Monday, 27 November 2017

IRIS-H (alpha): Updated LNK file parser / Command line arguments deobfuscation added

Quick Summary

Build Version: 0.0.1(alpha)
Change Type: feature update
Affected Components: API & UI (clear browser cache for 'iris-h.service' to see the changes)
Short Description: Parser for LNK files has been updated. Command line arguments string deobfuscation and URL extraction code have been added. UI Report page has been updated to display the new data.
Outstanding Tasks: None

Detailed Summary

IRIS-H Shell Link (.LNK) file parser has been updated and now attempts to deobfuscate the command line arguments string. When the command line arguments string is present, the service will attempt the following:

  • detect environment variables assignments with 'set' command
  • detect environment variables usage with ' ' and ' ' special characters
  • replace referenced environment variables with their corresponding values
  • remove escaping characters ' ' and ' '
  • detect and extract URL strings
  • detect string concatenation operations and perform them

Below is a report example showing the new feature in action.

LNK file analysis results showing deobfuscated command line arguments string and extracted URL

More examples can be found here:

IRIS-H UI changes might require your Internet browser cache clean up for website to take effect.

No comments:

Post a Comment