Leftover Lunch: Finding, Hunting and Eradicating Spicy Hot Pot, a Persistent Browser Hijacking Rootkit

December 22, 2020

| | From The Front Lines
In this blog, we take a look at a recent incident that involved a persistent browser hijacking rootkit dubbed “Spicy Hot Pot.” The name comes from Huorong (Tinder) Security, which first publicly reported on its discovery of this rootkit. Spicy Hot Pot is a browser hijacking rootkit that changes a user’s homepage to point to a page controlled by the malware operator, in addition to uploading memory dumps from a machine to a predefined server and incorporating a local update feature to ensure it can remain updated. Usually a browser hijacker would do this through malicious executables or registry keys that change the user’s homepage; however, Spicy Hot Pot takes this one step further by using two kernel-mode drivers that are dropped to disk and installed during the infection process to remain stealthy. These kernel drivers have a number of functions, such as hindering security software by intercepting their callback functions, collecting any memory dumps created on the system from a specific directory, and giving the malware operator the ability to update the malware as they see fit. In addition, one of the kernel drivers acts as a minifilter, which gives it the ability to intercept and modify any user input or output requests. One of the functions of this driver is to intercept any attempts by a user to display the malicious files, effectively making them invisible.

 

This particular piece of malware is primarily focused on Chinese users. This is inferred based on 1) it was found dropped from a number of keygen/activation tools used to “crack” or illegitimately activate Microsoft products that are developed with Chinese language packs, and 2) this malware is specifically targeting common antivirus software used in China. Although more can be said about this piece of malware, this blog post aims to give a quick overview of Spicy Hot Pot, its capabilities and how it can be manually removed from a host without the need for third-party software.

The Initial Detection

In June 2020, the CrowdStrike Falcon® Complete™ team received a machine learning (ML) alert that a suspicious binary called “baofeng15.0” attempted to run in a customer's environment. This had the below SHA256 hash:
  •  

    498ed725195b5ee52e406de237afa9ef268cabc4ef604c363aee2e78b3b13193
After analyzing this binary, the determination was made that it is bundled with a browser hijacking rootkit. This rootkit is known to date back as early as December 2019 and remains prevalent with new variants being discovered to date. Starting with dynamic analysis of the binary in question, it was revealed that it dropped nine items of interest (seven executables and two filter drivers) before disabling hibernation mode on the machine. A recreation of this activity after disabling preventions can be seen below using CrowdStrike Falcon®’s process execution tree.
Figure 1. Spicy Hot Pot as seen in the CrowdStrike Falcon® process execution tree (click image to enlarge)
This detection raises a number of questions due to the context and location of dropped binaries when run on a Windows 10 machine.
  • %localappdata%\Microsoft\Event Viewer\wccenter.exe
  • %localappdata%\Microsoft\Event Viewer\wdlogin.exe
  • %localappdata%\Microsoft\Event Viewer\wrme.exe
  • %localappdata%\Microsoft\Event Viewer\wuhost.exe
  • %localappdata%\Microsoft\WindowsApps\DvLayout.exe
  • %localappdata%\Temp\_J861.exe
  • %localappdata%\Temp\baofeng15.0.exe
  • %localappdata%\Microsoft\WindowsApps\KMDF_LOOK.sys
  • %localappdata%\Microsoft\WindowsApps\KMDF_Protect.sys
On Windows 7, the drivers fall into “Media Player” instead of “WindowsApps.” In addition, this made a number of registry modifications to the local machine’s software hive:
  • Software\Microsoft\Helicarrier\st\stemp
  • Software\Microsoft\Helicarrier\Channel
  • Software\Microsoft\DirectX\DvVersion
  • Software\Microsoft\DirectX\PvVersion
  • Software\Microsoft\DirectX\RvVersion
  • Software\Microsoft\Helicarrier\dp
  • Software\Microsoft\Helicarrier\ca
  • Software\Microsoft\Helicarrier\dr
  • Software\Microsoft\Helicarrier\eu
  • Software\Microsoft\Helicarrier\fd
  • Software\Microsoft\Helicarrier\ap
One important item to note is the presence of a new baofeng15.0.exe binary with a different hash. This was far more widespread than the binary that was just run and had a creation timestamp dating back four years:

 

