531313033fdb71c44c0791f56679e55c36f06fa6250f90f68ebaf42e7a2a044b

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2024, 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
Size

10.6MB
MD5

5f614b3d2a686b4995c38b91324d8fdb
SHA1

72c298fb258d9e318aba64e900e91f3174cb2dbe
SHA256

531313033fdb71c44c0791f56679e55c36f06fa6250f90f68ebaf42e7a2a044b
SHA512

778c0d3ac4a7091cd09a5a9de4b3e41ea7c94c334af6219c85cf2f275feb3345adb42221193f6aac14e84fd1110ff52afb14cf24a7e7333bcbdf60fedb41681c
SSDEEP

196608:NBHC8KwHrU6Ery5NXJZzkl3fP0puCSe3xb1WujMYJroJiPEgI2fPZdms:DC8K6rery5ZDzklPMpuCl50uXozCPZb

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\bbnetdriver.sys	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Baidu.exe

Executes dropped EXE 12 IoCs

pid	Process
968	Baidu.exe
2960	Baidu.exe
2516	Baidu.exe
4836	Baidu.exe
5112	Baidu.exe
2176	Baidu.exe
1144	Baidu.exe
1580	BaiduService.exe
3364	BaiduRenderClient.exe
1884	Baidu.exe
3888	BDDockerX64.exe
1160	Baidu.exe

Loads dropped DLL 64 IoCs

pid	Process
4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
968	Baidu.exe
968	Baidu.exe
968	Baidu.exe
2960	Baidu.exe
2960	Baidu.exe
2960	Baidu.exe
968	Baidu.exe
968	Baidu.exe
2960	Baidu.exe
968	Baidu.exe
2960	Baidu.exe
2960	Baidu.exe
2516	Baidu.exe
968	Baidu.exe
2516	Baidu.exe
2516	Baidu.exe
2516	Baidu.exe
2516	Baidu.exe
2516	Baidu.exe
4836	Baidu.exe
4836	Baidu.exe
4836	Baidu.exe
4836	Baidu.exe
4836	Baidu.exe
4836	Baidu.exe
968	Baidu.exe
2516	Baidu.exe
4836	Baidu.exe
2516	Baidu.exe
2960	Baidu.exe
2960	Baidu.exe
5112	Baidu.exe
5112	Baidu.exe
5112	Baidu.exe
5112	Baidu.exe
5112	Baidu.exe
5112	Baidu.exe
5112	Baidu.exe
5112	Baidu.exe
4836	Baidu.exe
5112	Baidu.exe
5112	Baidu.exe
2176	Baidu.exe
2176	Baidu.exe
2176	Baidu.exe
2176	Baidu.exe
2176	Baidu.exe
2176	Baidu.exe
2176	Baidu.exe
2176	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	180.76.76.76
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	180.76.76.76
Destination IP	180.76.76.76
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	180.76.76.76
Destination IP	114.114.114.114

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BaiduClient = "\"C:\\Users\\Admin\\AppData\\Local\\Baidu\\BaiduClient\\3.0.0.2873\\Baidu.exe\" --auto-run"	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	BaiduService.exe

Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Baidu.exe
File opened for modification	\??\PhysicalDrive0	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	Baidu.exe
File opened for modification	\??\PhysicalDrive0	Baidu.exe
File opened for modification	\??\PhysicalDrive0	BaiduRenderClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	Baidu.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	Baidu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	Baidu.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	Baidu.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPoicy\{73F970DA-48AC-43F1-9848-FB90504CE3E9}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Baidu\\BaiduClient\\3.0.0.2873"	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPoicy\{73F970DA-48AC-43F1-9848-FB90504CE3E9}\Policy = "3"	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPoicy\{73F970DA-48AC-43F1-9848-FB90504CE3E9}	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPoicy	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPoicy\{73F970DA-48AC-43F1-9848-FB90504CE3E9}\AppName = "Baidu.exe"	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
3364	BaiduRenderClient.exe
3364	BaiduRenderClient.exe
3464	Explorer.EXE
3464	Explorer.EXE
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
668	Process not Found

