Kapeka Backdoor Loaded Via Rundll32EXE

Last updated on:

About the rule

Rule Type

Standard

Rule Description

Detects the Kapeka Backdoor binary being loaded by rundll32.exe.

Severity

Trouble

Rule Requirement

Criteria

Action1: actionname = "Image Loaded" AND (PROCESSNAME endswith "\rundll32.exe" AND OBJECTNAME contains ":\ProgramData,\AppData\Local" AND OBJECTNAME endswith ".wll") select Action1.HOSTNAME,Action1.MESSAGE,Action1.PROCESSNAME,Action1.PRODUCT_NAME,Action1.OBJECTNAME,Action1.SIGNATURE,Action1.SIGNATURESTATUS

Detection

Execution Mode

realtime

Log Sources

Windows

Author

@Swachchhanda Shrawan Poudel