SANS ISC: Internet Storm Center

Another .lnk File

Published: 2017-07-23
Last Updated: 2017-07-23 18:50:46 UTC
by Didier Stevens (Version: 1)

In diary entry "Office maldoc + .lnk" we analyzed a Windows shortcut file (.lnk) and looked for metadata, but it didn't contain much.

Here is another malicious .lnk file that we analyze with lnkanalyser:

This time we have more metadata: under the TrackerDataBlock we find the machine name (frank), a VolumeID and a MAC address.

The MAC address starts with 00:0C:29, a range (OUI) assigned to VMware, so the .lnk file was created on a virtual machine.

The target (cmd.exe) has size 301568 bytes, which matches cmd.exe on Windows 7.
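As an added example that is not part of the original diary and is not lnkanalyser's code, the following Python script parses a .lnk file far enough to reach the ExtraData section, decodes the TrackerDataBlock (machine name, volume and file ObjectIDs, and the MAC address carried in the node field of the version-1 file ObjectID) and checks the OUI against known hypervisor ranges. It also reads the FileSize field from the ShellLinkHeader, the value the diary compares with cmd.exe on Windows 7. The sample .lnk it builds is constructed for the example: only the machine name, the 301568-byte size and the 00:0C:29 prefix come from the diary; the ObjectIDs, the rest of the MAC and the command-line arguments are invented. The 00:50:56 (VMware) and 08:00:27 (VirtualBox) entries in the OUI table are my additions, not from the diary.

```python
import struct
import uuid

# ExtraData block signature of the TrackerDataBlock (MS-SHLLINK 2.5.10)
TRACKER_DATA_BLOCK_SIG = 0xA0000003

# LinkFlags bits deciding which optional structures sit between header and ExtraData
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# OUI prefixes worth flagging in triage. 00:0C:29 is the VMware range the diary
# mentions; 00:50:56 (VMware) and 08:00:27 (VirtualBox) are added here.
KNOWN_OUIS = {"00:0C:29": "VMware", "00:50:56": "VMware", "08:00:27": "VirtualBox"}

STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


def parse_tracker_block(block):
    """Decode a TrackerDataBlock: after BlockSize(4)+Signature(4) come Length(4),
    Version(4), MachineID(16), Droid(2 GUIDs, 32) and DroidBirth(2 GUIDs, 32)."""
    machine_id = block[16:32].split(b"\x00", 1)[0].decode("ascii", "replace")
    droid_volume = uuid.UUID(bytes_le=block[32:48])
    droid_file = uuid.UUID(bytes_le=block[48:64])
    # The file Droid is normally a version-1 (time-based) UUID; its 48-bit node
    # field is the MAC of the NIC on the machine where the link target lived.
    node_hex = f"{droid_file.node:012X}"
    return {"machine_id": machine_id,
            "volume_id": str(droid_volume),
            "file_id": str(droid_file),
            "mac": ":".join(node_hex[i:i + 2] for i in range(0, 12, 2)),
            "mac_from_v1_uuid": droid_file.version == 1}


def parse_lnk(data):
    """Walk a .lnk file to its ExtraData section; return the header's target
    FileSize, the StringData fields and the TrackerDataBlock (None if absent)."""
    (header_size,) = struct.unpack_from("<I", data, 0)
    if header_size != 0x4C:
        raise ValueError("not a ShellLinkHeader")
    (flags,) = struct.unpack_from("<I", data, 0x14)      # LinkFlags
    (file_size,) = struct.unpack_from("<I", data, 0x34)  # FileSize of the target
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:                  # IDListSize(2) + IDList
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & HAS_LINK_INFO:                            # LinkInfoSize(4) spans the structure
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    strings = {}
    for bit, name in STRING_FIELDS:                      # CountCharacters(2) + characters
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, pos)
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        strings[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
        pos += width * count
    result = {"target_file_size": file_size, "strings": strings, "tracker": None}
    # ExtraData: BlockSize(4) BlockSignature(4) ... repeated, ended by a TerminalBlock (< 4)
    while pos + 4 <= len(data):
        (block_size,) = struct.unpack_from("<I", data, pos)
        if block_size < 8 or pos + block_size > len(data):
            break
        (sig,) = struct.unpack_from("<I", data, pos + 4)
        if sig == TRACKER_DATA_BLOCK_SIG and block_size >= 0x60:
            result["tracker"] = parse_tracker_block(data[pos:pos + block_size])
        pos += block_size
    return result


def classify_oui(mac):
    """Map the first three octets of a MAC to a known hypervisor vendor, if any."""
    return KNOWN_OUIS.get(mac[:8].upper())


def build_sample_lnk():
    """Constructed sample (not the diary's file): a minimal .lnk to cmd.exe with a
    TrackerDataBlock. Only 'frank', 301568 and the 00:0C:29 prefix are from the diary."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 0x4C)
    header += uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le  # LinkCLSID
    header += struct.pack("<II", flags, 0x20)                   # LinkFlags, FileAttributes
    header += b"\x00" * 24                                        # three FILETIME fields
    header += struct.pack("<IIIHHII", 301568, 0, 1, 0, 0, 0, 0)  # FileSize .. Reserved3

    def ustr(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    strings = ustr("..\\..\\..\\Windows\\System32\\cmd.exe") + ustr("/c echo constructed-sample")
    droid_volume = uuid.UUID("0f0e0d0c-0b0a-1908-8706-050403020100")  # invented volume ObjectID
    # Version-1 UUID whose node field carries an invented MAC in the VMware range
    droid_file = uuid.UUID(fields=(0x12345678, 0x9ABC, 0x11D3, 0x80, 0x01, 0x000C29ABCDEF))
    tracker = struct.pack("<IIII", 0x60, TRACKER_DATA_BLOCK_SIG, 0x58, 0)
    tracker += b"frank".ljust(16, b"\x00")
    tracker += droid_volume.bytes_le + droid_file.bytes_le      # Droid
    tracker += droid_volume.bytes_le + droid_file.bytes_le      # DroidBirth
    return header + strings + tracker + struct.pack("<I", 0)    # TerminalBlock


if __name__ == "__main__":
    info = parse_lnk(build_sample_lnk())
    print(info)
    print("vendor:", classify_oui(info["tracker"]["mac"]))
```

Running it on a real sample is a matter of replacing `build_sample_lnk()` with `open(path, "rb").read()`. Note the `mac_from_v1_uuid` flag: if the file ObjectID is not a version-1 UUID, the node field is not a MAC and the OUI lookup should be ignored.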

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Keywords: lnk