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
Token: SeDebugPrivilege	4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
Token: SeDebugPrivilege	4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
Token: SeDebugPrivilege	4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
Token: SeDebugPrivilege	4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
Token: SeDebugPrivilege	4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
Token: SeDebugPrivilege	4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
Token: SeDebugPrivilege	4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
Token: SeDebugPrivilege	4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
Token: SeDebugPrivilege	4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
Token: SeDebugPrivilege	3888	BDDockerX64.exe
Token: SeShutdownPrivilege	3464	Explorer.EXE
Token: SeCreatePagefilePrivilege	3464	Explorer.EXE
Token: SeShutdownPrivilege	3464	Explorer.EXE
Token: SeCreatePagefilePrivilege	3464	Explorer.EXE
Token: SeShutdownPrivilege	3464	Explorer.EXE
Token: SeCreatePagefilePrivilege	3464	Explorer.EXE
Token: SeShutdownPrivilege	3464	Explorer.EXE
Token: SeCreatePagefilePrivilege	3464	Explorer.EXE
Token: SeShutdownPrivilege	3464	Explorer.EXE
Token: SeCreatePagefilePrivilege	3464	Explorer.EXE
Token: SeShutdownPrivilege	3464	Explorer.EXE
Token: SeCreatePagefilePrivilege	3464	Explorer.EXE
Token: SeShutdownPrivilege	3464	Explorer.EXE
Token: SeCreatePagefilePrivilege	3464	Explorer.EXE
Token: SeShutdownPrivilege	3464	Explorer.EXE
Token: SeCreatePagefilePrivilege	3464	Explorer.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
3888	BDDockerX64.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
3464	Explorer.EXE
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1144	Baidu.exe
1144	Baidu.exe
1144	Baidu.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1144	Baidu.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 968	4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	87
PID 4780 wrote to memory of 968	4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	87
PID 4780 wrote to memory of 968	4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	87
PID 4780 wrote to memory of 2960	4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	88
PID 4780 wrote to memory of 2960	4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	88
PID 4780 wrote to memory of 2960	4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	88
PID 4780 wrote to memory of 2516	4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	89
PID 4780 wrote to memory of 2516	4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	89
PID 4780 wrote to memory of 2516	4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	89
PID 4780 wrote to memory of 4836	4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	90
PID 4780 wrote to memory of 4836	4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	90
PID 4780 wrote to memory of 4836	4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	90
PID 4780 wrote to memory of 2176	4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	91
PID 4780 wrote to memory of 2176	4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	91
PID 4780 wrote to memory of 2176	4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	91
PID 4780 wrote to memory of 5112	4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	92
PID 4780 wrote to memory of 5112	4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	92
PID 4780 wrote to memory of 5112	4780	5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe	92
PID 1144 wrote to memory of 3364	1144	Baidu.exe	96
PID 1144 wrote to memory of 3364	1144	Baidu.exe	96
PID 1144 wrote to memory of 3364	1144	Baidu.exe	96
PID 1144 wrote to memory of 3888	1144	Baidu.exe	97
PID 1144 wrote to memory of 3888	1144	Baidu.exe	97
PID 1144 wrote to memory of 1884	1144	Baidu.exe	98
PID 1144 wrote to memory of 1884	1144	Baidu.exe	98
PID 1144 wrote to memory of 1884	1144	Baidu.exe	98
PID 1144 wrote to memory of 1160	1144	Baidu.exe	99
PID 1144 wrote to memory of 1160	1144	Baidu.exe	99
PID 1144 wrote to memory of 1160	1144	Baidu.exe	99
PID 3888 wrote to memory of 3464	3888	BDDockerX64.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3464
- C:\Users\Admin\AppData\Local\Temp\5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\5f614b3d2a686b4995c38b91324d8fdb_JaffaCakes118.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Adds Run key to start application
  - Writes to the Master Boot Record (MBR)
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe
    "C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe" -p 1 --inst-task 12#0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:968
- - C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe
    "C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe" -p 1 --inst-task 12#1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2960
- - C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe
    "C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe" -p 1 --inst-task 11
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2516
- - C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe
    "C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe" --inst-task 5 -p 1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4836
- - C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe
    "C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe" --inst-task 2#"C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873" -p 1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2176
- - C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe
    "C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe" -p 5 -t 0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    PID:5112
- C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe
  "C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe" --main-frame 0 --search-bar 2 --tray 1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\wrs\BaiduRenderClient.exe
    "C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\wrs\BaiduRenderClient.exe" --breakpad="\\.\pipe\crashservice.1144.0.7162" --humming-dir="C:\Users\Admin\AppData\Roaming\Baidu\Baidu\plugin" --main-frame="" --search-bar="" --service-exe="BaiduRenderClient.exe" --tray="" --xchannel="\\.\pipe\ipc.1144.0.7162" --xtype="service" /prefetch:1
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious behavior: EnumeratesProcesses
    PID:3364
- - C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\BDDockerX64.exe
    "C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\BDDockerX64.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3888
- - C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe
    "C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe" -p 3 -r 1144 -c 3 -m 4913442588168 --magic-number 4913442588168
    3⤵
    - Executes dropped EXE
    PID:1884
- - C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe
    "C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe" -p 2 -r 1144 -c 4 -m 4913442588168 --magic-number 4913442588168
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:1160

