Evasion by Annoyance: When LNK Payloads Are Too Long
Introduction
I was analyzing this sample from the Malware Hunter Team and spent hours trying to parse the full payload out of the LNK file, because the payload is unusually long. I will go through my troubleshooting process and show how I finally managed to pull the whole payload out. (I should have known something was up when MHT indicated the LNK was 40+ MB.)
The Analysis
The ISO file appears to have been uploaded to VT roughly a week or two after initial creation.
Downloading and mounting the ISO file on a Windows machine shows a LNK and EXE file (the EXE file is marked as “hidden”).
If we look at the LNK properties, we see a bunch of blank space.
Copying the contents of the “Target:” field into CyberChef shows that the blank space is actually preceded by a cmd.exe invocation.
Surely this is not the actual payload, so let's keep digging.
The next thing I tried was parsing it with PowerShell, using this post as a reference, and this is what I got:
Sweet, we have some PowerShell. But decoding the Base64 leaves only a PowerShell comment containing lorem ipsum style text.
The next thing I did was assume I had misunderstood something about text encoding, so I used the “Decode text” operation in CyberChef to try every encoding and see whether anything resembled a payload. That was not the case (and trying all of them took a long time).
After that, I opened the LNK file in Notepad and noticed a much larger payload staring me in the face.
I was not satisfied with this, though, because I had “stumbled across” it; I wanted a tool I could use for this in the future. After some research I found that there is a Linux utility that can parse LNK files, thanks to this post.
So I started a REMnux VM, mounted the ISO image on it, and used lnkinfo to pull the payload out. This time it worked: we got the whole payload!
After decoding it from Base64 we see two lines. The first one (above the red mark on the left) is the PowerShell comment from earlier, and the second one (below the red mark) is the actual payload.
Focusing on the second line, it runs the EXE that was shipped with the ISO file.
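As an added illustration of the extraction lnkinfo performs (this is my own example code, not the author's or the liblnk project's), the parser below walks the MS-SHLLINK header, LinkTargetIDList and LinkInfo structures to reach the StringData Arguments field, reads it in full using its 16-bit CountCharacters length rather than a display width, and then Base64-decodes the -EncodedCommand value into its lines. The sample LNK is constructed inline and mimics the post: a cmd.exe prefix, thousands of spaces of padding, then an encoded script whose first line is a comment and whose second line runs a dropped EXE (the names payload.exe and the padding length are constructed, not from the sample).

```python
import base64
import struct

# LinkFlags bits and fixed header size from MS-SHLLINK
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))
HEADER_SIZE = 0x4C

def lnk_string_data(data: bytes) -> dict:
    """Walk the LNK structures and return every StringData field in full."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:                     # LinkTargetIDList: 2-byte size, then the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                   # LinkInfo: 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    out = {}
    for flag, name in STRING_FIELDS:            # fixed order, each present only if flagged
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        raw = data[pos + 2:pos + 2 + count * width]
        pos += 2 + count * width
        out[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return out

def decode_encoded_command(arguments: str) -> list:
    """Find powershell's -EncodedCommand value (Base64 of UTF-16LE) and return its lines."""
    tokens = arguments.split()                  # also collapses the whitespace padding
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower().lstrip("-/") in ("e", "ec", "enc", "encodedcommand"):
            return base64.b64decode(tokens[i + 1]).decode("utf-16-le").splitlines()
    return []

def build_sample_lnk(arguments: str) -> bytes:
    """Constructed minimal LNK: header with only HasArguments|IsUnicode set, then Arguments."""
    clsid = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
    header = struct.pack("<I16sI", HEADER_SIZE, clsid, 0x20 | IS_UNICODE).ljust(HEADER_SIZE, b"\x00")
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")

# Constructed sample mimicking the post: a comment line, then the line that runs the dropped EXE,
# hidden behind thousands of spaces so a properties dialog shows only the cmd.exe prefix.
SAMPLE_SCRIPT = "# lorem ipsum dolor sit amet, consectetur adipiscing elit\r\nStart-Process .\\payload.exe"
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
SAMPLE_ARGUMENTS = "/c " + " " * 4000 + "powershell -w hidden -e " + SAMPLE_B64
```

On a real file, pass `open(path, "rb").read()` to `lnk_string_data` and feed the returned `arguments` value to `decode_encoded_command`; the second returned line is where the EXE launch appeared in this sample.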
Conclusion
The main point of this post is to showcase the unusual case where a LNK payload is too long to pull out just by looking at the file properties, and to provide a solution for it. In this case I used REMnux (you will need to install the package mentioned in the SuperUser post: sudo apt install liblnk-utils).
For a Windows-based solution, Mandiant has a blog post that references LECmd, but I have not tried it.