{
	"id": "61d9b1be-93e2-4cf7-9626-547835f093db",
	"created_at": "2026-04-06T00:11:26.877989Z",
	"updated_at": "2026-04-10T13:12:10.974753Z",
	"deleted_at": null,
	"sha1_hash": "819c971dcd76c270893cca12b86e41645403a76f",
	"title": "BazarISO Analysis - Loading with Advpack.dll",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 69995,
	"plain_text": "BazarISO Analysis - Loading with Advpack.dll\r\nPublished: 2022-01-22 · Archived: 2026-04-05 21:11:36 UTC\r\nMalware comes in all shapes and sizes, and in the case of BazarISO it comes in the form of an ISO file that contains a malicious shortcut and an executable. In this post I’ll tear apart the ISO to show how one of the more recent BazarISO samples works. If you want to follow along at home, I’m using the sample from MalwareBazaar here:\r\nhttps://bazaar.abuse.ch/sample/38cf92de5c97f9f79ddfb5632ac92f2670f3aa25414943735ddbe24507ad49f3/\r\nTriage and Unpack the ISO\r\nFirst, let’s make sure the file is an ISO using file.\r\nremnux@remnux:~/cases/bazariso$ file Documents-17.iso\r\nDocuments-17.iso: ISO 9660 CD-ROM filesystem data ''\r\nAlright, let’s take a stab at unpacking with 7z.\r\nremnux@remnux:~/cases/bazariso$ 7z x Documents-17.iso\r\n7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21\r\np7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz (806EA\r\nScanning the drive for archives:\r\n1 file, 743424 bytes (726 KiB)\r\nExtracting archive: Documents-17.iso\r\n--\r\nPath = Documents-17.iso\r\nType = Iso\r\nPhysical Size = 743424\r\nCreated = 2022-01-21 09:15:47\r\nEverything is Ok\r\nFiles: 2\r\nSize: 689865\r\nCompressed: 743424\r\nAnd 7-Zip gave us the very life-affirming message that Everything is Ok, since both files in the ISO unpacked properly. Let’s see what files we have.\r\nremnux@remnux:~/cases/bazariso$ ls -lah\r\ntotal 1.4M\r\ndrwxrwxr-x 2 remnux remnux 4.0K Jan 22 17:44 .\r\ndrwxrwxr-x 10 remnux remnux 4.0K Jan 22 17:24 ..\r\n-rw-rw-r-- 1 remnux remnux 673K Jan 21 09:15 autorun.exe\r\n-rw-rw-r-- 1 remnux remnux 1.2K Jan 21 09:15 docs.lnk\r\n-rw-r--r-- 1 remnux remnux 726K Jan 22 2022 Documents-17.iso\r\nIt looks like the ISO contained two files, an autorun.exe and a docs.lnk file.\r\nInspecting the LNK File\r\nThinking through the chain of actions a victim is likely to take, the victim will try to double-click the ISO file and Windows will mount it as a removable drive. The victim will then click either autorun.exe or docs.lnk. Shortcut LNK files often contain shady material because they allow a creator to specify command line arguments in the shortcut to perform arbitrary actions. We can triage this file and analyze it using file and exiftool.\r\nremnux@remnux:~/cases/bazariso$ file docs.lnk\r\ndocs.lnk: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line argum\r\nremnux@remnux:~/cases/bazariso$ exiftool docs.lnk\r\nExifTool Version Number : 12.30\r\nFile Name : docs.lnk\r\nDirectory : .\r\nFile Size : 1225 bytes\r\nFile Modification Date/Time : 2022:01:21 09:15:47-05:00\r\nFile Access Date/Time : 2022:01:22 17:51:01-05:00\r\nFile Inode Change Date/Time : 2022:01:22 17:42:19-05:00\r\nFile Permissions : -rw-rw-r--\r\nFile Type : LNK\r\nFile Type Extension : lnk\r\nMIME Type : application/octet-stream\r\nFlags : IDList, LinkInfo, RelativePath, CommandArgs, IconFile, Unicode, TargetMetadata\r\nFile Attributes : Archive\r\nCreate Date : 2021:12:26 16:31:16-05:00\r\nAccess Date : 2022:01:21 07:35:47-05:00\r\nModify Date : 2021:12:26 16:31:16-05:00\r\nTarget File Size : 71680\r\nIcon Index : 5\r\nRun Window : Normal\r\nHot Key : (none)\r\nTarget File DOS Name : rundll32.exe\r\nDrive Type : Fixed Disk\r\nVolume Label :\r\nLocal Base Path : C:\\Windows\\System32\\rundll32.exe\r\nRelative Path : ..