531313033fdb71c44c0791f56679e55c36f06fa6250f90f68ebaf42e7a2a044b

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20/07/2024, 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
Size

10.6MB
MD5

5f614b3d2a686b4995c38b91324d8fdb
SHA1

72c298fb258d9e318aba64e900e91f3174cb2dbe
SHA256

531313033fdb71c44c0791f56679e55c36f06fa6250f90f68ebaf42e7a2a044b
SHA512

778c0d3ac4a7091cd09a5a9de4b3e41ea7c94c334af6219c85cf2f275feb3345adb42221193f6aac14e84fd1110ff52afb14cf24a7e7333bcbdf60fedb41681c
SSDEEP

196608:NBHC8KwHrU6Ery5NXJZzkl3fP0puCSe3xb1WujMYJroJiPEgI2fPZdms:DC8K6rery5ZDzklPMpuCl50uXozCPZb

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\bbnetdriver.sys	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe

Executes dropped EXE 12 IoCs

pid	Process
2548	Baidu.exe
2088	Baidu.exe
264	Baidu.exe
1264	Baidu.exe
2212	Baidu.exe
316	Baidu.exe
1788	Baidu.exe
2476	BaiduService.exe
3004	BDDockerX64.exe
3032	BaiduRenderClient.exe
2964	Baidu.exe
2740	Baidu.exe

Loads dropped DLL 64 IoCs

pid	Process
1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
2548	Baidu.exe
2088	Baidu.exe
264	Baidu.exe
1264	Baidu.exe
2088	Baidu.exe
264	Baidu.exe
2548	Baidu.exe
1264	Baidu.exe
264	Baidu.exe
2548	Baidu.exe
1264	Baidu.exe
2088	Baidu.exe
264	Baidu.exe
2548	Baidu.exe
2088	Baidu.exe
1264	Baidu.exe
264	Baidu.exe
2548	Baidu.exe
2088	Baidu.exe
1264	Baidu.exe
264	Baidu.exe
2548	Baidu.exe
2212	Baidu.exe
264	Baidu.exe
2212	Baidu.exe
2212	Baidu.exe
2212	Baidu.exe
2212	Baidu.exe
2548	Baidu.exe
1264	Baidu.exe
316	Baidu.exe
316	Baidu.exe
316	Baidu.exe
316	Baidu.exe
316	Baidu.exe
2548	Baidu.exe
264	Baidu.exe
2088	Baidu.exe
2212	Baidu.exe
316	Baidu.exe
1264	Baidu.exe
2212	Baidu.exe
2212	Baidu.exe
2088	Baidu.exe
1264	Baidu.exe
316	Baidu.exe
2088	Baidu.exe
1264	Baidu.exe
1264	Baidu.exe
316	Baidu.exe
1264	Baidu.exe

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	180.76.76.76
Destination IP	180.76.76.76
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	180.76.76.76
Destination IP	180.76.76.76
Destination IP	180.76.76.76
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	180.76.76.76

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\BaiduClient = "\"C:\\Users\\Admin\\AppData\\Local\\Baidu\\BaiduClient\\3.0.0.2873\\Baidu.exe\" --auto-run"	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	BaiduService.exe

Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Baidu.exe
File opened for modification	\??\PhysicalDrive0	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	Baidu.exe
File opened for modification	\??\PhysicalDrive0	Baidu.exe
File opened for modification	\??\PhysicalDrive0	BaiduRenderClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPoicy	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPoicy\{73F970DA-48AC-43F1-9848-FB90504CE3E9}\AppName = "Baidu.exe"	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPoicy\{73F970DA-48AC-43F1-9848-FB90504CE3E9}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Baidu\\BaiduClient\\3.0.0.2873"	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPoicy\{73F970DA-48AC-43F1-9848-FB90504CE3E9}\Policy = "3"	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPoicy\{73F970DA-48AC-43F1-9848-FB90504CE3E9}	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
1184	Explorer.EXE
3032	BaiduRenderClient.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1184	Explorer.EXE
1788	Baidu.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
Token: SeDebugPrivilege	1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
Token: SeDebugPrivilege	1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
Token: SeDebugPrivilege	1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
Token: SeDebugPrivilege	1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
Token: SeDebugPrivilege	1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
Token: SeDebugPrivilege	1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
Token: SeDebugPrivilege	1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
Token: SeDebugPrivilege	1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
Token: SeDebugPrivilege	1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
Token: SeDebugPrivilege	3004	BDDockerX64.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
3004	BDDockerX64.exe
1184	Explorer.EXE
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1184	Explorer.EXE
1184	Explorer.EXE
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe
1788	Baidu.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1788	Baidu.exe
1788	Baidu.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1788	Baidu.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1184	Explorer.EXE

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 2548	1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	30
PID 1476 wrote to memory of 2548	1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	30
PID 1476 wrote to memory of 2548	1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	30
PID 1476 wrote to memory of 2548	1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	30
PID 1476 wrote to memory of 2088	1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	31
PID 1476 wrote to memory of 2088	1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	31
PID 1476 wrote to memory of 2088	1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	31
PID 1476 wrote to memory of 2088	1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	31
PID 1476 wrote to memory of 264	1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	32
PID 1476 wrote to memory of 264	1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	32
PID 1476 wrote to memory of 264	1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	32
PID 1476 wrote to memory of 264	1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	32
PID 1476 wrote to memory of 1264	1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	33
PID 1476 wrote to memory of 1264	1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	33
PID 1476 wrote to memory of 1264	1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	33
PID 1476 wrote to memory of 1264	1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	33
PID 1476 wrote to memory of 2212	1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	34
PID 1476 wrote to memory of 2212	1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	34
PID 1476 wrote to memory of 2212	1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	34
PID 1476 wrote to memory of 2212	1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	34
PID 1476 wrote to memory of 316	1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	35
PID 1476 wrote to memory of 316	1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	35
PID 1476 wrote to memory of 316	1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	35
PID 1476 wrote to memory of 316	1476	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	35
PID 1788 wrote to memory of 3004	1788	Baidu.exe	39
PID 1788 wrote to memory of 3004	1788	Baidu.exe	39
PID 1788 wrote to memory of 3004	1788	Baidu.exe	39
PID 1788 wrote to memory of 3004	1788	Baidu.exe	39
PID 1788 wrote to memory of 3032	1788	Baidu.exe	40
PID 1788 wrote to memory of 3032	1788	Baidu.exe	40
PID 1788 wrote to memory of 3032	1788	Baidu.exe	40
PID 1788 wrote to memory of 3032	1788	Baidu.exe	40
PID 3004 wrote to memory of 1184	3004	BDDockerX64.exe	21
PID 1788 wrote to memory of 2964	1788	Baidu.exe	41
PID 1788 wrote to memory of 2964	1788	Baidu.exe	41
PID 1788 wrote to memory of 2964	1788	Baidu.exe	41
PID 1788 wrote to memory of 2964	1788	Baidu.exe	41
PID 1788 wrote to memory of 2740	1788	Baidu.exe	42
PID 1788 wrote to memory of 2740	1788	Baidu.exe	42
PID 1788 wrote to memory of 2740	1788	Baidu.exe	42
PID 1788 wrote to memory of 2740	1788	Baidu.exe	42

