{"id":1961,"date":"2026-01-16T16:14:24","date_gmt":"2026-01-16T21:14:24","guid":{"rendered":"https:\/\/www.peteonsoftware.com\/?p=1961"},"modified":"2026-01-16T16:14:24","modified_gmt":"2026-01-16T21:14:24","slug":"hack-the-box-walkthrough-dream-job-2","status":"publish","type":"post","link":"https:\/\/www.peteonsoftware.com\/index.php\/2026\/01\/16\/hack-the-box-walkthrough-dream-job-2\/","title":{"rendered":"Hack the Box Walkthrough: Dream Job-2"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/peteonsoftware.com\/images\/2026\/dreamjob2_logo.png\" alt=\"Dream Job-2 Logo\" title=\"Dream Job-2 Logo\" style=\"float:left;margin:.5rem;\">Today, I&#8217;m going to tackle <a href=\"https:\/\/app.hackthebox.com\/sherlocks\/Dream%2520Job-2?tab=play_sherlock\">Dream Job-2<\/a> on Hack the Box, a follow-up to <a href=\"https:\/\/www.peteonsoftware.com\/index.php\/2025\/04\/10\/hack-the-box-walkthrough-dream-job-1\/\">Dream Job-1<\/a>, which I previously walked through.  Dream Job-2 is another Sherlock, which means that we&#8217;re doing Blue Team work to investigate.  In this case, our story is this: &#8220;<em>As a Threat Intelligence Analyst investigating Operation Dream Job, you have identified that the Lazarus Group utilized a variety of custom-built malware and tools to facilitate their operations. Your task is to analyze and gather intelligence on the malware utilized by this APT.<\/em>&#8220;.<\/p>\n<p>We need to download the .zip file and unzip it using the password of <em>hacktheblue<\/em>.  Inside the .zip file is another zip file.  When you attempt to unzip it, a text file comes out, but then you are prompted for more passwords to get the other files.  The text file says this:<\/p>\n<pre>\r\nDear User,\r\n\r\nThis text file is to warn you that the ZIP file contains software that is going to interact with your computer and files. 
This software has been intentionally included for educational purposes and is NOT intended to be executed or used otherwise. Always handle such files in isolated, controlled, and secure environments.\r\n\r\nIt is strongly recommend you proceed by:\r\n\r\n1 - Running the sample in a controlled environment, for example EP Pwnbox or an isolated virtual machine.\r\n2 - Only unzip the software in this controlled environment, using the password provided.\r\n3 - Unzip the file in the VM and enjoy analysing!\r\n\r\nPLEASE EXERCISE EXTREME CAUTION!\r\n\r\nThe ZIP file containing the software is password-protected for your safety. The password is \"Dvn62WlNrt09\". It is strongly recommended that you do NOT extract or execute the contents of this ZIP file unless you understand the risks involved.\r\n\r\nBy reading this file and using the provided password to unzip the file, you acknowledge and fully understand the risks as detailed in this warning.\r\n<\/pre>\n<p>Being very duly warned, we&#8217;ll move on.<\/p>\n<p><strong>Task 1: According to MITRE ATT&#038;CK, what previously known malware does DRATzarus share similarities with?<\/strong><\/p>\n<p>If we search for DRATzarus on the MITRE ATT&#038;CK site, we land on the page <a href=\"https:\/\/attack.mitre.org\/software\/S0694\/\">here<\/a>.  The page opens with &#8220;<em>DRATzarus is a remote access tool (RAT) that has been used by Lazarus Group to target the defense and aerospace organizations globally since at least summer 2020. 
