Overview
overview
7Static
static
3JaffaCakes...8a.exe
windows7-x64
3JaffaCakes...8a.exe
windows10-2004-x64
3$PLUGINSDI...64.dll
windows7-x64
3$PLUGINSDI...64.dll
windows10-2004-x64
3$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...LL.dll
windows7-x64
3$PLUGINSDI...LL.dll
windows10-2004-x64
3$PLUGINSDI...ew.dll
windows7-x64
3$PLUGINSDI...ew.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDIR/inetc.dll
windows7-x64
3$PLUGINSDIR/inetc.dll
windows10-2004-x64
3$TEMP/KWMU...te.exe
windows7-x64
7$TEMP/KWMU...te.exe
windows10-2004-x64
7$PLUGINSDI...64.dll
windows7-x64
3$PLUGINSDI...64.dll
windows10-2004-x64
3$PLUGINSDI...ew.dll
windows7-x64
3$PLUGINSDI...ew.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDIR/inetc.dll
windows7-x64
3$PLUGINSDIR/inetc.dll
windows10-2004-x64
3$TEMP/soba...wo.exe
windows7-x64
3$TEMP/soba...wo.exe
windows10-2004-x64
3$PROGRAM_F...er.exe
windows7-x64
3$PROGRAM_F...er.exe
windows10-2004-x64
3$PROGRAM_F...ar.dll
windows7-x64
7$PROGRAM_F...ar.dll
windows10-2004-x64
7$PROGRAM_F...rX.dll
windows7-x64
7$PROGRAM_F...rX.dll
windows10-2004-x64
7Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
15/01/2025, 16:18
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_5bfd9050b9ea3dc1d6e79c909cfc5c8a.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_5bfd9050b9ea3dc1d6e79c909cfc5c8a.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/Base64.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/Base64.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/KillProcDLL.dll
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/KillProcDLL.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/KuWoNsis_new.dll
Resource
win7-20241010-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/KuWoNsis_new.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240729-en
Behavioral task
behavioral12
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
$PLUGINSDIR/inetc.dll
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
$PLUGINSDIR/inetc.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
$TEMP/KWMUSIC/DownloadUpdate.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
$TEMP/KWMUSIC/DownloadUpdate.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
$PLUGINSDIR/Base64.dll
Resource
win7-20241023-en
Behavioral task
behavioral18
Sample
$PLUGINSDIR/Base64.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
$PLUGINSDIR/KuWoNsis_new.dll
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
$PLUGINSDIR/KuWoNsis_new.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
$PLUGINSDIR/inetc.dll
Resource
win7-20241010-en
Behavioral task
behavioral24
Sample
$PLUGINSDIR/inetc.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
$TEMP/sobar/Baidu-TB-ASBar-Silent_kuwo.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
$TEMP/sobar/Baidu-TB-ASBar-Silent_kuwo.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
$PROGRAM_FILES/Baidu/ASBarBroker.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
$PROGRAM_FILES/Baidu/ASBarBroker.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
$PROGRAM_FILES/Baidu/AddressBar.dll
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
$PROGRAM_FILES/Baidu/AddressBar.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/BaiduBarX.dll
Resource
win7-20241023-en
General
-
Target
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/BaiduBarX.dll
-
Size
2.3MB
-
MD5
73e815b7dc46cee5be197dc4f81dd3f1
-
SHA1
610013942da6c1d9db80e9bb2624baf290d7d7bb
-
SHA256
92be55ea5d5eacfc9120467c4fbc2090c824cd8a232fab11e1a83433faf0285d
-
SHA512
b893d52579d99b5a44f69f5dc91d7f3df860409000915df2124bff353fdeb87b7e023fa7572e698b71b271c3e66d2ba65155fd97bc0abd43cf952673d889f246
-
SSDEEP
49152:EDww2rO+skTKEW/+5sgN51uNDqWwTSbSbHUWTDnU9iZoY8:2wwuRskTKX/+5sgN51bLA
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2848 BarBroker.exe -
Loads dropped DLL 5 IoCs
pid Process 2820 regsvr32.exe 2820 regsvr32.exe 2820 regsvr32.exe 2820 regsvr32.exe 2820 regsvr32.exe -
Installs/modifies Browser Helper Object 2 TTPs 3 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697} regsvr32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}\NoExplorer = "1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}\id = "bdbar" regsvr32.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File created C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX.dll regsvr32.exe File opened for modification C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX.dll regsvr32.exe File created C:\Program Files (x86)\Baidu\Toolbar\rc.dll regsvr32.exe File created C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe regsvr32.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BarBroker.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2} BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}\AppName = "BarBroker.exe" BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}\AppPath = "%ProgramFiles(x86)%\\Baidu\\Toolbar" BarBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}\Policy = "3" BarBroker.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{B580CF65-E151-49C3-B73F-70B13FCA8E86} = "12" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" regsvr32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3A8C9D89-3271-45F4-98C0-56B0F5A16172} BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.ToolBand\CurVer\ = "BaiduBarX.ToolBand.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\InprocServer32\ = "C:\\Program Files (x86)\\Baidu\\Toolbar\\BaiduBarX.