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
PID:1184
- C:\Users\Admin\AppData\Local\Temp\5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Adds Run key to start application
  - Writes to the Master Boot Record (MBR)
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe
    "C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe" -p 1 --inst-task 12#0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2548
- - C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe
    "C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe" -p 1 --inst-task 12#1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2088
- - C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe
    "C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe" -p 1 --inst-task 11
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:264
- - C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe
    "C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe" --inst-task 5 -p 1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1264
- - C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe
    "C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe" --inst-task 2#"C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873" -p 1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2212
- - C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe
    "C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe" -p 5 -t 0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    PID:316
- C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe
  "C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe" --main-frame 0 --search-bar 2 --tray 1
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\BDDockerX64.exe
    "C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\BDDockerX64.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3004
- - C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\wrs\BaiduRenderClient.exe
    "C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\wrs\BaiduRenderClient.exe" --breakpad="\\.\pipe\crashservice.1788.0.7162" --humming-dir="C:\Users\Admin\AppData\Roaming\Baidu\Baidu\plugin" --main-frame="" --search-bar="" --service-exe="BaiduRenderClient.exe" --tray="" --xchannel="\\.\pipe\ipc.1788.0.7162" --xtype="service" /prefetch:1
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious behavior: EnumeratesProcesses
    PID:3032
- - C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe
    "C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe" -p 3 -r 1788 -c 3 -m 7679401527536 --magic-number 7679401527536
    3⤵
    - Executes dropped EXE
    PID:2964
- - C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe
    "C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe" -p 2 -r 1788 -c 4 -m 7679401527536 --magic-number 7679401527536
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:2740

C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\BaiduService.exe
C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\BaiduService.exe
1⤵
- Executes dropped EXE
- Enumerates connected drives
PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\brp.exe

Filesize
905KB

MD5
f3482cb7643db3dfe3e78dd32514277c

SHA1
93c4f50c18128bc4a77b5d85826f3f29ce56f68a

SHA256
c8c300ab2b4bdebd6fdfe4e92b46be4977f851261677b5bd2500a10ce00771c7

SHA512
45c7a13b9781d87dd93b537d2589b53f13879ef7b78cb0c1a82622f256232cddb10cc93f43dfae96101d929b19676d538711c91731da37b0a122120acc8df16d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mb_setup.log

Filesize
1KB

MD5
10f7df6d159ae3c7334f7d80ed890eb7

SHA1
cce3cd9c31a306a04bbbd4970fe49212985e8a6f

SHA256
c2ed7ab25c83b28d9a64911d58783b72bc2f2af6d372bd99fc4af3c7eb6bd4be

SHA512
b62c304b3c501c2e63423e9dc6f622d4d91f2ad17c2a5b7d1487c694779466fec134e11c7eebdb9512533692da7582d8d84924a08c99fc5214f21495f0bc3039

Download Submit
C:\Users\Admin\AppData\Local\Temp\mb_setup.log

Filesize
1KB

MD5
c24c3f8c95f5a3f8b8bf1a06fa91a469

SHA1
8758530843e7af229854c0efbaeff9cbf9ff11dd

SHA256
6ad57e079a1a8595b2e04b4a387fb66be31c156cab3b7bf3120185090e722d45

SHA512
e9a71f64a862bfc9e6e70fe3944d4da7f54efb7eed157684bc7a25442e0d179f6a528367aaa552814cd7edcdf2e3ed71e1315163b1693d1437a35ceb612862af

Download Submit
C:\Users\Admin\AppData\Roaming\Baidu\Baidu\pb\100.pb

Filesize
115B

MD5
0a046fc4ac62ca3278450db3c4d14330

SHA1
8d4cec6518773caab72c4ff79d138b62ea6c1337

SHA256
02fe395561c74e117eedd1ac5f9c5d9d2be407affde144421199623ac83da6b7

SHA512
0dd7829970f5406b5466017359eff58e70dd33f36092e9073ae68f2d4543cf2494dad39012705841286cbab6dcd9f84c603582e97dfaaea416e756741d419ba0

Download Submit
C:\Users\Admin\AppData\Roaming\Baidu\Baidu\plugin\extends\LocalPluginInfo.xml

