121. Detecting Earth Kasha's ROAMINGMOUSE

Hello everyone!

Reading Trend Micro's report on Earth Kasha, I spotted a curious behavior marker of ROAMINGMOUSE: it abuses WMI to execute JSLNTOOL.EXE via explorer.exe. JSLNTOOL.EXE is a legitimate JustSystems application that the adversary uses to sideload JSFC.dll, a malicious loader.

This means we can hunt for suspicious executions of explorer.exe whose parent process is wmiprvse.exe (the WMI provider host):

event_type: "processcreatewin" AND proc_file_path: "explorer.exe" AND proc_p_file_path: "wmiprvse.exe"

As for JSLNTOOL.EXE, you can also hunt for related execution events, matching on the original file name (so a renamed copy is still caught) and excluding the vendor's install path, which leaves executions from uncommon locations:

event_type: "processcreatewin" AND proc_file_originalfilename: "jslntool.exe" AND NOT proc_file_path: "justsystems"
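Both queries above, as an added example that is not part of the original post or of Trend Micro's report: the same two rules re-implemented in Python over constructed Sysmon-style process-creation records so the logic can be checked offline. The field names (Image, ParentImage, OriginalFileName), the sample events, the JustSystems install directories and the assumption that the original query's path match is a substring match are all mine; map them to your own telemetry. A third rule goes beyond the post and shows why a substring exclusion is weak: a staging folder merely named JustSystems slips past it, while an allowlist of install roots still fires.

```python
"""Hunting the ROAMINGMOUSE process chain in process-creation events.

Added example, not code from the original post or from Trend Micro. It
re-implements the post's two queries in Python over constructed Sysmon-style
(Event ID 1) records. Field names (Image, ParentImage, OriginalFileName) are
assumed; map them to your own telemetry schema.
"""
import ntpath

# Constructed sample events; none of these are real telemetry.
EVENTS = [
    # 0: explorer.exe launched through WMI (the ROAMINGMOUSE marker)
    {"Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "OriginalFileName": "EXPLORER.EXE"},
    # 1: JSLNTOOL.EXE staged in a user-writable directory (sideload host)
    {"Image": r"C:\Users\Public\JSLNTOOL.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "JSLNTOOL.EXE"},
    # 2: the legitimate tool run from its install directory
    {"Image": r"C:\Program Files\JustSystems\JSLNTOOL.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "JSLNTOOL.EXE"},
    # 3: a normal interactive logon spawning the shell
    {"Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "OriginalFileName": "EXPLORER.EXE"},
    # 4: JSLNTOOL.EXE renamed on disk; only OriginalFileName gives it away
    {"Image": r"C:\Users\Public\update.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "JSLNTOOL.EXE"},
    # 5: staged under a folder merely *named* JustSystems
    {"Image": r"C:\Users\Public\JustSystems\JSLNTOOL.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "JSLNTOOL.EXE"},
]

# Assumed default install roots for JustSystems products (lower-cased).
JUSTSYSTEMS_DIRS = (
    "c:\\program files\\justsystems\\",
    "c:\\program files (x86)\\justsystems\\",
)


def _basename(path):
    # ntpath handles Windows separators even when run on Linux/macOS.
    return ntpath.basename(path).lower()


def explorer_from_wmiprvse(ev):
    """Post's first query: explorer.exe whose parent is wmiprvse.exe."""
    return (_basename(ev["Image"]) == "explorer.exe"
            and _basename(ev["ParentImage"]) == "wmiprvse.exe")


def jslntool_outside_justsystems(ev):
    """Post's second query, with 'justsystems' treated as a substring match
    on the image path (assumed semantics of the original query language)."""
    return (ev["OriginalFileName"].lower() == "jslntool.exe"
            and "justsystems" not in ev["Image"].lower())


def jslntool_outside_install_dir(ev):
    """Stricter variant (my addition): only the known install roots are
    allowed, so a staging folder that merely contains 'JustSystems' in its
    name still fires."""
    image = ev["Image"].lower()
    return (ev["OriginalFileName"].lower() == "jslntool.exe"
            and not any(image.startswith(d) for d in JUSTSYSTEMS_DIRS))


RULES = (explorer_from_wmiprvse, jslntool_outside_justsystems,
         jslntool_outside_install_dir)


def hunt(events, rules=RULES):
    """Return (event index, rule name) for every rule that fires, in order."""
    return [(i, rule.__name__)
            for i, ev in enumerate(events)
            for rule in rules if rule(ev)]


if __name__ == "__main__":
    for i, name in hunt(EVENTS):
        print(f"event {i}: {name} -> {EVENTS[i]['Image']}")
```

Running it flags events 0, 1, 4 and 5 and leaves the legitimate install-directory execution (2) and the userinit logon chain (3) alone. Event 5 is the one to note: the post's substring exclusion misses it, so in production prefer an allowlist of full install paths over a path keyword.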

See you tomorrow!
