The detection identifies a file with a .jpg extension that is actually a payload loaded by regsvr32.exe to execute Bazarloader, indicating potential email-based malware delivery. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage phishing campaigns that use disguised payloads.
KQL Query

```kql
DeviceImageLoadEvents
| where InitiatingProcessFileName =~ "regsvr32.exe" and InitiatingProcessCommandLine has ".jpg" and FileName endswith ".jpg"
| summarize by FileName, SHA256, DeviceId, bin(Timestamp, 1d)
```
```yaml
id: b760519d-392b-4baf-a2d6-087dc302de1c
name: Zip-Doc - Creation of JPG Payload File
description: |
  In the campaign where Bazarloader is delivered via emails containing password-protected zip attachments, regsvr32.exe is used to launch a malicious payload that is disguised as a JPG file.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceImageLoadEvents
tactics:
  - Execution
query: |
  DeviceImageLoadEvents
  | where InitiatingProcessFileName =~ "regsvr32.exe" and InitiatingProcessCommandLine has ".jpg" and FileName endswith ".jpg"
  | summarize by FileName, SHA256, DeviceId, bin(Timestamp, 1d)
```
| Sentinel Table | Notes |
|---|---|
| DeviceImageLoadEvents | Ensure this data connector is enabled |
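As an added example (not part of the original rule), the query's filter and daily summarize replayed in Python over constructed DeviceImageLoadEvents rows, so the operator semantics can be checked offline. Column names are the Defender schema columns the query uses; the rows, paths and hashes are made up.

```python
from datetime import datetime, timezone

# Constructed sample rows in the DeviceImageLoadEvents shape (not real telemetry).
SAMPLE_EVENTS = [
    # Two loads of the same .jpg-named module on one device, same UTC day:
    # the daily bin collapses them into a single result row.
    {"Timestamp": "2021-06-01T09:15:00Z", "DeviceId": "dev-a", "FileName": "photo1.jpg",
     "SHA256": "aa" * 32, "InitiatingProcessFileName": "regsvr32.exe",
     "InitiatingProcessCommandLine": r"regsvr32.exe -s C:\Users\u\AppData\Local\Temp\photo1.jpg"},
    {"Timestamp": "2021-06-01T17:40:00Z", "DeviceId": "dev-a", "FileName": "photo1.jpg",
     "SHA256": "aa" * 32, "InitiatingProcessFileName": "REGSVR32.EXE",
     "InitiatingProcessCommandLine": r"REGSVR32.EXE -s C:\Users\u\AppData\Local\Temp\PHOTO1.JPG"},
    # A second device on a different day: its own result row.
    {"Timestamp": "2021-06-02T08:05:00Z", "DeviceId": "dev-b", "FileName": "invoice.jpg",
     "SHA256": "bb" * 32, "InitiatingProcessFileName": "regsvr32.exe",
     "InitiatingProcessCommandLine": r"regsvr32.exe /s C:\Users\v\Downloads\invoice.jpg"},
    # regsvr32 registering an ordinary DLL: no .jpg anywhere, must not match.
    {"Timestamp": "2021-06-02T08:06:00Z", "DeviceId": "dev-b", "FileName": "tool.dll",
     "SHA256": "cc" * 32, "InitiatingProcessFileName": "regsvr32.exe",
     "InitiatingProcessCommandLine": r"regsvr32.exe /s C:\Program Files\Tool\tool.dll"},
    # System DLL loaded by the same suspicious regsvr32 process: the FileName
    # clause drops this noise so only the .jpg-named module is reported.
    {"Timestamp": "2021-06-02T08:05:01Z", "DeviceId": "dev-b", "FileName": "kernel32.dll",
     "SHA256": "dd" * 32, "InitiatingProcessFileName": "regsvr32.exe",
     "InitiatingProcessCommandLine": r"regsvr32.exe /s C:\Users\v\Downloads\invoice.jpg"},
]

def matches_rule(ev):
    """The KQL `where` clause. `=~` is case-insensitive equality; `has` and
    `endswith` are case-insensitive too. A substring test stands in for `has`,
    which in KQL is a term match (equivalent here for the literal ".jpg")."""
    return (ev["InitiatingProcessFileName"].lower() == "regsvr32.exe"
            and ".jpg" in ev["InitiatingProcessCommandLine"].lower()
            and ev["FileName"].lower().endswith(".jpg"))

def summarize_daily(events):
    """`summarize by FileName, SHA256, DeviceId, bin(Timestamp, 1d)`: one row
    per distinct (file, hash, device, UTC day) among the matching events."""
    rows = set()
    for ev in events:
        if not matches_rule(ev):
            continue
        ts = datetime.fromisoformat(ev["Timestamp"].replace("Z", "+00:00"))
        day = ts.astimezone(timezone.utc).date().isoformat()
        rows.add((ev["FileName"], ev["SHA256"], ev["DeviceId"], day))
    return sorted(rows)

if __name__ == "__main__":
    for row in summarize_daily(SAMPLE_EVENTS):
        print(row)
```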
Scenario: Scheduled Job Generating JPG Files
Description: A legitimate scheduled job (e.g., Task Scheduler or cron job) generates .jpg files as part of report generation or image processing.
Filter/Exclusion: Check for process.name = reportgenerator.exe or imageprocessor.exe and filter by process.parent.name = task scheduler or cron.
Scenario: Admin Task for File Conversion
Description: An administrator uses a tool like ImageMagick or convert.exe to convert image formats, inadvertently creating .jpg files.
Filter/Exclusion: Filter by process.name = convert.exe or imagick.exe and check for process.parent.name = powershell.exe or cmd.exe with known admin scripts.
Scenario: User-Generated JPG Files via Email
Description: A user receives a legitimate email with a .jpg attachment and saves it to the file system, triggering the rule.
Filter/Exclusion: Filter by file.name = *.jpg and check for process.name = outlook.exe or msoutlk.exe with file.source = email attachment.
Scenario: Malware Analysis Lab Environment
Description: In a sandboxed environment, a security tool like Cuckoo Sandbox or Joe Sandbox generates .jpg files as part of malware analysis.
Filter/Exclusion: Check for process.name = cuckoo.exe or joe_sandbox.exe and filter by file.path containing sandbox or analysis.
Scenario: Document Conversion Using Microsoft Office
Description: A user converts a document (e.g., .docx) to a .jpg using Microsoft Office or