Filesize
2KB

MD5
6490060dad9933a77452e9485f773f3b

SHA1
b64330f4bf670385b2dcd03493ec8e34071b1815

SHA256
f4a28b882e04982c6de7eca8f63cf6329261b22cd2f5a136bc25097d5063dc64

SHA512
1e0d844db7bde7ab27af64b050fb6a4c31ac6732c349c5b9fa5f92241ba3fe2cadce5bff7f294fd4843c7e2bb368038dc3c47f29466413811830f4a045c7f9e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\百度\百度.lnk

Filesize
1KB

MD5
3c6e884730e4da0aeb7a7f979bf5d8d0

SHA1
4f54504a3236d513bc05064d9032f4228acc65ab

SHA256
71acec8bb8582fd7c53f3eac9119b3fdf4798db3a7c9114a5dd8d055ac9a614d

SHA512
47a1b8742029ae2d60e5fb1c70ab73a53488fc211293d570710b25e11aabc80fcdbf6b0aeca0826c6f458cc724cfe7787469ad71028d4b973e124006f642716f

Download Submit
\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe

Filesize
691KB

MD5
ba4c5f1d1bcfcb2ffd973415b7975399

SHA1
84859acf0e413a4feb037b2e51ba8aa42d6ceb7f

SHA256
8c31b32dfdb39274475ca2a061ad2280e91cd47425edeeb9a136909aa26c8df4

SHA512
e05549af52276b3c3bf1eee871c723d74da3d91350ce9c01da231101b61d8815cb4956e0f9a90c04dd08fc96a66eeb885ddf5819010f6f289e7df478c37ce11c

Download Submit
\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\CommonWorker.dll

Filesize
54KB

MD5
d03ed968e344179761906e692764a23d

SHA1
9b060eb5db716eb91fb0a419a1179691c0c44593

SHA256
c9c6e7e2fb2197ab9fc47d4a6a7b88656aa22257ba8caf7fa0f5145434e1a3db

SHA512
6aa313d2d6c7200ef84686d48740df43348463566c5a39cffba77a545c000963e7d975617186ca079f68f3eb90079329b733efb46266dde4d9a7a2f9eead95c4

Download Submit
\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\bdlog.dll

Filesize
37KB

MD5
56d1d9be11aec8560139c779f353155c

SHA1
b28a2b5b348fb49cd3222e6a804ab934d293bcf2

SHA256
cba98b57e8c9b5d9f34b68b2b9433187705c3ef65b11b0f20373ce5e05859c96

SHA512
33f65c8af6937cc680e95d3f638d6fd861ce4aedb3595c9cc16afdd072e63a36b9b6ee28aed033e5779679d2c73c943b81759abb96a6a31e5d823c9dbd27f247

Download Submit
\Users\Admin\AppData\Local\Temp\nst82D.tmp\BDMSkin.dll

Filesize
1.8MB

MD5
3f6dc271f034861cb4be850a816105e3

SHA1
d83f7a11d47d4668737ff64139870bad8a8722a0

SHA256
4f5d4dc959ccb0f201b2f2c761c74f6284ec90fe4d05e11813c63f584356205a

SHA512
2149b342a8bb8486faf3e7ffe43b6fe66bad4b93512ed668caccdf63399a48411b92b31c99a018c92e4590584d8c0111a483f8161ec179d5f92aba2e398fa76a

Download Submit
\Users\Admin\AppData\Local\Temp\nst82D.tmp\BaiduReport.dll

Filesize
355KB

MD5
33ac85604ff109e2a297c03fc1037bf1

SHA1
02be88a95fc04ec73c4ed33601f832e86d5f0bb3

SHA256
47c64647fe2ef3215e919295fd3627b25e85877a690d2ba940f4177cfef2678c

SHA512
80c3428e0bd0585f2c4076fc814b638aeab637b2a56b37febef08f75fad426b268fcc2409cc8d09738c23ffc7d56250683b157a5e452b4b43a2bf88d4f489826

