Dream Job-1

Release Date: 06 Mar 2025
Retire Date: 06 Mar 2025
Difficulty: Very Easy
Creator: ArthurWho

What we gain

  • Threat Intelligence
  • MITRE ATT&CK

Scenario

You are a junior threat intelligence analyst at a cybersecurity firm. You have been tasked with investigating a cyber espionage campaign known as Operation Dream Job. The goal is to gather crucial information about this operation.

Provided artifacts

3 SHA-256 hashes provided as IOCs in IOCs.txt (they are described as MD5, but a 64-character hex digest is SHA-256; an MD5 is 32 characters)

  1. 7bb93be636b332d0a142ff11aedb5bf0ff56deabba3aa02520c85bd99258406f
  2. adce894e3ce69c9822da57196707c7a15acee11319ccc963b84d83c23c3ea802
  3. 0160375e19e606d06f672be6e43f70fa70093d2a30031affd2929a5c446d07c1

Task 1

Question: Who conducted Operation Dream Job?

The Sherlock's own description attributes the campaign, so this question can be answered directly.

Answer: Lazarus Group

Task 2

Question: When was this operation first observed?

A quick Google search leads to the MITRE ATT&CK entry for the group, where we can read about their TTPs. Under Campaigns we see "Operation Dream Job" along with its first-seen date.

[Screenshot: MITRE ATT&CK Lazarus Group page, Campaigns section]

Answer: September 2019

Task 3

Question: There are 2 campaigns associated with Operation Dream Job. One is Operation North Star, what is the other?

The campaign page lists the associated campaigns directly.

[Screenshot: MITRE ATT&CK Operation Dream Job campaign page showing Operation Interception]

Answer: Operation Interception

Task 4

Question: During Operation Dream Job, there were the two system binaries used for proxy execution. One was Regsvr32, what was the other?

Reading through the techniques listed for this campaign, both binaries appear under T1218 (System Binary Proxy Execution), as the sub-techniques Regsvr32 and Rundll32.

[Screenshot: T1218 entries on the campaign page]

Answer: Rundll32

Task 5

Question: What lateral movement technique did the adversary use?

Opening the campaign's ATT&CK Navigator layer makes the lateral-movement techniques obvious; the same information is also in the technique list on the campaign page.

[Screenshot: ATT&CK Navigator layer, Lateral Movement column]

Answer: Internal Spearphishing

Task 6

Question: What is the technique ID for the previous answer?

The same Navigator layer shows the technique ID next to the technique name.

Answer: T1534

Task 7

Question: What Remote Access Trojan did the Lazarus Group use in Operation Dream Job?

On the MITRE campaign page, scrolling down to the Software section reveals the answer.

[Screenshot: Software section of the campaign page listing DRATzarus]

Answer: DRATzarus

Task 8

Question: What technique did the malware use for execution?

Click on DRATzarus and open its ATT&CK Navigator layer. The answer is under the Execution tactic.

[Screenshot: DRATzarus Navigator layer, Execution column]

Answer: Native API

Task 9

Question: What technique did the malware use to avoid detection in a sandbox?

Reading the techniques on the campaign page shows the sandbox-evasion technique used (a sub-technique of Virtualization/Sandbox Evasion).

[Screenshot: sandbox evasion technique on the campaign page]

Answer: Time Based Evasion
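The clicking through MITRE pages in Tasks 2 to 9 can be scripted, because ATT&CK is published as a STIX 2.1 bundle in which campaigns, groups and software are linked to techniques by "uses" relationships. The script below is an added example, not part of this writeup or of MITRE's tooling: it walks such a bundle and answers "which techniques does X use, in tactic Y?" The bundle it runs on offline is a constructed miniature (made-up STIX IDs, the technique names and IDs are the ones reported above); the download URL for the real bundle is assumed.

```python
"""Walk an ATT&CK STIX 2.1 bundle: campaign/software -> techniques, filtered by tactic.

Added example, not part of this writeup or of MITRE's tooling. SAMPLE_BUNDLE is a
constructed miniature of enterprise-attack.json (the STIX object IDs are made up;
the names and technique IDs are the ones this writeup reports).
"""
import json
import urllib.request

# Assumed location of the real bundle (MITRE's attack-stix-data repository).
ATTACK_URL = ("https://raw.githubusercontent.com/mitre-attack/attack-stix-data/"
              "master/enterprise-attack/enterprise-attack.json")


def _technique(stix_id, name, tactics, external_id):
    """Build a minimal attack-pattern object in the shape the real bundle uses."""
    return {
        "type": "attack-pattern", "id": stix_id, "name": name,
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics],
        "external_references": [{"source_name": "mitre-attack", "external_id": external_id}],
    }


def _uses(src, dst):
    return {"type": "relationship", "id": f"relationship--{src}-{dst}",
            "relationship_type": "uses", "source_ref": src, "target_ref": dst}


SAMPLE_BUNDLE = {  # constructed, offline stand-in for the real bundle
    "type": "bundle",
    "objects": [
        {"type": "campaign", "id": "campaign--0001", "name": "Operation Dream Job"},
        {"type": "malware", "id": "malware--0001", "name": "DRATzarus"},
        _technique("attack-pattern--0001", "Internal Spearphishing", ["lateral-movement"], "T1534"),
        _technique("attack-pattern--0002", "Native API", ["execution"], "T1106"),
        _technique("attack-pattern--0003", "Time Based Evasion",
                   ["defense-evasion", "discovery"], "T1497.003"),
        _technique("attack-pattern--0004", "Rundll32", ["defense-evasion"], "T1218.011"),
        _uses("campaign--0001", "attack-pattern--0001"),
        _uses("campaign--0001", "attack-pattern--0003"),
        _uses("campaign--0001", "attack-pattern--0004"),
        _uses("campaign--0001", "malware--0001"),
        _uses("malware--0001", "attack-pattern--0002"),
    ],
}


def load_bundle(url=ATTACK_URL):
    """Download the real bundle (tens of megabytes); not used by the offline demo."""
    with urllib.request.urlopen(url, timeout=120) as resp:
        return json.load(resp)


def technique_id(attack_pattern):
    """The Txxxx ID lives in the 'mitre-attack' external reference."""
    for ref in attack_pattern.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def techniques_used_by(bundle, name, tactic=None):
    """Sorted (technique_id, technique_name) pairs that the named campaign, group
    or software object 'uses', optionally restricted to one tactic (ATT&CK
    phase_name such as 'lateral-movement' or 'execution')."""
    objects = {o["id"]: o for o in bundle["objects"] if "id" in o}
    subjects = {o["id"] for o in objects.values()
                if o.get("name") == name
                and o["type"] in ("campaign", "intrusion-set", "malware", "tool")}
    found = set()
    for rel in bundle["objects"]:
        if rel["type"] != "relationship" or rel.get("relationship_type") != "uses":
            continue
        if rel["source_ref"] not in subjects or rel.get("revoked"):
            continue
        target = objects.get(rel["target_ref"])
        if not target or target["type"] != "attack-pattern":
            continue
        if target.get("revoked") or target.get("x_mitre_deprecated"):
            continue  # the real bundle keeps retired techniques; skip them
        phases = {p["phase_name"] for p in target.get("kill_chain_phases", [])
                  if p.get("kill_chain_name") == "mitre-attack"}
        if tactic is None or tactic in phases:
            found.add((technique_id(target), target["name"]))
    return sorted(found)


if __name__ == "__main__":
    for subject, tactic in (("Operation Dream Job", "lateral-movement"),
                            ("Operation Dream Job", None),
                            ("DRATzarus", "execution")):
        print(subject, tactic or "all tactics", techniques_used_by(SAMPLE_BUNDLE, subject, tactic))
```

Against the real bundle, swap `SAMPLE_BUNDLE` for `load_bundle()`; the same `techniques_used_by()` call then lists the full technique set for the campaign. The revoked/deprecated filter matters there, because MITRE keeps retired technique objects in the bundle and the web page hides them.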

Task 10

Question: To answer the remaining questions, utilize VirusTotal and refer to the IOCs.txt file. What is the name associated with the first hash provided in the IOC file?

For this we copy the hash from the file and look it up on VirusTotal.

VirusTotal is an online service that analyzes files and URLs by scanning them with dozens of antivirus engines and sandboxes. Besides the verdicts, it keeps the metadata that matters for this investigation: submitted file names, timestamps parsed from the file's headers, and relations such as the container a sample was extracted from and the URLs it contacted during analysis.

[Screenshot: VirusTotal result for the first hash]

Answer: IEXPLORE.EXE

Task 11

Question: When was the file associated with the second hash in the IOC first created?

Same process: search the hash on VirusTotal. In the Details tab, the History section lists the Creation Time. Note that this value is parsed from the file's own headers, so it is under the author's control and should be treated as a clue rather than proof.

[Screenshot: VirusTotal Details tab, History section]

Answer: 2020-05-12 19:26:17

Task 12

Question: What is the name of the parent execution file associated with the second hash in the IOC?

Again the same process: search the hash in VirusTotal, this time in the Relations tab under the Execution Parents section.

[Screenshot: VirusTotal Relations tab, Execution Parents]

Answer: BAE_HPC_SE.iso

Task 13

Question: Examine the third hash provided. What is the file name likely used in the campaign that aligns with the adversary’s known tactics?

The answer is in the Details tab under the Names section, which lists every file name submitters have uploaded the sample under. Since the victims of this operation were job seekers, the most appropriate candidate is the name that looks like a job offer.

[Screenshot: VirusTotal Details tab, Names section]

Answer: Salary_Lockheed_Martin_job_opportunities_confidential.doc

Task 14

Question: Which URL was contacted on 2022-08-03 by the file associated with the third hash in the IOC file?

Again using VirusTotal, the answer is in the Relations tab under the Contacted URLs section, which lists each URL with the date it was scanned.

[Screenshot: VirusTotal Relations tab, Contacted URLs]

Answer: https://markettrendingcenter.com/lk_job_oppor.docx
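Tasks 10 to 14 are one procedure (look up a hash, read names, creation time, execution parents, contacted URLs), and VirusTotal exposes all of it through its API v3. The script below is an added example, not part of this writeup or of VirusTotal's tooling. `fetch_report()` calls the real `/files/{hash}` endpoint and the two relationship endpoints when `VT_API_KEY` is set; without a key it falls back to constructed stub reports in the same merged shape, pre-filled with the values found above, so it runs offline. The merged shape (full relationship objects nested under `relationships`) is this script's own assembly, the placeholder IDs in the stubs are made up, and `hash_type()` also checks the point raised under Provided artifacts: these digests are SHA-256, not MD5.

```python
"""Extract the IOC-task fields from VirusTotal API v3 file reports.

Added example, not part of this writeup or of VirusTotal's tooling. fetch_report()
calls the real v3 endpoints when given an API key; SAMPLE_REPORTS are constructed
stubs in the same merged shape, pre-filled with the values this writeup found, so
the script runs offline.
"""
import json
import os
import urllib.request
from datetime import datetime, timezone

VT_API = "https://www.virustotal.com/api/v3"
RELATIONS = ("execution_parents", "contacted_urls")

IOCS = [  # the three hashes from IOCs.txt
    "7bb93be636b332d0a142ff11aedb5bf0ff56deabba3aa02520c85bd99258406f",
    "adce894e3ce69c9822da57196707c7a15acee11319ccc963b84d83c23c3ea802",
    "0160375e19e606d06f672be6e43f70fa70093d2a30031affd2929a5c446d07c1",
]


def hash_type(digest):
    """Classify a hex digest by length; the IOC file calls these MD5 but they are SHA-256."""
    d = digest.strip().lower()
    if not d or any(c not in "0123456789abcdef" for c in d):
        raise ValueError(f"not a hex digest: {digest!r}")
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(d), "unknown")


def _get(path, api_key):
    req = urllib.request.Request(VT_API + path, headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def fetch_report(sha256, api_key):
    """Base file object plus the full objects from each relationship endpoint."""
    report = _get(f"/files/{sha256}", api_key)
    report["data"]["relationships"] = {
        rel: {"data": _get(f"/files/{sha256}/{rel}?limit=40", api_key).get("data", [])}
        for rel in RELATIONS
    }
    return report


def _utc(epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def summarize(report):
    """Pull out names, creation time, execution parents and contacted URLs.
    creation_date is parsed from the file's own headers, so it is attacker-controlled
    and only a clue; names are whatever submitters uploaded the sample as."""
    data = report["data"]
    attrs = data["attributes"]
    rels = data.get("relationships", {})
    return {
        "sha256": data["id"],
        "names": list(attrs.get("names", [])),
        "creation_time": _utc(attrs["creation_date"]) if "creation_date" in attrs else None,
        "execution_parents": [n for p in rels.get("execution_parents", {}).get("data", [])
                              for n in p.get("attributes", {}).get("names", [])],
        "contacted_urls": [(_utc(u["attributes"]["last_analysis_date"])[:10], u["attributes"]["url"])
                           for u in rels.get("contacted_urls", {}).get("data", [])],
    }


def urls_contacted_on(report, day):
    """URLs whose last VT analysis date (YYYY-MM-DD) matches `day`."""
    return [url for d, url in summarize(report)["contacted_urls"] if d == day]


def _epoch(*ymdhms):
    return int(datetime(*ymdhms, tzinfo=timezone.utc).timestamp())


SAMPLE_REPORTS = {  # constructed stubs; only the fields this script reads are present
    IOCS[0]: {"data": {"type": "file", "id": IOCS[0],
                       "attributes": {"names": ["IEXPLORE.EXE"]}}},
    IOCS[1]: {"data": {"type": "file", "id": IOCS[1],
                       "attributes": {"creation_date": _epoch(2020, 5, 12, 19, 26, 17)},
                       "relationships": {"execution_parents": {"data": [
                           {"type": "file", "id": "0" * 64,  # placeholder ID
                            "attributes": {"names": ["BAE_HPC_SE.iso"]}}]}}}},
    IOCS[2]: {"data": {"type": "file", "id": IOCS[2],
                       "attributes": {"names": ["Salary_Lockheed_Martin_job_opportunities_confidential.doc"]},
                       "relationships": {"contacted_urls": {"data": [
                           {"type": "url", "id": "1" * 64,  # placeholder ID
                            "attributes": {"url": "https://markettrendingcenter.com/lk_job_oppor.docx",
                                           "last_analysis_date": _epoch(2022, 8, 3, 10, 0, 0)}}]}}}},
}


if __name__ == "__main__":
    key = os.environ.get("VT_API_KEY")
    for h in IOCS:
        print(h[:16], hash_type(h))
        report = fetch_report(h, key) if key else SAMPLE_REPORTS.get(h)
        if report:
            print(json.dumps(summarize(report), indent=2))
```

With a key, run it as `VT_API_KEY=... python3 vt_iocs.py`; the free tier rate-limits, so add a pause between hashes if the list grows. The `limit=40` on the relationship calls is an assumption; raise it or follow the `links.next` cursor for samples with many parents or URLs.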

What’s next and connect?

A few more Sherlock writeups by me and an HTB CDSA exam blog are coming! Feel free to check them out, and below are a couple of ways to connect with me!

🔗 Contact Me

📅 Schedule via Calendly