|
In diary entry "Office maldoc + .lnk" we analyzed a Windows shortcut file (.lnk) and looked for metadata, but it didn't contain much. Here is another malicious .lnk file that we analyze with lnkanalyser:
This time we have more metadata, under TrackerDataBlock we can find the machine name (frank), a VolumeID and a MAC address. The MAC address starts with 00:0C:29, that range is assigned to VMware. So we are dealing with a virtual machine. The target (cmd.exe) has size 301568: this is cmd.exe on Windows 7. Didier Stevens |
DidierStevens 652 Posts ISC Handler Jul 23rd 2017 |
| Thread locked Subscribe |
Jul 23rd 2017 4 years ago |
Sign Up for Free or Log In to start participating in the conversation!
https://www.sans.edu
