On April 2, 2025, I encountered an interesting adware case involving a digitally signed executable that initially appeared legitimate, but upon further investigation, revealed malicious behavior. This post outlines how I identified, analyzed, and proactively blocked the threat using YARA, custom IOA rules, and IOC management.
Earlier in the day, I observed two separate endpoint detections involving the same executable:
C:\Program Files (x86)\BJCA\Update\BJCAUpdate.exe

The file was digitally signed by a Chinese organization, [REDACTED], which raised concerns due to its reputation in public OSINT sources and community threat intel platforms. Despite the valid signature, the file’s behavior matched that of typical adware or potentially unwanted applications.
Observed command line:

/ua /installsource scheduler

The stealthy execution, combined with network activity and its persistence mechanism, confirmed my suspicion: this was more than just a harmless updater.
I created a custom IOC entry with the known SHA256 hash:
4b6539eaebc10c14605f61e709be08f0246cec46f2662c496db8b2847aa4c887

This IOC was added with a “Prevent” policy across all Windows hosts to immediately block further execution.
To cover any repacked or renamed variants of the same behavior, I wrote a Custom IOA rule targeting:
Image name: BJCAUpdate.exe
Command line containing: /ua, installsource, and scheduler

This behavior-based approach ensured broader protection against future modifications of the executable.
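To show how the hash IOC and the behavior-based IOA above complement each other, here is an added Python example (not the post's own code or the Falcon product's logic) that evaluates both layers against constructed process-creation events; the event fields, the sample events, and the verdict format are assumptions made for the example, while the hash, image name, and command-line tokens come from the post.

```python
import hashlib
import ntpath
from dataclasses import dataclass

# Indicators from the post: the SHA256 IOC entry and the Custom IOA criteria.
BLOCKED_SHA256 = {"4b6539eaebc10c14605f61e709be08f0246cec46f2662c496db8b2847aa4c887"}
IOA_IMAGE_NAME = "bjcaupdate.exe"
IOA_CMD_TOKENS = ("/ua", "installsource", "scheduler")


@dataclass
class ProcessEvent:
    """Minimal process-creation record, as an EDR sensor would report it (assumed shape)."""
    image_path: str
    command_line: str
    sha256: str


def sha256_hex(data: bytes) -> str:
    """File hash as used for the IOC, applied here to in-memory bytes."""
    return hashlib.sha256(data).hexdigest()


def ioc_match(event: ProcessEvent) -> bool:
    """Exact-hash IOC: fires on the known binary even if it is renamed or moved."""
    return event.sha256.lower() in BLOCKED_SHA256


def ioa_match(event: ProcessEvent) -> bool:
    """Behavior IOA: image name plus all three command-line tokens,
    case-insensitive and in any order, so a repacked build with a new hash still fires."""
    name = ntpath.basename(event.image_path).lower()
    cmd = event.command_line.lower()
    return name == IOA_IMAGE_NAME and all(tok in cmd for tok in IOA_CMD_TOKENS)


def evaluate(event: ProcessEvent) -> list[str]:
    """Return the layers that fire; any non-empty result maps to a Prevent action."""
    return [layer for layer, hit in (("ioc", ioc_match(event)), ("ioa", ioa_match(event))) if hit]


KNOWN_HASH = next(iter(BLOCKED_SHA256))
SAMPLE_EVENTS = {  # constructed sample events, not real telemetry
    "original": ProcessEvent(r"C:\Program Files (x86)\BJCA\Update\BJCAUpdate.exe",
                             r'"C:\Program Files (x86)\BJCA\Update\BJCAUpdate.exe" /ua /installsource scheduler',
                             KNOWN_HASH),
    "renamed_copy": ProcessEvent(r"C:\Users\Public\svc.exe", "svc.exe /ua /installsource scheduler", KNOWN_HASH),
    "repacked": ProcessEvent(r"C:\Temp\BJCAUpdate.exe", "BJCAUpdate.exe /installsource scheduler /UA",
                             sha256_hex(b"constructed-repacked-build")),
    "benign": ProcessEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe", sha256_hex(b"constructed-benign")),
}

if __name__ == "__main__":
    for label, event in SAMPLE_EVENTS.items():
        print(f"{label:13s} -> {evaluate(event) or ['allow']}")
```

Only the combination covers both the same-bytes copy under a new name (hash IOC) and the rebuilt binary with the same name and arguments (IOA), which is why the post layers them.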
I also crafted a YARA rule to detect the threat based on its file path, command-line behavior, certificate string, and hash — giving me layered defense.
// Muhammet Algan
import "hash"   // required for hash.sha256() in the condition below

rule BJCA_Adware_Detector
{
    meta:
        description = "Detects potentially malicious BJCA updater with adware-like behavior"
        author = "Muhammet Algan"
        date = "2025-04-02"
        hash_sha256 = "4b6539eaebc10c14605f61e709be08f0246cec46f2662c496db8b2847aa4c887"
        severity = "high"
        category = "adware/malware"
        reference = "https://help.bjca.cn / OSINT sources"
    strings:
        // Install path, scheduler command line, support URL and signer name observed in the sample
        $s1_path = "C:\\Program Files (x86)\\BJCA\\Update\\BJCAUpdate.exe" nocase ascii
        $s2_cmd = "/ua /installsource scheduler" nocase ascii
        $s3_url = "https://help.bjca.cn" ascii
        $s4_sig = "北京数字认证股份有限公司" ascii
    condition:
        // Cheap PE-header and size checks first, so the full-file hash is only computed on plausible candidates
        uint16(0) == 0x5A4D and filesize < 20MB and
        (
            hash.sha256(0, filesize) == "4b6539eaebc10c14605f61e709be08f0246cec46f2662c496db8b2847aa4c887" or
            2 of ($s1_path, $s2_cmd, $s3_url, $s4_sig)
        )
}
I implemented a Falcon Workflow that automatically:
Tags the host
Quarantines the file
Sends alert notifications

Shortly after deploying the IOC and IOA, two new detections were logged, both of which were blocked successfully. This confirmed that the controls were working as intended.
Stay vigilant, automate what you can, and never underestimate seemingly “signed” executables.