kapeka
kapeka is tracked here as a malware family or toolset with 7 Sigma detections spanning 2024. Coverage centers on windows / process_creation, windows / registry_set, windows / file_event +2.
Kapeka Backdoor Autorun Persistence
Detects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence.
Kapeka Backdoor Configuration Persistence
Detects registry set activity of a value called "Seed" stored in the "\Cryptography\Providers\" registry key. The Kapeka backdoor leverages this location to register a new SIP provider for backdoor configuration persistence.
Kapeka Backdoor Execution Via RunDLL32.EXE
Detects Kapeka backdoor process execution pattern, where the dropper launch the backdoor binary by calling rundll32 and passing the backdoor's first export ordinal (#1) with a "-d" argument.
Kapeka Backdoor Loaded Via Rundll32.EXE
Detects the Kapeka Backdoor binary being loaded by rundll32.exe. The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In.
Kapeka Backdoor Persistence Activity
Detects Kapeka backdoor persistence activity. Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not). For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM. To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command. Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument.
Kapeka Backdoor Scheduled Task Creation
Detects Kapeka backdoor scheduled task creation based on attributes such as paths, commands line flags, etc.
Potential Kapeka Decrypted Backdoor Indicator
Detects the presence of a file that is decrypted backdoor binary dropped by the Kapeka Dropper, which disguises itself as a hidden file under a folder named "Microsoft" within "CSIDL_COMMON_APPDATA" or "CSIDL_LOCAL_APPDATA", depending on the process privileges. The file, typically 5-6 characters long with a random combination of consonants and vowels followed by a ".wll" extension to pose as a legitimate file to evade detection.