DRATzarus shares similarities with Bankshot, which was used by Lazarus Group in 2017 to target the Turkish financial sector.<\/em>&#8221;<\/p>\n<p><em><strong>Task 1 Answer: Bankshot<\/strong><\/em><\/p>\n<p><strong>Task 2: Which Windows API function does DRATzarus use to detect the presence of a debugger?<\/strong><\/p>\n<p>On the same page, under Enterprise -> Debugger Evasion, it says &#8220;<em>DRATzarus can use IsDebuggerPresent to detect whether a debugger is present on a victim<\/em>&#8221;.<\/p>\n<p><em><strong>Task 2 Answer: IsDebuggerPresent<\/strong><\/em><\/p>\n<p><strong>Task 3: Torisma is another piece of malware used by the Lazarus Group. According to MITRE, it has encrypted its C2 communications using XOR and which other method?<\/strong><\/p>\n<p>Looking up Torisma on the MITRE site, we land <a href=\"https:\/\/attack.mitre.org\/software\/S0678\/\">here<\/a>.  Under the section Enterprise -> Encrypted Channel: Symmetric Cryptography, it says &#8220;<em>Torisma has encrypted its C2 communications using XOR and VEST-32<\/em>&#8221;.<\/p>\n<p><strong><em>Task 3 Answer: VEST-32<\/em><\/strong><\/p>\n<p><strong>Task 4: Which packing method has been used to obfuscate Torisma?<\/strong><\/p>\n<p>Same page as Task 3, under Enterprise -> Obfuscated Files or Information: Software Packing, it says &#8220;<em>Torisma has been packed with lz4 compression<\/em>&#8221;.<\/p>\n<p><strong><em>Task 4 Answer: lz4 compression<\/em><\/strong><\/p>\n<p><strong>Task 5: Analyze the provided ISO file and identify the executable contained within it?<\/strong><\/p>\n<p>So this requires us to delve into the &#8220;dangerous&#8221; part of that zip file.  I&#8217;m doing this on a Kali snapshot that I have for this task.  
I ran these commands to mount the .iso and see its contents.<\/p>\n<pre>\r\n$ sudo mkdir -p \/mnt\/bae                  \r\n[sudo] password for kali: \r\n                                                                             \r\n$ sudo mount -o loop BAE_HPC_SE.iso \/mnt\/bae\r\nmount: \/mnt\/bae: WARNING: source write-protected, mounted read-only.\r\n                                                                             \r\n$ ls \/mnt\/bae                 \r\nBAE_HPC_SE.pdf  InternalViewer.exe\r\n<\/pre>\n<p><em><strong>Task 5 Answer: InternalViewer.exe<\/strong><\/em><\/p>\n<p><strong>Task 6: The executable found in the previous question was renamed. Can you identify its original name?<\/strong><\/p>\n<p>This only works if the metadata is kept on the file.  I can use exiftool to read that metadata and get our answer.<\/p>\n<pre>\r\n$ exiftool \/mnt\/bae\/InternalViewer.exe \r\nExifTool Version Number         : 13.36\r\nFile Name                       : InternalViewer.exe\r\nDirectory                       : \/mnt\/bae\r\nFile Size                       : 11 MB\r\nFile Modification Date\/Time     : 2020:06:05 03:00:44-04:00\r\nFile Access Date\/Time           : 2020:06:05 03:00:44-04:00\r\nFile Inode Change Date\/Time     : 2020:06:05 03:00:44-04:00\r\nFile Permissions                : -r-xr-xr-x\r\nFile Type                       : Win64 EXE\r\nFile Type Extension             : exe\r\nMIME Type                       : application\/octet-stream\r\nMachine Type                    : AMD AMD64\r\nTime Stamp                      : 2020:05:12 15:26:17-04:00\r\nImage File Characteristics      : Executable, Large address aware\r\nPE Type                         : PE32+\r\nLinker Version                  : 14.21\r\nCode Size                       : 10465280\r\nInitialized Data Size           : 45056\r\nUninitialized Data Size         : 34689024\r\nEntry Point                     : 0x2b10580\r\nOS Version                      : 6.0\r\nImage Version               
    : 0.0\r\nSubsystem Version               : 6.0\r\nSubsystem                       : Windows GUI\r\nFile Version Number             : 3.2.0.0\r\nProduct Version Number          : 3.2.0.0\r\nFile Flags Mask                 : 0x0000\r\nFile Flags                      : (none)\r\nFile OS                         : Windows NT 32-bit\r\nObject File Type                : Executable application\r\nFile Subtype                    : 0\r\nLanguage Code                   : English (U.S.)\r\nCharacter Set                   : Windows, Latin1\r\nFile Description                : SumatraPDF\r\nFile Version                    : 3.2\r\nLegal Copyright                 : Copyright 2006-2020 all authors (GPLv3)\r\nOriginal File Name              : SumatraPDF.exe\r\nProduct Name                    : SumatraPDF\r\nProduct Version                 : 3.2\r\nCompany Name                    : Krzysztof Kowalczyk\r\n\r\n<\/pre>\n<p><em><strong>Task 6 Answer: SumatraPDF.exe<\/strong><\/em><\/p>\n<p><strong>Task 7: According to VirusTotal, when was the EXE from the previous question First Seen In The Wild?(UTC)<\/strong><\/p>\n<p>So, in order to get the information from VirusTotal, the easiest thing for us to do is get the MD5 hash of this file and then search it.<\/p>\n<pre>\r\n$ md5sum \/mnt\/bae\/InternalViewer.exe \r\n38032a4d12d9e3029f00b120200e8e68  \/mnt\/bae\/InternalViewer.exe\r\n<\/pre>\n<p>Searching that hash brings us <a href=\"https:\/\/www.virustotal.com\/gui\/file\/adce894e3ce69c9822da57196707c7a15acee11319ccc963b84d83c23c3ea802\">here<\/a>.  From there, we go to the Details tab and then scroll down to history to find our answer.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/peteonsoftware.com\/images\/2026\/dreamjob2_sumatrahistory.png\" alt=\"Sumatra history\" title=\"Sumatra history\"><\/p>\n<p><em><strong>Task 7 Answer: 2020-08-13 08:44:50<\/strong><\/em><\/p>\n<p><strong>Task 8: What packer was used to pack the executable from Question 6? 
