{
	"id": "b978445b-e82f-4324-967d-cb29e5732b01",
	"created_at": "2026-04-06T00:19:32.76727Z",
	"updated_at": "2026-04-10T13:13:05.165358Z",
	"deleted_at": null,
	"sha1_hash": "54525e6d1360ca979099927fd93009acaa7223fd",
	"title": "Spicy Hot Pot Rootkit: Finding, Hunting, and Eradicating It",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1525970,
	"plain_text": "Spicy Hot Pot Rootkit: Finding, Hunting, and Eradicating It\r\nBy Jai Minton\r\nArchived: 2026-04-05 16:43:40 UTC\r\nIn this blog, we take a look at a recent incident that involved a persistent browser hijacking rootkit dubbed “Spicy\r\nHot Pot.” The name comes from Huorong (Tinder) Security, which first publicly reported on its discovery of this\r\nrootkit. Spicy Hot Pot is a browser hijacking rootkit that changes a user’s homepage to point to a page controlled\r\nby the malware operator, in addition to uploading memory dumps from a machine to a predefined server and\r\nincorporating a local update feature to ensure it can remain updated. Usually a browser hijacker would do this\r\nthrough malicious executables or registry keys that change the user’s homepage; however, Spicy Hot Pot takes\r\nthis one step further by using two kernel-mode drivers that are dropped to disk and installed during the infection\r\nprocess to remain stealthy. These kernel drivers have a number of functions, such as hindering security software\r\nby intercepting their callback functions, collecting any memory dumps created on the system from a specific\r\ndirectory, and giving the malware operator the ability to update the malware as they see fit. In addition, one of the\r\nkernel drivers acts as a minifilter, which gives it the ability to intercept and modify any user input or output\r\nrequests. One of the functions of this driver is to intercept any attempts by a user to display the malicious files,\r\neffectively making them invisible. This particular piece of malware is primarily focused on Chinese users. This is\r\ninferred based on 1) it was found dropped from a number of keygen/activation tools used to “crack” or\r\nillegitimately activate Microsoft products that are developed with Chinese language packs, and 2) this malware is\r\nspecifically targeting common antivirus software used in China. 
Although more can be said about this piece of malware, this blog post aims to give a quick overview of Spicy Hot Pot, its capabilities and how it can be manually removed from a host without the need for third-party software.\r\nThe Initial Detection\r\nIn June 2020, the CrowdStrike Falcon® Complete™ team received a machine learning (ML) alert that a suspicious binary called “baofeng15.0” attempted to run in a customer's environment. It had the following SHA256 hash:\r\n498ed725195b5ee52e406de237afa9ef268cabc4ef604c363aee2e78b3b13193\r\nAfter analyzing this binary, the determination was made that it is bundled with a browser hijacking rootkit. This rootkit is known to date back as early as December 2019 and remains prevalent, with new variants still being discovered. Dynamic analysis of the binary in question revealed that it dropped nine items of interest (seven executables and two filter drivers) before disabling hibernation mode on the machine. A recreation of this activity after disabling preventions can be seen below using CrowdStrike Falcon®’s process execution tree.