  • 2016-01-13 13:19:34
Based on this, it’s likely that an older cracking tool has been repackaged with this malware and distributed online by the malware operator. The other eight files dropped are signed by a few different signing certificates issued to “Beijing JoinHope Image Technology Ltd.” Unique samples found have different validity timeframes for their signing certificates, showing validity issued anywhere from 1 minute to 10 years ago. At the time of writing, all had expired; however, they were still able to be successfully installed due to exceptions to driver signing enforcement.
File NameSigning Certificate
DvLayout.exeValid From

 

12:00 AM 05/16/2014 Valid To

 

 

 

11:59 PM 05/16/2015
wccenter.exeValid From

 

12:00 AM 05/16/2014 Valid To

 

 

 

11:59 PM 05/16/2015
wrme.exeValid From

 

12:00 AM 02/08/2010 Valid To

 

 

 

11:59 PM 02/07/2020
wuhost.exeValid From

 

12:00 AM 02/08/2010 Valid To

 

 

 

11:59 PM 02/07/2020
wdlogin.exeValid From

 

04:23 AM 08/22/2020 Valid To

 

 

 

04:23 AM 08/22/2020
_J861.exeValid From

 

12:00 AM 02/08/2010 Valid To

 

 

 

11:59 PM 02/07/2020
baofeng15.0.exeNot Signed
KMDF_LOOK.sysValid From

 

02:21 AM 06/13/2020 Valid To

 

 

 

02:21 AM 06/13/2020
KMDF_Protect.sysValid From

 

12:00 AM 05/16/2014 Valid To

 

 

 

11:59 PM 05/16/2015

 

 

Table 1. Validity timeframes for the files dropped by Spicy Hot Pot
Comparing this signing certificate to a public repository of malware samples reveals hundreds of unique malware samples, indicating that the creator of this malware (or someone with access to these signing certificates) is in no rush to stop using certificates issued to this entity. Many pieces of malware signed by this entity contained similar debugging (pdb) locations in their debug strings.
BinaryPDB
KMDF_LOOK.sysG:\SVN\源码\驱动\LookFile\KMDF_LOOK\Release\KMDF_LOOK_64.pdb
KMDF_Protect.sysG:\SVN\源码\驱动\protect\KMDF_Protect\Release\KMDF_Protect_64.pdb
wdlogin.exeD:\Work\Install_Driver\Driver_helper\Release\wdlogin.pdb
wrme.exeD:\Work\Install_Driver\Driver_helper\Release\wrme.pdb
wccenter.exeD:\Work\Install_Driver\Driver_helper\Release\wccenter.pdb
_J861.exeE:\work\Icon_Report\Release\_service.pdb
wuhost.exeD:\Work\Install_Driver\Driver_helper\Release\wuhost.pdb
Table 2. Debugging locations found in Spicy Hot Pot malware To a normal user, the kernel drivers dropped to disk are completely invisible. This is because not only are they renamed and installed on infection, but through their installation they begin to act as a rootkit — and one of the drivers hides the malware files from being shown on disk. This extends to making the executables dropped to disk invisible. We can see the different filtering capabilities of this driver from analyzing pseudo-code of the file KMDF_Protect.sys.
Figure 2. Minifilter being registered
Figure 3. Searching for.sys and .exe files to filter on
In addition to this, KMDF_Protect.sys checks for any executables running with known binary names from Qihoo 360 software.
Figure 4. Checking for antivirus software attempting to run
Figure 5. Strings used in preventing antivirus software from loading scanning modules
This also adds a shutdown callback for persistence. At shutdown, the driver attempts to write back the location of wccenter.exe to the system’s “RunOnce” key so that it runs again on boot. As this is performed by the kernel-mode driver, this modification isn’t shown by common registry monitoring tools.
Figure 6. Persistence through a shutdown function callback
If we compare this to KMDF_LOOK.sys, we can see that its primary function is to hijack the user’s homepage and delete process callbacks to security software.
Figure 7. Hardcoded URLs for the browser hijacking component
It should be noted that both drivers masquerade as legitimate service names to remain stealthy:
DriverMalicious Service NameMasqueraded Legitimate Service Name
KMDF_Protect.sysiaLPSS1ziaLPSSi*: Intel Serial IO Driver
KMDF_LOOK.sysLSI_SAS2lLSI_SAS2: LSI SAS GEN 2 Driver (StorPort)

 

Briefing over other components of this malware:
  • DVLayout.exe is used to install the rootkit. This creates the Mutex “DVLayout.”
  • _J861.exe is used to gather system information of the infected client, including serial number, and has a number of networking functions that support the operation of this malware. This temporarily creates a service called “R.”
  • wccenter.exe communicates with KMDF_Protect.sys using a named device created called \\Device\\iaLPSS1z and is used to run wdlogin.exe, wuhost.exe and wrme.exe.

