Phoenix
Sigma IntelligenceBeta
Back to Rules
Emerging Threathightest

Kapeka Backdoor Loaded Via Rundll32.EXE

Detects the Kapeka Backdoor binary being loaded by rundll32.exe. The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Swachchhanda Shrawan PoudelCreated Wed Jul 03a7e6b1f9-8d2c-4f1e-9a7d-63e4c8a2bf4c2024
Emerging Threat
Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source
WindowsImage Load (DLL)
ProductWindows← raw: windows
CategoryImage Load (DLL)← raw: image_load
Detection Logic
Detection Logic1 selector
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        ImageLoaded|contains:
            - ':\ProgramData'
            - '\AppData\Local\'
        ImageLoaded|re: '[a-zA-Z]{5,6}\.wll'
    condition: selection
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
labs.withsecure.com
2
Resolving title…
app.any.run
MITRE ATT&CK

Other

detection.emerging-threats
Rule Metadata
Rule ID
a7e6b1f9-8d2c-4f1e-9a7d-63e4c8a2bf4c
Status
test
Level
high
Type
Emerging Threat
Created
Wed Jul 03
Author
Swachchhanda Shrawan Poudel
Path
rules-emerging-threats/2024/Malware/kapeka/image_load_malware_kapeka_backdoor_wll.yml
Raw Tags
attack.executionattack.t1204.002attack.defense-evasionattack.t1218.011detection.emerging-threats
View on GitHub