C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\BaiduService.exe
C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\BaiduService.exe
1⤵
- Executes dropped EXE
- Enumerates connected drives
PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\BDZebraSDK.dll

Filesize
5.2MB

MD5
886bba974f16c61dd0334c57f29f3115

SHA1
d88e5adc88a25308f70f6dc9419b011406041301

SHA256
5a8d383f4978a0f2f42666cb9dc5f156373200ff0ea54e650af07e2c5a5f2646

SHA512
fc90ca9a37dddfa07683f7d2e25740a1d3b9324df8313ca0009703555ae144ce2f31324aadc7976c95b7633ff5d18ef58da7db84461e95ba84c4eeb81a925826

Download Submit
C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Baidu.exe

Filesize
691KB

MD5
ba4c5f1d1bcfcb2ffd973415b7975399

SHA1
84859acf0e413a4feb037b2e51ba8aa42d6ceb7f

SHA256
8c31b32dfdb39274475ca2a061ad2280e91cd47425edeeb9a136909aa26c8df4

SHA512
e05549af52276b3c3bf1eee871c723d74da3d91350ce9c01da231101b61d8815cb4956e0f9a90c04dd08fc96a66eeb885ddf5819010f6f289e7df478c37ce11c

Download Submit
C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\BaiduReport.dll

Filesize
64KB

MD5
1ff6574d1406cddb05c20b41984c76f2

SHA1
d94c1991719a7e8745459ef2ee59baf3c2d80b72

SHA256
54271a03e8feca3ade1ebc75207fe29636115210247e895aad371ebb6cc1b5ef

SHA512
1bbe6ada115d5d1e508f2babab68afda96db31477e43f969bc8f60f91b336ae1bbb19e232cc0a7b50aea8577cbc7f8931bda6f7e792bc20fb308296414c68383

Download Submit
C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\CommonWorker.dll

Filesize
54KB

MD5
d03ed968e344179761906e692764a23d

SHA1
9b060eb5db716eb91fb0a419a1179691c0c44593

SHA256
c9c6e7e2fb2197ab9fc47d4a6a7b88656aa22257ba8caf7fa0f5145434e1a3db

SHA512
6aa313d2d6c7200ef84686d48740df43348463566c5a39cffba77a545c000963e7d975617186ca079f68f3eb90079329b733efb46266dde4d9a7a2f9eead95c4

Download Submit
C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\Utils.dll

Filesize
256KB

MD5
379a2975c9e06ac8b533bc9efc1cfc0a

SHA1
a171f4c707bd3870d6e4bef184cb66903ab2e8f8

SHA256
8c0adb58a7bf819ecef2fd5bca9447255790603567425e590f77275a0b2216a0

SHA512
626a86e8db4258e97dfafcbb13acdf891355ee58dd82333127e304532ad73ee5fd1ec6132b49306c5a1522c298d15afbe3d633cdac489b503c02debd4ac58a23

