Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
5JaffaCakes...31.exe
windows7-x64
3JaffaCakes...31.exe
windows10-2004-x64
3$PLUGINSDI...sh.dll
windows7-x64
3$PLUGINSDI...sh.dll
windows10-2004-x64
3$PLUGINSDI...ar.exe
windows7-x64
7$PLUGINSDI...ar.exe
windows10-2004-x64
3$PROGRAM_F...er.exe
windows7-x64
3$PROGRAM_F...er.exe
windows10-2004-x64
3$PROGRAM_F...ar.dll
windows7-x64
7$PROGRAM_F...ar.dll
windows10-2004-x64
7$PROGRAM_F...rX.dll
windows7-x64
7$PROGRAM_F...rX.dll
windows10-2004-x64
7$PROGRAM_F...er.exe
windows7-x64
3$PROGRAM_F...er.exe
windows10-2004-x64
3$PROGRAM_F...rc.dll
windows7-x64
3$PROGRAM_F...rc.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...pt.exe
windows7-x64
7$PLUGINSDI...pt.exe
windows10-2004-x64
7$PLUGINSDI...an.exe
windows7-x64
7$PLUGINSDI...an.exe
windows10-2004-x64
7$PLUGINSDI...an.exe
windows7-x64
7$PLUGINSDI...an.exe
windows10-2004-x64
7$PLUGINSDI...st.exe
windows7-x64
7$PLUGINSDI...st.exe
windows10-2004-x64
3$PLUGINSDIR/v9fft.exe
windows7-x64
10$PLUGINSDIR/v9fft.exe
windows10-2004-x64
10$TEMP/AskPIP_FF_.exe
windows7-x64
3$TEMP/AskPIP_FF_.exe
windows10-2004-x64
3$TEMP/AskT...IC.dll
windows7-x64
8$TEMP/AskT...IC.dll
windows10-2004-x64
3Analysis
-
max time kernel
93s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
21/02/2025, 20:16
Behavioral task
behavioral1
Sample
JaffaCakes118_1501f2ea21bf8b38b5ad8bd8219bec31.exe
Resource
win7-20250207-en
windows7-x64
Behavioral task
behavioral2
Sample
JaffaCakes118_1501f2ea21bf8b38b5ad8bd8219bec31.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/AdvSplash.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/AdvSplash.dll
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/Baidu-TB-ASBar.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/Baidu-TB-ASBar.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$PROGRAM_FILES/Baidu/ASBarBroker.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
$PROGRAM_FILES/Baidu/ASBarBroker.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$PROGRAM_FILES/Baidu/AddressBar.dll
Resource
win7-20241023-en
windows7-x64
Behavioral task
behavioral10
Sample
$PROGRAM_FILES/Baidu/AddressBar.dll
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/BaiduBarX.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral12
Sample
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/BaiduBarX.dll
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/BarBroker.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral14
Sample
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/BarBroker.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/rc.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral16
Sample
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/rc.dll
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
$PLUGINSDIR/System.dll
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral18
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
$PLUGINSDIR/hao123inst-egypt.exe
Resource
win7-20241023-en
windows7-x64
Behavioral task
behavioral20
Sample
$PLUGINSDIR/hao123inst-egypt.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
$PLUGINSDIR/hao123inst-japan.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral22
Sample
$PLUGINSDIR/hao123inst-japan.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
$PLUGINSDIR/hao123inst-taiwan.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral24
Sample
$PLUGINSDIR/hao123inst-taiwan.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
$PLUGINSDIR/hao123inst.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral26
Sample
$PLUGINSDIR/hao123inst.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
$PLUGINSDIR/v9fft.exe
Resource
win7-20250207-en
windows7-x64
Behavioral task
behavioral28
Sample
$PLUGINSDIR/v9fft.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
$TEMP/AskPIP_FF_.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral30
Sample
$TEMP/AskPIP_FF_.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
$TEMP/AskToolbarTemp/ApnIC.dll
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral32
Sample
$TEMP/AskToolbarTemp/ApnIC.dll
Resource
win10v2004-20250217-en
windows10-2004-x64
General
-
Target
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/BaiduBarX.dll
-
Size
2.7MB
-
MD5
9929bf8efb3087a1a832fc09ac97bef4
-
SHA1
4df24505648dec56488d68cd1ce5265c4c31e5bb
-
SHA256
2867243b3b6584986098d5e5f921f2dff5dfe5fe605725b263371bc8ff3fa279
-
SHA512
a172e659ac803bf8ed260af80caf6e94ab076e6759a8f77e30e0cf8dd99fb0db690db7b0656bfeb3bae324082665d6ca219d775591df988f90be0d5633054cdb
-
SSDEEP
49152:5WiPPqsRfBqN7+PBHWNUhDGJRmO+HJT99zxy+BQ9AwiTgTnklMV:5W+qsdBqN7+PBHWNUyJRDw9EUQ9Au
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2092 BarBroker.exe -
Loads dropped DLL 4 IoCs
pid Process 2292 regsvr32.exe 2292 regsvr32.exe 2292 regsvr32.exe 2292 regsvr32.exe -
Installs/modifies Browser Helper Object 2 TTPs 3 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}\NoExplorer = "1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}\id = "bdbar" regsvr32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697} regsvr32.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File created C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX.dll regsvr32.exe File opened for modification C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX.dll regsvr32.exe File created C:\Program Files (x86)\Baidu\Toolbar\rc.dll regsvr32.exe File created C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe regsvr32.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BarBroker.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}\AppName = "BarBroker.exe" BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}\AppPath = "%ProgramFiles(x86)%\\Baidu\\Toolbar" BarBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}\Policy = "3" BarBroker.exe Key created \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Microsoft\Internet Explorer\Main regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" regsvr32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{B580CF65-E151-49C3-B73F-70B13FCA8E86} = "12" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2} BarBroker.exe -