\r\nhttps://www.crowdstrike.com/blog/spicy-hot-pot-rootkit-explained/\r\nPage 1 of 18\n\nFigure 1. Spicy Hot Pot as seen in the CrowdStrike Falcon® process execution tree\r\nThis detection raises a number of questions due to the context and location of the dropped binaries when run on a Windows 10 machine:\r\n%localappdata%\\Microsoft\\Event Viewer\\wccenter.exe\r\n%localappdata%\\Microsoft\\Event Viewer\\wdlogin.exe\r\n%localappdata%\\Microsoft\\Event Viewer\\wrme.exe\r\n%localappdata%\\Microsoft\\Event Viewer\\wuhost.exe\r\n%localappdata%\\Microsoft\\WindowsApps\\DvLayout.exe\r\n%localappdata%\\Temp\\_J861.exe\r\n%localappdata%\\Temp\\baofeng15.0.exe\r\n%localappdata%\\Microsoft\\WindowsApps\\KMDF_LOOK.sys\r\n%localappdata%\\Microsoft\\WindowsApps\\KMDF_Protect.sys\r\nOn Windows 7, the drivers fall into “Media Player” instead of “WindowsApps.” In addition, it made a number of registry modifications to the local machine’s software hive:\r\nSoftware\\Microsoft\\Helicarrier\\st\\stemp\r\nSoftware\\Microsoft\\Helicarrier\\Channel\r\nSoftware\\Microsoft\\DirectX\\DvVersion\r\nSoftware\\Microsoft\\DirectX\\PvVersion\r\nSoftware\\Microsoft\\DirectX\\RvVersion\r\nSoftware\\Microsoft\\Helicarrier\\dp\r\nSoftware\\Microsoft\\Helicarrier\\ca\r\nSoftware\\Microsoft\\Helicarrier\\dr\r\nSoftware\\Microsoft\\Helicarrier\\eu\r\nSoftware\\Microsoft\\Helicarrier\\fd\r\nSoftware\\Microsoft\\Helicarrier\\ap\r\nOne important item to note is the presence of a new baofeng15.0.exe binary with a different hash. This was far more widespread than the binary that was just run and had a creation timestamp dating back four years:\r\n2016-01-13 13:19:34\r\nBased on this, it’s likely that an older cracking tool has been repackaged with this malware and distributed online by the malware operator.\r\n
The other eight files dropped are signed by a few different signing certificates issued to “Beijing JoinHope Image Technology Ltd.” Unique samples found have different validity timeframes for their signing certificates, with validity ranging anywhere from 1 minute to 10 years. At the time of writing, all had expired; however, they were still able to be successfully installed due to exceptions to driver signing enforcement.\r\nFile Name | Signing Certificate\r\nDvLayout.exe | Valid From 12:00 AM 05/16/2014, Valid To 11:59 PM 05/16/2015\r\nwccenter.exe | Valid From 12:00 AM 05/16/2014, Valid To 11:59 PM 05/16/2015\r\nwrme.exe | Valid From 12:00 AM 02/08/2010, Valid To 11:59 PM 02/07/2020\r\nwuhost.exe | Valid From 12:00 AM 02/08/2010, Valid To 11:59 PM 02/07/2020\r\nwdlogin.exe | Valid From 04:23 AM 08/22/2020, Valid To 04:23 AM 08/22/2020\r\n_J861.exe | Valid From 12:00 AM 02/08/2010, Valid To 11:59 PM 02/07/2020\r\nbaofeng15.0.exe | Not Signed\r\nKMDF_LOOK.sys | Valid From 02:21 AM 06/13/2020, Valid To 02:21 AM 06/13/2020\r\nKMDF_Protect.sys | Valid From 12:00 AM 05/16/2014, Valid To 11:59 PM 05/16/2015\r\nTable 1. Validity timeframes for the files dropped by Spicy Hot Pot\r\nComparing this signing certificate to a public repository of malware samples reveals hundreds of unique malware samples, indicating that the creator of this malware (or someone with access to these signing certificates) is in no rush to stop using certificates issued to this entity. Many pieces of malware signed by this entity contained similar debugging (pdb) locations in their debug strings.