Download Submit
C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\bdlog.dll

Filesize
37KB

MD5
56d1d9be11aec8560139c779f353155c

SHA1
b28a2b5b348fb49cd3222e6a804ab934d293bcf2

SHA256
cba98b57e8c9b5d9f34b68b2b9433187705c3ef65b11b0f20373ce5e05859c96

SHA512
33f65c8af6937cc680e95d3f638d6fd861ce4aedb3595c9cc16afdd072e63a36b9b6ee28aed033e5779679d2c73c943b81759abb96a6a31e5d823c9dbd27f247

Download Submit
C:\Users\Admin\AppData\Local\Baidu\BaiduClient\3.0.0.2873\brp.exe

Filesize
905KB

MD5
f3482cb7643db3dfe3e78dd32514277c

SHA1
93c4f50c18128bc4a77b5d85826f3f29ce56f68a

SHA256
c8c300ab2b4bdebd6fdfe4e92b46be4977f851261677b5bd2500a10ce00771c7

SHA512
45c7a13b9781d87dd93b537d2589b53f13879ef7b78cb0c1a82622f256232cddb10cc93f43dfae96101d929b19676d538711c91731da37b0a122120acc8df16d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mb_setup.log

Filesize
1KB

MD5
c4a6d1a86c9021a1758aa506469dc939

SHA1
ac89f6fa915a7ab230d2101571b51f8d4d3beb44

SHA256
ea9bcb5931196b2cff7fa4c555ba28401557d00a0fb9f84a7033d71659a86fb7

SHA512
5c0ba14da69eca03e72c02ad9d03e824d80168a1eaa1df8d3061d1d7ffbefa96bec225876adbe948f7e42c62a2f31570b12cf2a213ec2cb3cf8e85c0659c8618

Download Submit
C:\Users\Admin\AppData\Local\Temp\mb_setup.log

Filesize
479B

MD5
35c7f94b3987af7e54b61609d0836da9

SHA1
202b622d365f4c160a99d6c96431d9a7bae19f06

SHA256
a9a63ed52d89eea36adfefece316a97381ef5c542653708affb11bf5de07dc6b

SHA512
bd9ca76902e5d40a004b236d03364e56cad515dba8df50c3dc3c95ea0db69361d9662d993d7585593bd376f718317d18b4a4078dc3f9f4e27c103746b4e23359

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC3EE.tmp\BDMSkin.dll

Filesize
1.8MB

MD5
3f6dc271f034861cb4be850a816105e3

SHA1
d83f7a11d47d4668737ff64139870bad8a8722a0

SHA256
4f5d4dc959ccb0f201b2f2c761c74f6284ec90fe4d05e11813c63f584356205a

SHA512
2149b342a8bb8486faf3e7ffe43b6fe66bad4b93512ed668caccdf63399a48411b92b31c99a018c92e4590584d8c0111a483f8161ec179d5f92aba2e398fa76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC3EE.tmp\BaiduReport.dll

Filesize
355KB

MD5
33ac85604ff109e2a297c03fc1037bf1

SHA1
02be88a95fc04ec73c4ed33601f832e86d5f0bb3

SHA256
47c64647fe2ef3215e919295fd3627b25e85877a690d2ba940f4177cfef2678c

SHA512
80c3428e0bd0585f2c4076fc814b638aeab637b2a56b37febef08f75fad426b268fcc2409cc8d09738c23ffc7d56250683b157a5e452b4b43a2bf88d4f489826

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC3EE.tmp\Base.dll

Filesize
777KB

MD5
6fdcd6d9faf849ecd71d4fa329969780

SHA1
3480193f5e7a37bf8a01f728566b48d56850749b

SHA256
a31fbc3014712fca12637400897816c41f65627434bdde1f4c8c0c025f08bad2

SHA512
5a3ddbd1abda841bc06c210f612cfde3a48016991ea6a8dc5ee00574aee1904c70695226490986465c950bf09564bf56715d2c25fcee9931f33b82dcefc2c111

