pandora
[Worker] Adding a lnk parser
Hey,
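Since malware makes use of .lnk files, it would be nice to have a worker that parses them (for information only), for example to show the relative path, icon location and window style that appear in the output below.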
Python 3.9.2 (default, Feb 28 2021, 17:03:44)
[GCC 10.2.1 20210110] on linux
Type "help", "copyright", "credits" or "license" for more information.
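>>> import LnkParse3
>>> # A .lnk file is a binary format, so the sample is opened in 'rb' mode.
>>> with open('1.lnk', 'rb') as indata:
...     # Build the parsed representation from the open file handle.
...     lnk = LnkParse3.lnk_file(indata)
...     # Dump every parsed section (header, data, extra, target) as JSON.
...     lnk.print_json()
...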
{
"data": {
"description": "only",
"icon_location": "C:\\Windows\\System32\\shell32.dll",
"relative_path": "..\\..\\them\\worker.cmd"
},
"extra": {
"ICON_LOCATION_BLOCK": {
"size": 788,
"target_ansi": "%SystemRoot%\\System32\\shell32.dll",
"target_unicode": "%SystemRoot%\\System32\\shell32.dll"
}
},
"header": {
"accessed_time": null,
"creation_time": null,
"file_flags": [],
"file_size": 0,
"guid": "00021401-0000-0000-C000-000000000046",
"hotkey": "UNSET - UNSET {0x0000}",
"icon_index": 4,
"link_flags": [
"HasTargetIDList",
"HasName",
"HasRelativePath",
"HasIconLocation",
"IsUnicode",
"HasExpIcon"
],
"modified_time": null,
"r_file_flags": 0,
"r_hotkey": 0,
"r_link_flags": 16589,
"windowstyle": "SW_SHOWMINNOACTIVE"
},
"link_info": {},
"target": {
"items": [
{
"class": "Root Folder",
"guid": "20D04FE0-3AEA-1069-A2D8-08002B30309D",
"sort_index": "My Computer"
},
{
"class": "Volume Item",
"data": null,
"flags": "0xf"
},
{
"class": "File entry",
"file_attribute_flags": 16,
"file_size": 0,
"flags": "Is directory",
"primary_name": "them"
},
{
"class": "File entry",
"file_attribute_flags": 0,
"file_size": 0,
"flags": "Is file",
"primary_name": "worker.cmd"
}
]
}
}
Best regards,