     

Figure 8. wccenter.exe startup execution
wuhost.exe is used to update the rootkit drivers and modules as required. It creates the Mutex “Update” and contacts one of the following domains to fetch this update:
  • https<:>//du<.>testjj<.>com
  • https<:>//da<.>testiu<.>com
  • https<:>//db<.>testyk<.>com
wrme.exe is used to download and start or install modules such as wuhost.exe and wdlogin.exe in addition to gathering information about the operating system. It creates the Mutex “DLreport.” wdlogin.exe is used to find any dump file ending with dmp in the %SystemRoot%\minidump directory, compress it, and upload it to one of the above servers at the endpoint /api/v1/post_dump. This is likely for troubleshooting any blue screen errors that may be caused by the rootkit. It creates the Mutex “dumping.”

Investigation with Endpoint Detection and Response Data

Using CrowdStrike Falcon®’s telemetry via our Endpoint Activity Monitoring (EAM) application, we’re able to see the infection actions taking place when protections are disabled. This includes file writes of _J861.exe, KMDF_Protect.sys, KMDF_LOOK.sys, and their associated driver loads.
Figure 9. File events as seen in CrowdStrike Falcon®’s EAM Application (click image to enlarge)
Figure 10. DriverLoad events as seen in the CrowdStrike Falcon® EAM application (click image to enlarge)
By checking the registry and filter drivers on this host through CrowdStrike Falcon®’s Real Time Response (RTR) capability, we can locate the kernel drivers running and the dropped binaries to prove they reside on disk, given that we know their name and location. This works even though Spicy Hot Pot filters user input and output requests to make the files invisible to a normal user of Windows.
Figure 11. Rootkit drivers as seen through Real Time Response (RTR)
Figure 12. Rootkit service as seen through Real Time Response (RTR)
Figure 13. Rootkit service as seen through Real Time Response (RTR)

The Remediation

Spicy Hot Pot, like many other rootkits, utilizes kernel filter drivers that once started cannot be stopped by a user. These filter drivers prevent removal of registry keys, services or the kernel drivers themselves that are associated with the infection. Due to this, removing Spicy Hot Pot malware remotely can be quite challenging. Remediating a rootkit often requires doing so from a machine that is powered off or booted into safe mode; however, we can remove a rootkit such as Spicy Hot Pot without going to these extremes by making sure it cannot run at startup. Spicy Hot Pot places the malicious filter drivers within the “WindowsApps” folder, which, in addition to the “Event Viewer” or “Media Player” folder, is what is being filtered on. If you rename the folder, the filter drivers immediately become visible.

 

Figure 14. Rootkit drivers visible after renaming WindowsApps folder
This can be done even when the kernel filters are running, but the filter drivers cannot be removed by a user as they’re still running and protected.
Figure 15. Protected in-use kernel drivers that cannot be removed
After renaming the folder, if you restart an infected system, the path that is referenced by the kernel filter driver services no longer exists, and the drivers will fail to load. At this point, the drivers and associated malicious executables can be removed, and the folder renamed to “WindowsApps” once more. The services and registry keys associated with the rootkit can also be removed now.
Figure 16. Rootkit driver removal as seen through Real Time Response (RTR)

Conclusion

This post touched on a common browser hijacker being distributed with tools designed to illegitimately activate Microsoft products. It highlights some of the concerns associated with running “cracking” tools on a machine, and why it’s important to monitor and prevent not only unknown executables that are running, but also drivers that are loaded by an operating system and any minifilters present. By fusing CrowdStrike Falcon®’s detection and prevention capabilities, enriched endpoint

 

telemetry, Real Time Response capability and the expertise of the
CrowdStrike Falcon® Complete team, you’re uniquely positioned with the capability to detect, investigate, understand and respond to unknown threats within your environment 24/7, 365 days of the year.