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC3EE.tmp\InstallHelper.dll

Filesize
242KB

MD5
f497a1c6f5f1faca1a05fbee72abc07a

SHA1
3af6939afd2cdfc3eb7e9f6ff4cf26d254f97923

SHA256
ec6a6f16902d84802d0a744a6537d7bebe40b4ad9c8bce4de012c3224c98030c

SHA512
3a523e91cf7e4bd3c83f4eb9a861f410fb2be7367514cb7cf9c47f9f6aa3bcf200640c53bd96acf11f2177938b27cad033f361d67eb6098cb40eb3538292d8ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC3EE.tmp\Protocol.dll

Filesize
355KB

MD5
a0ec723d41810478bb659a85e4e92f3d

SHA1
24cc9fc77abcafe0dd1c5a4e547a8b4efd63c85f

SHA256
dd57149bfa1348e482afddbbe79187527cbd358cdb3036fdf4e8b9f446d020cf

SHA512
ed98dff026eff8501a526dc36c5f68b63adc5a1704881015d6a9f7af53e5a3a47da6aad8d054b7f7cf0821f479a016f45ad20a1b201c263a09cf8265cd772c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC3EE.tmp\Report.dll

Filesize
108KB

MD5
4ed3f52e01ac04d6b1fa05ff8a41c2fe

SHA1
9c363a2658db7deffe5358634320671ef6fc7664

SHA256
542440c178b553d4a1b01d83f05df6a1ba842571f4a9f90b06fdceab06336fe1

SHA512
8fcc515adc959c5b07b4c94400f6e39d75d9ba8a9556d7f4df8891a642b967f13b9f8302ff56bebac505a8a73a3bd4980e29406ccc918fb1dd3d7acc69f776ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC3EE.tmp\System.dll

Filesize
17KB

MD5
bdb492684b7a99ee0aa1d10c1f8bf702

SHA1
c7b8a53cf1481df2a4a7eb11aeb824ff8b3a4698

SHA256
4919ffc0acdada4f18469d7fc76abaec4584b99709bbd276c6e9a8043be76481

SHA512
479f996f7dfbad9fff8f4bf3493dcaaa680390919233fb875d08efc0e6b71a94db9eae510091496a4c99e09ed793aae87ef64bd80e55cbf94823848d2edc0d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC3EE.tmp\Utils.dll

Filesize
928KB

MD5
9ac5812dbee6e04f5d818dc5afb46480

SHA1
5232fb8d2ecb4cbbd52054741282cfb86fdd6e9d

SHA256
77ec589230c246ff136b9abe22691e978c30aff7c3e222be34195a671c8b3d8d

SHA512
970dd347a9d1a22dc02fba0ad1d8f7ac16c00dfca97045de5453ef8c7f64fac019d89aa2e1c69fb10ea3a29388a52c163da904d7b5abec95c18f0981a054c0e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC3EE.tmp\msvcp100.dll

Filesize
411KB

MD5
bc83108b18756547013ed443b8cdb31b

SHA1
79bcaad3714433e01c7f153b05b781f8d7cb318d

SHA256
b2ad109c15eaa92079582787b7772ba0a2f034f7d075907ff87028df0eaea671

SHA512
6e72b2d40e47567b3e506be474dafa7cacd0b53cd2c2d160c3b5384f2f461fc91bb5fdb614a351f628d4e516b3bbdabc2cc6d4cb4710970146d2938a687dd011

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC3EE.tmp\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\Baidu\Baidu\pb\100.pb

Filesize
115B

MD5
0a046fc4ac62ca3278450db3c4d14330

SHA1
8d4cec6518773caab72c4ff79d138b62ea6c1337

SHA256
02fe395561c74e117eedd1ac5f9c5d9d2be407affde144421199623ac83da6b7

SHA512
0dd7829970f5406b5466017359eff58e70dd33f36092e9073ae68f2d4543cf2494dad39012705841286cbab6dcd9f84c603582e97dfaaea416e756741d419ba0

Download Submit
C:\Users\Admin\AppData\Roaming\Baidu\Baidu\plugin\extends\LocalPluginInfo.xml

