WSL2, Docker, & CyberChef

WSL2 is here for Windows 10 version 2004. The big difference is that Docker containers can now be run from within WSL2. I’ve never been much of a docker aficionado but thought I’d take a look to see how it all worked. Installation: WSL2 WSL2 isn’t yet at an automatic install or upgrade. There are still some manual steps detailed here. Essentially in an Administrator PowerShell instance: dism.exe /online /enable-feature /featurename:VirtualMachinePlatform /all /norestart Restart your machine wsl --set-default-version 2 Install a linux distribution: I chose Ubuntu 20.

YouTube is my C2

A couple of days back I tweeted about some interesting LNK file samples I had found on Virus Total. They were interesting due to their endless Russian Doll-esque style of behaviour which involed extracting VBE script upon VBE script, patching headers and reversing bytes. As of 31 May 2020, I’ve identified eleven samples dating between 2020-03-02 to 2020-05-29 as uploaded to Virus Total. They are all consistently created from the same VMWare host using the same account, and the same base LNK template as seen by the output of LECMD:

Forensic Freebie with

So, I have an old domain that I haven’t used: I could keep paying for ownership, and wait and wait for some reason to come up for me to use it. Or, I could use it now by giving it away to someone else who wants to start a digital forensics blog! So that’s what I’m going to do. The Competition Update 2020/05/18! It’s with great pleasure that I annouce I have transferred ownership of digitalforensics.

"Say Cheese!" An analysis of foto.lnk

In Australia, a platypus is colloquially called the ‘spare parts animal’. It’s an egg-laying mammal, with a duck bill, beaver tail and webbed feet. It’s perfectly adapted to its environment despite looking like a Frankenstien of the animal world. What does this have to do with a malicious LNK file? Well, apart from the fact I like platypuses (or is it platypi?), malware using LNK files stitch together the world between the attacker and the victim.

Deriving intelligence from LNK files

LNK files have a healthy life in DFIR. There is good reason: they are so awesome for analysis. Whether it be linking a user to knowledge of a file, as part of a jump list, or in their use for malicious purposes. In regards to the latter, The MITRE ATT&CK framework describes this as the specific technique: ‘shortcut modification’ (T1023) which is summarised as follows: Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.

Base64 Encoded File Signatures

Inspired by a post by John Lambert and others who contributed, I’ve put together a table of Base64 encodings for certain file signatures and script elements often encountered in malware analysis. Due to the nature of Base64 encoding, there are different possibilities of the encoding result depending on the placement of the bytes in the overall structure of the blob. Using CyberChef all the possible Base64 offsets can be determined. However, in the below tables for ease I’ve only included the fixed bytes as if the header was at the start of the blob of Base64.