Scenario
An attacker compromised a server and impersonated https://pancakeswap.finance/, a decentralized exchange native to BNB Chain, to host a phishing kit at https://apankewk.soup.xyz/mainpage.php.
The attacker set it as an open directory with the file name “pankewk.zip”.
Provided the phishing kit, you are requested to analyze it and do your threat intel homework.
Intro
Alright, another day, another challenge. Today we tackle a phishing challenge: we get a few hostnames and the zip of the phishing kit.
Tooling
For this challenge, I used Tsurugi Linux, a DFIR Linux distro containing all the tools we will probably need.
1: Which wallet is used for asking the seed phrase?
Let’s start by viewing the contents of the index.html page. As the malicious page may contain some external URLs or possible exploits, I make sure my environment is properly sandboxed (at least make sure no outside connections are allowed) and have a snapshot ready to revert to after the investigation.
When the page is opened, we see some HTML, but no stylesheet is applied. We can already answer the question now, but let's try to fix the stylesheet by pointing the index.html to the style.css file, located in the src folder.

After changing we get the phishing page with the style applied:

And the first answer is shown 🙂
A quicker way to get the answer is by using grep for the word seed:
surugi@lab:~/Desktop/pankewk$ grep -ir seed *
There are a lot of seed entries in a folder from a specific wallet.
2: What is the file name that has the code for the phishing kit?
From the first question, we know which wallet is used. This wallet also has a folder at the root of our package. By enumerating it, we observe a .php file in that subfolder.

3: In which language was the kit written?
We know the file is a .php file, and the language of .php files is: …
4: What service does the kit use to retrieve the victim’s machine information?
Let's dive into the .php code, a plaintext file that is readable by practically any text editor.
The third line in the file is a variable that retrieves content from an API service. The service was unknown to me, but a quick search shows it is Russian. This service is our answer.

5: How many seed phrases were already collected?
During further enumeration of the included folders, a file called log.txt is observed. This log contains a few rows of wallet seeds.

Each row presents a seed.
6: Write down the seed phrase of the most recent phishing incident?
Log entries fill up from top to bottom, so the most recent entry is the last line of the log file we observed in question 5. The last line(s) of a log file can also be obtained with tail -n1 log.txt.

7: Which medium had been used for credential dumping?
Looking at the next question and knowing how certain mediums work, you might guess the answer to this question. But let's dive into the code to find the answer there, starting with the PHP file from question 2. In the file, we observe a variable called $filename containing the API URL of a popular messaging service. That service is our answer.

8: What is the token for the channel?
Above the $filename variable, a $token variable is present in our PHP file, which is the token for the channel.
9: What is the chat ID of the phisher’s channel?
And right above the $token is an $id: the chat ID of the channel.
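As an added illustration (not code from the original post or from the kit itself), a small Python triage script that does the static checks of questions 4 to 9 in one pass: it finds the file embedding a Telegram bot token and chat ID, lists the other external services that file contacts, and returns the rows of log.txt with the most recent seed last. The kit contents, token and hostnames below are constructed placeholders.

```python
import re

# Constructed placeholder kit (not the real kit's code or its real token):
# a PHP exfil script next to the log it appends captured seed phrases to.
PLACEHOLDER_TOKEN = "1234567890:" + "A" * 35   # bot token shape: <bot id>:<35 chars>
SAMPLE_KIT = {
    "walletx/save.php": (
        "<?php\n"
        "// greetz to my allies: example_crew\n"
        '$id = "987654321";\n'
        f'$token = "{PLACEHOLDER_TOKEN}";\n'
        '$filename = "https://api.telegram.org/bot$token/sendMessage";\n'
        '$info = file_get_contents("https://geo.example.invalid/json/" . $_SERVER["REMOTE_ADDR"]);\n'
    ),
    "walletx/log.txt": (
        "word01 word02 word03 word04 word05 word06 word07 word08 word09 word10 word11 word12\n"
        "alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima\n"
        "\n"
        "zulu yankee xray whiskey victor uniform tango sierra romeo quebec papa oscar\n"
    ),
}

# Telegram bot tokens are "<numeric bot id>:<35 chars of [A-Za-z0-9_-]>".
TOKEN_RE = re.compile(r"\b(\d{8,10}:[A-Za-z0-9_-]{35})\b")
# The chat id is usually assigned to a PHP variable such as $id or $chat_id.
CHAT_ID_RE = re.compile(r"\$(?:id|chat_id|chatid)\b\s*=\s*[\"']?(-?\d+)")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def find_telegram_exfil(kit):
    """Return {file, token, chat_id, other_hosts} for the first file that
    embeds a Telegram bot token, or None if the kit does not use Telegram."""
    for path, text in kit.items():
        match = TOKEN_RE.search(text)
        if not match:
            continue
        chat = CHAT_ID_RE.search(text)
        # Every other host the exfil script talks to (e.g. the geo/IP lookup service).
        hosts = sorted({h for h in URL_RE.findall(text) if h != "api.telegram.org"})
        return {"file": path, "token": match.group(1),
                "chat_id": chat.group(1) if chat else None, "other_hosts": hosts}
    return None


def seed_phrases(log_text):
    """Non-empty rows of log.txt, oldest first; the last row is the most recent victim."""
    return [row.strip() for row in log_text.splitlines() if row.strip()]
```

Running it against a real kit means reading each file from the unpacked directory into the same path-to-text mapping; never execute the kit's PHP.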

10: What are the allies of the phish kit developer?
We stay in the same PHP file, where there is a comment, a message from the developer. The message ends with the answer to our question.

11: What is the full name of the Phish Actor?
A slightly tricky question with no initial lead. I tried several searches through the files, which didn't turn up an answer. Since we have the Telegram token and a chat ID, we can perhaps enumerate the chat for the full name of our actor. The Telegram API is widely documented, and looking through the API documentation, there is an interesting endpoint to be found:

We construct the curl command as specified in the API documentation:
$ tsurugi@lab:~$ curl https://api.telegram.org/bot5457463144:AAG8t4k7e2ew3tTi0IBShcWbSia0Irvxm10/getChat?chat_id=5442785564
{"ok":true,"result":{"id":5442785564,"first_name":"<>","last_name":"<>","username":"<>","type":"private","photo":{"small_file_id":"AQADBQADCbQxG1rVIVYACAIAAxxRakQBAAM7fQl4M-jTyikE","small_file_unique_id":"AQADCbQxG1rVIVYAAQ","big_file_id":"AQADBQADCbQxG1rVIVYACAMAAxxRakQBAAM7fQl4M-jTyikE","big_file_unique_id":"AQADCbQxG1rVIVYB"}}}
The output is "ok", meaning that a chat was found. The output also contains a first_name and a last_name field, which are the first and last name of our actor.
12: What is the username of the Phish Actor?
The API response from question 11 also contained the username of our actor. No extra commands are needed 😉
Conclusion
A fun but easy challenge. I had some help from already knowing some ins and outs of the Telegram API, which definitely helped me solve these questions a lot quicker. I'm curious whether you found the answers the same way or used different methods; please let me know in the comments or drop me a DM on Twitter!