\\Windows\\System32\\rundll32.exe\r\nCommand Line Arguments : advpack.dll,RegisterOCX autorun.exe\r\nIcon File Name : %systemroot%\\system32\\imageres.dll\r\nMachine ID : desktop-i8bn9qk\r\nAlright, we definitely have a LNK shortcut file! Inspecting it with exiftool, the shortcut is fairly small at 1225 bytes. Larger shortcut files may indicate very large PowerShell or scripting command line properties. In this case, it looks like the command the shortcut executes is C:\\Windows\\System32\\rundll32.exe advpack.dll,RegisterOCX autorun.exe. This command is a way to execute autorun.exe using rundll32.exe as a LOLBIN. The icon is one from a default Windows installation, but some LNK files I’ve seen have had ones distributed with the files as well. The last bit of detail in this output is the Machine ID. This property shows the computer name of the system that created the shortcut. So, the adversary either created this shortcut on a system named desktop-i8bn9qk or knows how to modify the shortcut file to that name.\r\nTriage and Estimate Capabilities\r\nAlright, let’s see if we can estimate some of the capabilities of the autorun.exe binary using capa and yara.\r\nremnux@remnux:~/cases/bazariso$ capa autorun.exe\r\n+------------------------+------------------------------------------------------------------------------------+\r\n| md5 | 6d583d7666ffbc439f86f8954cc3e0ec |\r\n| sha1 | d17ff6f48a3e3693ee61b79341ed282087df2e71 |\r\n| sha256 | 667753d0c33cf7874b3d4cf05be4cf245558515e73330e133c60da63554471d8 |\r\n| path | autorun.exe |\r\n+------------------------+------------------------------------------------------------------------------------+\r\n+------------------------+------------------------------------------------------------------------------------+\r\n| ATT\u0026CK Tactic | ATT\u0026CK Technique |\r\n|------------------------+------------------------------------------------------------------------------------|\r\n| COLLECTION | Input Capture::Keylogging T1056.001 |\r\n| DEFENSE EVASION | Modify Registry:: T1112 |\r\n| | Obfuscated Files or Information:: T1027 |\r\n| | Obfuscated Files or Information::Indicator Removal from Tools T1027.005 |\r\n| DISCOVERY | File and Directory Discovery:: T1083 |\r\n| | Query Registry:: T1012 |\r\n| | System Information Discovery:: T1082 |\r\n| EXECUTION | Shared Modules:: T1129 |\r\n+------------------------+------------------------------------------------------------------------------------+\r\n+-----------------------------+-------------------------------------------------------------------------------+\r\n| MBC Objective | MBC Behavior |\r\n|-----------------------------+-------------------------------------------------------------------------------|\r\n| COLLECTION | Keylogging::Polling [F0002.002] |\r\n| DATA | Encode Data::XOR [C0026.002] |\r\n| DEFENSE EVASION | Obfuscated Files or Information::Encoding-Standard Algorithm [E1027.m02] |\r\n| DISCOVERY | Application Window Discovery::Window Text [E1010.m01] |\r\n| FILE SYSTEM | Delete File:: [C0047] |\r\n| | Read File:: [C0051] |\r\n| | Writes File:: [C0052] |\r\n| OPERATING SYSTEM | Environment Variable::Set Variable [C0034.001] |\r\n| | Registry::Create Registry Key [C0036.004] |\r\n| | Registry::Delete Registry Key [C0036.002] |\r\n| | Registry::Open Registry Key [C0036.003] |\r\n| | Registry::Query Registry Value [C0036.006] |\r\n| | Registry::Set Registry Key [C0036.001] |\r\n| PROCESS | Set Thread Local Storage Value:: [C0041] |\r\n| | Terminate Process:: [C0018] |\r\n+-----------------------------+-------------------------------------------------------------------------------+\r\n+------------------------------------------------------+------------------------------------------------------+\r\n| CAPABILITY | NAMESPACE |\r\n|------------------------------------------------------+------------------------------------------------------|\r\n| log keystrokes via polling | collection/keylog |\r\n| encode