Goofy Guineapig Backdoor IOC
Detects malicious indicators seen used by the Goofy Guineapig malware
Sigma rule (View on GitHub)
1title: Goofy Guineapig Backdoor IOC
2id: f0bafe60-1240-4798-9e60-4364b97e6bad
3status: test
4description: Detects malicious indicators seen used by the Goofy Guineapig malware
5references:
6 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2023/05/14
9tags:
10 - attack.execution
11 - attack.defense_evasion
12 - detection.emerging_threats
13logsource:
14 product: windows
15 category: file_event
16detection:
17 selection:
18 TargetFilename:
19 - 'C:\ProgramData\GoogleUpdate\config.dat'
20 - 'C:\ProgramData\GoogleUpdate\GoogleUpdate.exe'
21 - 'C:\ProgramData\GoogleUpdate\GoogleUpdate\tmp.bat'
22 - 'C:\ProgramData\GoogleUpdate\goopdate.dll'
23 condition: selection
24falsepositives:
25 - Unlikely
26level: high
References
-
%PDF-1.7 %µµµµ 1 0 obj /Metadata 2177 0 R/ViewerPreferences 2178 0 R>> endobj 2 0 obj endobj 3 0 obj /ExtGState /XObject /ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 594.96 842.04] /Co...
Read More
Related rules
- Potential Qakbot Rundll32 Execution
- Qakbot Rundll32 Exports Execution
- Qakbot Rundll32 Fake DLL Extension Execution
- Qakbot Regsvr32 Calc Pattern
- Potential Raspberry Robin CPL Execution Activity