Potential Goofy Guineapig GoolgeUpdate Process Anomaly
Detects "GoogleUpdate.exe" spawning a new instance of itself in an uncommon location as seen used by the Goofy Guineapig backdoor
Sigma rule
```yaml
title: Potential Goofy Guineapig GoolgeUpdate Process Anomaly
id: bdbab15a-3826-48fa-a1b7-723cd8f32fcc
status: test
description: Detects "GoogleUpdate.exe" spawning a new instance of itself in an uncommon location as seen used by the Goofy Guineapig backdoor
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/15
tags:
    - attack.defense_evasion
    - detection.emerging_threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\GoogleUpdate.exe'
        Image|endswith: '\GoogleUpdate.exe'
    filter_main_legit_paths:
        - Image|startswith:
            - 'C:\Program Files\Google\'
            - 'C:\Program Files (x86)\Google\'
        - Image|contains: '\AppData\Local\Google\Update\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
```
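The condition `selection and not 1 of filter_main_*` means: alert when both parent and child image names end in `\GoogleUpdate.exe`, unless the child binary lives under one of the listed legitimate Google paths. The following is an added example, not code from the rule or from the Sigma project, that reimplements that logic in Python and runs it over a handful of constructed process-creation events (the paths are hypothetical and not taken from the NCSC report). Sigma string matching is case-insensitive by default, so the comparison lowercases both sides.

```python
# Added example: evaluates the rule's selection/filter logic against
# constructed process_creation events. Not part of the Sigma rule itself.
from __future__ import annotations

from typing import Iterable

# Filter values copied from the rule, lowercased because Sigma matching is
# case-insensitive. Python raw strings cannot end in a backslash, so the
# backslashes are doubled instead.
LEGIT_PREFIXES = (
    "c:\\program files\\google\\",
    "c:\\program files (x86)\\google\\",
)
LEGIT_CONTAINS = "\\appdata\\local\\google\\update\\"


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies: selection and not 1 of filter_main_*."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()

    # selection: both ParentImage and Image end with \GoogleUpdate.exe
    if not (parent.endswith("\\googleupdate.exe") and image.endswith("\\googleupdate.exe")):
        return False

    # filter_main_legit_paths: any single list item matching suppresses the alert
    if image.startswith(LEGIT_PREFIXES):
        return False
    if LEGIT_CONTAINS in image:
        return False
    return True


def evaluate(events: Iterable[dict]) -> list[str]:
    """Return the Image path of every event the rule would alert on."""
    return [e["Image"] for e in events if matches_rule(e)]


# Constructed sample events (hypothetical paths, not indicators from the report).
SAMPLE_EVENTS = [
    # Machine-wide updater respawning itself from Program Files: filtered out.
    {"ParentImage": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe",
     "Image": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe"},
    # Per-user updater under AppData\Local\Google\Update: filtered out.
    {"ParentImage": "C:\\Users\\alice\\AppData\\Local\\Google\\Update\\GoogleUpdate.exe",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Google\\Update\\GoogleUpdate.exe"},
    # Self-spawn from an uncommon, user-writable location: this is the alert.
    {"ParentImage": "C:\\Users\\Public\\Libraries\\GoogleUpdate.exe",
     "Image": "C:\\Users\\Public\\Libraries\\GoogleUpdate.exe"},
    # Same odd path but the parent is explorer.exe: selection fails, no match.
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Users\\Public\\Libraries\\GoogleUpdate.exe"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT: GoogleUpdate.exe self-spawn outside known paths:", hit)
```

The fourth sample event is worth noting when tuning: the rule deliberately requires the parent to be `GoogleUpdate.exe` as well, so a `GoogleUpdate.exe` dropped in an odd directory and launched by something else is out of scope here and would need a different rule.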
Related rules
- Goofy Guineapig Backdoor IOC
- Potential Devil Bait Malware Reconnaissance
- Potential Devil Bait Related Indicator
- Potential Qakbot Rundll32 Execution
- Qakbot Rundll32 Exports Execution