Reverse Engineering Folder-Based Honeyfiles

Reverse engineering and the process of uncovering how something is developed is truly fascinating. Personally, I'm not just interested in what a service provider shows me through a dashboard. What really captures my attention is how things actually work behind the scenes, especially when it comes to mechanisms like IoC (Indicators of Compromise) feeds.

Recently, I came across something interesting: when I opened a specific folder, it immediately triggered an alert to my email. It turned out to be a folder-based honeyfile, and naturally, I wanted to dig deeper and understand how it was created and how it functions.

After some investigation, I discovered that it relies on a desktop.ini configuration file, which is bundled inside a ZIP archive. A .ini file does not execute anything by itself: Windows Explorer reads desktop.ini whenever it displays the folder, and if one of its resource entries (typically the icon path) points at a remote host, Explorer goes and fetches that resource. That outbound request is what the alert mechanism is keyed on, so simply opening the extracted folder results in a notification being sent to my email.

So how can we identify and detect setups like this in a simple and efficient way? Stick with me, and I'll walk you through a step-by-step guide on how to spot these kinds of honeyfiles and handle similar situations.

Tools of the Trade:

  1. WinRAR

  2. Command Prompt (CMD)

Now, here's the interesting part: when we open the extracted ZIP file using WinRAR or just explore it normally, we don't see any .ini files! That might seem confusing at first, but it's part of the trick. The file carries the hidden and system attributes, so Explorer hides it by default (it hides protected operating system files unless you change the folder options), yet Explorer still parses it as soon as the folder is opened, which is enough to trigger the alert.

Let me guide you through the process. First, open Command Prompt, then type cd "My Documents" and press Enter to navigate to the folder. After that, type dir /a. This command lists all files in the directory, including hidden and system files, which a plain dir would skip. At this point, you'll notice the presence of a file called desktop.ini. Although it wasn't visible when browsing the folder normally, it's actually there, hidden by default. This small configuration file is what a folder-based honeyfile relies on: Explorer reads it when the folder is displayed and acts on the entries inside it, and that is what raises the alert. You can refer to the image below to see what it looks like in practice.


You don't need to open Notepad to view the contents of the desktop.ini file. Instead, you can simply use the Command Prompt. Just type more < desktop.ini and press Enter; this will display the contents directly in the terminal. Alternatively, you can redirect the output into a text file by typing more < desktop.ini > dump_ini.txt. After running this command, you'll find a new file named dump_ini.txt in the same folder where you executed it. You can check the image below to see the result in action.


You can see the result of the redirection in the picture below: it shows how the contents of desktop.ini were successfully written into the dump_ini.txt file.

If you'd rather not read the output in the command line, you can simply type notepad dump_ini.txt (or replace it with the filename you used in the previous command) and press Enter to open the file directly in Notepad and view the result, as shown in the image below.


Well, we've already covered a complete guide using the Command Prompt, so now let's move on to WinRAR. In this case, working with WinRAR is very straightforward. You just need to open WinRAR, navigate to the ZIP file, and browse into the folder from inside the archive, without extracting it. WinRAR lists every entry in the archive regardless of the hidden or system attributes stored with it, so desktop.ini shows up right away, just like what's shown in the picture below.
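To turn the manual steps above (dir /a and more < desktop.ini in the Command Prompt, and browsing the archive in WinRAR) into one repeatable check, here is an added Python example; it is not code from the original post or from any honeyfile product. It opens a ZIP without extracting it, reports every desktop.ini entry together with the hidden and system attributes stored in the archive, parses the file, and flags resource values (IconResource, IconFile, LocalizedResourceName) that point at a UNC share or a URL, because a remote resource path is what makes Explorer contact the alerting host. A second function does the same walk over an already extracted folder. The archive it scans is constructed inline, and the host name in it is a placeholder.

```python
import io
import os
import re
import zipfile

# desktop.ini keys whose value is a path Explorer opens to load a resource (an
# icon or a string table) as soon as the folder is displayed. A value pointing
# at a UNC share or URL therefore makes Explorer contact that host.
RESOURCE_KEYS = ("iconresource", "iconfile", "localizedresourcename")
REMOTE_PATH = re.compile(r"^(\\\\[^\\]+\\|https?://)", re.IGNORECASE)

DOS_HIDDEN, DOS_SYSTEM = 0x02, 0x04  # MS-DOS attribute bits kept in ZIP external_attr


def decode_ini(data):
    """Decode desktop.ini bytes; Windows writes ANSI/UTF-8 or UTF-16 LE with a BOM."""
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("utf-8-sig", errors="replace")


def parse_desktop_ini(text):
    """Minimal INI parser: {section: {key_lower: value}}; ignores ';' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def find_remote_resources(text):
    """Return (section, key, target) for every resource value that points off-host."""
    hits = []
    for section, keys in parse_desktop_ini(text).items():
        for key, value in keys.items():
            # Drop the '@' prefix and the ',index' suffix Explorer allows on resource paths.
            target = value.lstrip("@").split(",", 1)[0].strip()
            if key in RESOURCE_KEYS and REMOTE_PATH.match(target):
                hits.append((section, key, target))
    return hits


def scan_zip(zip_bytes):
    """List every desktop.ini inside an archive without extracting it, with the
    DOS hidden/system flags stored for it and any remote resource targets."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if os.path.basename(info.filename).lower() != "desktop.ini":
                continue
            attrs = info.external_attr & 0xFF
            findings.append({
                "entry": info.filename,
                "hidden": bool(attrs & DOS_HIDDEN),
                "system": bool(attrs & DOS_SYSTEM),
                "remote": find_remote_resources(decode_ini(zf.read(info))),
            })
    return findings


def scan_tree(root):
    """The 'dir /a' equivalent for an extracted folder: os.walk lists files
    regardless of their hidden/system attributes, so nothing is skipped."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "desktop.ini":
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    findings.append({"entry": path,
                                     "remote": find_remote_resources(decode_ini(fh.read()))})
    return findings


def build_sample_zip():
    """Constructed sample, not a real token: one ordinary folder and one whose
    hidden+system desktop.ini points its icon at a remote share."""
    # files.example.invalid is a placeholder host name used only for illustration.
    benign = "[.ShellClassInfo]\r\nIconResource=C:\\Windows\\System32\\shell32.dll,3\r\n"
    beacon = ("[.ShellClassInfo]\r\n"
              "IconResource=\\\\files.example.invalid\\share\\folder.ico,0\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Archive/desktop.ini", benign)
        zi = zipfile.ZipInfo("My Documents/desktop.ini")
        zi.external_attr = DOS_HIDDEN | DOS_SYSTEM  # same flags dir /a reveals after extraction
        zf.writestr(zi, beacon)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample_zip()):
        verdict = "REMOTE resource -> likely honeyfile" if f["remote"] else "local resource"
        print(f"{f['entry']}: hidden={f['hidden']} system={f['system']} {verdict} {f['remote']}")
```

Run it against a real archive with scan_zip(open("file.zip", "rb").read()) before extracting, or scan_tree(r"C:\Users\you\Documents") afterwards. A local icon path such as shell32.dll is normal and is left alone; only a UNC or URL target is reported, which keeps the check quiet on the many legitimate desktop.ini files Windows itself writes.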
