Beyond good ol’ Run key, Part 68
December 8, 2017 in Anti-*, Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Incident Response, Malware Analysis
Modification of Software\Classes\CLSID branches is a well-known trick that malware has used for ages. It is important to recognize, though, that there are many variants of the trick – the keys are used by different applications and libraries, and for very different purposes – so there is no end to the possibilities they offer to malware authors.
Here’s a less well-known CLSID branch that can be used to execute malware any time you press WIN+E to open a new Windows Explorer window.
Example for calculator (tested on win10):
HKCU\Software\Classes\CLSID\{52205fd8-5dfb-447d-801a-d0b52f2e83e1}\shell\opennewwindow\command
    "DelegateExecute"=""
    @="c:\\windows\\system32\\calc.exe"
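As an added example (not from the post), here is a small Python script that parses a `reg export` dump of the CLSID branch and flags any <CLSID>\shell\<verb>\command key that carries a command line, which is how a responder would spot the opennewwindow override above; the sample export, the second (benign) key and the function names are constructed for this illustration.

```python
import re
# Constructed sample of a `reg export` dump of HKCU\Software\Classes\CLSID (not real data): the
# post's per-user "opennewwindow" override plus an unrelated InprocServer32 key that must not be flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{52205fd8-5dfb-447d-801a-d0b52f2e83e1}\shell\opennewwindow\command]
@="c:\\windows\\system32\\calc.exe"
"DelegateExecute"=""

[HKEY_CURRENT_USER\Software\Classes\CLSID\{aaaaaaaa-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\Users\\bob\\AppData\\Roaming\\helper.dll"
'''
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
# any <CLSID>\shell\<verb>\command key; the post's verb is opennewwindow
SHELL_CMD_RE = re.compile(r'^(HKEY_[A-Z_]+)\\.*\\CLSID\\(\{[0-9a-f-]{36}\})\\shell\\([^\\]+)\\command$', re.I)

def unescape(s):
    # undo .reg string escaping: \\ -> \ and \" -> "
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Return {key_path: {value_name: data}}; '' is (Default); quoted REG_SZ is unescaped, dword:/hex: kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('Windows Registry Editor', ';')):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = '' if m.group(1) == '@' else unescape(m.group(1)[1:-1])
            data = m.group(2)
            keys[current][name] = unescape(data[1:-1]) if data.startswith('"') else data
    return keys

def find_shell_verb_commands(keys):
    """Flag CLSID shell verbs that launch a command. Under HKCU these override the machine-wide
    class for that user, and an empty DelegateExecute makes the shell run the command line."""
    findings = []
    for path, values in keys.items():
        m = SHELL_CMD_RE.match(path)
        if m and values.get(''):
            findings.append({'hive': m.group(1).upper(), 'clsid': m.group(2).lower(),
                             'verb': m.group(3).lower(), 'command': values[''],
                             'delegate_execute': values.get('DelegateExecute')})
    return findings
```

Run it against the output of `reg export HKCU\Software\Classes\CLSID out.reg` (and the HKLM equivalent); any finding under HKCU deserves a look, since a normal user profile has no reason to redefine Explorer's shell verbs.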
Update
There is a side-effect to this setting: launching explorer.exe – whether via WIN+E, by clicking explorer.exe inside Windows Explorer, or by running it via WIN+R – will always end up executing calc.exe. The malware would need to handle these situations with an appropriate action.