\r\nBinary | PDB\r\nKMDF_LOOK.sys | G:\\SVN\\源码\\驱动\\LookFile\\KMDF_LOOK\\Release\\KMDF_LOOK_64.pdb\r\nKMDF_Protect.sys | G:\\SVN\\源码\\驱动\\protect\\KMDF_Protect\\Release\\KMDF_Protect_64.pdb\r\nwdlogin.exe | D:\\Work\\Install_Driver\\Driver_helper\\Release\\wdlogin.pdb\r\nwrme.exe | D:\\Work\\Install_Driver\\Driver_helper\\Release\\wrme.pdb\r\nwccenter.exe | D:\\Work\\Install_Driver\\Driver_helper\\Release\\wccenter.pdb\r\n_J861.exe | E:\\work\\Icon_Report\\Release\\_service.pdb\r\nwuhost.exe | D:\\Work\\Install_Driver\\Driver_helper\\Release\\wuhost.pdb\r\nTable 2. Debugging locations found in Spicy Hot Pot malware\r\nTo a normal user, the kernel drivers dropped to disk are completely invisible. This is because not only are they renamed and installed on infection, but through their installation they begin to act as a rootkit, and one of the drivers hides the malware files from being shown on disk. This extends to making the executables dropped to disk invisible. We can see the different filtering capabilities of this driver by analyzing pseudo-code of the file KMDF_Protect.sys.\r\nFigure 2. Minifilter being registered\r\nFigure 3. Searching for .sys and .exe files to filter on\r\nIn addition to this, KMDF_Protect.sys checks for any executables running with known binary names from Qihoo 360 software.\r\nFigure 4. Checking for antivirus software attempting to run\r\nFigure 5. Strings used in preventing antivirus software from loading scanning modules\r\nThis also adds a shutdown callback for persistence.\r\n
At shutdown, the driver attempts to write back the location of wccenter.exe to the system’s “RunOnce” key so that it runs again on boot. As this is performed by the kernel-mode driver, this modification isn’t shown by common registry monitoring tools.\r\nFigure 6. Persistence through a shutdown function callback\r\nIf we compare this to KMDF_LOOK.sys, we can see that its primary function is to hijack the user’s homepage and delete process callbacks to security software.\r\nFigure 7. Hardcoded URLs for the browser hijacking component\r\nIt should be noted that both drivers masquerade as legitimate service names to remain stealthy:\r\nDriver | Malicious Service Name | Masqueraded Legitimate Service Name\r\nKMDF_Protect.sys | iaLPSS1z | iaLPSSi*: Intel Serial IO Driver\r\nKMDF_LOOK.sys | LSI_SAS2l | LSI_SAS2: LSI SAS GEN 2 Driver (StorPort)\r\nA brief overview of the other components of this malware:\r\nDVLayout.exe is used to install the rootkit. This creates the Mutex “DVLayout.”\r\n_J861.exe is used to gather system information of the infected client, including its serial number, and has a number of networking functions that support the operation of this malware. This temporarily creates a service called “R.”\r\nwccenter.exe communicates with KMDF_Protect.sys using a named device called \\\\Device\\\\iaLPSS1z and is used to run wdlogin.exe, wuhost.exe and wrme.exe.\r\nFigure 8. wccenter.exe startup execution\r\nwuhost.exe is used to update the rootkit drivers and modules as required.\r\n
It creates the Mutex “Update” and contacts one of the following domains to fetch this update:\r\nhttps\u003c:\u003e//du\u003c.\u003etestjj\u003c.\u003ecom\r\nhttps\u003c:\u003e//da\u003c.\u003etestiu\u003c.\u003ecom\r\nhttps\u003c:\u003e//db\u003c.\u003etestyk\u003c.\u003ecom\r\nwrme.exe is used to download and start or install modules such as wuhost.exe and wdlogin.exe, in addition to gathering information about the operating system. It creates the Mutex “DLreport.”