Dream Job-1

CHALLENGE DESCRIPTION

In this Sherlock, players will be introduced to the MITRE ATT&CK framework, which is a comprehensive tool used to research and understand advanced persistent threat (APT) groups. Specifically, players will focus on the APT group known as Lazarus Group. As they progress, players will get to explore various tactics, techniques, and procedures (TTPs) associated with Lazarus Group.

SOLUTION

Q1: Who conducted Operation Dream Job?

Go to MITRE ATT&CK and search for Lazarus. There are two results, but only one of them lists Operation Dream Job.

Answer Lazarus Group

Q2: When was this operation first observed?

Answer September 2019

Q3: There are 2 campaigns associated with Operation Dream Job. One is Operation North Star, what is the other?

Answer Operation Interception

Q4: During Operation Dream Job, there were the two system binaries used for proxy execution. One was Regsvr32, what was the other?

On the Operation Dream Job page, search for Regsvr32; the other proxy-execution binary is listed alongside it.

Answer Rundll32

Q5: What lateral movement technique did the adversary use?

Click on View

Search for lateral

Answer Internal Spearphishing

Q6: What is the technique ID for the previous answer?

Answer T1534

Q7: What Remote Access Trojan did the Lazarus Group use in Operation Dream Job?

A Remote Access Trojan (RAT) is a piece of software, so scroll down to the Software section of the campaign page to find the answer.

Answer DRATzarus

Q8: What technique did the malware use for execution?

Click on DRATzarus

Answer Native API

Q9: What technique did the malware use to avoid detection in a sandbox?

Search for detect

Answer Time Based Evasion
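The site lookups in Q4 to Q9 (campaign to technique, campaign to software, software to technique, filtered by tactic) are one walk over the STIX bundle MITRE publishes for ATT&CK. The Python below is an added example and not part of the original writeup: it runs that walk on a constructed miniature bundle whose STIX ids are made up; the technique IDs for Rundll32 (T1218.011), Native API (T1106) and Time Based Evasion (T1497.003) come from the ATT&CK catalog and are assumed here, not taken from the page.

```python
from collections import defaultdict

# Constructed miniature of an ATT&CK STIX 2.1 bundle (the real one is
# enterprise-attack.json from github.com/mitre-attack/attack-stix-data).
def technique(sid, name, attack_id, tactic):
    return {"type": "attack-pattern", "id": sid, "name": name,
            "external_references": [{"source_name": "mitre-attack", "external_id": attack_id}],
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": tactic}]}

def uses(src, dst, revoked=False):
    return {"type": "relationship", "relationship_type": "uses",
            "source_ref": src, "target_ref": dst, "revoked": revoked}

BUNDLE = {"objects": [  # STIX ids are made up; IDs other than T1534 are assumed from ATT&CK
    {"type": "campaign", "id": "campaign--1", "name": "Operation Dream Job"},
    {"type": "malware", "id": "malware--1", "name": "DRATzarus"},
    technique("attack-pattern--1", "Internal Spearphishing", "T1534", "lateral-movement"),
    technique("attack-pattern--2", "Rundll32", "T1218.011", "defense-evasion"),
    technique("attack-pattern--3", "Native API", "T1106", "execution"),
    technique("attack-pattern--4", "Time Based Evasion", "T1497.003", "defense-evasion"),
    uses("campaign--1", "attack-pattern--1"), uses("campaign--1", "attack-pattern--2"),
    uses("campaign--1", "malware--1"), uses("malware--1", "attack-pattern--3"),
    uses("malware--1", "attack-pattern--4"),
    uses("malware--1", "attack-pattern--1", revoked=True),  # stale edge: must be ignored
]}

def attack_id(obj):
    # The ATT&CK ID (e.g. T1534) lives in the object's mitre-attack external reference.
    return next(r["external_id"] for r in obj["external_references"]
                if r["source_name"] == "mitre-attack")

def techniques_used_by(bundle, name, tactic=None, follow_software=False):
    """(ATT&CK ID, technique, used-by) tuples for the campaign/group/software named `name`.
    Revoked objects and relationships are skipped, as the ATT&CK site does; with
    follow_software=True the techniques of software the entity uses are added too."""
    objs = {o["id"]: o for o in bundle["objects"] if o["type"] != "relationship"}
    edges = defaultdict(list)  # source id -> ids of the objects it "uses"
    for r in bundle["objects"]:
        if r["type"] == "relationship" and r["relationship_type"] == "uses" and not r.get("revoked"):
            edges[r["source_ref"]].append(r["target_ref"])
    queue = [(o["id"], name) for o in objs.values() if o["name"] == name and not o.get("revoked")]
    found = set()
    while queue:
        sid, via = queue.pop(0)
        for t in (objs[x] for x in edges[sid] if x in objs and not objs[x].get("revoked")):
            if t["type"] == "attack-pattern":
                phases = {p["phase_name"] for p in t.get("kill_chain_phases", [])}
                if tactic is None or tactic in phases:
                    found.add((attack_id(t), t["name"], via))
            elif follow_software and t["type"] in ("malware", "tool"):
                queue.append((t["id"], t["name"]))
    return sorted(found)
```

Running `techniques_used_by(BUNDLE, "Operation Dream Job", tactic="lateral-movement")` reproduces the Q5/Q6 answer, and `techniques_used_by(BUNDLE, "DRATzarus")` the Q8/Q9 answers, with the revoked relationship correctly dropped.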

Q10: To answer the remaining questions, utilize VirusTotal and refer to the IOCs.txt file. What is the name associated with the first hash provided in the IOC file?

Go to VirusTotal and search for the first hash.

Answer IEXPLORE.exe

Q11: When was the file associated with the second hash in the IOC first created?

Search for the second hash, open the Details tab and scroll down to the file history.

Answer 2020-05-12 19:26:17

Q12: What is the name of the parent execution file associated with the second hash in the IOC?

On the Relations tab, look for the Execution Parents entry.

Answer BAE_HPC_SE.iso

Q13: Examine the third hash provided. What is the file name likely used in the campaign that aligns with the adversary’s known tactics?

Search for the third hash and check its Relations tab.

Answer Salary_Lockheed_Martin_job_opportunities_confidential.doc

Q14: Which URL was contacted on 2022-08-03 by the file associated with the third hash in the IOC file?

Answer https://markettrendingcenter.com/lk_job_oppor.docx