Tags: malware
Rating: 4.0
I did not think that I could complete this challenge since I've never done malware analysis, but I thought that I would give it a try since it was just a shortcut file (ಠ_ಠ)
**First I did the obvious things, like `file` and `strings`, to see what kind of information I could find. Not much.**
![](https://cdn.discordapp.com/attachments/970123167530110986/970123293904502794/step1.PNG)
**Second, I thought about getting the MD5 hash of the shortcut file and using VirusTotal to see if it finds anything, which it did.**
![](https://cdn.discordapp.com/attachments/970123167530110986/970123294126788648/step2.PNG)
![](https://cdn.discordapp.com/attachments/970123167530110986/970123294370041876/step3.PNG)
**I knew that I was on the right path since the date on VirusTotal was very, very recent for this file. I immediately went to the 'Community' tab and found a link to a Joe Sandbox analysis.**
![](https://cdn.discordapp.com/attachments/970123167530110986/970123294621724672/step4.PNG)
**Opening the link, I noticed 'Found URL in windows shortcut file (LNK)' under the 'Signatures' section. This caught my eye and I started to look for links in the report.**
![](https://cdn.discordapp.com/attachments/970123167530110986/970123294848212992/step5.PNG)
**Under the 'Static Windows Shortcut Info' section I was able to find a tinyurl link (tinyurl.com/a7ba6ma),**
![](https://cdn.discordapp.com/attachments/970123167530110986/970123295091478538/step6.PNG)
**which redirected me to a Google Drive page that had a usb.txt file with what looked like Base64-encoded data.**
![](https://cdn.discordapp.com/attachments/970123167530110986/970123295313768579/step7.PNG)
**Copying the data and trying to decode it in CyberChef did not work. The data looked too scrambled and did not make sense. I tried Base85, Base62, Base58, and Base45, and finally with Base32 I was able to correctly decode the data. At first I did not know if it was an .EXE file or a .DLL because I read a few articles and got confused, so we will call it an EXE/DLL file.**
![](https://cdn.discordapp.com/attachments/970123167530110986/970123295552847882/step8.PNG)
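An added example, not part of the original writeup: a small Python script that tries the stdlib decoders for the encodings listed above, keeps the one whose output starts with the `MZ` header, and then reads the COFF `Characteristics` field to settle the EXE-or-DLL question. The `usb.txt` content here is a constructed minimal PE header, not the challenge's payload.

```python
import base64
import struct

# IMAGE_FILE_HEADER.Characteristics DLL bit and Machine values from the PE/COFF spec
IMAGE_FILE_DLL = 0x2000
MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}

# Encodings tried in order, limited to the ones the Python stdlib decodes
DECODERS = {"base64": base64.b64decode, "base32": base64.b32decode, "base85": base64.b85decode}

def find_pe_encoding(text):
    """Return (encoding, payload) for the first decoder whose output starts with the 'MZ' stub."""
    # Base32 text is also valid base64 alphabet, so "decoder did not raise" proves nothing;
    # the header check is what separates a real decode from scrambled bytes.
    for name, decoder in DECODERS.items():
        try:
            data = decoder(text)
        except ValueError:  # binascii.Error subclasses ValueError
            continue
        if data[:2] == b"MZ":
            return name, data
    return None

def describe_pe(data):
    """Parse the COFF file header and report machine type and EXE-vs-DLL."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    machine, _, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    # A DLL has the IMAGE_FILE_DLL bit set: it is loaded by a host (e.g. rundll32), not launched on its own
    kind = "DLL" if chars & IMAGE_FILE_DLL else "EXE"
    return {"machine": MACHINES.get(machine, hex(machine)), "kind": kind}

def build_sample(characteristics):
    """Constructed minimal PE (DOS stub + COFF header only), standing in for the real payload."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows the stub
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff

# Constructed stand-in for usb.txt: Base32 of an x86 DLL header (EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL)
SAMPLE_USB_TXT = base64.b32encode(build_sample(0x2102)).decode()

if __name__ == "__main__":
    encoding, payload = find_pe_encoding(SAMPLE_USB_TXT)
    print(encoding, describe_pe(payload))  # base32 {'machine': 'x86', 'kind': 'DLL'}
```

On a real sample, `describe_pe` only reads the header; it never executes the payload, so it is safe to run on the decoded bytes before deciding how to handle them.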
**Under the 'Output' section in CyberChef I noticed a mention of MessageBox, so I thought that maybe when I executed the file a MessageBox would appear. I also noticed that there was XML at the bottom, but did not understand why it was there; maybe it's there by default for all .exe files :?**
![](https://cdn.discordapp.com/attachments/970123167530110986/970123295783546920/step9.PNG)
![](https://cdn.discordapp.com/attachments/970123167530110986/970123296031002685/step10.PNG)
**I then saved the output to a file and tried to use the `strings` command to see if I could catch an easy flag :P, but it was not that easy.**
![](https://cdn.discordapp.com/attachments/970123167530110986/970123324380282910/step11.PNG)
**Opening the file in Ghidra did not reveal too much, just a bunch of code that I do not understand.**
![](https://cdn.discordapp.com/attachments/970123167530110986/970123324673912932/step12.PNG)
**Moving over to Windows, I tried to run the .exe file but was presented with "This app can't run on your PC". The end.**
![](https://cdn.discordapp.com/attachments/970123167530110986/970123325303062548/step13.PNG)
**I tried a few different things, like using different disassemblers, but nothing caught my eye. I then thought about changing the extension to .dll and using rundll32 to run it; it did nothing..**

**Running it again with rundll32 but with a parameter shows a MessageBox with the flag (╯°□°)╯︵ ┻━┻. Don't know how, don't know why ¯\_(ツ)_/¯**
![](https://cdn.discordapp.com/attachments/970123167530110986/970123325533728798/step14.PNG)