HTB Sherlock Write-Up FortySeven-1
Profiling the Mysterious Elephant APT Through OSINT and Threat Intelligence Correlation

Challenge Information
| Field | Detail |
|---|---|
| Platform | Hack The Box |
| Category | Sherlock |
| Challenge Name | FortySeven-1 |
| Difficulty | Very Easy |
Scenario
The challenge centres on an APT group that uses Hajj-themed phishing lures against government and diplomatic officials, with the goal of stealing WhatsApp data from the victims' machines.
To solve this Sherlock, several intelligence reports and threat research articles were provided as evidence. The task was to correlate information across these sources to identify the threat actor, its malware, attack techniques, persistence methods and exfiltration behaviour, and to map the observed behaviour to MITRE ATT&CK.
Evidence Sources (as referenced in the tasks below):
- Evidence-1: Kaspersky SecureList report on Mysterious Elephant
- Evidence-2: Knownsec 404 team analysis of ORPCBackdoor
- Evidence-3: Knownsec 404 team analysis of Asyncshell
Task 1
Question
What is the primary name of the APT group described in the SecureList report?
Analysis
For the first question, I opened Evidence-1, the Kaspersky SecureList report. The introduction names the threat actor being analysed.
The report states that the APT group is tracked as Mysterious Elephant.
Answer
Mysterious Elephant
Task 2
Question
According to the Knownsec 404 team's analysis (Evidence-3), since which year has this group's attack activity been dated back to?
Analysis
The question itself points to Evidence-3, so I opened the Asyncshell analysis and checked the overview/background section.
The report states that the group's activity dates back to 2022.
Answer
2022
Task 3
Question
The group uses a custom backdoor that communicates via Office Remote Procedure Call (ORPCBackdoor). According to the Knownsec 404 team's analysis (Evidence-2), what is the name of the first malicious exported entry function?
Analysis
This task points to Evidence-2, so I searched the ORPCBackdoor analysis for the export table of the malicious DLL.
In the section on exported functions, the report explains that the DLL has two malicious exports. The first malicious exported entry function is listed as GetFileVersionInfoByHandleEx(void). Note that this is a lookalike of a legitimate Windows API name: the export name is chosen to blend in, so matching on it in a hunt should be combined with the module's hash or path rather than the name alone.
Answer
GetFileVersionInfoByHandleEx(void)
Task 4
Question
The previously mentioned backdoor checks for a file before creating persistence. What is the name of the file?
Analysis
Still in Evidence-2, I continued to the section on ORPCBackdoor's persistence.
Before installing persistence, the malware checks whether a marker file already exists so that it does not create the persistence entry twice. The report names this file ts.dat: if it is absent, the malware creates persistence and then writes ts.dat. A marker like this is also a host artefact worth hunting for, since its presence indicates the persistence step has already run (the report section summarised here does not give the full path, so hunt by file name).
Answer
ts.dat
Task 5
Question
The use of the backdoor links the APT to another well-known South Asian APT group. What is the name of this other group?
Analysis
In the homology analysis section of Evidence-2, the report compares ORPCBackdoor's tooling and tradecraft with that of other South Asian threat actors.
The article repeatedly notes overlaps with the BITTER APT group, including similar attack chains, CHM file structures and shared infrastructure. Taken together these link the activity to Bitter.
Answer
Bitter
Task 6
Question
The APT group we are currently investigating has consistently used and updated another backdoor since 2023, with its C2 communication evolving from TCP to HTTPS. What is the name of this tool?
Analysis
To solve this task, I reviewed Evidence-3, which traces the evolution of the Asyncshell malware family.
The report explains that across version updates the C2 communication moved from plain TCP to HTTPS, and it labels the updated version Asyncshell-v2.
Answer
Asyncshell-v2
Task 7
Question
To evade sandbox analysis, the MemLoader HidenDesk tool checks the number of active processes before running. What is the minimum number of processes required for it to proceed?
Analysis
This answer is in the Kaspersky report (Evidence-1) under the "Customized open-source tools" section.
The report states that MemLoader HidenDesk terminates itself if fewer than 40 processes are running, so the minimum process count for it to proceed is 40. Process-count thresholds are a common sandbox tell: a freshly booted analysis VM typically runs far fewer processes than a user's workstation, which is why sandboxes are often padded with decoy processes before detonation.
Answer
40
Task 8
Question
The MemLoader HidenDesk tool creates a covert environment for its activities by creating and switching to a specific environment. What is the name of this hidden desktop?
Analysis
In the same MemLoader HidenDesk section, the report explains that the malware creates a separate desktop and switches to it so that its windows are not visible on the user's desktop. The hidden desktop is named MalwareTech_Hidden.
Answer
MalwareTech_Hidden
Task 9
Question
The MemLoader HidenDesk tool achieves persistence by placing a shortcut in the autostart folder to ensure it runs after a system reboot. What is the MITRE ATT&CK ID for the 'Registry Run Keys / Startup Folder' technique?
Analysis
The question asks for the MITRE ATT&CK technique covering persistence through the Startup folder and registry Run keys. In the Enterprise matrix this is the sub-technique "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder", T1547.001.
Answer
T1547.001
Task 10
Question
The actor uses several custom exfiltration tools targeting WhatsApp. What is the name of the tool that recursively searches specific directories, including the "Desktop" and "Downloads" folders?
Analysis
In Evidence-1, under the "WhatsApp-specific exfiltration tools" section, the report describes several custom exfiltration tools.
One of them, Stom Exfiltrator, recursively searches directories including Desktop and Downloads to collect files for upload.
Answer
Stom Exfiltrator
Task 11
Question
Kaspersky's analysis highlights the actor's heavy use of scripts for execution and deploying payloads. What is the MITRE ATT&CK ID for the 'PowerShell' technique?
Analysis
The report repeatedly describes PowerShell scripts being used for execution, payload deployment and persistence. The corresponding ATT&CK sub-technique is "Command and Scripting Interpreter: PowerShell", T1059.001.
Answer
T1059.001
Task 12
Question
In their early attack chains, Mysterious Elephant used a downloader that was previously associated with the Origami Elephant group. What was the name of this downloader?
Analysis
In the "Emergence of Mysterious Elephant" section of the Kaspersky report, the article explains that the actor's early attack chains used a downloader previously associated with Origami Elephant. The downloader is named Vtyrei.
Answer
Vtyrei
Task 13
Question
In a January 2024 campaign delivering an Asyncshell payload, which CVE was exploited in the malicious archive file?
Analysis
In Evidence-3, the "Discover Asyncshell for the first time" section explains that the January 2024 campaign delivered its payload through a malicious archive exploiting CVE-2023-38831, the WinRAR archive-handling vulnerability.
Answer
CVE-2023-38831
Task 14
Question
What is the MD5 hash of the ChromeStealer Exfiltrator sample named WhatsAppOB.exe?
Analysis
In the Indicators of Compromise section of the Kaspersky report, the sample hashes are grouped by tool. Under ChromeStealer Exfiltrator, the MD5 hash for WhatsAppOB.exe is listed as below. When using report hashes for hunting, copy them exactly from the IoC section and match on the full digest rather than the file name, since the actor can rename the binary freely.
Answer
9e50adb6107067ff0bab73307f5499b6
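The two host-level indicators the write-up has collected so far are a file name (the ts.dat marker from Task 4) and a file hash (the WhatsAppOB.exe MD5 from Task 14). The following is an added example of how to turn them into a one-pass scan of a user profile; it is my code, not anything from the reports or the challenge. The directory layout and file contents in demo_scan() are constructed for the demonstration, and the MD5 of b"abc" stands in for a real sample hash so that the code runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hash IOC as quoted in the write-up (ChromeStealer Exfiltrator sample WhatsAppOB.exe).
REPORT_MD5_IOCS = {
    "9e50adb6107067ff0bab73307f5499b6": "ChromeStealer Exfiltrator (WhatsAppOB.exe)",
}

# File-name IOC as quoted in the write-up: the marker ORPCBackdoor writes after installing persistence.
MARKER_FILENAMES = {
    "ts.dat": "ORPCBackdoor persistence marker",
}

# Constructed stand-in hash (MD5 of b"abc"), used only so the demo matches on a file we create ourselves.
DEMO_MD5 = "900150983cd24fb0d6963f7d28e17f72"


def md5_of_file(path, chunk_size=1 << 20):
    """Stream the file through MD5 so large files do not need to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, md5_iocs=REPORT_MD5_IOCS, marker_names=MARKER_FILENAMES):
    """Walk root once and report every file whose name or MD5 matches an IOC.

    Each hit is a dict with the path, the kind of match ("filename" or "md5"),
    the matched indicator and its label. Results are sorted so output is stable.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            lowered = name.lower()
            if lowered in marker_names:
                hits.append({"path": path, "kind": "filename",
                             "ioc": lowered, "label": marker_names[lowered]})
            try:
                digest = md5_of_file(path)
            except OSError:
                # Locked or unreadable file: record nothing and keep hunting rather than abort.
                continue
            if digest in md5_iocs:
                hits.append({"path": path, "kind": "md5",
                             "ioc": digest, "label": md5_iocs[digest]})
    return sorted(hits, key=lambda h: (h["path"], h["kind"]))


def demo_scan():
    """Build a throwaway profile tree (constructed data) with one hash hit, one marker hit
    and one clean file, scan it, and return (file name, kind, ioc) tuples."""
    iocs = dict(REPORT_MD5_IOCS)
    iocs[DEMO_MD5] = "constructed stand-in sample"
    with tempfile.TemporaryDirectory() as tmp:
        user = Path(tmp) / "Users" / "victim"
        (user / "Downloads").mkdir(parents=True)
        (user / "AppData" / "Local").mkdir(parents=True)
        (user / "Downloads" / "stand_in.exe").write_bytes(b"abc")      # hash hit
        (user / "AppData" / "Local" / "ts.dat").write_bytes(b"")       # marker hit
        (user / "Downloads" / "notes.txt").write_bytes(b"nothing here")  # clean
        hits = scan_tree(tmp, md5_iocs=iocs)
        return [(Path(h["path"]).name, h["kind"], h["ioc"]) for h in hits]


if __name__ == "__main__":
    for hit in demo_scan():
        print(hit)
```

On a real host you would point scan_tree at the user profile root rather than a temporary directory; matching on the name is there only because the marker's contents are not described in the report, so the name is the one thing available to key on.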
Task 15
Question
The intelligence describes multiple custom tools designed to upload stolen data to the actor's servers. According to the MITRE ATT&CK framework, what is the ID for the 'Exfiltration Over C2 Channel' technique?
Analysis
The question asks for the ATT&CK technique covering the upload of stolen data over the existing command-and-control channel, which is how the custom WhatsApp exfiltration tools in Evidence-1 send collected files to the actor's servers. That technique is "Exfiltration Over C2 Channel", T1041.
Answer
T1041
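Tasks 9, 11 and 15 each map one observed behaviour to an ATT&CK ID. In practice the end product of this kind of correlation is a Navigator layer that the detection team can overlay on the matrix. The block below is an added example of that last step, written by me and not taken from the challenge or any of the reports: it validates the technique IDs, aggregates repeated observations into a per-technique score, and emits the layer as JSON. The Navigator layer field names and version numbers are my assumption of the current schema, so check them against the Navigator you deploy to.

```python
import json
import re

# ATT&CK technique IDs look like T1041 or T1547.001 (parent plus optional 3-digit sub-technique).
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")

# Observations exactly as recorded in this write-up: (technique ID, supporting evidence).
OBSERVATIONS = [
    ("T1547.001", "MemLoader HidenDesk places a shortcut in the Startup folder (Task 9)"),
    ("T1059.001", "PowerShell scripts used for execution and payload deployment (Task 11)"),
    ("T1041", "custom WhatsApp exfiltration tools upload stolen data to the actor's servers (Task 15)"),
]


def validate_technique_id(tid):
    """Reject anything that is not a well-formed ATT&CK technique or sub-technique ID."""
    if not TECHNIQUE_ID.match(tid):
        raise ValueError(f"not an ATT&CK technique ID: {tid!r}")
    return tid


def parent_technique(tid):
    """T1547.001 -> T1547; a parent ID is returned unchanged."""
    return validate_technique_id(tid).split(".")[0]


def build_layer(name, observations, description=""):
    """Aggregate (technique, evidence) pairs into an ATT&CK Navigator layer dict.

    Score is the number of distinct observations supporting the technique, and the
    comment field keeps the evidence so the mapping stays traceable to the reports.
    Field names and version strings are assumed to match the Navigator 4.x layer format.
    """
    evidence = {}
    for tid, note in observations:
        evidence.setdefault(validate_technique_id(tid), []).append(note)
    techniques = [
        {"techniqueID": tid, "score": len(notes), "comment": "; ".join(notes), "enabled": True}
        for tid, notes in sorted(evidence.items())
    ]
    return {
        "name": name,
        "versions": {"attack": "15", "navigator": "4.9.1", "layer": "4.5"},  # assumed current versions
        "domain": "enterprise-attack",
        "description": description,
        "techniques": techniques,
    }


def layer_json(name, observations, description=""):
    """Serialise the layer for import into ATT&CK Navigator."""
    return json.dumps(build_layer(name, observations, description), indent=2)


if __name__ == "__main__":
    print(layer_json("Mysterious Elephant (FortySeven-1)", OBSERVATIONS,
                     "Techniques observed across Evidence-1..3"))
```

Keeping the evidence string next to each technique matters more than the score: when a detection engineer later asks why T1041 is on the layer, the comment answers it without re-reading three reports.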
Conclusion
This Sherlock challenge focused on threat intelligence analysis and APT profiling using multiple public research reports.
During this investigation, I learned how to correlate threat intelligence from different vendors and researchers in order to identify:
- Threat actor attribution
- Malware families and backdoors
- Persistence mechanisms
- Sandbox evasion techniques
- Exfiltration methods
- MITRE ATT&CK mappings
- Infrastructure and operational behaviour
The challenge also gave a good picture of how modern APT groups continuously evolve their malware, infrastructure and attack chains to avoid detection.
Overall, FortySeven-1 was an excellent beginner-friendly Sherlock for improving OSINT analysis, threat hunting and malware intelligence correlation skills.