Скачать или смотреть MALWARE on WordPress site | LNK file MALWARE ANALYSIS and HTA Deobfuscation

Analysis of a malicious LNK file which uses a compromised Uzbekistan website to launch a malicious HTA file, that in turn downloads and runs FormBook malware.

** Find me at **
Twitter/X -   / cyberraiju  
Blog - https://www.jaiminton.com/
Mastodon - https://infosec.exchange/@CyberRaiju

** Tools **
FLARE VM - https://github.com/mandiant/flare-vm
Notepad++ - https://notepad-plus-plus.org/
HxD - https://mh-nexus.de/en/hxd/
Urlscan - https://urlscan.io/
CyberChef - https://github.com/gchq/CyberChef
Detect-It-Easy - https://github.com/horsicq/Detect-It-...
LECmd - https://ericzimmerman.github.io/#!ind...
Link Parser - https://code.google.com/archive/p/lin...

** Sample **
https://bazaar.abuse.ch/sample/77e14c...
https://bazaar.abuse.ch/sample/075d39...
https://urlscan.io/responses/c1fb5c13...

** Website Scans **
https://urlscan.io/result/5271d468-79...
https://urlscan.io/result/fc3a005d-ec...
https://urlscan.io/result/de9ff7fe-e1...

** Further Reading **
https://learn.microsoft.com/en-us/win...
https://attack.mitre.org/software/S1074/

** Timestamps **
00:00 - Intro
00:13 - LNK shortcut file overview
01:02 - Analysing LNK files
02:04 - Mshta.exe running malicious .hta
02:42 - Parsing malicious LNK files
03:15 - LNK Parser Cmd
03:51 - Understanding Security Identifiers
04:30 - Tracking overlap between malicious LNK files
04:52 - LECmd
05:35 - Demonstrating useful LNK attributes
07:00 - Analysing compromised Wordpress website
07:54 - Analysing malicious HTA file
09:12 - Deobfuscating HTA with CyberChef
12:15 - Analysing 3rd stage payload
13:28 - Malware author mistake
14:56 - Deobfuscating PowerShell with CyberChef
15:48 - Locating final payload
16:56 - Outro

Credits:
SFX by Pixabay