
Boogeyman 2

Premium room

The Boogeyman is back. Are you still afraid of the Boogeyman?

medium

60 min

14,881


After suffering a severe attack from the Boogeyman, Quick Logistics LLC improved its security defences. However, the Boogeyman has returned with new and improved tactics, techniques and procedures.

In this room, you will be tasked to analyse the new tactics, techniques, and procedures (TTPs) of the threat group named Boogeyman.

Prerequisites

This room may require the combined knowledge gained from the L1 Path. We recommend going through the following rooms before attempting this challenge.

Investigation Platform

Before we proceed, deploy the attached machine by clicking the Start Machine button in the upper-right-hand corner of the task. It may take up to 3-5 minutes to initialise the services.

The machine will start in a split-screen view. If the  is not visible, use the blue Show Split View button at the top-right of the page.

Artefacts

For the investigation, you will be provided with the following artefacts:

  • Copy of the email.
  • Memory dump of the victim's workstation.

You may find these files in the /home/ubuntu/Desktop/Artefacts directory.

Tools

The provided  contains the following tools at your disposal:

  • Volatility - an open-source framework (opens in new tab) for extracting digital artefacts from volatile memory () samples.

    # Volatility usage:
    ubuntu@tryhackme$ vol -f memorydump.raw <plugin>

    # To list all available plugins
    ubuntu@tryhackme$ vol -f memorydump.raw -h

    Note: Volatility may take a few minutes to parse the memory dump and run the plugin. For plugin reference, check the Volatility 3 documentation (opens in new tab).

  • Olevba - a tool for analysing and extracting VBA macros from Microsoft Office documents. This tool is also a part of the Oletools suite (opens in new tab).

    # Olevba usage:
    ubuntu@tryhackme$ olevba document.doc

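An added triage example (not part of the room or its artefacts): before handing the email copy to olevba, extract its attachments with Python's standard library, hash them for later correlation with the memory dump, and flag OLE/Office files as macro-analysis candidates. The message, sender and filename below are constructed for illustration.

```python
import email
import hashlib
from email import policy

# Constructed sample message (not the room's artefact): one text body plus
# one base64 attachment whose first bytes are the OLE2 compound-file header.
SAMPLE_EML = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: Invoice update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please review the attached document.
--XYZ
Content-Type: application/msword; name="invoice.doc"
Content-Disposition: attachment; filename="invoice.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAA
--XYZ--
"""

# Extensions olevba understands; a mismatched extension is caught by the magic check.
OFFICE_EXTENSIONS = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx", ".ppt", ".pptm")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 / Compound File Binary header


def triage_email(raw: str) -> dict:
    """Parse an .eml string and describe every attachment worth feeding to olevba."""
    msg = email.message_from_string(raw, policy=policy.default)
    report = {"from": msg["From"], "subject": msg["Subject"], "attachments": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""   # decodes base64 for us
        is_ole = data.startswith(OLE_MAGIC)
        report["attachments"].append({
            "filename": name,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),  # pivot value for memory/disk searches
            "is_ole": is_ole,
            "olevba_candidate": is_ole or name.lower().endswith(OFFICE_EXTENSIONS),
        })
    return report


if __name__ == "__main__":
    for att in triage_email(SAMPLE_EML)["attachments"]:
        print(att)
```

Write each flagged attachment to disk and run `olevba <file>` on it; the SHA-256 doubles as a search term once Volatility has dumped files or process memory.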
Answer the questions below
I am now ready for round 2 with the Boogeyman!
