Beyond good ol’ Run key, Part 58

January 28, 2017 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Incident Response, Malware Analysis

I stumbled upon this persistence mechanism by chance and its nature is similar to the many I have covered before – the preset applications that are executed when a certain event happens. This time I was checking the Bluetooth Stack applications on a laptop and discovered it could be easily configured to run arbitrary programs. We can assume that many other similar Bluetooth configuration utilities developed by other companies offer similar capabilities.

I don’t know how many people use Bluetooth on their PC laptops nowadays, but as long as the Bluetooth stack is installed, radio is enabled and applications are installed – the specific events should trigger the execution of preset applications…

There are at least two places I found where one could add persistent malware to the Bluetooth configuration settings.

The first one is under the SMART tab in General Options:

Despite efforts I didn’t manage to trigger it, but I don’t have many Bluetooth devices at hand. Perhaps someone will be able to run a QC on this one.

The setting is located inside the Registry under the following location:

  • HKCU\Software\Toshiba\BluetoothStack\
    V1.0\Mng\IasStartAplPath= EXE Path

The second, is not just one, but it’s actually a group of individual settings assigned to each connection – here is an example of properties of such one connection where I added the c:\windows\system32\notepad.exe to execute anytime the connection is established:

This one works for sure and it was easy to test it.

The location of these settings is as follows:

  • HKCU\Software\Toshiba\BluetoothStack\
    V1.0\EZC\DATA\1001\SCORIGINAL
    APPEXECUTE=hex:01
    APPFILEPATHBYTECNT=dword:<Path Length in bytes>
    APPFILEPATH=hex:<Path expressed as a sequence of hexadecimal numbers>
    APPFILEPATH2=EXE Path represented as a string
    PSM=dword:0000000f
    SECURITY=dword:00000001

The key DATA\1001\SCORIGINAL changes to DATA\1002\SCORIGINAL for the second connection and increases for subsequent connections. This is how it looks like inside the Registry:

It’s pretty simple, but it’s also not very convincing – I don’t think we should expect a flood of malware using it. Still, worth documenting.

Share this :)

Comments are closed.