data using XOR (2 matches) | data-manipulation/encoding/xor |\r\n| contain a resource (.rsrc) section | executable/pe/section/rsrc |\r\n| extract resource via kernel32 functions (8 matches) | executable/resource |\r\n| query environment variable | host-interaction/environment-variable |\r\n| set environment variable | host-interaction/environment-variable |\r\n| get common file path | host-interaction/file-system |\r\n| delete file | host-interaction/file-system/delete |\r\n| enumerate files via kernel32 functions (2 matches) | host-interaction/file-system/files/list |\r\n| get file size | host-interaction/file-system/meta |\r\n| read .ini file (2 matches) | host-interaction/file-system/read |\r\n| read file | host-interaction/file-system/read |\r\n| write file (2 matches) | host-interaction/file-system/write |\r\n| get graphical window text | host-interaction/gui/window/get-text |\r\n| get disk information | host-interaction/hardware/storage |\r\n| set thread local storage value | host-interaction/process |\r\n| terminate process | host-interaction/process/terminate |\r\n| query or enumerate registry value (3 matches) | host-interaction/registry |\r\n| set registry value | host-interaction/registry/create |\r\n| delete registry key (2 matches) | host-interaction/registry/delete |\r\n| access PEB ldr_data (3 matches) | linking/runtime-linking |\r\n| link function at runtime (15 matches) | linking/runtime-linking |\r\n| resolve function by hash (2 matches) | linking/runtime-linking |\r\n| parse PE exports (3 matches) | load-code/pe |\r\n| parse PE header (10 matches) | load-code/pe |\r\n+------------------------------------------------------+------------------------------------------------------+\r\nFrom the capa output, there are already some capabilities here that will likely increase analysis time. These include:\r\naccess PEB ldr_data\r\nlink function at runtime\r\nresolve function by hash\r\nThe PEB ldr_data rule indicates the binary contains some assembly instructions that resolve DLL module lists from the process environment block of the process while it is running. This is a method used by shellcode to resolve DLL imports and by pain-in-the-can malware to hide its imports. Linking functions at runtime means the sample likely issues LoadLibrary() or similar calls to import DLLs at runtime instead of when the program first loads. Finally, resolving functions by hash means it’ll be a hassle to see which functions are being resolved, as they’ll appear as hashes rather than cleartext strings.\r\nLet’s see what we get from YARA.\r\nremnux@remnux:~/cases/bazariso$ yara-rules autorun.exe\r\nCheck_OutputDebugStringA_iat autorun.exe\r\nanti_dbg autorun.exe\r\nwin_hook autorun.exe\r\nscreenshot autorun.exe\r\nkeylogger autorun.exe\r\nwin_registry autorun.exe\r\nwin_files_operation autorun.exe\r\nIsPE64 autorun.exe\r\nIsWindowsGUI autorun.exe\r\nHasRichSignature autorun.exe\r\nMicrosoft_Visual_Cpp_80_DLL autorun.exe\r\nYARA thinks the sample has some anti-debugging, so that might become a hassle while doing further analysis later. From here my analysis style would be to toss this sucker into a sandbox to see what it does, because further analysis is going to produce diminishing returns for me.\r\nThanks for reading!\r\nSource: https://forensicitguy.github.io/bazariso-analysis-advpack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://forensicitguy.github.io/bazariso-analysis-advpack/"
	],
	"report_names": [
		"bazariso-analysis-advpack"
	],
	"threat_actors": [],
	"ts_created_at": 1775434286,
	"ts_updated_at": 1775826730,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/819c971dcd76c270893cca12b86e41645403a76f.pdf",
		"text": "https://archive.orkl.eu/819c971dcd76c270893cca12b86e41645403a76f.txt",
		"img": "https://archive.orkl.eu/819c971dcd76c270893cca12b86e41645403a76f.jpg"
	}
}