(Full name)<\/strong><\/p>\n<p>Still on that Details tab in VirusTotal, look up a bit.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/peteonsoftware.com\/images\/2026\/dreamjob2_packer.png\" alt=\"Sumatra packer\" title=\"Sumatra packer\"><\/p>\n<p>But they want the full name.  What does UPX stand for?  A quick Google lands us <a href=\"https:\/\/upx.github.io\/\">here<\/a>, where we learn it is the Ultimate Packer for Executables.<\/p>\n<p><em><strong>Task 8 Answer: Ultimate Packer for Executables<\/strong><\/em><\/p>\n<p><strong>Task 9: What is the full URL found within the macro in the document Salary_Lockheed_Martin_job_opportunities_confidential.doc?<\/strong><\/p>\n<p>Okay, now we are being very careful.  I&#8217;m on Linux and not running Office, so I&#8217;m at a little less risk than someone who is investigating this with Windows, but tread lightly here.  There are ways of extracting macros on Linux, but I cheated a little here: I used the strings utility and then grepped for anything that looked like a URL, which gave me the answer.<\/p>\n<pre>\r\n$ strings Salary_Lockheed_Martin_job_opportunities_confidential.doc | grep \"http\"\r\nhttps:\/\/markettrendingcenter.com\/lk_job_oppor.docx\r\n<a:clrMap xmlns:a=\"http:\/\/schemas.openxmlformats.org\/drawingml\/2006\/main\" bg1=\"lt1\" tx1=\"dk1\" bg2=\"lt2\" tx2=\"dk2\" accent1=\"accent1\" accent2=\"accent2\" accent3=\"accent3\" accent4=\"accent4\" accent5=\"accent5\" accent6=\"accent6\" hlink=\"hlink\" folHlink=\"folHlink\"\/>\r\n<\/pre>\n<p><em><strong>Task 9 Answer: https:\/\/markettrendingcenter.com\/lk_job_oppor.docx<\/strong><\/em><\/p>\n<p><strong>Task 10: Who is the author of the document Salary_Lockheed_Martin_job_opportunities_confidential.doc?<\/strong><\/p>\n<p>More <em>exiftool<\/em> fun.<\/p>\n<pre>\r\n$ exiftool Salary_Lockheed_Martin_job_opportunities_confidential.doc \r\nExifTool Version Number         : 13.36\r\nFile Name                       : 
Salary_Lockheed_Martin_job_opportunities_confidential.doc\r\nDirectory                       : .\r\nFile Size                       : 1294 kB\r\nFile Modification Date\/Time     : 2025:03:05 06:40:08-05:00\r\nFile Access Date\/Time           : 2026:01:16 15:26:03-05:00\r\nFile Inode Change Date\/Time     : 2026:01:16 15:07:03-05:00\r\nFile Permissions                : -rw-rw-r--\r\nFile Type                       : DOC\r\nFile Type Extension             : doc\r\nMIME Type                       : application\/msword\r\nIdentification                  : Word 8.0\r\nLanguage Code                   : English (US)\r\nDoc Flags                       : Has picture, 1Table, ExtChar\r\nSystem                          : Windows\r\nWord 97                         : No\r\nTitle                           : \r\nSubject                         : \r\nAuthor                          : Mickey\r\nKeywords                        : \r\nComments                        : \r\nTemplate                        : Normal.dotm\r\nLast Modified By                : Challenger\r\nSoftware                        : Microsoft Office Word\r\nCreate Date                     : 2020:04:24 03:18:00\r\nModify Date                     : 2021:10:18 13:06:00\r\nSecurity                        : None\r\nCode Page                       : Windows Latin 1 (Western European)\r\nCompany                         : \r\nChar Count With Spaces          : 32\r\nApp Version                     : 16.0000\r\nScale Crop                      : No\r\nLinks Up To Date                : No\r\nShared Doc                      : No\r\nHyperlinks Changed              : No\r\nTitle Of Parts                  : \r\nHeading Pairs                   : Title, 1\r\nComp Obj User Type Len          : 32\r\nComp Obj User Type              : Microsoft Word 97-2003 Document\r\nLast Printed                    : 0000:00:00 00:00:00\r\nRevision Number                 : 83\r\nTotal Edit Time                 : 37 minutes\r\nWords                       
