I hope this finds you well.
This is Ali Alaa, and this is the GrabThePhisher writeup for the CyberDefenders platform’s challenge.
This is a Threat Intel challenge, and if you want to learn more about this topic you can try the GrabThePhisher challenge.
So, let’s start…
First Question: Which wallet is used for asking the seed phrase?
I browsed index.html, which is the main home page listing all the wallets, but the “pankewk” directory contains only one wallet directory, “metamask”, and excludes the others. When I opened that directory I found a file called “metamask.php” that is used to carry out this phishing. So, he used MetaMask as the wallet.
Here we go, the answer is: Metamask
Second Question: What is the file name that has the code for the phishing kit?
I navigated to the “metamask” directory earlier; as you can see in the figure from the first question, the file used to carry out the phishing is “metamask.php”.
Here we go, the answer is: metamask.php
Third Question: In which language was the kit written?
Here I figured out the language from the file extension, but what if the phisher tried to mislead the investigator by changing the extension or manipulating the magic header (probably not in a case like this, but take it into consideration)? So I opened the file, and it opened normally.
He didn’t mislead me 😃.
Here we go, the answer is: PHP
Fourth Question: What service does the kit use to retrieve the victim’s machine information?
Here I opened the “metamask.php” file in a text editor to see the code inside and what the phisher used.
So, he used a service called sypexgeo.
Here we go, the answer is: Sypex Geo
Fifth Question: How many seed phrases were already collected?
I analysed the PHP code to understand how it works: after sending the data to his Telegram chat, he gets the content and writes it to the “log” directory, and the seed phrases are stored there.
Counting all the seed phrases, there are 3 of them.
Here we go, the answer is: 3
Sixth Question: Write down the seed phrase of the most recent phishing incident?
The most recent seed phrase is the last one submitted through the form.
Here we go, the answer is: father also recycle embody balance concert mechanic believe owner pair muffin hockey
Seventh Question: Which medium had been used for credential dumping?
By analyzing the PHP code, here is the medium used to dump the credentials.
The phisher used his ID and token for his channel.
So, the medium is Telegram.
Here we go, the answer is: Telegram
Eighth Question: What is the token for the channel?
From the function “sendTel” I can figure out the channel’s token.
Here we go, the answer is: 5457463144:AAG8t4k7e2ew3tTi0IBShcWbSia0Irvxm10
Ninth Question: What is the chat ID of the phisher’s channel?
From the function “sendTel” I can figure out the channel’s ID.
Here we go, the answer is: 5442785564
Tenth Question: What are the allies of the phish kit developer?
In the “metamask.php” file, the phisher left a nice comment for his brothers, so cute 🥺
Here we go, the answer is: j1j1b1s@m3r0
Eleventh Question: What is the full name of the Phish Actor?
Here I got stuck, but after some concentration I saw that he used the Telegram API to send the message and afterwards got the content of the file.
This means the API responds with some kind of data in JSON format, so let’s try using the data he used before, the ID and the token, to send a message; the response may contain PII data.
Here we go, the answer is: Marcus Aurelius
Twelfth Question: What is the username of the Phish Actor?
From the JSON response data we can see the username of the phish actor.
Here we go, the answer is: pumpkinboii
In the end,
I hope you enjoyed this writeup ❤️.