Dream Job-2 Sherlock Scenario — HackTheBox

Description

As a Threat Intelligence Analyst investigating Operation Dream Job, you have identified that the Lazarus Group utilized a variety of custom-built malware and tools to facilitate their operations. Your task is to analyze and gather intelligence on the malware utilized by this APT.


Files provided:

  • 17.dotm — Malicious Word template with VBA macro
  • BAE_HPC_SE.iso — ISO file containing trojanized SumatraPDF
  • Salary_Lockheed_Martin_job_opportunities_confidential.doc — Phishing document with VBA macro
  • Password for inner ZIP: Dvn62WlNrt09

Analysis

This is a 13-task Sherlock scenario combining MITRE ATT&CK threat intelligence research, malware artifact forensics, and OSINT to investigate the Lazarus Group's Operation Dream Job campaign. The challenge requires analyzing two custom malware families (DRATzarus, Torisma) via MITRE ATT&CK, performing forensic analysis on an ISO-delivered trojanized executable, and extracting intelligence from malicious VBA macros in Office documents.

Attack Overview

Operation Dream Job is a Lazarus Group campaign targeting defense and aerospace employees with fake job offers. The attack chain:

  1. Phishing — Victims receive documents like Salary_Lockheed_Martin_job_opportunities_confidential.doc with embedded VBA macros
  2. Payload delivery — Macros fetch remote templates or drop DLLs; ISO files deliver trojanized legitimate software
  3. Execution — Trojanized SumatraPDF (InternalViewer.exe), DLL sideloading via wsuser.db
  4. C2 — Custom malware (DRATzarus, Torisma) with encrypted communications

Key Malware Families

| Malware   | MITRE ID | Key Trait                                                      |
|-----------|----------|----------------------------------------------------------------|
| DRATzarus | S0694    | Similar to Bankshot; uses IsDebuggerPresent for anti-debug     |
| Torisma   | S0678    | C2 encrypted with XOR + VEST-32; packed with LZ4 compression   |

Solution

Part 1: MITRE ATT&CK Intelligence (Tasks 1-4)

Task 1: What previously known malware does DRATzarus share similarities with?

Answer: Bankshot

...