\r\nwdlogin.exe is used to find any dump file ending with dmp in the %SystemRoot%\\minidump directory, compress it, and upload it to one of the above servers at the endpoint /api/v1/post_dump. This is likely for troubleshooting any blue screen errors that may be caused by the rootkit. It creates the Mutex “dumping.”\r\nInvestigation with Endpoint Detection and Response Data\r\nUsing CrowdStrike Falcon®’s telemetry via our Endpoint Activity Monitoring (EAM) application, we’re able to see the infection actions taking place when protections are disabled. This includes file writes of _J861.exe, KMDF_Protect.sys, KMDF_LOOK.sys, and their associated driver loads.\r\nFigure 9. File events as seen in CrowdStrike Falcon®’s EAM application\r\nFigure 10. DriverLoad events as seen in the CrowdStrike Falcon® EAM application\r\nBy checking the registry and filter drivers on this host through CrowdStrike Falcon®’s Real Time Response (RTR) capability, we can locate the running kernel drivers and the dropped binaries to prove they reside on disk, given that we know their name and location. This works even though Spicy Hot Pot filters user input and output requests to make the files invisible to a normal user of Windows.\r\nFigure 11. Rootkit drivers as seen through Real Time Response (RTR)\r\nFigure 12. Rootkit service as seen through Real Time Response (RTR)\r\nFigure 13. Rootkit service as seen through Real Time Response (RTR)\r\nThe Remediation\r\nSpicy Hot Pot, like many other rootkits, utilizes kernel filter drivers that, once started, cannot be stopped by a user. These filter drivers prevent removal of the registry keys, services or kernel drivers themselves that are associated with the infection. Due to this, removing Spicy Hot Pot malware remotely can be quite challenging. Remediating a rootkit often requires doing so from a machine that is powered off or booted into safe mode; however, we can remove a rootkit such as Spicy Hot Pot without going to these extremes by making sure it cannot run at startup.\r\nSpicy Hot Pot places the malicious filter drivers within the “WindowsApps” folder, which, in addition to the “Event Viewer” or “Media Player” folder, is what is being filtered on. If you rename the folder, the filter drivers immediately become visible.\r\nFigure 14. Rootkit drivers visible after renaming WindowsApps folder\r\nThis can be done even when the kernel filters are running, but the filter drivers cannot be removed by a user as they’re still running and protected.\r\nFigure 15. Protected in-use kernel drivers that cannot be removed\r\nAfter renaming the folder, if you restart an infected system, the path referenced by the kernel filter driver services no longer exists, and the drivers will fail to load. At this point, the drivers and associated malicious executables can be removed, and the folder renamed to “WindowsApps” once more. The services and registry keys associated with the rootkit can also be removed now.\r\nFigure 16. Rootkit driver removal as seen through Real Time Response (RTR)\r\nConclusion\r\nThis post touched on a common browser hijacker being distributed with tools designed to illegitimately activate Microsoft products. It highlights some of the concerns associated with running “cracking” tools on a machine, and why it’s important to monitor and prevent not only unknown executables that are running, but also drivers that are loaded by an operating system and any minifilters present. By fusing CrowdStrike Falcon®’s detection and prevention capabilities, enriched endpoint telemetry, Real Time Response capability and the expertise of the CrowdStrike Falcon® Complete team, you’re uniquely positioned with the capability to detect, investigate, understand and respond to unknown threats within your environment 24/7, 365 days of the year.\r\n
