LNK Execution Timestamp Spoofing via Filename Collision
I made two different files, Husam.exe and Husam.exe, in different paths (or instead you can make two MalDoc files with the same name in two paths).
The first Husam.exe is the real malware, while the second Husam.exe is just a benign compiled executable printing a "Hello World!" statement.
So, after running both executables, what do you think has happened?!
1. Two LNK files were generated for Husam.exe and Husam (1).exe
2. Only one LNK file of Husam.exe was generated.
Choose one.
Ok, the right answer may be surprising, but it is 2.
Only one LNK file was generated for Husam.exe
Ok, then guess what I did..
I ran the first Husam.exe (real malware) and waited a few minutes, then ran the benign executable..
The timestamp of the Husam.exe LNK file was referring to the most recent execution of the benign instance of Husam.exe instead of the first one.
I believe we can do further research on that, but it can be used to spoof the execution timestamp of the real malware produced by LNK files.
So, basically it is anti-forensic timestamp manipulation of LNK artifacts, and I call it: LNK Execution Timestamp Spoofing via Filename Collision
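Added example (my own code, not from the post): a small Python parser for the ShellLinkHeader and LinkInfo structures of a .lnk file (MS-SHLLINK). It pulls out the target path, size and the three embedded file times, which tell an analyst which Husam.exe the single Recent-items link currently describes, so the link alone is not taken as the execution record of the first binary. The build_lnk() fixture, the sample paths and the times are constructed for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

# MS-SHLLINK constants (real values from the spec)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
_FT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_filetime(dt):
    """UTC datetime -> FILETIME (100 ns ticks since 1601-01-01), integer-exact."""
    return ((dt - _FT_EPOCH) // timedelta(microseconds=1)) * 10

def from_filetime(ft):
    return _FT_EPOCH + timedelta(microseconds=ft // 10)

def build_lnk(target, created, accessed, written, size):
    """Constructed minimal .lnk (ShellLinkHeader + LinkInfo); sample input only."""
    vol = struct.pack("<IIII", 17, 3, 0x1234ABCD, 16) + b"\0"   # VolumeID, empty label
    path = target.encode("ascii") + b"\0"                         # LocalBasePath
    body = vol + path + b"\0"                                     # + empty CommonPathSuffix
    info = struct.pack("<IIIIIII", 28 + len(body), 28, 1, 28, 28 + len(vol), 0,
                       28 + len(vol) + len(path)) + body
    hdr = struct.pack("<I16sII", 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x20)
    hdr += struct.pack("<QQQ", to_filetime(created), to_filetime(accessed), to_filetime(written))
    hdr += struct.pack("<IiIHHII", size, 0, 1, 0, 0, 0, 0)       # FileSize .. Reserved3
    return hdr + info

def parse_lnk(data):
    """Return the metadata a .lnk carries about the file it points at."""
    hdr_size, clsid, flags, attrs = struct.unpack_from("<I16sII", data, 0)
    if hdr_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    # These are the TARGET's file times, not the time the link was created or used.
    ct, at, wt = struct.unpack_from("<QQQ", data, 28)
    size = struct.unpack_from("<I", data, 52)[0]
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip IDList: 2-byte size + items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    target = None
    if flags & HAS_LINK_INFO:
        info_flags, _vol_off, base_off = struct.unpack_from("<III", data, off + 8)
        if info_flags & 1:                         # VolumeIDAndLocalBasePath present
            start = off + base_off
            target = data[start:data.index(b"\0", start)].decode("ascii")
    return {"target": target, "size": size, "attrs": attrs, "created": from_filetime(ct),
            "accessed": from_filetime(at), "written": from_filetime(wt)}

def target_matches(parsed, suspect_path):
    """True if the link currently describes the file at suspect_path (case-insensitive)."""
    return parsed["target"] is not None and parsed["target"].lower() == suspect_path.lower()

# Constructed sample: the single Recent-items link now describes the benign copy.
SAMPLE_LNK = build_lnk(r"C:\Users\lab\Desktop\hello\Husam.exe",
                       datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc),
                       datetime(2024, 3, 1, 10, 5, tzinfo=timezone.utc),
                       datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc), 12288)
```

Because a mismatch between the link's target path and the suspect binary's path shows the record was overwritten by a later run, the execution time of the first binary should be corroborated from other artifacts rather than read off this LNK.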