Modifies registry class 64 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23A2B2B7-21DE-4B88-AFBA-5A918ABBF463}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C2BFEC9-F03C-4F74-932E-5723E603B4AC} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C2BFEC9-F03C-4F74-932E-5723E603B4AC}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C773CA2-F142-4B2C-981A-FD3B1BEC1578}\TypeLib\ = "{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\ProgID\ = "BaiduBar.Tool.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage\CLSID\ = "{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.1\CLSID\ = "{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool.1\CLSID\ = "{A7F05EE4-0426-454F-8013-C41E3596E9E9}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BarBroker.BDBroker\CurVer\ = "BarBroker.BDBroker.1" BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3A8C9D89-3271-45F4-98C0-56B0F5A16172}\1.0\FLAGS\ = "0" BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BarBroker.BDBroker.1\ = "BDBroker Class" BarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BarBroker.BDBroker.1\CLSID BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}\TypeLib\ = "{3A8C9D89-3271-45F4-98C0-56B0F5A16172}" BarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BDLogin\CLSID regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\TypeLib\ = "{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BarBroker.EXE\AppID = "{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}" BarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}\VersionIndependentProgID BarBroker.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3A8C9D89-3271-45F4-98C0-56B0F5A16172}\1.0\HELPDIR BarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23A2B2B7-21DE-4B88-AFBA-5A918ABBF463}\VersionIndependentProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}\1.0\HELPDIR regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}\ = "BarBroker" BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.ToolBand.1\CLSID\ = "{B580CF65-E151-49C3-B73F-70B13FCA8E86}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool.1 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BarBroker.BDBroker.1 BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}\VersionIndependentProgID\ = "BarBroker.BDBroker" BarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.4 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BDLogin.1\ = "BDLogin Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BDLogin regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.4\ = "°Ù¶È¹¤¾ßÀ¸¸öÐÔ»¯Ê×Ò³Ö§³Ö×é¼þ" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23A2B2B7-21DE-4B88-AFBA-5A918ABBF463}\TypeLib\ = "{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}\1.0\FLAGS regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C2BFEC9-F03C-4F74-932E-5723E603B4AC}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\InprocServer32\ThreadingModel = "both" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2923508C-9425-4A61-B9CE-A98239055916}\ = "IBDBroker" BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2923508C-9425-4A61-B9CE-A98239055916}\TypeLib\Version = "1.0" BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage\CurVer\ = "BaiduBarEx.BDHomePage.5" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\ProgID\ = "BaiduBarX.ToolBand.1" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\ProgID regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23A2B2B7-21DE-4B88-AFBA-5A918ABBF463} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}\1.0\ = "BaiduBarX 1.0 Type Library" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\ = "°Ù¶È¹¤¾ßÀ¸" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.ToolBand\CurVer regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C773CA2-F142-4B2C-981A-FD3B1BEC1578}\ = "IBDLogin" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23A2B2B7-21DE-4B88-AFBA-5A918ABBF463}\ = "BDLogin Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23A2B2B7-21DE-4B88-AFBA-5A918ABBF463}\VersionIndependentProgID\ = "BaiduBarX.BDLogin" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.3 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3A8C9D89-3271-45F4-98C0-56B0F5A16172}\1.0 BarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}\1.0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9} regsvr32.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1652 wrote to memory of 2292 1652 regsvr32.exe 84 PID 1652 wrote to memory of 2292 1652 regsvr32.exe 84 PID 1652 wrote to memory of 2292 1652 regsvr32.exe 84 PID 2292 wrote to memory of 2092 2292 regsvr32.exe 88 PID 2292 wrote to memory of 2092 2292 regsvr32.exe 88 PID 2292 wrote to memory of 2092 2292 regsvr32.exe 88
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES\Baidu\Toolbar\BaiduBarX_Tmp\BaiduBarX.dll1⤵
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES\Baidu\Toolbar\BaiduBarX_Tmp\BaiduBarX.dll2⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe"C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe" -RegServer3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
PID:2092
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.7MB
MD59929bf8efb3087a1a832fc09ac97bef4
SHA14df24505648dec56488d68cd1ce5265c4c31e5bb
SHA2562867243b3b6584986098d5e5f921f2dff5dfe5fe605725b263371bc8ff3fa279
SHA512a172e659ac803bf8ed260af80caf6e94ab076e6759a8f77e30e0cf8dd99fb0db690db7b0656bfeb3bae324082665d6ca219d775591df988f90be0d5633054cdb
-
Filesize
232KB
MD56b224c78c4b3433e754676dfab012142
SHA10ef3ad9248de0f4cef24ff110c87157c8433cc83
SHA256567ea2b8aee289f74b5affd5ff6e22ca0fd68d03071670ae060359fc5dae2e88
SHA5129561fa4efe992781a5692c7da7eb9b765668b7592f41417c3de9e1841f8e85f6dfc3fcd0233842489da54157c81c31211123bda45798539efa696f8cae6149d7
-
Filesize
496KB
MD551e4f617d2ad241171f437001565ac71
SHA11af01b7428e3493825451980e25306941ca50e31
SHA256ca30dd00c9586efc075376c4b53fdcc2dcee6c1ad3ee83eb8f801e95d1dd250a
SHA51293044c79020a710dc85a848fef030084b41e12334492e7a11973107c7d79e352c1ea7b9f8fc0f116d5fce341cb6d3317acd4fa8fb5396765cc3724773f571e6f