Beyond good ol’ Run key, Part 80

July 6, 2018 in Anti-*, Autostart (Persistence), Compromise Detection, Incident Response, Malware Analysis

I talked about remapping keys a number of times (e.g. remapping Win+E, adding sneaky hotkeys, adding more sneaky hotkeys).

Today I am describing one more Registry entry that is a subject to remapping, and as such, may be used as yet another persistence mechanism…

Modern keyboards come with a variety of ‘media’ buttons. Their assignment seems to be hardcoded, but in reality, one can change it by modifying the following entries in the Registry:

HKCU or HKLM\software\microsoft\windows\
currentversion\explorer\appkey\<number>\
ShellExecute=<program>

The <number> is the crucial bit – e.g. the calculator button is number 18 so if you change it, anytime someone presses the Calc media button that chosen program will be launched instead.

All the mappings are listed in MSDN.

You may notice that 18 that belongs to Calculator is named as APPCOMMAND_LAUNCH_APP2, but such is life. Don’t trust the documentation 🙂

Note:

I didn’t discover it, but I don’t recall seeing it mentioned in a context of persistence, so documenting it for the sake of it… Having said that, I must mention that googling around led me to this blog post where the very same trick is described as being used to deliver a clever evasion – courtesy of PlugX.

Note2:

Turns out there is a good post from Jan 2018 describing 2 additional registry entries that you may find under the same location:

  • Association – the application associated with a particular file type will be opened
  • RegisteredApp – the application registered for that function will be called.
Share this :)

Comments are closed.