Indicators\r\nType | Name/Purpose | Indicator\r\nSHA256 | baofeng15.0 | 498ed725195b5ee52e406de237afa9ef268cabc4ef604c363aee2e78b3b13193\r\nSHA256 | DvLayout.exe | 551c4564d5ff537572fd356fe96df7c45bf62de9351fae5bb4e6f81dcbe34ae5\r\nSHA256 | wccenter.exe | 17095beda4afeabb7f41ff07cf866ddc42e49da1a4ed64b9c279072caab354f6\r\nSHA256 | wrme.exe | 7e489f1f72cac9f1c88bdc6be554c78b5a14197d63d1bae7e41de638e903af21\r\nSHA256 | wuhost.exe | eb54cd2d61507b9e98712de99834437224b1cef31a81544a47d93e470b8613fc\r\nSHA256 | wdlogin.exe | 7c0fdee3670cc53a22844d691307570a21ae3be3ce4b66e46bb6d9baad1774b8\r\nSHA256 | _J861.exe | c83e6b96ee3aa1a580157547eae88d112d2202d710218f2ed496f7fe3d861abc\r\nSHA256 | baofeng15.0.exe | c5802c7fbad5cdf257bcc0f71e8b1c8853e06da411133b5dc78bd6c891f27500\r\nSHA256 | KMDF_LOOK.sys | 39764e887fd0b461d86c1be96018a4c2a670b1de90d05f86ed0acb357a683318\r\nSHA256 | KMDF_Protect.sys | ab0418eb1863c8a2211d06c764f45884c9b7dbd6d1943137fc010b8f3b8d14ae\r\nDomain | Update/C2 | du\u003c.\u003etestjj\u003c.\u003ecom\r\nDomain | Update/C2 | da\u003c.\u003etestiu\u003c.\u003ecom\r\nDomain | Update/C2 | db\u003c.\u003etestyk\u003c.\u003ecom\r\nDomain | Hijacking Domain | gndh333\u003c.\u003etop\r\nMutex | wrme.exe | DLreport\r\nMutex | wdlogin | dumping\r\nMutex | wuhost | Update\r\nMutex | DVLayout | DVLayout\r\n
MITRE ATT\u0026CK® Mapping\r\nTactic | Technique | Sub-Technique | ID\r\nReconnaissance | Search Open Websites/Domains | Search Engines | T1593.002\r\nResource Development | Acquire Infrastructure | Domains | T1583.001\r\nResource Development | Obtain Capabilities | Digital Certificates | T1588.004\r\nInitial Access | Supply Chain Compromise | Compromise Software Supply Chain | T1195.002\r\nPersistence | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder | T1547.001\r\nPersistence | Create or Modify System Process | Windows Service | T1543.003\r\nDefense Evasion | Rootkit | - | T1014\r\nDefense Evasion | Impair Defenses | Disable or Modify Tools | T1562.001\r\nDefense Evasion | Masquerading | Invalid Code Signature | T1036.001\r\nDefense Evasion | Masquerading | Masquerade Task or Service | T1036.004\r\nDefense Evasion | Masquerading | Match Legitimate Name or Location | T1036.005\r\nCollection | Automated Collection | - | T1119\r\nCommand and Control | Encrypted Channel | Asymmetric Cryptography | T1573.002\r\nExfiltration | Automated Exfiltration | - | T1020\r\nExfiltration | Exfiltration Over C2 Channel | - | T1041\r\nImpact | Defacement | Internal Defacement | T1491.001\r\nImpact | Service Stop | - | T1489\r\n
Yara Rules\r\n/*\r\n   YARA Rule Set\r\n   Author: jai-minton\r\n   Date: 2020-11-01\r\n   Identifier: SpicyHotPot\r\n   Reference: /content/crowdstrike-www/language-masters/global/en/blog/author.jai-minton/\r\n   copyright = \"(c) 2020 CrowdStrike Inc.\"\r\n*/\r\n/* Rule Set ----------------------------------------------------------------- */\r\n