Download Submit
\Users\Admin\AppData\Local\Temp\nst82D.tmp\Base.dll

Filesize
777KB

MD5
6fdcd6d9faf849ecd71d4fa329969780

SHA1
3480193f5e7a37bf8a01f728566b48d56850749b

SHA256
a31fbc3014712fca12637400897816c41f65627434bdde1f4c8c0c025f08bad2

SHA512
5a3ddbd1abda841bc06c210f612cfde3a48016991ea6a8dc5ee00574aee1904c70695226490986465c950bf09564bf56715d2c25fcee9931f33b82dcefc2c111

Download Submit
\Users\Admin\AppData\Local\Temp\nst82D.tmp\InstallHelper.dll

Filesize
242KB

MD5
f497a1c6f5f1faca1a05fbee72abc07a

SHA1
3af6939afd2cdfc3eb7e9f6ff4cf26d254f97923

SHA256
ec6a6f16902d84802d0a744a6537d7bebe40b4ad9c8bce4de012c3224c98030c

SHA512
3a523e91cf7e4bd3c83f4eb9a861f410fb2be7367514cb7cf9c47f9f6aa3bcf200640c53bd96acf11f2177938b27cad033f361d67eb6098cb40eb3538292d8ba

Download Submit
\Users\Admin\AppData\Local\Temp\nst82D.tmp\Protocol.dll

Filesize
355KB

MD5
a0ec723d41810478bb659a85e4e92f3d

SHA1
24cc9fc77abcafe0dd1c5a4e547a8b4efd63c85f

SHA256
dd57149bfa1348e482afddbbe79187527cbd358cdb3036fdf4e8b9f446d020cf

SHA512
ed98dff026eff8501a526dc36c5f68b63adc5a1704881015d6a9f7af53e5a3a47da6aad8d054b7f7cf0821f479a016f45ad20a1b201c263a09cf8265cd772c4d

Download Submit
\Users\Admin\AppData\Local\Temp\nst82D.tmp\Report.dll

Filesize
108KB

MD5
4ed3f52e01ac04d6b1fa05ff8a41c2fe

SHA1
9c363a2658db7deffe5358634320671ef6fc7664

SHA256
542440c178b553d4a1b01d83f05df6a1ba842571f4a9f90b06fdceab06336fe1

SHA512
8fcc515adc959c5b07b4c94400f6e39d75d9ba8a9556d7f4df8891a642b967f13b9f8302ff56bebac505a8a73a3bd4980e29406ccc918fb1dd3d7acc69f776ff

Download Submit
\Users\Admin\AppData\Local\Temp\nst82D.tmp\System.dll

Filesize
17KB

MD5
bdb492684b7a99ee0aa1d10c1f8bf702

SHA1
c7b8a53cf1481df2a4a7eb11aeb824ff8b3a4698

SHA256
4919ffc0acdada4f18469d7fc76abaec4584b99709bbd276c6e9a8043be76481

SHA512
479f996f7dfbad9fff8f4bf3493dcaaa680390919233fb875d08efc0e6b71a94db9eae510091496a4c99e09ed793aae87ef64bd80e55cbf94823848d2edc0d20

Download Submit
\Users\Admin\AppData\Local\Temp\nst82D.tmp\Utils.dll

Filesize
928KB

MD5
9ac5812dbee6e04f5d818dc5afb46480

SHA1
5232fb8d2ecb4cbbd52054741282cfb86fdd6e9d

SHA256
77ec589230c246ff136b9abe22691e978c30aff7c3e222be34195a671c8b3d8d

SHA512
970dd347a9d1a22dc02fba0ad1d8f7ac16c00dfca97045de5453ef8c7f64fac019d89aa2e1c69fb10ea3a29388a52c163da904d7b5abec95c18f0981a054c0e0