Filesize
2KB

MD5
6490060dad9933a77452e9485f773f3b

SHA1
b64330f4bf670385b2dcd03493ec8e34071b1815

SHA256
f4a28b882e04982c6de7eca8f63cf6329261b22cd2f5a136bc25097d5063dc64

SHA512
1e0d844db7bde7ab27af64b050fb6a4c31ac6732c349c5b9fa5f92241ba3fe2cadce5bff7f294fd4843c7e2bb368038dc3c47f29466413811830f4a045c7f9e1

Download Submit
memory/968-488-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/968-531-0x0000000075C00000-0x0000000075C63000-memory.dmp

Filesize
396KB

Download
memory/968-530-0x00000000769A0000-0x0000000076BB5000-memory.dmp

Filesize
2.1MB

Download
memory/968-489-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1144-541-0x0000000006B10000-0x0000000006B24000-memory.dmp

Filesize
80KB

Download
memory/1144-622-0x0000000005050000-0x0000000005063000-memory.dmp

Filesize
76KB

Download
memory/1144-628-0x0000000075C00000-0x0000000075C63000-memory.dmp

Filesize
396KB

Download
memory/1144-539-0x00000000061F0000-0x0000000006239000-memory.dmp

Filesize
292KB

Download
memory/1144-627-0x00000000769A0000-0x0000000076BB5000-memory.dmp

Filesize
2.1MB

Download
memory/1160-636-0x00000000769A0000-0x0000000076BB5000-memory.dmp

Filesize
2.1MB

Download
memory/1160-637-0x0000000075C00000-0x0000000075C63000-memory.dmp

Filesize
396KB

Download
memory/1580-630-0x00000000769A0000-0x0000000076BB5000-memory.dmp

Filesize
2.1MB

Download
memory/1884-634-0x0000000075C00000-0x0000000075C63000-memory.dmp

Filesize
396KB

Download
memory/1884-633-0x00000000769A0000-0x0000000076BB5000-memory.dmp

Filesize
2.1MB

Download
memory/2176-586-0x00000000769A0000-0x0000000076BB5000-memory.dmp

Filesize
2.1MB

Download
memory/2176-587-0x0000000075C00000-0x0000000075C63000-memory.dmp

Filesize
396KB

Download
memory/2516-590-0x0000000075C00000-0x0000000075C63000-memory.dmp

Filesize
396KB

Download
memory/2516-589-0x00000000769A0000-0x0000000076BB5000-memory.dmp

Filesize
2.1MB

Download
memory/2960-593-0x0000000075C00000-0x0000000075C63000-memory.dmp

Filesize
396KB

Download
memory/2960-592-0x00000000769A0000-0x0000000076BB5000-memory.dmp

Filesize
2.1MB

Download
memory/3364-544-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3364-576-0x00000000038E0000-0x0000000003911000-memory.dmp

Filesize
196KB

Download
memory/3364-543-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3364-547-0x00000000028B0000-0x0000000002943000-memory.dmp

Filesize
588KB

Download
memory/3364-565-0x0000000000E80000-0x0000000000E94000-memory.dmp

Filesize
80KB

Download
memory/3364-578-0x0000000003930000-0x00000000039DB000-memory.dmp

Filesize
684KB

Download
memory/3364-549-0x0000000002950000-0x00000000029F6000-memory.dmp

Filesize
664KB

Download
memory/3364-551-0x0000000002A00000-0x0000000002A64000-memory.dmp

Filesize
400KB

Download
memory/3364-574-0x00000000031B0000-0x0000000003301000-memory.dmp

Filesize
1.3MB

Download
memory/4780-64-0x0000000005900000-0x0000000005901000-memory.dmp

Filesize
4KB

Download
memory/4836-605-0x0000000075C00000-0x0000000075C63000-memory.dmp

Filesize
396KB

Download
memory/4836-604-0x00000000769A0000-0x0000000076BB5000-memory.dmp

Filesize
2.1MB

Download
memory/5112-624-0x00000000769A0000-0x0000000076BB5000-memory.dmp

Filesize
2.1MB

Download
memory/5112-625-0x0000000075C00000-0x0000000075C63000-memory.dmp

Filesize
396KB

Download