Potential KamiKakaBot Activity - Lure Document Execution

    Date: 08/07/2024

    Severity: Medium

    Summary

    Identifies when a Word document is executed through the WinWord Start Menu shortcut. This activity was seen in KamiKakaBot samples as a method to trigger the second stage of the infection.

    Indicators of Compromise (IOC) List

    Image: \cmd.exe

    CommandLine: '/c ', '.lnk ~', 'Start Menu\Programs\Word', '.doc'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    (((resourceName = "Sysmon"  AND eventtype = "1"  ) AND imagepath in ("\cmd.exe" ) ) AND commandline in ("/c" , ".lnk ~" , "Start Menu\Programs\Word" , ".doc" ) )

    Detection Query 2

    (((technologygroup = "EDR"  ) AND imagepath in ("\cmd.exe" ) ) AND commandline in ("/c" , ".lnk ~" , "Start Menu\Programs\Word" , ".doc" ) )
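    The same matching logic as the two queries above, applied to process-creation events of the shape Sysmon Event ID 1 produces, as an added example (not Gurucul's or SigmaHQ's code). The field names Image and CommandLine follow Sysmon, the command-line markers must all be present (as in the linked Sigma rule), and the sample events are constructed, not captured telemetry.

```python
# Added example, not Gurucul's or SigmaHQ's code: evaluates the page's IOC list
# against process-creation events shaped like Sysmon Event ID 1.
# The image must end with \cmd.exe and the command line must contain every
# marker; matching is case-insensitive because Windows paths are.
IMAGE_SUFFIX = r"\cmd.exe"
COMMANDLINE_MARKERS = ("/c ", ".lnk ~", r"Start Menu\Programs\Word", ".doc")


def matches_kamikakabot_lure(event: dict) -> bool:
    """True when the event satisfies every condition of the page's IOC list."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if not image.endswith(IMAGE_SUFFIX.lower()):
        return False
    return all(marker.lower() in cmdline for marker in COMMANDLINE_MARKERS)


def find_matches(events: list) -> list:
    """Return the RecordId of every matching event, for triage."""
    return [e["RecordId"] for e in events if matches_kamikakabot_lure(e)]


# Constructed sample telemetry (hypothetical paths), not from a real host.
SAMPLE_EVENTS = [
    {  # cmd.exe launching the Word Start Menu shortcut with a .doc: matches
        "RecordId": 1, "EventID": 1,
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Word.lnk ~C:\Users\Public\lure.doc"',
    },
    {  # ordinary cmd.exe use: no .lnk and no Start Menu path, so no match
        "RecordId": 2, "EventID": 1,
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c dir C:\Users\Public\Documents",
    },
    {  # identical arguments under a different image: the Image filter rejects it
        "RecordId": 3, "EventID": 1,
        "Image": r"C:\Windows\System32\conhost.exe",
        "CommandLine": r'conhost.exe /c "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Word.lnk ~C:\Users\Public\lure.doc"',
    },
]

if __name__ == "__main__":
    for rid in find_matches(SAMPLE_EVENTS):
        print(f"RecordId {rid}: potential KamiKakaBot lure execution")
```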

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml

    https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/


    Tags

    SigmaMalware
