The detection identifies potential adversary activity involving the Kraken Bot sample file ‘inf.bin’, which may indicate the presence of a malicious botnet framework. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats leveraging botnet infrastructure.
YARA Rule
rule Kraken_Bot_Sample : bot {
    meta:
        description = "Kraken Bot Sample - file inf.bin"
        author = "Florian Roth"
        reference = "https://blog.gdatasoftware.com/blog/article/dissecting-the-kraken.html"
        date = "2015-05-07"
        hash = "798e9f43fc199269a3ec68980eb4d91eb195436d"
        score = 90
    strings:
        $s2 = "%s=?getname" fullword ascii
        $s4 = "&COMPUTER=^" fullword ascii
        $s5 = "xJWFwcGRhdGElAA=" fullword ascii /* base64 encoded string '%appdata%' */
        $s8 = "JVdJTkRJUi" fullword ascii /* base64 encoded string '%WINDIR' */
        $s20 = "btcplug" fullword ascii
    condition:
        uint16(0) == 0x5a4d and all of them
}
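Added example (not from the page or from the rule's author): a small Python emulation of the rule's condition, covering the little-endian MZ check at offset 0, YARA's "fullword" semantics for all five strings, and a check of why the two base64 fragments line up with '%appdata%' and '%WINDIR%'. The sample buffers are constructed for the demonstration and are not real samples.

```python
import base64
import string

# String patterns copied from the Kraken_Bot_Sample rule above (all "fullword ascii").
KRAKEN_STRINGS = [
    b"%s=?getname",
    b"&COMPUTER=^",
    b"xJWFwcGRhdGElAA=",  # base64 text around '%appdata%'; leading 'x' is the tail of the previous 4-char group
    b"JVdJTkRJUi",        # prefix of base64('%WINDIR%') == 'JVdJTkRJUiU='
    b"btcplug",
]

# YARA treats [A-Za-z0-9_] as word characters for the "fullword" modifier.
_WORD = set((string.ascii_letters + string.digits + "_").encode())

def fullword_in(data: bytes, pat: bytes) -> bool:
    """Emulate YARA `fullword ascii`: some occurrence must not be flanked by word characters."""
    start = 0
    while (i := data.find(pat, start)) >= 0:
        end = i + len(pat)
        before_ok = i == 0 or data[i - 1] not in _WORD
        after_ok = end == len(data) or data[end] not in _WORD
        if before_ok and after_ok:
            return True
        start = i + 1
    return False

def kraken_rule_matches(data: bytes) -> bool:
    """Emulate `uint16(0) == 0x5a4d and all of them` (little-endian 0x5a4d is the bytes "MZ")."""
    return data[:2] == b"MZ" and all(fullword_in(data, s) for s in KRAKEN_STRINGS)

def base64_contains(plaintext: bytes, fragment: bytes) -> bool:
    """True if a rule fragment is a substring of base64(plaintext): why the fragment was chosen."""
    return fragment in base64.b64encode(plaintext)

# Constructed buffers (not real malware). SAMPLE_HIT: an "MZ" header followed by the rule's
# strings as NUL-terminated C strings, the way they would sit in a PE data section.
SAMPLE_HIT = b"MZ" + b"\x00" * 62 + b"\x00".join(KRAKEN_STRINGS) + b"\x00"
# Same strings, but not a PE image, so uint16(0) != 0x5a4d and the rule must not fire.
SAMPLE_NOT_PE = b"\x7fELF" + b"\x00".join(KRAKEN_STRINGS)
# "btcplug" embedded inside a longer word fails the fullword test, so the rule must not fire.
SAMPLE_FULLWORD_MISS = SAMPLE_HIT.replace(b"\x00btcplug\x00", b"\x00btcplugin\x00")

if __name__ == "__main__":
    print("hit:", kraken_rule_matches(SAMPLE_HIT))
    print("not PE:", kraken_rule_matches(SAMPLE_NOT_PE))
    print("fullword miss:", kraken_rule_matches(SAMPLE_FULLWORD_MISS))
    print("$s5 vs base64('%appdata%\\0'):", base64_contains(b"%appdata%\x00", b"JWFwcGRhdGElAA="))
    print("$s8 vs base64('%WINDIR%'):", base64_contains(b"%WINDIR%", b"JVdJTkRJUi"))
```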
This rule contains 5 string patterns in its detection logic; the condition requires an MZ (PE) header at offset 0 and all five strings to be present.
This YARA rule can be deployed in the following contexts, with the filter/exclusion shown applied to suppress the expected benign activity:
Scenario: System update or patch installation using Windows Update or WSUS
    Filter/Exclusion: file.name != "inf.bin" or process.name != "wusa.exe"
Scenario: Scheduled backup job using Veeam Backup & Replication or Commvault
    Filter/Exclusion: process.name != "veeam.exe" and process.name != "cvbackup.exe"
Scenario: Administrative task involving Group Policy Management Console (GPMC) or PowerShell scripting
    Filter/Exclusion: (process.name != "gpmc.exe" and process.name != "powershell.exe") or file.name != "inf.bin"
Scenario: Deployment of a legitimate software package using Chocolatey or Ninite
    Filter/Exclusion: (process.name != "choco.exe" and process.name != "ninite.exe") or file.name != "inf.bin"
Scenario: Legitimate use of Microsoft Configuration Manager (SCCM) for software distribution
    Filter/Exclusion: process.name != "ccmexec.exe" or file.name != "inf.bin"