Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Another .lnk File - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Another .lnk File

In diary entry "Office maldoc + .lnk" we analyzed a Windows shortcut file (.lnk) and looked for metadata, but it didn't contain much.

Here is another malicious .lnk file that we analyze with lnkanalyser:

This time we have more metadata, under TrackerDataBlock we can find the machine name (frank), a VolumeID and a MAC address.

The MAC address starts with 00:0C:29, that range is assigned to VMware. So we are dealing with a virtual machine.

The target (cmd.exe) has size 301568: this is cmd.exe on Windows 7.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

DidierStevens

174 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!