the name of the family the malware is associated with.
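The PhishTool steps (Q1–4 above) and the sha256sum/md5sum steps in Scenarios 1 and 2 both come down to reading an .eml file: the envelope headers, the number of Received hops, and the hash of whatever is attached. The script below is an added example, not part of the original walkthrough and not PhishTool's or Talos's own code, that pulls the same facts out offline with only the Python standard library. The message it embeds is constructed (example.net/example.org addresses, RFC 5737 documentation IPs, made-up queue IDs) and its attachment is the EICAR anti-virus test string, so the hashes it prints are the well-known EICAR values and not anything from the room's Email1–3.eml files. Pass a real .eml path as the first argument to run it on your own download.

```python
"""Added example (not from the original walkthrough): summarise an .eml file the way
the PhishTool header view and the sha256sum/md5sum steps do, so the values can be
checked before a hash is submitted to Talos File Reputation or VirusTotal."""
import email
import hashlib
import sys
from email import policy

# Constructed sample message. Addresses, host names, IPs (RFC 5737 documentation
# ranges) and queue IDs are made up; this is NOT one of the room's Email1-3.eml files.
# The attachment is the EICAR test string, whose hashes are public and safe to look
# up on any reputation service, which makes it a convenient stand-in here.
SAMPLE_EML = rb"""Received: from mx-edge.example.net (mx-edge.example.net [203.0.113.10])
    by inbound.example.org with ESMTP id abc123; Mon, 27 Feb 2023 09:00:03 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
    by mx-edge.example.net with ESMTP id def456; Mon, 27 Feb 2023 08:59:59 +0000
Received: from [192.0.2.25] (unknown [192.0.2.25])
    by relay.example.net with SMTP id ghi789; Mon, 27 Feb 2023 08:59:50 +0000
From: "Payroll Desk" <payroll@example.net>
To: jane.doe@example.org
Subject: Updated payslip attached
Date: Mon, 27 Feb 2023 08:59:45 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Please review the attached payslip.

--XYZ
Content-Type: application/octet-stream; name="eicar.com"
Content-Disposition: attachment; filename="eicar.com"
Content-Transfer-Encoding: 7bit

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
--XYZ--
"""


def parse_eml(raw: bytes) -> dict:
    """Return sender, recipient, subject, Received hop count and attachment hashes."""
    msg = email.message_from_bytes(raw, policy=policy.default)

    # Every mail server that handles the message prepends its own Received: header,
    # so the count is the number of hops and the LAST one listed is nearest the origin.
    received = [str(h) for h in (msg.get_all("Received") or [])]

    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""  # decoded bytes whatever the CTE
        attachments.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(data),
            "md5": hashlib.md5(data).hexdigest(),        # same value md5sum prints
            "sha256": hashlib.sha256(data).hexdigest(),  # same value sha256sum prints
        })

    sender = msg["From"]
    return {
        "sender": sender.addresses[0].addr_spec if sender and sender.addresses else None,
        "sender_display": str(sender) if sender else None,
        "to": str(msg["To"]) if msg["To"] else None,
        "subject": str(msg["Subject"]) if msg["Subject"] else None,
        "hops": len(received),
        "received": received,
        "attachments": attachments,
    }


def report(summary: dict) -> str:
    """Render the summary as the short text an analyst would paste into a ticket."""
    lines = [
        f"From:    {summary['sender_display']}",
        f"To:      {summary['to']}",
        f"Subject: {summary['subject']}",
        f"Hops:    {summary['hops']} (Received headers)",
    ]
    # Walk the hops oldest-first, keeping only the "from X by Y" part of each header.
    for i, hop in enumerate(reversed(summary["received"]), 1):
        lines.append(f"  hop {i}: {hop.split(';')[0].strip()}")
    for a in summary["attachments"]:
        lines += [
            f"Attachment: {a['filename']} ({a['content_type']}, {a['size']} bytes)",
            f"  md5:    {a['md5']}",
            f"  sha256: {a['sha256']}",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python eml_triage.py [path/to/Email2.eml]; without an argument the
    # constructed sample above is used.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_EML
    print(report(parse_eml(raw)))
```

The md5 and sha256 values are exactly what md5sum and sha256sum print for the saved attachment, so either one can be pasted into Talos File Reputation or VirusTotal as in the scenarios above. Note that the hop count is simply the number of Received headers, and because each server prepends its own, the first header in the file is the last server the message passed through.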

Summary

Threat Intelligence is the analysis of data and information using tools and techniques to generate meaningful patterns on how to mitigate against potential risks associated with existing or emerging threats targeting organisations, industries, sectors or governments.

Threat Intelligence Classifications

- Strategic Intel: High-level intel that looks into the organisation’s threat landscape and maps out the risk areas based on trends, patterns and emerging threats that may impact business decisions.

- Technical Intel: Looks into evidence and artefacts of attack used by an adversary. Incident Response teams can use this intel to create a baseline attack surface to analyse and develop defence mechanisms.

- Tactical Intel: Assesses adversaries’ tactics, techniques, and procedures (TTPs). This intel can strengthen security controls and address vulnerabilities through real-time investigations.

- Operational Intel: Looks into an adversary’s specific motives and intent to perform an attack. Security teams may use this intel to understand the critical assets available in the organisation (people, processes, and technologies) that may be targeted.

UrlScan.io is a free service developed to assist in scanning and analysing websites. It is used to automate the process of browsing and crawling through websites to record activities and interactions.

Abuse.ch is a research project hosted by the Institute for Cybersecurity and Engineering at the Bern University of Applied Sciences in Switzerland. It was developed to identify and track malware and botnets through several operational platforms developed under the project. These platforms are:

  • MalwareBazaar: A resource for sharing malware samples.
  • Feodo Tracker: A resource used to track botnet command and control (C2) infrastructure linked with Emotet, Dridex and TrickBot.
  • SSL Blacklist: A resource for collecting and providing a blocklist for malicious SSL certificates and JA3/JA3s fingerprints.
  • URLhaus: A resource for sharing malware distribution sites.
  • ThreatFox: A resource for sharing indicators of compromise (IOCs).

PhishTool seeks to elevate the perception of phishing as a severe form of attack and provide a responsive means of email security. Through email analysis, security analysts can uncover email IOCs, prevent breaches and provide forensic reports that could be used in phishing containment and training engagements.

The core features include:

  • Perform email analysis: PhishTool retrieves metadata from phishing emails and provides analysts with the relevant explanations and capabilities to follow the email’s actions, attachments, and URLs to triage the situation.
  • Heuristic intelligence: OSINT is baked into the tool to provide analysts with the intelligence needed to stay ahead of persistent attacks and understand what TTPs were used to evade security controls and allow the adversary to social engineer a target.
  • Classification and reporting: Phishing email classifications are conducted to allow analysts to take action quickly. Additionally, reports can be generated to provide a forensic record that can be shared.

Cisco Talos provides actionable intelligence, visibility on indicators, and protection against emerging threats through data collected from their products.

Cisco Talos encompasses six key teams:

  • Threat Intelligence & Interdiction: Quick correlation and tracking of threats provide a means to turn simple IOCs into context-rich intel.
  • Detection Research: Vulnerability and malware analysis is performed to create rules and content for threat detection.
  • Engineering & Development: Provides the maintenance support for the inspection engines and keeps them up-to-date to identify and triage emerging threats.
  • Vulnerability Research & Discovery: Working with service and software vendors to develop repeatable means of identifying and reporting security vulnerabilities.
  • Communities: Maintains the image of the team and the open-source solutions.
  • Global Outreach: Disseminates intelligence to customers and the security community through publications.

https://tryhackme.com/p/chen0446
