Threat Level: green Handler on Duty: Jim Clausing

SANS ISC: Another .lnk File SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Another .lnk File

In diary entry "Office maldoc + .lnk" we analyzed a Windows shortcut file (.lnk) and looked for metadata, but it didn't contain much.

Here is another malicious .lnk file that we analyze with lnkanalyser:

This time we have more metadata, under TrackerDataBlock we can find the machine name (frank), a VolumeID and a MAC address.

The MAC address starts with 00:0C:29, that range is assigned to VMware. So we are dealing with a virtual machine.

The target (cmd.exe) has size 301568: this is cmd.exe on Windows 7.

Didier Stevens
Microsoft MVP Consumer Security


449 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!