rule kamikakabot_loader { meta: threat_actor = "Dark Pink APT" description = "Detects KamiKakaBot Loader" Author = "EclecticIQ Threat Research Team" creation_date = "2023-02-15" classification = "TLP:WHITE" hash = "3f38860d0f6f0ff1b65219379f8793383cba85b11de1c853192fb2d2ba99e481" strings: $xor_decryption_function = {0F 11 45 A0 48 8D 45 90 48 89 44 24 20 45 33 C9 45 8B C5 48 8B D6 48 8B CB FF 15 59 27 00 00 48 8B CB FF 15 C0 26 00 00 41 8B FE 41 8D 45 FF 48 63 C8 48 83 F9 01 7E 24 48 03 CE 0F 1F 44 00 00 0F B6 01 84 C0 74 15 34 CA 88 01 FF C7 48 FF C9 48 8B C1 48 2B C6 48 83 F8 01 7F E4} $xor_decryption_function_1 = {B8 8C 31 00 10 8D 50 01 8D 64 24 00 8A 08 40 84 C9 75 F9 2B C2 8B F8 33 D2 8B C6 F7 F7 8D 0C 1E 8A 82 8C 31 00 10 8B 54 24 10 32 04 0A 46} $ = "E:\\research\\BypassAV\\Offic_signed_dll\\DismCore\\ext\\submodules\\wil\\include\\wil\\resource.h" fullword ascii $ = "MSBuild.exe " fullword wide $ = "Local\\SM0:%d:%d:%hs" fullword wide $ = "WilError_03" fullword ascii $ = "D$0f9(t" fullword ascii $ = "cmd /c \"start /max winword.exe \"" fullword wide $ = "SOFTWARE\\Microsoft\\MSBuild\\ToolsVersions\\4.0" fullword wide $ = "DINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING" fullword ascii $ = "DINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPAD" ascii $ = "SCHTASKS /CREATE /f /TN \"Microsoft Idle\" /TR \"shutdown /l /f\" /SC WEEKLY /d WED,FRI /ST 23:00" fullword wide $ = "QSUVWh41" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 150KB and 4 of them or ( all of them ) } rule kamikakabot_malware { meta: threat_actor = "Dark Pink APT" description = "Detects KamiKakaBot Malware" Author = "EclecticIQ Threat Resear Team" creation_date = "2023-02-15" classification = "TLP:WHITE" hash1 = "06ecb4ae52acd132706830e3f1d4885dfb1a89b2925130d62a55b635e8ef36fd" strings: $ = "C:\\Users\\xioi\\Desktop\\Work\\DLL_XML\\Kami_Full.pdb" fullword ascii $ = {44 4B 65 79} $ = {4B 61 6D 69 2E 4B 61 6B 61 2B 3C 67 65 74 4D 65 73 73 61 67 65 41 73 79 6E 63 3E} $ = {67 65 74 54 65 6C 70 69} $ = {43 4D 44 5F 42 52 4F 57 53} $ = {43 4D 44 5F 55 50 44 41 54 45 58 4D 4C} $ = {43 4D 44 5F 55 50 44 41 54 45 54 4F 4B 45 4E} $ = {43 4D 44 5F 53 48 4F 57 55 50} $ = {1f 18 8d e6 00 00 01 25 d0 44 00 00 04 28 a7 00 00 0a 80 03 00 00 04} $ = "Kami.dll" fullword wide $ = "%temp%\\207ee439-2ebd-ba42-2f6f-ea02adb4a830.tmp" fullword wide $ = "%temp%\\wctF3AB.tmp" fullword wide $ = "%TEMP%\\wdat{0}.dat" fullword wide $= "Kami_Full.dll" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 3000KB and 4 of them or ( all of them ) }