Goofy Guineapig Backdoor IOC

Detects malicious indicators seen used by the Goofy Guineapig malware

Sigma rule (View on GitHub)

 1title: Goofy Guineapig Backdoor IOC
 2id: f0bafe60-1240-4798-9e60-4364b97e6bad
 3status: test
 4description: Detects malicious indicators seen used by the Goofy Guineapig malware
 5references:
 6    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023-05-14
 9tags:
10    - attack.execution
11    - attack.defense-evasion
12    - detection.emerging-threats
13logsource:
14    product: windows
15    category: file_event
16detection:
17    selection:
18        TargetFilename:
19            - 'C:\ProgramData\GoogleUpdate\config.dat'
20            - 'C:\ProgramData\GoogleUpdate\GoogleUpdate.exe'
21            - 'C:\ProgramData\GoogleUpdate\GoogleUpdate\tmp.bat'
22            - 'C:\ProgramData\GoogleUpdate\goopdate.dll'
23    condition: selection
24falsepositives:
25    - Unlikely
26level: high

References

Related rules

to-top