Indicators

TypeName/PurposeIndicator
SHA256baofeng15.0498ed725195b5ee52e406de237afa9ef268cabc4ef604c363aee2e78b3b13193
SHA256DvLayout.exe551c4564d5ff537572fd356fe96df7c45bf62de9351fae5bb4e6f81dcbe34ae5
SHA256wccenter.exe17095beda4afeabb7f41ff07cf866ddc42e49da1a4ed64b9c279072caab354f6
SHA256wrme.exe7e489f1f72cac9f1c88bdc6be554c78b5a14197d63d1bae7e41de638e903af21
SHA256wuhost.exeeb54cd2d61507b9e98712de99834437224b1cef31a81544a47d93e470b8613fc
SHA256wdlogin.exe7c0fdee3670cc53a22844d691307570a21ae3be3ce4b66e46bb6d9baad1774b8
SHA256_J861.exec83e6b96ee3aa1a580157547eae88d112d2202d710218f2ed496f7fe3d861abc
SHA256baofeng15.0.exec5802c7fbad5cdf257bcc0f71e8b1c8853e06da411133b5dc78bd6c891f27500
SHA256KMDF_LOOK.sys39764e887fd0b461d86c1be96018a4c2a670b1de90d05f86ed0acb357a683318
SHA256KMDF_Protect.sysab0418eb1863c8a2211d06c764f45884c9b7dbd6d1943137fc010b8f3b8d14ae
DomainUpdate/C2du<.>testjj<.>com
DomainUpdate/C2da<.>testiu<.>com
DomainUpdate/C2db<.>testyk<.>com
DomainHijacking Domaingndh333<.>top
Mutexwrme.exeDLreport
Mutexwdlogindumping
MutexwuhostUpdate
MutexDVLayoutDVLayout

MITRE ATT&CK® Mapping

TacticTechniqueSub-TechniqueID
ReconnaissanceSearch Open Websites/DomainsSearch EnginesT1593.002
Resource DevelopmentAcquire InfrastructureDomainsT1583.001
Resource DevelopmentObtain CapabilitiesDigital CertificatesT1588.004
Initial AccessSupply Chain CompromiseCompromise Software Supply ChainT1195.002
PersistenceBoot or Logon Autostart ExecutionRegistry Run Keys / Startup FolderT1547.001
PersistenceCreate or Modify System ProcessWindows ServiceT1543.003
Defense EvasionRootkit-T1014
Defense EvasionImpair DefensesDisable or Modify ToolsT1562.001
Defense EvasionMasqueradingInvalid Code SignatureT1036.001
Defense EvasionMasqueradingMasquerade Task or ServiceT1036.004
Defense EvasionMasqueradingMatch Legitimate Name or LocationT1036.005
CollectionAutomated Collection-T1119
Command and ControlEncrypted ChannelAsymmetric CryptographyT1573.002
ExfiltrationAutomated Exfiltration-T1020
ExfiltrationExfiltration Over C2 Channel-T1041
ImpactDefacementInternal DefacementT1491.001
ImpactService Stop-T1489

Yara Rules

/*

 

 

 

YARA Rule Set

 

 

 

Author: jai-minton

 

 

 

Date: 2020-11-01

 

 

 

Identifier: SpicyHotPot

 

 

 

Reference: /content/crowdstrike-www/language-masters/global/en/blog/author.jai-minton/

 

 

 