Download Submit
\Users\Admin\AppData\Local\Temp\nst82D.tmp\msvcp100.dll

Filesize
411KB

MD5
bc83108b18756547013ed443b8cdb31b

SHA1
79bcaad3714433e01c7f153b05b781f8d7cb318d

SHA256
b2ad109c15eaa92079582787b7772ba0a2f034f7d075907ff87028df0eaea671

SHA512
6e72b2d40e47567b3e506be474dafa7cacd0b53cd2c2d160c3b5384f2f461fc91bb5fdb614a351f628d4e516b3bbdabc2cc6d4cb4710970146d2938a687dd011

Download Submit
\Users\Admin\AppData\Local\Temp\nst82D.tmp\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
memory/264-504-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/264-503-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/264-544-0x0000000076EA0000-0x0000000076ED5000-memory.dmp

Filesize
212KB

Download
memory/264-543-0x0000000077230000-0x0000000077277000-memory.dmp

Filesize
284KB

Download
memory/316-643-0x0000000076EA0000-0x0000000076ED5000-memory.dmp

Filesize
212KB

Download
memory/316-642-0x0000000077230000-0x0000000077277000-memory.dmp

Filesize
284KB

Download
memory/1184-590-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/1264-576-0x0000000076EA0000-0x0000000076ED5000-memory.dmp

Filesize
212KB

Download
memory/1264-575-0x0000000077230000-0x0000000077277000-memory.dmp

Filesize
284KB

Download
memory/1476-520-0x0000000004C90000-0x0000000004C92000-memory.dmp

Filesize
8KB

Download
memory/1476-58-0x0000000001F40000-0x0000000001F41000-memory.dmp

Filesize
4KB

Download
memory/1788-579-0x0000000005550000-0x00000000055F6000-memory.dmp

Filesize
664KB

Download
memory/1788-646-0x0000000076EA0000-0x0000000076ED5000-memory.dmp

Filesize
212KB

Download
memory/1788-581-0x0000000005090000-0x00000000050F4000-memory.dmp

Filesize
400KB

Download
memory/1788-585-0x0000000003350000-0x0000000003364000-memory.dmp

Filesize
80KB

Download
memory/1788-577-0x0000000003F30000-0x0000000003F79000-memory.dmp

Filesize
292KB

Download
memory/1788-640-0x0000000003980000-0x0000000003993000-memory.dmp

Filesize
76KB

Download
memory/1788-645-0x0000000077230000-0x0000000077277000-memory.dmp

Filesize
284KB

Download
memory/2088-552-0x0000000076EA0000-0x0000000076ED5000-memory.dmp

Filesize
212KB

Download
memory/2088-548-0x0000000077230000-0x0000000077277000-memory.dmp

Filesize
284KB

Download
memory/2212-549-0x0000000076EA0000-0x0000000076ED5000-memory.dmp

Filesize
212KB

Download
memory/2212-547-0x0000000077230000-0x0000000077277000-memory.dmp

Filesize
284KB

Download
memory/2476-648-0x0000000077230000-0x0000000077277000-memory.dmp

Filesize
284KB

Download
memory/2548-545-0x0000000077230000-0x0000000077277000-memory.dmp

Filesize
284KB

Download
memory/2548-546-0x0000000076EA0000-0x0000000076ED5000-memory.dmp

Filesize
212KB

Download
memory/3032-593-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3032-617-0x0000000002A50000-0x0000000002AFB000-memory.dmp

Filesize
684KB

Download
memory/3032-609-0x0000000000BF0000-0x0000000000C21000-memory.dmp

Filesize
196KB

Download
memory/3032-607-0x0000000002CA0000-0x0000000002DF1000-memory.dmp

Filesize
1.3MB

Download
memory/3032-605-0x0000000000190000-0x00000000001A4000-memory.dmp

Filesize
80KB

Download
memory/3032-598-0x0000000000A60000-0x0000000000AC4000-memory.dmp

Filesize
400KB

Download
memory/3032-594-0x0000000000200000-0x0000000000293000-memory.dmp

Filesize
588KB

Download
memory/3032-596-0x00000000009B0000-0x0000000000A56000-memory.dmp

Filesize
664KB

Download
memory/3032-591-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download