Category: Threat Intelligence
Difficulty: Medium
https://app.hackthebox.com/sherlocks/Constellation
Scenario #
The SOC team has recently been alerted to the potential existence of an insider threat. The suspect employee's workstation has been secured and examined. During the memory analysis, the Senior DFIR Analyst succeeded in extracting several intriguing URLs from memory. These are now provided to you for further analysis to uncover any evidence, such as indications of data exfiltration or contact with malicious entities. Should you discover any information regarding the attacking group or individuals involved, you will collaborate closely with the threat intelligence team. Additionally, you will assist the Forensics team in creating a timeline.
Warning: This Sherlock requires an element of OSINT; some answers can only be found outside the provided artifacts.
Steps to Solve #
Step 1: Analyze the Discord URL #
Description:
Using the tool Unfurl, the Discord attachment URL was deconstructed to extract timestamps and details from its path. Discord IDs are snowflakes: the upper bits encode milliseconds since the Discord epoch (2015-01-01 UTC), so every ID in the path carries a creation time. The analysis revealed:
- The channel ID, belonging to a direct message (DM) channel; its snowflake timestamp marks the creation of the channel and therefore the start of communication: 2023-09-16 16:03:37 UTC.
- The attachment ID, whose snowflake timestamp gives the file upload time: 2023-09-27 05:27:02 UTC.
- The filename, taken from the last path segment: NDA_Instructions.pdf.
Commands/Methods Used:
- Loaded the Discord URL into Unfurl.
- Interpreted the breakdown of host, path, and query parameters.
Step 2: Review the File Metadata #
Description:
The file "NDA_Instructions.pdf," shared via Discord, was analyzed for metadata using ExifTool. Key findings included:
- The author field: CyberJunkie@AntiCorp.Gr04p, a handle that doubles as a pivot for OSINT.
- An implausible creation date: 2054:01:17 22:45:22+01:00, three decades in the future and identical to the modification date, so the PDF date fields were deliberately falsified rather than left at the values a generator would write.
- The title: KarenForela_Instructions.
- The producer: AntiCorp PDF FW (and creator: AntiCorp), a self-declared value with no known PDF generator behind it, consistent with hand-edited metadata.
$ exiftool NDA_Instructions.pdf
ExifTool Version Number : 13.00
File Name : NDA_Instructions.pdf
Directory : .
File Size : 26 kB
File Modification Date/Time : 2024:03:05 12:02:19+02:00
File Access Date/Time : 2025:01:18 20:27:48+02:00
File Inode Change Date/Time : 2024:12:19 17:22:28+02:00
File Permissions : -rw-rw-r--
File Type : PDF
File Type Extension : pdf
MIME Type : application/pdf
PDF Version : 1.7
Linearized : No
Page Count : 1
Producer : AntiCorp PDF FW
Create Date : 2054:01:17 22:45:22+01:00
Title : KarenForela_Instructions
Author : CyberJunkie@AntiCorp.Gr04p
Creator : AntiCorp
Modify Date : 2054:01:17 22:45:22+01:00
Subject : Forela_Mining stats and data campaign (Stop destroying env)
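An added Python example, not part of the original writeup, showing what ExifTool is reporting and the sanity check a practitioner should apply to it: PDF stores dates in an /Info dictionary as strings of the form `D:YYYYMMDDHHmmSSOHH'mm'`, and a creation or modification date later than the time the file was observed on disk is proof of tampering. The sample bytes below are a constructed, uncompressed /Info dictionary carrying the values from the ExifTool output above; real PDFs may store /Info inside an object stream or use hex/UTF-16 strings, which this minimal extractor does not handle.

```python
"""Parse PDF /Info date strings and flag dates that cannot be genuine."""
import re
from datetime import datetime, timedelta, timezone

# D:YYYY[MM[DD[HH[mm[SS[O[HH'[mm']]]]]]]] where O is Z, + or -
PDF_DATE_RE = re.compile(
    r"D:(?P<Y>\d{4})(?P<M>\d{2})?(?P<D>\d{2})?(?P<h>\d{2})?(?P<m>\d{2})?(?P<s>\d{2})?"
    r"(?P<tz>[Zz+\-])?(?P<oh>\d{2})?'?(?P<om>\d{2})?'?"
)
INFO_KEYS = ("CreationDate", "ModDate", "Author", "Producer", "Creator", "Title", "Subject")


def parse_pdf_date(value: str) -> datetime:
    """Turn a PDF date string into a timezone-aware datetime (missing parts default low)."""
    m = PDF_DATE_RE.match(value.strip())
    if not m or not m.group("Y"):
        raise ValueError(f"not a PDF date: {value!r}")
    g = m.groupdict()
    naive = datetime(int(g["Y"]), int(g["M"] or 1), int(g["D"] or 1),
                     int(g["h"] or 0), int(g["m"] or 0), int(g["s"] or 0))
    offset = timedelta(0)
    if g["tz"] in ("+", "-"):
        offset = timedelta(hours=int(g["oh"] or 0), minutes=int(g["om"] or 0))
        if g["tz"] == "-":
            offset = -offset
    return naive.replace(tzinfo=timezone(offset))


def extract_info(pdf_bytes: bytes) -> dict:
    """Pull literal-string values for the common /Info keys out of raw PDF bytes."""
    info = {}
    for key in INFO_KEYS:
        # literal string: "(" ... first unescaped ")"
        m = re.search(rb"/" + key.encode() + rb"\s*\((.*?)(?<!\\)\)", pdf_bytes, re.S)
        if m:
            text = m.group(1).decode("latin-1")
            info[key] = text.replace("\\(", "(").replace("\\)", ")")
    return info


def date_anomalies(info: dict, observed: datetime) -> list:
    """Return human-readable findings for dates that contradict the observation time."""
    findings = []
    for key in ("CreationDate", "ModDate"):
        if key in info:
            when = parse_pdf_date(info[key])
            if when > observed:
                findings.append(f"{key} {when.isoformat()} is later than the file was "
                                f"observed ({observed.isoformat()}): metadata was altered")
    return findings


# Constructed /Info dictionary with the values ExifTool reported for NDA_Instructions.pdf.
SAMPLE_PDF = (
    b"%PDF-1.7\n1 0 obj\n<<\n"
    b"/Producer (AntiCorp PDF FW)\n"
    b"/CreationDate (D:20540117224522+01'00')\n"
    b"/ModDate (D:20540117224522+01'00')\n"
    b"/Title (KarenForela_Instructions)\n"
    b"/Author (CyberJunkie@AntiCorp.Gr04p)\n"
    b"/Creator (AntiCorp)\n"
    b"/Subject (Forela_Mining stats and data campaign \\(Stop destroying env\\))\n"
    b">>\nendobj\n%%EOF\n"
)
# Filesystem modification time from the ExifTool listing (the earliest credible "observed" time).
OBSERVED = datetime(2024, 3, 5, 12, 2, 19, tzinfo=timezone(timedelta(hours=2)))

if __name__ == "__main__":
    meta = extract_info(SAMPLE_PDF)
    for k, v in meta.items():
        print(f"{k:13} {v}")
    for finding in date_anomalies(meta, OBSERVED):
        print("ANOMALY:", finding)
```

The check uses the filesystem modification time, not the current clock, as the reference, so the verdict stays the same however long after acquisition the script is run.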
Step 3: Decompose the Google URL #
Description:
The provided Google URL contained a search query. Google search URLs carry the query in q, the text as originally typed (before autocomplete) in oq, and an ei parameter whose URL-safe base64 payload is a protobuf message whose first field is the Unix time of the search. The analysis uncovered:
- Search query (q): how to zip a folder using tar in linux.
- Originally typed query (oq): How to archive a folder using tar i.
- Timestamp of the search, decoded from ei: 2023-09-27 05:31:45 UTC, four minutes and 43 seconds after the PDF was uploaded to Discord.
Commands/Methods Used:
- Loaded the Google URL into Unfurl.
- Decoded query parameters to extract search details and timestamps.
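An added Python example (not code from the original writeup) of the two steps the Google URL needs: decoding the ei parameter into a timestamp and placing the result on the timeline next to the Discord upload time. The sample URL is constructed; its ei value was built by hand to decode to 2023-09-27 05:31:45 UTC and carries only the timestamp field, whereas a real ei value is longer and carries further fields after it, which the decoder below ignores. The timeline entries are the timestamps reported in Steps 1 and 3.

```python
"""Decode a Google search URL (q, oq, ei) and order the results on a timeline."""
import base64
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def read_varint(buf: bytes, pos: int):
    """Read one protobuf base-128 varint starting at pos; return (value, next_pos)."""
    shift = value = 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def decode_ei(ei: str) -> datetime:
    """ei is unpadded URL-safe base64 of a protobuf; field 1 (tag 0x08) is Unix seconds."""
    raw = base64.urlsafe_b64decode(ei + "=" * (-len(ei) % 4))
    tag, pos = read_varint(raw, 0)
    if tag != 0x08:  # field number 1, wire type 0 (varint)
        raise ValueError("ei does not start with a varint timestamp field")
    seconds, _ = read_varint(raw, pos)
    return UNIX_EPOCH + timedelta(seconds=seconds)


def parse_google_search_url(url: str) -> dict:
    qs = parse_qs(urlparse(url).query)  # parse_qs also turns '+' back into spaces
    out = {"query": qs.get("q", [None])[0], "typed": qs.get("oq", [None])[0]}
    if "ei" in qs:
        out["searched_at"] = decode_ei(qs["ei"][0])
    return out


def build_timeline(events: list) -> list:
    """Sort (timestamp, description) pairs and annotate each with the gap to its predecessor."""
    ordered = sorted(events)
    rows, previous = [], None
    for when, what in ordered:
        gap = (when - previous).total_seconds() if previous else 0.0
        rows.append((when, what, gap))
        previous = when
    return rows


# Constructed sample URL; ei = base64url(0x08 + varint(1695792705)) = "CMH8zqgG".
SAMPLE_URL = (
    "https://www.google.com/search?q=how+to+zip+a+folder+using+tar+in+linux"
    "&oq=How+to+archive+a+folder+using+tar+i&ei=CMH8zqgG"
)

# Timestamps reported in Steps 1 and 3 of the analysis.
EVENTS = [
    (datetime(2023, 9, 16, 16, 3, 37, tzinfo=timezone.utc), "Discord DM channel created"),
    (datetime(2023, 9, 27, 5, 27, 2, tzinfo=timezone.utc), "NDA_Instructions.pdf uploaded"),
    (parse_google_search_url(SAMPLE_URL)["searched_at"], "Google search: tar a folder"),
]

if __name__ == "__main__":
    print(parse_google_search_url(SAMPLE_URL))
    for when, what, gap in build_timeline(EVENTS):
        print(f"{when:%Y-%m-%d %H:%M:%S} UTC  +{gap:>8.0f}s  {what}")
```

The ordering matters for the narrative: the instructions PDF arrived first, and the search for how to archive a directory followed within five minutes, which supports reading the search as preparation to package data for exfiltration rather than an unrelated lookup.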
Step 4: Conduct OSINT on the Threat Actor #
Description:
The author string CyberJunkie@AntiCorp.Gr04p found in the PDF metadata, used as a search pivot, led to a LinkedIn profile:
- Name: Abdullah Al Sajjad.
- Location: Bahawalpur, Punjab, Pakistan.
Tools Used #
- Unfurl: To analyze and extract data from URLs.
- ExifTool: To retrieve and examine metadata from the PDF file.
- OSINT Resources: LinkedIn and search engines to profile the threat actor.