copyright = "(c) 2020 CrowdStrike Inc."
*//* Rule Set ----------------------------------------------------------------- */ rule SpicyHotPot_wdlogin { meta: description = "SpicyHotPot - wdlogin.exe: Used to identify memory dump uploading component" author = "jai-minton" reference = "/content/crowdstrike-www/locale-sites/us/en-us/blog/author.jai-minton.html" copyright = "(c) 2020 CrowdStrike Inc." date = "2020-11-01" hash1 = "7c0fdee3670cc53a22844d691307570a21ae3be3ce4b66e46bb6d9baad1774b8" strings: $x1 = "D:\\Work\\Install_Driver\\Driver_helper\\Release\\wdlogin.pdb" fullword ascii $x2 = "kmdf_protect.sys" fullword ascii $x3 = "kmdf_look.sys" fullword ascii $x4 = "/api/v1/post_dump" fullword ascii $s1 = "Negotiate: noauthpersist -> %d, header part: %s" fullword ascii $s2 = "https://db.testyk.com" fullword ascii $s3 = "https://da.testiu.com" fullword ascii $s4 = "https://du.testjj.com" fullword ascii $s5 = "schannel: CertGetNameString() failed to match connection hostname (%s) against server certificate names" fullword ascii $s6 = "No more connections allowed to host %s: %zu" fullword ascii $s7 = "RESOLVE %s:%d is - old addresses discarded!" fullword ascii $s8 = "Content-Disposition: %s%s%s%s%s%s%s" fullword ascii $s9 = "dumping" fullword wide condition: uint16(0) == 0x5a4d and filesize < 2000KB and 1 of ($x*) and 3 of ($s*) } rule SpicyHotPot__J861 { meta: description = "SpicyHotPot - _J861.exe: Used to identify system fingerprinting, enumeration and networking component" author = "jai-minton" reference = "/content/crowdstrike-www/locale-sites/us/en-us/blog/author.jai-minton.html" copyright = "(c) 2020 CrowdStrike Inc." date = "2020-11-01" hash1 = "c83e6b96ee3aa1a580157547eae88d112d2202d710218f2ed496f7fe3d861abc" strings: $x1 = "E:\\work\\Icon_Report\\Release\\_service.pdb" fullword ascii $x2 = "RESOLVE %s:%d is - old addresses discarded!" fullword ascii $x3 = "https://du.testjj.com/api/v1/id" fullword ascii $s1 = "SEC_E_ILLEGAL_MESSAGE (0x%08X)" ascii $s2 = "Failed reading the chunked-encoded stream" fullword ascii $s3 = "Negotiate: noauthpersist -> %d, header part: %s" fullword ascii $s4 = "AppPolicyGetProcessTerminationMethod" fullword ascii $s5 = "schannel: CertGetNameString() failed to match connection hostname (%s) against server certificate names" fullword ascii $s6 = "failed to load WS2_32.DLL (%u)" fullword ascii $s7 = "/c ping -n 3 127.1 >nul & del /q %s" fullword ascii $s8 = "No more connections allowed to host %s: %zu" fullword ascii $s9 = "%d ReadPhysicalDriveInNTUsingSmart ERROR DeviceIoControl(%d, SMART_GET_VERSION) returned 0, error is %d" fullword ascii $s10 = "%d ReadPhysicalDriveInNTWithAdminRights ERROR DeviceIoControl() %d, DFP_GET_VERSION) returned 0, error is %d" fullword ascii $s11 = "Content-Disposition: %s%s%s%s%s%s%s" fullword ascii $s12 = "Content-Type: %s%s%s" fullword ascii $s13 = "SOCKS4%s: connecting to HTTP proxy %s port %d" fullword ascii $s14 = "No valid port number in connect to host string (%s)" fullword ascii $s15 = "Excess found in a read: excess = %zu, size = %I64d, maxdownload = %I64d, bytecount = %I64d" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 3000KB and 2 of ($x*) and 8 of ($s*) } rule SpicyHotPot_wuhost { meta: description = "SpicyHotPot - wuhost.exe: Used to identify rootkit and module updating component" author = "jai-minton" reference = "/content/crowdstrike-www/locale-sites/us/en-us/blog/author.jai-minton.html" copyright = "(c) 2020 CrowdStrike Inc." date = "2020-11-01" hash1 = "eb54cd2d61507b9e98712de99834437224b1cef31a81544a47d93e470b8613fc" strings: $x1 = "wdlogin.exe" fullword ascii $x2 = "UpdateTemp.exe" fullword ascii $x3 = "UpdateSelf.exe" fullword ascii $x4 = "wrme.exe" fullword ascii $x5 = "wccenter.exe" fullword ascii $x6 = "D:\\Work\\Install_Driver\\Driver_helper\\Release\\wuhost.pdb" fullword ascii $x7 = "wuhost.exe" fullword ascii $s1 = "SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More " ascii $s2 = "Failed reading the chunked-encoded stream" fullword ascii $s3 = "Negotiate: noauthpersist -> %d, header part: %s" fullword ascii $s4 = "https://db.testyk.com" fullword ascii $s5 = "https://da.testiu.com" fullword ascii $s6 = "https://du.testjj.com" fullword ascii $s7 = "dump_temp" fullword ascii $s8 = "AppPolicyGetProcessTerminationMethod" fullword ascii $s9 = "schannel: CertGetNameString() failed to match connection hostname (%s) against server certificate names" fullword ascii $s10 = "failed to load WS2_32.DLL (%u)" fullword ascii $s11 = "No more connections allowed to host %s: %zu" fullword ascii $s12 = "RESOLVE %s:%d is - old addresses discarded!" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 2000KB and 2 of ($x*) and 4 of them } rule SpicyHotPot_wrme { meta: description = "SpicyHotPot - wrme.exe: Used to identify module starting and reporting component" author = "jai-minton" reference = "/content/crowdstrike-www/locale-sites/us/en-us/blog/author.jai-minton.html" copyright = "(c) 2020 CrowdStrike Inc." date = "2020-11-01" hash1 = "7e489f1f72cac9f1c88bdc6be554c78b5a14197d63d1bae7e41de638e903af21" strings: $x1 = "DvUpdate.exe" fullword ascii $x2 = "D:\\Work\\Install_Driver\\Driver_helper\\Release\\wrme.pdb" fullword ascii $x3 = "No more connections allowed to host %s: %zu" fullword ascii $s1 = "SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More " ascii $s2 = "Failed reading the chunked-encoded stream" fullword ascii $s3 = "Content-Type: %s%s%s" fullword ascii $s4 = "Excess found in a read: excess = %zu, size = %I64d, maxdownload = %I64d, bytecount = %I64d" fullword ascii $s5 = "Negotiate: noauthpersist -> %d, header part: %s" fullword ascii $s6 = "https://db.testyk.com" fullword ascii $s7 = "https://da.testiu.com" fullword ascii $s8 = "https://du.testjj.com" fullword ascii $s9 = "AppPolicyGetProcessTerminationMethod" fullword ascii $s10 = "schannel: CertGetNameString() failed to match connection hostname (%s) against server certificate names" fullword ascii $s11 = "failed to load WS2_32.DLL (%u)" fullword ascii $s12 = "Content-Disposition: %s%s%s%s%s%s%s" fullword ascii $s13 = "RESOLVE %s:%d is - old addresses discarded!" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 2000KB and 2 of ($x*) and 7 of ($s*) } rule SpicyHotPot_DvLayout { meta: description = "SpicyHotPot - DvLayout.exe: Used to identify rootkit installation component" author = "jai-minton" reference = "/content/crowdstrike-www/locale-sites/us/en-us/blog/author.jai-minton.html" copyright = "(c) 2020 CrowdStrike Inc." date = "2020-11-01" hash1 = "551c4564d5ff537572fd356fe96df7c45bf62de9351fae5bb4e6f81dcbe34ae5" strings: $x1 = "KMDF_LOOK.sys" fullword ascii $x2 = "KMDF_Protect.sys" fullword ascii $x3 = "StartService Error, errorode is : %d ." fullword ascii $x4 = "Software\\Microsoft\\%s\\st" fullword wide $s1 = "AppPolicyGetProcessTerminationMethod" fullword ascii $s2 = "@api-ms-win-core-synch-l1-2-0.dll" fullword wide $s3 = "Genealogy.ini" fullword wide $s4 = "powercfg /h off" fullword ascii $s5 = " Type Descriptor'" fullword ascii $s6 = "find %s failed , errorcode : %d" fullword ascii $s7 = "find %s failed , errorcode : %d" fullword ascii $s8 = "Delete %s failed , errorcode : %d" fullword wide $s9 = "Delete %s failed , errorcode : %d" fullword wide $s10 = "OpenService failed , errorcode : %d" fullword wide $s11 = "&Beijing JoinHope Image Technology Ltd.1/0-" fullword ascii $s12 = "/c del /q %s" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 800KB and 1 of ($x*) and 5 of ($s*) } rule SpicyHotPot_wccenter { meta: description = "SpicyHotPot - wccenter.exe: Used to identify malware that communicates with the rootkit component" author = "jai-minton" reference = "/content/crowdstrike-www/locale-sites/us/en-us/blog/author.jai-minton.html" copyright = "(c) 2020 CrowdStrike Inc." date = "2020-11-01" hash1 = "17095beda4afeabb7f41ff07cf866ddc42e49da1a4ed64b9c279072caab354f6" strings: $x1 = "D:\\Work\\Install_Driver\\Driver_helper\\Release\\wccenter.pdb" fullword ascii $x2 = "wdlogin.exe" fullword wide $x3 = "wuhost.exe" fullword wide $x4 = "wrme.exe" fullword wide $s1 = "AppPolicyGetProcessTerminationMethod" fullword ascii $s2 = " Type Descriptor'" fullword ascii $s3 = "&Beijing JoinHope Image Technology Ltd.1/0-" fullword ascii $s4 = "operator co_await" fullword ascii $s5 = "&Beijing JoinHope Image Technology Ltd.0" fullword ascii $s6 = "RvVersion" fullword wide $s7 = " Class Hierarchy Descriptor'" fullword ascii $s8 = "Base Class Descriptor" ascii $s9 = "Beijing1" fullword ascii $s10 = " Complete Object Locator'" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 400KB and 2 of ($x*) and 4 of ($s*) } rule SpicyHotPot_KMDF_LOOK { meta: description = "SpicyHotPot - KMDF_LOOK.sys: Used to identify browser hijacking component" author = "jai-minton" reference = "/content/crowdstrike-www/locale-sites/us/en-us/blog/author.jai-minton.html" copyright = "(c) 2020 CrowdStrike Inc." date = "2020-11-01" hash1 = "39764e887fd0b461d86c1be96018a4c2a670b1de90d05f86ed0acb357a683318" strings: $x1 = "G:\\SVN\\" ascii $s1 = "TSWebDownLoadProtect.dll" fullword wide $s2 = "ShellIco.dll" fullword wide $s3 = "QMLogEx.dll" fullword wide $s4 = "SSOCommon.dll" fullword wide $s5 = "TsService.exe" fullword ascii $s6 = "Hookport.sys" fullword wide $s7 = "SafeWrapper32.dll" fullword wide $s8 = "safemon.dll" fullword wide $s9 = "iNetSafe.dll" fullword wide $s10 = "ieplus.dll" fullword wide $s11 = "wdui2.dll" fullword wide $s12 = "ExtBhoIEToSe.dll" fullword wide $s13 = "360NetBase.dll" fullword wide $s14 = "urlproc.dll" fullword wide $s15 = "360sdbho.dll" fullword wide $s16 = "360base.dll" fullword wide $s17 = "360UDiskGuard.dll" fullword wide $s18 = "TSClinicWebFix.dll" fullword wide $s19 = "QMEmKit.dll" fullword wide $s20 = "WdHPFileSafe.dll" fullword wide condition: uint16(0) == 0x5a4d and filesize < 1000KB and 8 of them } rule SpicyHotPot_KMDF_Protect { meta: description = "SpicyHotPot - KMDF_Protect.sys: Used to identify driver protection and filtering component" author = "jai-minton" reference = "/content/crowdstrike-www/locale-sites/us/en-us/blog/author.jai-minton.html" copyright = "(c) 2020 CrowdStrike Inc." date = "2020-11-01" hash1 = "ab0418eb1863c8a2211d06c764f45884c9b7dbd6d1943137fc010b8f3b8d14ae" strings: $x1 = "wdlogin.exe" fullword wide $x2 = "\\Windows\\System32\\cmd.exe" fullword wide $x3 = "wuhost.exe" fullword wide $x4 = "wrme.exe" fullword wide $x5 = "UpdateSelf.exe" fullword ascii $x6 = "wccenter.exe" fullword wide $s1 = "jCloudScan.dll" fullword wide $s2 = "DSFScan.dll" fullword wide $s3 = "avescan.dll" fullword wide $s4 = "\\Cloudcom2.dll" fullword wide $s5 = "\\Cloudcom264.dll" fullword wide $s6 = "AVEIEngine.dll" fullword wide $s7 = "AVEI.dll" fullword wide $s8 = "BAPI.dll" fullword wide $s9 = "BAPI64.dll" fullword wide $s10 = "360Tray.exe" fullword ascii $s11 = "360Safe.exe" fullword ascii $s12 = "\\jCloudScan.dll" fullword wide $s13 = "\\deepscan64.dll" fullword wide $s14 = "\\deepscan.dll" fullword wide condition: uint16(0) == 0x5a4d and filesize < 1000KB and 2 of ($x*) and 6 of ($s*) }

Additional Resources

Breaches Stop Here