
DarkPink - KamiKakaBot Malware

The following IOCs are based on the analysis and research described in the accompanying blog post.

IOCs

New Variant

| Type | Indicator |
| --- | --- |
| Commandline | `SCHTASKS /CREATE /f /TN "OneDriver Reporting Task" /TR "shutdown /l /f" /SC WEEKLY /d TUE,FRI /ST 12:35` |
| Path | `%localappdata%\Temp\wctA91F.tmp` |
| Path | `%localappdata%\Temp\3f88dd57-6ce606be-54c358fb-c566587a.tmp` |
| C2 | `hxxps[://]api[.]telegram[.]org/bot6860236203:AAFrlFzcLuyXU4HxKisFUhvhwKucyL4rDS0` |

Old Variant

| Type | Indicator |
| --- | --- |
| Commandline | `SCHTASKS /CREATE /f /TN "Health Check" /TR "shutdown /l /f" /SC WEEKLY /d WED,FRI /ST 13:15` |
| Commandline | `SCHTASKS /CREATE /f /TN "Microsoft Idle" /TR "shutdown /l /f" /SC WEEKLY /d WED,FRI /ST 23:00` |
| Path | `%localappdata%\Temp\wctF3AB.tmp` |
| Path | `%localappdata%\Temp\207ee439-2ebd-ba42-2f6f-ea02adb4a830.tmp` |
| Path | `%localappdata%\desktop.ini.dat` |
| C2 | `hxxps[://]api[.]telegram[.]org/bot6236700491:AAEcSXSg2mYbr8ydVVlOaJXJloWVRzoMwdM` |

Hashes

You can grab the list of all the samples we currently track related to DarkPink / KamiKakaBot from our Valhalla website.

Registry

New Variant

  • `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\`

    • Value: `Shell`, Data: `explorer.exe, explorer.exe /e,/root,%Pyps% -nop -w h "Start-Process -N -F $env:Msbd -A $env:Temprd"`

Old Variant

  • `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\`

    • Value: `Shell`, Data: `explorer.exe, %SYSPS% -nop -w h "Start-Process -N -F $env:OSBuild -A $env:STMP"`
    • Value: `Shell`, Data: `explorer.exe, %WINSYSPS% -nop -w h "Start-Process -WindowStyle Hidden -FilePath $env:SYSS -ArgumentList $env:STMP"`
    • Value: `Shell`, Data: `explorer.exe, explorer.exe /e,/root,%PSH% -nop -w h "Start-Process -N -F $env:SYSB -A $env:TPM"`
    • Value: `Shell`, Data: `explorer.exe, %PSS% -nop -w h "Start-Process -N -F $env:MS -A $env:TMPT"`

Additional Resources

  • Sigma
  • Scripts