SANS ISC: Internet Storm Center

Another .lnk File

Published: 2017-07-23
Last Updated: 2017-07-23 18:50:46 UTC
by Didier Stevens (Version: 1)

In diary entry "Office maldoc + .lnk" we analyzed a Windows shortcut file (.lnk) and looked for metadata, but it didn't contain much.

Here is another malicious .lnk file that we analyze with lnkanalyser:

This time we have more metadata: under the TrackerDataBlock we can find the machine name (frank), a VolumeID and a MAC address.

The MAC address starts with 00:0C:29, an OUI range assigned to VMware, so we are dealing with a virtual machine.

The target (cmd.exe) has size 301568, which is the size of cmd.exe on Windows 7.
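The fields the diary reads from lnkanalyser's output can also be pulled out with a short parser, which is useful when triaging many shortcuts at once. The following is an added example written for this page, not lnkanalyser's code and not part of the original diary: it walks the ShellLinkHeader, skips the optional LinkTargetIDList, LinkInfo and StringData sections, finds the TrackerDataBlock (ExtraData signature 0xA0000003) and reports the machine name, the four tracker GUIDs, the target FileSize from the header, and, because the file GUID in the Droid field is a version-1 UUID, the MAC address and creation timestamp embedded in it. The sample .lnk bytes, the machine name, the MAC's lower three octets and the OUI/size lookup tables are constructed for the demonstration from the values the diary quotes.

```python
"""Added example: parse the TrackerDataBlock of a Windows shortcut (.lnk).

Layout follows MS-SHLLINK. All sample data below is constructed for the demo.
"""
import json
import struct
import uuid
from datetime import datetime, timedelta, timezone

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
TRACKER_SIG = 0xA0000003           # ExtraData signature of the TrackerDataBlock
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)

# LinkFlags bits that control which variable-length sections precede ExtraData.
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 1 << 0, 1 << 1, 1 << 7
STRING_DATA_FLAGS = (1 << 2, 1 << 3, 1 << 4, 1 << 5, 1 << 6)  # Name..IconLocation

# Constructed lookup tables: 00:0C:29 is VMware's OUI and 301568 is the
# Windows 7 cmd.exe size, both as stated in the diary. For real use, extend
# them from the IEEE OUI list and hashes/sizes taken from your own golden images.
KNOWN_OUIS = {"00:0c:29": "VMware, Inc."}
KNOWN_TARGET_SIZES = {301568: "cmd.exe (Windows 7)"}


def _extra_data_offset(data):
    """Validate the ShellLinkHeader and skip IDList, LinkInfo and StringData."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = 0x4C
    if flags & HAS_ID_LIST:                       # IDListSize (2) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize includes itself
        off += struct.unpack_from("<I", data, off)[0]
    width = 2 if flags & IS_UNICODE else 1
    for bit in STRING_DATA_FLAGS:                 # CountCharacters (2) + chars
        if flags & bit:
            off += 2 + width * struct.unpack_from("<H", data, off)[0]
    return off


def _guid_info(raw16):
    """Describe a GUID; a version-1 GUID leaks the creating NIC's MAC and a timestamp."""
    u = uuid.UUID(bytes_le=raw16)
    info = {"guid": str(u), "version": u.version}
    if u.version == 1:
        node = u.node.to_bytes(6, "big")
        info["mac"] = ":".join(f"{b:02x}" for b in node)
        info["mac_is_real_nic"] = not node[0] & 1   # multicast bit set => random node
        info["time"] = (UUID_EPOCH + timedelta(microseconds=u.time // 10)).isoformat()
        info["vendor"] = KNOWN_OUIS.get(info["mac"][:8])
    return info


def parse_lnk(data):
    """Return target FileSize plus the TrackerDataBlock fields, if present."""
    size = struct.unpack_from("<I", data, 0x34)[0]
    result = {"file_size": size, "size_hint": KNOWN_TARGET_SIZES.get(size), "tracker": None}
    off = _extra_data_offset(data)
    while off + 8 <= len(data):
        block_size, sig = struct.unpack_from("<II", data, off)
        if block_size < 4:                        # TerminalBlock
            break
        if sig == TRACKER_SIG and block_size >= 0x60:
            blk = data[off:off + block_size]      # Size, Sig, Length, Version, then fields
            result["tracker"] = {
                "machine_id": blk[16:32].split(b"\x00", 1)[0].decode("ascii", "replace"),
                "volume_id": _guid_info(blk[32:48]),
                "file_id": _guid_info(blk[48:64]),
                "birth_volume_id": _guid_info(blk[64:80]),
                "birth_file_id": _guid_info(blk[80:96]),
            }
        off += block_size
    return result


def _v1_guid(ts, node):
    """Constructed version-1 GUID with a chosen timestamp and node (MAC)."""
    d = ts - UUID_EPOCH
    t = (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10
    fields = (t & 0xFFFFFFFF, (t >> 32) & 0xFFFF, ((t >> 48) & 0x0FFF) | 0x1000,
              0x80 | 0x12, 0x34, node)
    return uuid.UUID(fields=fields).bytes_le


def build_sample_lnk():
    """Constructed minimal .lnk: header (no IDList/LinkInfo/StringData) + TrackerDataBlock."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, 0, 0x20,
                         0, 0, 0, 301568, 0, 1, 0, 0, 0, 0)
    vol = uuid.UUID("8e3a0c2b-0000-4000-8000-000000000001").bytes_le   # constructed
    fil = _v1_guid(datetime(2017, 7, 20, tzinfo=timezone.utc), 0x000C29123456)
    tracker = (struct.pack("<IIII", 0x60, TRACKER_SIG, 0x58, 0)
               + b"frank".ljust(16, b"\x00") + vol + fil + vol + fil)
    return header + tracker + b"\x00\x00\x00\x00"   # TerminalBlock


SAMPLE_LNK = build_sample_lnk()

if __name__ == "__main__":
    print(json.dumps(parse_lnk(SAMPLE_LNK), indent=2))
```

To run it on a real sample, call `parse_lnk(open(path, "rb").read())`. Two caveats worth keeping in mind when reading the output: the MAC is only meaningful when the GUID is version 1 and its multicast bit is clear (otherwise Windows used a random node), and the FileSize field records the target's size at the time the shortcut was created, so the Windows 7 match is a hint about the attacker's build machine, not about the victim.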

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Keywords: lnk
