Dream Job-1 HTB Sherlock Writeup

Nirmal S

Hello everyone, I am Nirmal and I have started writing blogs on HTB Machines, Sherlocks, THM challenges, tools, etc. Today we will look at the new HTB Sherlock Dream Job-1.

Prerequisites:

  1. Open the MITRE ATT&CK Framework.

  2. Open VirusTotal.

Download the zip file provided in the Sherlock. After extracting it, you will find a file named IOC.txt containing some hashes.

Sherlock Description:

You are a junior threat intelligence analyst at a Cybersecurity firm. You have been tasked with investigating a Cyber espionage campaign known as Operation Dream Job. The goal is to gather crucial information about this operation.

Task 1:

Who conducted Operation Dream Job?

→ Open the MITRE ATT&CK Framework → Search for Operation Dream Job.

→ In the description of the operation, you can find the group name.

Lazarus Group

Task 2:

When was this operation first observed?

→ On the right side of the page, you'll find a section displaying the operation ID, the dates it was first and last observed, and the related campaigns.

September 2019

Task 3:

There are 2 campaigns associated with Operation Dream Job. One is Operation North Star, what is the other?

→ On the same right-hand side, under Campaigns, you can find the other campaign.

Operation Interception

Task 4:

During Operation Dream Job, there were the two system binaries used for proxy execution. One was Regsvr32, what was the other?

→ Below the description, there is a link to the ATT&CK Navigator layer for this campaign. Open it and you will see every technique used in the campaign highlighted in the matrix.

→ Under the Defense Evasion tactic → System Binary Proxy Execution, you can see the other system binary.

Rundll32

Task 5:

What lateral movement technique did the adversary use?

→ Look under the Lateral Movement tactic and you will find the technique the adversary used.

Internal Spearphishing

Task 6:

What is the technique ID for the previous answer?

→ Click on the technique and you will find its technique ID.

T1534

Task 7:

What Remote Access Trojan did the Lazarus Group use in Operation Dream Job?

→ Go to the Software section of the page and you will see the Remote Access Trojan used in the operation.

DRATzarus

Task 8:

What technique did the malware use for execution?

→ Click on DRATzarus and open its ATT&CK Navigator layer. You will find the answer under the Execution tactic.

Native API

Task 9:

What technique did the malware use to avoid detection in a sandbox?

→ In the Navigator layer, look under the Discovery tactic; the answer is the sub-technique of Virtualization/Sandbox Evasion. (Virtualization/Sandbox Evasion is listed under both Defense Evasion and Discovery, so either column gives the same result.)

Time Based Evasion
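Tasks 1–9 are all answered by clicking through the ATT&CK site and Navigator, but the same data is published as a STIX 2.1 bundle, and every question above is a relationship lookup in it: the campaign is "attributed-to" a group, "uses" techniques and software, and each technique carries its tactic in `kill_chain_phases`. The following script is an added example, not part of the Sherlock or of this writeup. Its `BUNDLE` is a constructed, trimmed stand-in with the same object shapes as MITRE's enterprise-attack.json (github.com/mitre-attack/attack-stix-data): the STIX ids are placeholders and only the relationships needed here are included, so it is not the campaign's full record. The technique IDs in it (T1218.010, T1218.011, T1534, T1106, T1497.003) are real ATT&CK IDs.

```python
"""Resolve what a campaign 'uses' from ATT&CK's STIX 2.1 data, offline.

Added example, not part of the Sherlock or the writeup. BUNDLE is a constructed
stand-in shaped like MITRE's enterprise-attack.json: placeholder STIX ids, real
ATT&CK technique IDs, and only the relationships needed for the tasks above.
"""
import json
from collections import defaultdict

BUNDLE = json.loads(r"""
{"type": "bundle", "id": "bundle--constructed", "objects": [
 {"type": "intrusion-set", "id": "intrusion-set--0001", "name": "Lazarus Group"},
 {"type": "campaign", "id": "campaign--0002", "name": "Operation Dream Job", "first_seen": "2019-09-01T00:00:00.000Z"},
 {"type": "malware", "id": "malware--0003", "name": "DRATzarus"},
 {"type": "attack-pattern", "id": "attack-pattern--0010", "name": "Regsvr32",
  "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "defense-evasion"}],
  "external_references": [{"source_name": "mitre-attack", "external_id": "T1218.010"}]},
 {"type": "attack-pattern", "id": "attack-pattern--0011", "name": "Rundll32",
  "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "defense-evasion"}],
  "external_references": [{"source_name": "mitre-attack", "external_id": "T1218.011"}]},
 {"type": "attack-pattern", "id": "attack-pattern--0012", "name": "Internal Spearphishing",
  "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "lateral-movement"}],
  "external_references": [{"source_name": "mitre-attack", "external_id": "T1534"}]},
 {"type": "attack-pattern", "id": "attack-pattern--0013", "name": "Native API",
  "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
  "external_references": [{"source_name": "mitre-attack", "external_id": "T1106"}]},
 {"type": "attack-pattern", "id": "attack-pattern--0014", "name": "Time Based Evasion",
  "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "defense-evasion"},
                        {"kill_chain_name": "mitre-attack", "phase_name": "discovery"}],
  "external_references": [{"source_name": "mitre-attack", "external_id": "T1497.003"}]},
 {"type": "relationship", "id": "relationship--0020", "relationship_type": "attributed-to", "source_ref": "campaign--0002", "target_ref": "intrusion-set--0001"},
 {"type": "relationship", "id": "relationship--0021", "relationship_type": "uses", "source_ref": "campaign--0002", "target_ref": "attack-pattern--0010"},
 {"type": "relationship", "id": "relationship--0022", "relationship_type": "uses", "source_ref": "campaign--0002", "target_ref": "attack-pattern--0011"},
 {"type": "relationship", "id": "relationship--0023", "relationship_type": "uses", "source_ref": "campaign--0002", "target_ref": "attack-pattern--0012"},
 {"type": "relationship", "id": "relationship--0024", "relationship_type": "uses", "source_ref": "campaign--0002", "target_ref": "malware--0003"},
 {"type": "relationship", "id": "relationship--0025", "relationship_type": "uses", "source_ref": "malware--0003", "target_ref": "attack-pattern--0013"},
 {"type": "relationship", "id": "relationship--0026", "relationship_type": "uses", "source_ref": "malware--0003", "target_ref": "attack-pattern--0014"}
]}
""")


def _live(o):
    """Real bundles keep revoked/deprecated objects; skip them as the site does."""
    return not (o.get("revoked") or o.get("x_mitre_deprecated"))


def find_by_name(bundle, name):
    return next(o for o in bundle["objects"] if _live(o) and o.get("name") == name)


def attack_id(obj):
    """The Txxxx id is the 'mitre-attack' external reference, not the STIX id."""
    return next(r["external_id"] for r in obj.get("external_references", [])
                if r.get("source_name") == "mitre-attack")


def related(bundle, source_id, rel_type, target_type):
    """Targets of live `rel_type` relationships from `source_id`, filtered by type."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    hits = []
    for o in bundle["objects"]:
        if o["type"] != "relationship" or not _live(o):
            continue
        if o["relationship_type"] == rel_type and o["source_ref"] == source_id:
            tgt = by_id.get(o["target_ref"])
            if tgt and tgt["type"] == target_type and _live(tgt):
                hits.append(tgt)
    return hits


def techniques_used_by(bundle, name):
    """Tactic -> sorted [(ATT&CK id, technique name)] for what `name` uses.
    A technique filed under two tactics (e.g. T1497.003) appears under both."""
    src = find_by_name(bundle, name)
    by_tactic = defaultdict(list)
    for ap in related(bundle, src["id"], "uses", "attack-pattern"):
        for ph in ap.get("kill_chain_phases", []):
            if ph["kill_chain_name"] == "mitre-attack":
                by_tactic[ph["phase_name"]].append((attack_id(ap), ap["name"]))
    return {t: sorted(v) for t, v in by_tactic.items()}


def software_used_by(bundle, campaign_name):
    src = find_by_name(bundle, campaign_name)
    return sorted(m["name"] for m in related(bundle, src["id"], "uses", "malware"))


def attributed_group(bundle, campaign_name):
    src = find_by_name(bundle, campaign_name)
    groups = related(bundle, src["id"], "attributed-to", "intrusion-set")
    return groups[0]["name"] if groups else None


if __name__ == "__main__":
    print("Group:", attributed_group(BUNDLE, "Operation Dream Job"))
    for tactic, rows in techniques_used_by(BUNDLE, "Operation Dream Job").items():
        print(tactic, rows)
    for sw in software_used_by(BUNDLE, "Operation Dream Job"):
        print(sw, techniques_used_by(BUNDLE, sw))
```

To run this against the real data, replace `BUNDLE` with `json.load(open("enterprise-attack.json"))`; the functions do not change. Two things bite in the full bundle that the toy one hides: revoked and deprecated objects are still present (hence `_live`), and a technique can sit under more than one tactic, which is why Task 9's answer shows up under Discovery and Defense Evasion alike.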

Task 10:

To answer the remaining questions, utilize VirusTotal and refer to the IOCs.txt file. What is the name associated with the first hash provided in the IOC file?

→ Copy the first hash and paste it into the VirusTotal search bar. You will find the name of the file.

IEXPLORE.exe

Task 11:

When was the file associated with the second hash in the IOC first created?

→ On the same VirusTotal page, search for the second hash, open the Details tab and look in the History section for the creation time.

2020-05-12 19:26:17

Task 12:

What is the name of the parent execution file associated with the second hash in the IOC?

→ On the same page, look in the Relations tab under the Execution Parents section.

BAE_HPC_SE.iso

Task 13:

Examine the third hash provided. What is the file name likely used in the campaign that aligns with the adversary's known tactics?

→ Copy and paste the third hash into VirusTotal. Under the Details tab, the Names section lists the file names this sample has been seen with. Since the victims of this operation were job seekers, the name that fits the adversary's lure is the job-offer document:

Salary_Lockheed_Martin_job_opportunities_confidential.doc

Task 14:

Which URL was contacted on 2022-08-03 by the file associated with the third hash in the IOC file?

→ On the same page, the answer is in the Relations tab under the Contacted URLs section; check the date column for 2022-08-03.

https://markettrendingcenter.com/lk_job_oppor.docx
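Tasks 10–14 are one procedure: take each hash from the IOC file, look it up, and read a handful of fields and relationships. The same lookups exist in VirusTotal's v3 API (`GET /files/{hash}`, `/files/{hash}/execution_parents`, `/files/{hash}/contacted_urls`), which matters once an IOC list has more than three entries. The script below is an added example, not part of the Sherlock or this writeup, and makes no network calls. The attribute and relationship names it reads (`names`, `meaningful_name`, `creation_date`, `execution_parents`, `contacted_urls`, `last_analysis_date`) are VirusTotal's; the `SAMPLE_*` dicts are constructed JSON in that shape, with values taken from the writeup where it gives them (creation time, parent ISO, contacted URL) and made up where it does not (ids, the URL scan timestamps, the decoy URL). `IOC_TXT` uses the well-known hashes of empty input as stand-ins, not the Sherlock's real IOCs. Which timestamp the GUI's date column for contacted URLs reflects is an assumption (`last_analysis_date`); verify it against a live response before relying on it.

```python
"""Triage an IOC file against VirusTotal's v3 object model, offline.

Added example, not from the Sherlock or the writeup. Part 1 classifies the
hashes in an IOC file and builds the GUI/API URLs behind the copy-and-paste in
Tasks 10-14. Part 2 pulls the task-relevant fields out of a v3 file object and
its relationships. SAMPLE_* are constructed, not captured responses; IOC_TXT
holds the hashes of empty input as stand-ins, not the Sherlock's IOCs.
"""
import re
from datetime import datetime, timezone

HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX = re.compile(r"^[0-9a-fA-F]+$")

IOC_TXT = """\
# constructed: md5/sha1/sha256 of the empty input, a case-duplicate, one bad line
d41d8cd98f00b204e9800998ecf8427e
da39a3ee5e6b4b0d3255bfef95601890afd80709
E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
not-a-hash
"""


def parse_iocs(text):
    """Return ([(algo, lowercase hash)], [rejected lines]).
    Comments and blanks are skipped, case-only duplicates collapse, and anything
    that is not 32/40/64 hex chars is reported instead of silently dropped."""
    iocs, rejected, seen = [], [], set()
    for line in text.splitlines():
        tok = line.strip()
        if not tok or tok.startswith("#"):
            continue
        algo = HASH_ALGOS.get(len(tok))
        if algo is None or not HEX.match(tok):
            rejected.append(tok)
            continue
        h = tok.lower()
        if h not in seen:
            seen.add(h)
            iocs.append((algo, h))
    return iocs, rejected


def vt_urls(h):
    """GUI page and v3 endpoint (the API call needs an x-apikey header)."""
    return {"gui": f"https://www.virustotal.com/gui/file/{h}",
            "api": f"https://www.virustotal.com/api/v3/files/{h}"}


def utc(ts):
    """v3 dates are unix epoch seconds; the GUI shows them in UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def summarize_file(obj):
    """Details-tab facts from GET /files/{hash}: names and creation time."""
    a = obj["data"]["attributes"]
    return {"name": a.get("meaningful_name"),
            "names": a.get("names", []),
            "created": utc(a["creation_date"]) if "creation_date" in a else None}


def execution_parents(rel):
    """Parent names from GET /files/{hash}/execution_parents."""
    return [p["attributes"].get("meaningful_name") for p in rel["data"]]


def urls_contacted_on(rel, day):
    """URLs from GET /files/{hash}/contacted_urls dated `day` (YYYY-MM-DD, UTC).
    Assumption: the GUI's date column corresponds to last_analysis_date."""
    return [u["attributes"]["url"] for u in rel["data"]
            if utc(u["attributes"]["last_analysis_date"]).startswith(day)]


# Constructed responses. 1589311577 = 2020-05-12 19:26:17 UTC (the Task 11 value).
SAMPLE_SECOND_FILE = {"data": {"type": "file", "id": "placeholder",
                               "attributes": {"creation_date": 1589311577}}}
SAMPLE_SECOND_PARENTS = {"data": [{"type": "file", "id": "placeholder",
                                   "attributes": {"meaningful_name": "BAE_HPC_SE.iso"}}]}
SAMPLE_THIRD_URLS = {"data": [
    {"type": "url", "id": "placeholder-1", "attributes": {
        "url": "https://markettrendingcenter.com/lk_job_oppor.docx",
        "last_analysis_date": 1659528000}},      # constructed: 2022-08-03 12:00:00 UTC
    {"type": "url", "id": "placeholder-2", "attributes": {
        "url": "https://example.invalid/decoy",  # constructed filler, reserved TLD
        "last_analysis_date": 1659614400}}]}     # constructed: 2022-08-04 12:00:00 UTC

if __name__ == "__main__":
    iocs, rejected = parse_iocs(IOC_TXT)
    for algo, h in iocs:
        print(algo, vt_urls(h)["gui"])
    print("rejected:", rejected)
    print(summarize_file(SAMPLE_SECOND_FILE))
    print(execution_parents(SAMPLE_SECOND_PARENTS))
    print(urls_contacted_on(SAMPLE_THIRD_URLS, "2022-08-03"))
```

The reason to validate and deduplicate before querying is practical: a malformed line in an IOC list quietly burns API quota and returns a 404 that is easy to misread as "unknown sample", and VirusTotal treats upper- and lower-case hex as the same object, so the case-duplicate above would otherwise be looked up twice. Comparing dates in UTC matters for Task 14: a local-time conversion can shift a URL scanned near midnight onto the wrong day.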

From this Sherlock, you will learn about:

  1. Threat Intelligence

  2. MITRE ATT&CK Framework

  3. VirusTotal

I hope everyone understood how to solve this Sherlock.

Follow my socials

Linkedin

Thank you. Have a good day.
