This post documents my notes for the Dream Job Sherlock scenario.

Scenario prompt: You are a junior threat intelligence analyst investigating Operation Dream Job and need to extract key intelligence points from ATT&CK and IOC analysis.


Answers and notes

  1. Who conducted Operation Dream Job?
    Lazarus Group

  2. When was this operation first observed?
    September 2019

  3. Two campaigns are associated with Operation Dream Job. One is Operation North Star; what is the other?
    Operation Interception

  4. Two system binaries were used for proxy execution. One was Regsvr32; what was the other?
    Rundll32

  5. What lateral movement technique did the adversary use?
    Internal Spearphishing

  6. What is the ATT&CK technique ID for that lateral movement technique?
    T1534

  7. What Remote Access Trojan did Lazarus use in Operation Dream Job?
    DRATzarus

  8. What technique did the malware use for execution?
    Native API

  9. What technique did the malware use to evade sandbox detection?
    Time Based Evasion

  10. Using VirusTotal with the provided IOCs, what name is associated with the first hash?
    IEXPLORE.exe

  11. When was the file associated with the second hash first created?
    2020-05-12 19:26:17

  12. What is the parent execution file associated with the second hash?
    BAE_HPC_SE.iso

  13. For the third hash, what likely campaign-aligned filename appears?
    Salary_Lockheed_Martin_job_opportunities_confidential.doc

  14. Which URL was contacted on 2022-08-03 by the file tied to the third hash?
    https://markettrendingcenter.com/lk_job_oppor.docx


Quick methodology

  • Reviewed MITRE ATT&CK entries related to Operation Dream Job and Lazarus activity.
  • Mapped behavior to execution, lateral movement, and evasion techniques.
  • Enriched IOC hashes in VirusTotal to extract filenames, parent artifacts, and contacted URLs.
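As an added example (not part of the original notes), the script below pulls the same fields the last five answers came from (filename, creation and first-submission dates, execution parent, contacted URLs) out of VirusTotal v3 file reports, so the enrichment step is repeatable rather than a manual read of the web UI. The JSON is a constructed stand-in for the `files/{hash}`, `execution_parents` and `contacted_urls` responses with placeholder ids, and it assumes the date shown beside a contacted URL in the Relations tab is that URL object's `last_analysis_date`.

```python
"""Extract the Q10-14 style fields from VirusTotal v3 file reports (constructed samples)."""
import json
from datetime import datetime, timezone

# Constructed sample of GET /api/v3/files/{sha256}; the id is a placeholder, not a real hash.
FILE_REPORT = json.loads("""{"data": {"type": "file", "id": "<SHA256-PLACEHOLDER>",
  "attributes": {"meaningful_name": "sample.exe",
                 "names": ["sample.exe", "job_offer.doc"],
                 "creation_date": 1600000000,
                 "first_submission_date": 1600500000,
                 "last_analysis_stats": {"malicious": 41, "undetected": 29}}}}""")

# Constructed sample of GET /api/v3/files/{sha256}/execution_parents
EXECUTION_PARENTS = json.loads("""{"data": [{"type": "file",
  "id": "<PARENT-SHA256-PLACEHOLDER>",
  "attributes": {"meaningful_name": "sample_parent.iso"}}]}""")

# Constructed sample of GET /api/v3/files/{sha256}/contacted_urls
CONTACTED_URLS = json.loads("""{"data": [
  {"type": "url", "id": "<URL-ID-PLACEHOLDER-1>",
   "attributes": {"url": "https://example.invalid/lure.docx", "last_analysis_date": 1659484800}},
  {"type": "url", "id": "<URL-ID-PLACEHOLDER-2>",
   "attributes": {"url": "https://example.invalid/beacon", "last_analysis_date": 1659000000}}]}""")


def epoch_to_utc(ts):
    """VT stores timestamps as Unix epoch seconds; render them in UTC like the web UI does."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def enrich(report, parents, urls):
    """Collect filename, timestamps, parent artifact and contacted URLs for one hash."""
    attrs = report["data"]["attributes"]
    names = attrs.get("names") or []
    return {
        "name": attrs.get("meaningful_name") or (names[0] if names else None),
        # creation_date is read from file metadata (e.g. PE compile time) and is
        # attacker-controlled; first_submission_date is what VT itself observed.
        "created_utc": epoch_to_utc(attrs["creation_date"]),
        "first_submitted_utc": epoch_to_utc(attrs["first_submission_date"]),
        "malicious_detections": attrs.get("last_analysis_stats", {}).get("malicious", 0),
        "execution_parents": [p["attributes"].get("meaningful_name", p["id"]) for p in parents["data"]],
        "contacted_urls": [u["attributes"]["url"] for u in urls["data"]],
    }


def urls_contacted_on(urls, day):
    """Keep only contacted URLs whose analysis date falls on the given UTC day (YYYY-MM-DD)."""
    return [u["attributes"]["url"] for u in urls["data"]
            if epoch_to_utc(u["attributes"]["last_analysis_date"]).startswith(day)]


if __name__ == "__main__":
    print(json.dumps(enrich(FILE_REPORT, EXECUTION_PARENTS, CONTACTED_URLS), indent=2))
    print(urls_contacted_on(CONTACTED_URLS, "2022-08-03"))
```

Against the live API the three dictionaries come from the corresponding endpoints with an `x-apikey` header; the parsing is unchanged.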

Takeaways

  • Threat intel challenges are best solved by combining ATT&CK context with IOC enrichment.
  • Campaign naming overlaps can be confusing, so mapping the timeline and the software involved matters.
  • Parent-child execution artifacts in VirusTotal are often the fastest path to scenario answers.