rule SpicyHotPot_wdlogin {\r\n    meta:\r\n        description = \"SpicyHotPot - wdlogin.exe: Used to identify memory dump uploading component\"\r\n        author = \"jai-minton\"\r\n        reference = \"/content/crowdstrike-www/locale-sites/us/en-us/blog/author.jai-minton.html\"\r\n        copyright = \"(c) 2020 CrowdStrike Inc.\"\r\n        date = \"2020-11-01\"\r\n        hash1 = \"7c0fdee3670cc53a22844d691307570a21ae3be3ce4b66e46bb6d9baad1774b8\"\r\n    strings:\r\n        $x1 = \"D:\\\\Work\\\\Install_Driver\\\\Driver_helper\\\\Release\\\\wdlogin.pdb\" fullword ascii\r\n        $x2 = \"kmdf_protect.sys\" fullword ascii\r\n        $x3 = \"kmdf_look.sys\" fullword ascii\r\n        $x4 = \"/api/v1/post_dump\" fullword ascii\r\n        $s1 = \"Negotiate: noauthpersist -\u003e %d, header part: %s\" fullword ascii\r\n        $s2 = \"https://db.testyk.com\" fullword ascii\r\n        $s3 = \"https://da.testiu.com\" fullword ascii\r\n        $s4 = \"https://du.testjj.com\" fullword ascii\r\n        $s5 = \"schannel: CertGetNameString() failed to match connection hostname (%s) against server certificate names\" fullword ascii\r\n        $s6 = \"No more connections allowed to host %s: %zu\" fullword ascii\r\n        $s7 = \"RESOLVE %s:%d is - old addresses discarded!\" fullword ascii\r\n        $s8 = \"Content-Disposition: %s%s%s%s%s%s%s\" fullword ascii\r\n        $s9 = \"dumping\" fullword wide\r\n    condition:\r\n        uint16(0) == 0x5a4d and filesize \u003c 2000KB and 1 of ($x*) and 3 of ($s*)\r\n}\r\n
rule SpicyHotPot__J861 {\r\n    meta:\r\n        description = \"SpicyHotPot - _J861.exe: Used to identify system fingerprinting, enumeration and networking component\"\r\n        author = \"jai-minton\"\r\n        reference = \"/content/crowdstrike-www/locale-sites/us/en-us/blog/author.jai-minton.html\"\r\n        copyright = \"(c) 2020 CrowdStrike Inc.\"\r\n        date = \"2020-11-01\"\r\n        hash1 = \"c83e6b96ee3aa1a580157547eae88d112d2202d710218f2ed496f7fe3d861abc\"\r\n    strings:\r\n        $x1 = \"E:\\\\work\\\\Icon_Report\\\\Release\\\\_service.pdb\" fullword ascii\r\n        $x2 = \"RESOLVE %s:%d is - old addresses discarded!\" fullword ascii\r\n        $x3 = \"https://du.testjj.com/api/v1/id\" fullword ascii\r\n        $s1 = \"SEC_E_ILLEGAL_MESSAGE (0x%08X)\" ascii\r\n        $s2 = \"Failed reading the chunked-encoded stream\" fullword ascii\r\n        $s3 = \"Negotiate: noauthpersist -\u003e %d, header part: %s\" fullword ascii\r\n        $s4 = \"AppPolicyGetProcessTerminationMethod\" fullword ascii\r\n        $s5 = \"schannel: CertGetNameString() failed to match connection hostname (%s) against server certificate names\" fullword ascii\r\n        $s6 = \"failed to load WS2_32.DLL (%u)\" fullword ascii\r\n        $s7 = \"/c ping -n 3 127.1 \u003enul \u0026 del /q %s\" fullword ascii\r\n        $s8 = \"No more connections allowed to host %s: %zu\" fullword ascii\r\n        $s9 = \"%d ReadPhysicalDriveInNTUsingSmart ERROR DeviceIoControl(%d, SMART_GET_VERSION) returned 0, error is %d\" fullword ascii\r\n        $s10 = \"%d ReadPhysicalDriveInNTWithAdminRights ERROR DeviceIoControl() %d, DFP_GET_VERSION) returned 0, error is %d\" fullword ascii\r\n        $s11 = \"Content-Disposition: %s%s%s%s%s%s%s\" fullword ascii\r\n        $s12 = \"Content-Type: %s%s%s\" fullword ascii\r\n        $s13 = \"SOCKS4%s: connecting to HTTP proxy %s port %d\" fullword ascii\r\n        $s14 = \"No valid port number in connect to host string (%s)\" fullword ascii\r\n        $s15 = \"Excess found in a read: excess = %zu, size = %I64d, maxdownload = %I64d, bytecount = %I64d\" fullword ascii\r\n    condition:\r\n        uint16(0) == 0x5a4d and filesize \u003c 3000KB and 2 of ($x*) and 8 of ($s*)\r\n}\r\n
