# Dream Job 1

| Source | Type | Category | Difficulty |
|---|---|---|---|
| HackTheBox | Sherlock | Threat Intelligence | Very Easy |

## Sherlock scenario

You are a junior threat intelligence analyst at a Cybersecurity firm. You have been tasked with investigating a Cyber espionage campaign known as Operation Dream Job. The goal is to gather crucial information about this operation.

Note: this Sherlock provides a text file called IOCs.txt containing hashes that I will search on VirusTotal.

## Who conducted Operation Dream Job?

The MITRE website has a Campaigns section, where I find that this cyber espionage operation was likely conducted by the Lazarus Group.

## When was this operation first observed?

It was first observed in September 2019.

## There are 2 campaigns associated with Operation Dream Job. One is Operation North Star, what is the other?

The other operation was Operation Interception.

## During Operation Dream Job, two system binaries were used for proxy execution. One was Regsvr32, what was the other?

First, I look at Regsvr32 and find that this tool is used as part of a technique called “System Binary Proxy Execution”: attackers abuse legitimate, signed Windows binaries to execute their own malicious tools. The other system binary is rundll32.

## What lateral movement technique did the adversary use?

I remember that in the MITRE ATT&CK framework, Lateral Movement is a tactic category. I use the ATT&CK Navigator layers view, where I can easily search for the “Lateral Movement” category and see that they used the Internal Spearphishing technique.

## What is the technique ID for the previous answer?

The technique ID for Internal Spearphishing is T1534.

## What Remote Access Trojan did the Lazarus Group use in Operation Dream Job?

I find this info in the ClearSky report, linked from the MITRE page. The Remote Access Trojan (RAT) developed by Lazarus is DRATzarus.

## What technique did the malware use for execution?

I continue to look for info about DRATzarus on the MITRE website, which lists all techniques used by the malware. I find that DRATzarus can use Native API calls to check whether it is running in a sandbox. The Native API technique lets attackers call low-level OS services directly, and it also lets them detect a virtual machine or sandbox and avoid executing there (for example, IsDebuggerPresent to avoid running under a debugger).

## What technique did the malware use to avoid detection in a sandbox?

I find that this is a sub-technique of Sandbox Evasion called Time Based Evasion. DRATzarus can use the GetTickCount and GetSystemTimeAsFileTime Windows API calls to measure function timing.

## To answer the remaining questions, utilize VirusTotal and refer to the IOCs.txt file. What is the name associated with the first hash provided in the IOC file?

The first hash is associated with the file name IEXPLORE.EXE on VirusTotal.

## When was the file associated with the second hash in the IOC first created?

I find this information on the VirusTotal page: 2020-05-12 19:26:17.

## What is the name of the parent execution file associated with the second hash in the IOC?

I look on VT under “Execution Parents” in the Relations tab: BAE_HPC_SE.iso.

## Examine the third hash provided. What is the file name likely used in the campaign that aligns with the adversary’s known tactics?

Salary_Lockheed_Martin_job_opportunities_confidential.doc: this file looks like part of a spearphishing campaign.

## Which URL was contacted on 2022-08-03 by the file associated with the third hash in the IOC file?

On VT I see that it is markettrendingcenter[.]com/lk_job_oppor[.]docx.
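The VirusTotal lookups in the last five questions can be automated against the same IOCs.txt. This is an added example, not part of the original writeup or the Sherlock: it assumes a VirusTotal API key in the VT_API_KEY environment variable, one hash per line in IOCs.txt, and the VirusTotal v3 `files`, `execution_parents` and `contacted_urls` endpoints; the embedded sample response is constructed, not real VT data.

```python
import datetime as dt
import json
import os
import urllib.request

VT_API = "https://www.virustotal.com/api/v3"


def vt_get(path, api_key):
    """GET one VirusTotal v3 endpoint (needs a real key in VT_API_KEY)."""
    req = urllib.request.Request(VT_API + path, headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def defang(url):
    """Defang a URL so it cannot be clicked by accident in a report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def summarize(file_obj, parents, urls):
    """Extract the fields the questions ask for: name, creation time (UTC),
    execution parents and contacted URLs. Pure function, so it runs offline."""
    attrs = file_obj["data"]["attributes"]
    created = attrs.get("creation_date")  # unix timestamp, as VT returns it
    return {
        "name": attrs.get("meaningful_name") or (attrs.get("names") or [None])[0],
        "created": dt.datetime.fromtimestamp(created, dt.timezone.utc)
        .strftime("%Y-%m-%d %H:%M:%S") if created else None,
        "parents": [p["attributes"].get("meaningful_name") for p in parents.get("data", [])],
        "urls": [defang(u["attributes"]["url"]) for u in urls.get("data", [])],
    }


def triage(ioc_path, api_key):
    """Look up every hash in the IOC file (one per line, '#' comments ignored)."""
    with open(ioc_path) as fh:
        hashes = [line.strip() for line in fh if line.strip() and not line.startswith("#")]
    return {h: summarize(vt_get(f"/files/{h}", api_key),
                         vt_get(f"/files/{h}/execution_parents", api_key),
                         vt_get(f"/files/{h}/contacted_urls", api_key)) for h in hashes}


# Constructed sample, shaped like VT v3 objects (placeholder values, not real VT data).
SAMPLE_FILE = {"data": {"attributes": {"meaningful_name": "IEXPLORE.EXE",
                                       "creation_date": 1589311577}}}
SAMPLE_PARENTS = {"data": [{"attributes": {"meaningful_name": "BAE_HPC_SE.iso"}}]}
SAMPLE_URLS = {"data": [{"attributes": {"url": "http://lure.example/job_offer.docx"}}]}

if __name__ == "__main__":
    key = os.environ.get("VT_API_KEY")
    print(triage("IOCs.txt", key) if key else summarize(SAMPLE_FILE, SAMPLE_PARENTS, SAMPLE_URLS))
```

Without a key the script runs against the constructed sample, which is enough to check the field extraction and the date conversion before pointing it at real hashes.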