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2923508C-9425-4A61-B9CE-A98239055916}\TypeLib\Version = "1.0" BarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.5\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\VersionIndependentProgID\ = "BaiduBarEx.BDHomePage" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C2BFEC9-F03C-4F74-932E-5723E603B4AC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C2BFEC9-F03C-4F74-932E-5723E603B4AC}\ = "ITool" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BarBroker.BDBroker\ = "BDBroker Class" BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.ToolBand.1\ = "Baidu Toolbar" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool.1\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE\CLSID\ = "{77FEF28E-EB96-44FF-B511-3185DEA48697}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.4\CLSID\ = "{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\ProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}\1.0\0\win32\ = "C:\\Program Files (x86)\\Baidu\\Toolbar\\BaiduBarX.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}\AppID = "{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}" BarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2923508C-9425-4A61-B9CE-A98239055916}\ProxyStubClsid32 BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.ToolBand\ = "Baidu Toolbar" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\InprocServer32\ = "C:\\Program Files (x86)\\Baidu\\Toolbar\\BaiduBarX.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\ = "°Ù¶È¹¤¾ßÀ¸¸öÐÔ»¯Ê×Ò³Ö§³Ö×é¼þ" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}\TypeLib\ = "{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.ToolBand.1\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool\CurVer\ = "BaiduBar.Tool.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\VersionIndependentProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage\CurVer regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\VersionIndependentProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}\ = "IBandIE" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\InprocServer32\ = "C:\\Program Files (x86)\\Baidu\\Toolbar\\BaiduBarX.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE\CurVer regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\ProgID\ = "BaiduBarEx.BDHomePage.5" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\ProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE.1\CLSID\ = "{77FEF28E-EB96-44FF-B511-3185DEA48697}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.5 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BarBroker.BDBroker.1\CLSID BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}\VersionIndependentProgID\ = "BarBroker.BDBroker" BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}\LocalServer32\ = "\"C:\\Program Files (x86)\\Baidu\\Toolbar\\BarBroker.exe\"" BarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE.1\ = "Baidu Toolbar BHO" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.2\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}\TypeLib\ = "{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}\1.0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2923508C-9425-4A61-B9CE-A98239055916}\TypeLib\ = "{3A8C9D89-3271-45F4-98C0-56B0F5A16172}" BarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\ProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\InprocServer32\ThreadingModel = "both" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\ProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BarBroker.BDBroker.1\ = "BDBroker Class" BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BarBroker.BDBroker.1\CLSID\ = "{5BECD27B-DCF5-4DEF-B066-486A47245C03}" BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\ = "IBDHomePage" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\ = "IBDHomePage" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BarBroker.BDBroker BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}\ = "BDBroker Class" BarBroker.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 308 wrote to memory of 2820 308 regsvr32.exe 30 PID 308 wrote to memory of 2820 308 regsvr32.exe 30 PID 308 wrote to memory of 2820 308 regsvr32.exe 30 PID 308 wrote to memory of 2820 308 regsvr32.exe 30 PID 308 wrote to memory of 2820 308 regsvr32.exe 30 PID 308 wrote to memory of 2820 308 regsvr32.exe 30 PID 308 wrote to memory of 2820 308 regsvr32.exe 30 PID 2820 wrote to memory of 2848 2820 regsvr32.exe 31 PID 2820 wrote to memory of 2848 2820 regsvr32.exe 31 PID 2820 wrote to memory of 2848 2820 regsvr32.exe 31 PID 2820 wrote to memory of 2848 2820 regsvr32.exe 31
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES\Baidu\Toolbar\BaiduBarX_Tmp\BaiduBarX.dll1⤵
- Suspicious use of WriteProcessMemory
PID:308 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES\Baidu\Toolbar\BaiduBarX_Tmp\BaiduBarX.dll2⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe"C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe" -RegServer3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
PID:2848
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.3MB
MD573e815b7dc46cee5be197dc4f81dd3f1
SHA1610013942da6c1d9db80e9bb2624baf290d7d7bb
SHA25692be55ea5d5eacfc9120467c4fbc2090c824cd8a232fab11e1a83433faf0285d
SHA512b893d52579d99b5a44f69f5dc91d7f3df860409000915df2124bff353fdeb87b7e023fa7572e698b71b271c3e66d2ba65155fd97bc0abd43cf952673d889f246
-
Filesize
229KB
MD5f87f4f7c0278667dc2d88ec6d7b6022d
SHA15650e64099f23359dfcc7c8c9380d7157e236c61
SHA25606d7a9d5379d303aa0498757fea75fdfe7c8bdb922a2c5672b0fbe8726460bdd
SHA512777c0c9d000495be084bb0127840c5b175d556d2da8ddbe30b04a99c8e271796cb1ce0ee2eac4c7b6d938fc17abdcba85fd1e4320620ca45b5a1fd31fa9cc8ae
-
Filesize
369KB
MD5989404e09f568db722a978f0cddc2d91
SHA1b4144e15cb05c125cf06d63203e8ad4b889b9b12
SHA256f97d8a7717605f48441b01bbbaf54952553787a9cdd394c0efbde870897c5f12
SHA512c05eba31bfb2cd201043defa809399252a185d76c7815abf58146bee18b265e8113966dd6cc1b5fff714d45d293b8424c0ba2459e7e6a893a3575c7c4813a638