rule SpicyHotPot_wuhost {\r\n    meta:\r\n        description = \"SpicyHotPot - wuhost.exe: Used to identify rootkit and module updating component\"\r\n        author = \"jai-minton\"\r\n        reference = \"/content/crowdstrike-www/locale-sites/us/en-us/blog/author.jai-minton.html\"\r\n        copyright = \"(c) 2020 CrowdStrike Inc.\"\r\n        date = \"2020-11-01\"\r\n        hash1 = \"eb54cd2d61507b9e98712de99834437224b1cef31a81544a47d93e470b8613fc\"\r\n    strings:\r\n        $x1 = \"wdlogin.exe\" fullword ascii\r\n        $x2 = \"UpdateTemp.exe\" fullword ascii\r\n        $x3 = \"UpdateSelf.exe\" fullword ascii\r\n        $x4 = \"wrme.exe\" fullword ascii\r\n        $x5 = \"wccenter.exe\" fullword ascii\r\n        $x6 = \"D:\\\\Work\\\\Install_Driver\\\\Driver_helper\\\\Release\\\\wuhost.pdb\" fullword ascii\r\n        $x7 = \"wuhost.exe\" fullword ascii\r\n        $s1 = \"SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More \" ascii\r\n        $s2 = \"Failed reading the chunked-encoded stream\" fullword ascii\r\n        $s3 = \"Negotiate: noauthpersist -\u003e %d, header part: %s\" fullword ascii\r\n        $s4 = \"https://db.testyk.com\" fullword ascii\r\n        $s5 = \"https://da.testiu.com\" fullword ascii\r\n        $s6 = \"https://du.testjj.com\" fullword ascii\r\n        $s7 = \"dump_temp\" fullword ascii\r\n        $s8 = \"AppPolicyGetProcessTerminationMethod\" fullword ascii\r\n        $s9 = \"schannel: CertGetNameString() failed to match connection hostname (%s) against server certificate names\" fullword ascii\r\n        $s10 = \"failed to load WS2_32.DLL (%u)\" fullword ascii\r\n        $s11 = \"No more connections allowed to host %s: %zu\" fullword ascii\r\n        $s12 = \"RESOLVE %s:%d is - old addresses discarded!\" fullword ascii\r\n    condition:\r\n        uint16(0) == 0x5a4d and filesize \u003c 2000KB and 2 of ($x*) and 4 of them\r\n}\r\n
rule SpicyHotPot_wrme {\r\n    meta:\r\n        description = \"SpicyHotPot - wrme.exe: Used to identify module starting and reporting component\"\r\n        author = \"jai-minton\"\r\n        reference = \"/content/crowdstrike-www/locale-sites/us/en-us/blog/author.jai-minton.html\"\r\n        copyright = \"(c) 2020 CrowdStrike Inc.\"\r\n        date = \"2020-11-01\"\r\n        hash1 = \"7e489f1f72cac9f1c88bdc6be554c78b5a14197d63d1bae7e41de638e903af21\"\r\n    strings:\r\n        $x1 = \"DvUpdate.exe\" fullword ascii\r\n        $x2 = \"D:\\\\Work\\\\Install_Driver\\\\Driver_helper\\\\Release\\\\wrme.pdb\" fullword ascii\r\n        $x3 = \"No more connections allowed to host %s: %zu\" fullword ascii\r\n        $s1 = \"SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More \" ascii\r\n        $s2 = \"Failed reading the chunked-encoded stream\" fullword ascii\r\n        $s3 = \"Content-Type: %s%s%s\" fullword ascii\r\n        $s4 = \"Excess found in a read: excess = %zu, size = %I64d, maxdownload = %I64d, bytecount = %I64d\" fullword ascii\r\n        $s5 = \"Negotiate: noauthpersist -\u003e %d, header part: %s\" fullword ascii\r\n        $s6 = \"https://db.testyk.com\" fullword ascii\r\n        $s7 = \"https://da.testiu.com\" fullword ascii\r\n        $s8 = \"https://du.testjj.com\" fullword ascii\r\n        $s9 = \"AppPolicyGetProcessTerminationMethod\" fullword ascii\r\n        $s10 = \"schannel: CertGetNameString() failed to match connection hostname (%s) against server certificate names\" fullword ascii\r\n        $s11 = \"failed to load WS2_32.DLL (%u)\" fullword ascii\r\n        $s12 = \"Content-Disposition: %s%s%s%s%s%s%s\" fullword ascii\r\n        $s13 = \"RESOLVE %s:%d is - old addresses discarded!\" fullword ascii\r\n    condition:\r\n        uint16(0) == 0x5a4d and filesize \u003c 2000KB and 2 of ($x*) and 7 of ($s*)\r\n}\r\n