    : 4\r\nCharacters                      : 29\r\nPages                           : 1\r\nParagraphs                      : 1\r\nLines                           : 1\r\n<\/pre>\n<p><em><strong>Task 10 Answer: Mickey<\/strong><\/em><\/p>\n<p><strong>Task 11: Who last modified the above document?<\/strong><\/p>\n<p>This is in the same exiftool output above, in the <em>Last Modified By<\/em> field.<\/p>\n<p><em><strong>Task 11 Answer: Challenger<\/strong><\/em><\/p>\n<p><strong>Task 12: Analyze the &#8220;17.dotm&#8221; document. What is the directory where a suspicious folder was created? (Format: Give the path starting immediately after <USER>. Please pay attention to placeholder.)<\/strong><\/p>\n<p>For this one, I&#8217;m going to use a package called <a href=\"https:\/\/github.com\/decalage2\/oletools\">OleTools<\/a> and a specific tool called <em>olevba<\/em>.<\/p>\n<pre>$ olevba --decode 17.dotm > macros.txt<\/pre>\n<p>This exports a long file (~325 lines) that is formatted pretty well.  The line we want is<\/p>\n<pre>workDir = Environ(\"UserProfile\") & \"\\AppData\\Local\\Microsoft\\Notice\"<\/pre>\n<p><em><strong>Task 12 Answer: \\AppData\\Local\\Microsoft\\Notice<\/strong><\/em><\/p>\n<p><strong>Task 13: Which suspicious file was checked for existence in that directory?<\/strong><\/p>\n<p>I did this in a fairly caveman way, but knowing that this directory is stored in the variable <em>workDir<\/em>, I searched the file for <em>workDir<\/em>.  Then I noticed that it is checking for a file in that directory whose name is stored in the <em>binName<\/em> variable.  So I searched the file again to find where <em>binName<\/em> was defined.  
Bingo.<\/p>\n<pre>\r\n$ cat macros.txt | grep workDir\r\n    workDir = Environ(\"UserProfile\") & \"\\AppData\\Local\\Microsoft\\Notice\"\r\n    If Not FolderExist(workDir) Then\r\n        MkDir (workDir)\r\n    dllPath = workDir & \"\\\" & binName\r\n        workDir = workDir & \"\\\" & binDir\r\n        If Not FolderExist(workDir) Then\r\n            MkDir (workDir)\r\n        dllPath = workDir & \"\\\" & binName\r\n                                                                             \r\n$ cat macros.txt | grep binName  \r\n    binName = \"wsuser.db\"\r\n    dllPath = workDir & \"\\\" & binName\r\n        dllPath = workDir & \"\\\" & binName\r\n<\/pre>\n<p><em><strong>Task 13 Answer: wsuser.db<\/strong><\/em><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/peteonsoftware.com\/images\/2026\/dreamjob2_pwned.png\" alt=\"Dream Job-2 Pwned\" title=\"Dream Job-2 Pwned\"><\/p>\n<p>That&#8217;s it.  Some good stuff here practicing ATT&#038;CK research, Virus Total research, and some Macro Virus investigation.  Any questions, let me know!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today, I&#8217;m going to tackle Dream Job-2 on Hack the Box, a follow-up to Dream Job-1, which I previously walked through. 
Dream Job-2 is another Sherlock, which means that we&#8217;re doing Blue Team work to &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[153],"tags":[159,141,142],"class_list":["post-1961","post","type-post","status-publish","format-standard","hentry","category-capture-the-flag","tag-blue-team","tag-information-security","tag-infosec"],"_links":{"self":[{"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/posts\/1961","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/comments?post=1961"}],"version-history":[{"count":0,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/posts\/1961\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/media?parent=1961"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/categories?post=1961"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/tags?post=1961"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}