rule SpicyHotPot_DvLayout {\r\n    meta:\r\n        description = \"SpicyHotPot - DvLayout.exe: Used to identify rootkit installation component\"\r\n        author = \"jai-minton\"\r\n        reference = \"/content/crowdstrike-www/locale-sites/us/en-us/blog/author.jai-minton.html\"\r\n        copyright = \"(c) 2020 CrowdStrike Inc.\"\r\n        date = \"2020-11-01\"\r\n        hash1 = \"551c4564d5ff537572fd356fe96df7c45bf62de9351fae5bb4e6f81dcbe34ae5\"\r\n    strings:\r\n        $x1 = \"KMDF_LOOK.sys\" fullword ascii\r\n        $x2 = \"KMDF_Protect.sys\" fullword ascii\r\n        $x3 = \"StartService Error, errorode is : %d .\" fullword ascii\r\n        $x4 = \"Software\\\\Microsoft\\\\%s\\\\st\" fullword wide\r\n        $s1 = \"AppPolicyGetProcessTerminationMethod\" fullword ascii\r\n        $s2 = \"@api-ms-win-core-synch-l1-2-0.dll\" fullword wide\r\n        $s3 = \"Genealogy.ini\" fullword wide\r\n        $s4 = \"powercfg /h off\" fullword ascii\r\n        $s5 = \" Type Descriptor'\" fullword ascii\r\n        $s6 = \"find %s failed , errorcode : %d\" fullword ascii\r\n        $s7 = \"find %s failed , errorcode : %d\" fullword ascii\r\n        $s8 = \"Delete %s failed , errorcode : %d\" fullword wide\r\n        $s9 = \"Delete %s failed , errorcode : %d\" fullword wide\r\n        $s10 = \"OpenService failed , errorcode : %d\" fullword wide\r\n        $s11 = \"\u0026Beijing JoinHope Image Technology Ltd.1/0-\" fullword ascii\r\n        $s12 = \"/c del /q %s\" fullword ascii\r\n    condition:\r\n        uint16(0) == 0x5a4d and filesize \u003c 800KB and 1 of ($x*) and 5 of ($s*)\r\n}\r\n
rule SpicyHotPot_wccenter {\r\n    meta:\r\n        description = \"SpicyHotPot - wccenter.exe: Used to identify malware that communicates with the rootkit component\"\r\n        author = \"jai-minton\"\r\n        reference = \"/content/crowdstrike-www/locale-sites/us/en-us/blog/author.jai-minton.html\"\r\n        copyright = \"(c) 2020 CrowdStrike Inc.\"\r\n        date = \"2020-11-01\"\r\n        hash1 = \"17095beda4afeabb7f41ff07cf866ddc42e49da1a4ed64b9c279072caab354f6\"\r\n    strings:\r\n        $x1 = \"D:\\\\Work\\\\Install_Driver\\\\Driver_helper\\\\Release\\\\wccenter.pdb\" fullword ascii\r\n        $x2 = \"wdlogin.exe\" fullword wide\r\n        $x3 = \"wuhost.exe\" fullword wide\r\n        $x4 = \"wrme.exe\" fullword wide\r\n        $s1 = \"AppPolicyGetProcessTerminationMethod\" fullword ascii\r\n        $s2 = \" Type Descriptor'\" fullword ascii\r\n        $s3 = \"\u0026Beijing JoinHope Image Technology Ltd.1/0-\" fullword ascii\r\n        $s4 = \"operator co_await\" fullword ascii\r\n        $s5 = \"\u0026Beijing JoinHope Image Technology Ltd.0\" fullword ascii\r\n        $s6 = \"RvVersion\" fullword wide\r\n        $s7 = \" Class Hierarchy Descriptor'\" fullword ascii\r\n        $s8 = \"Base Class Descriptor\" ascii\r\n        $s9 = \"Beijing1\" fullword ascii\r\n        $s10 = \" Complete Object Locator'\" fullword ascii\r\n    condition:\r\n        uint16(0) == 0x5a4d and filesize \u003c 400KB and 2 of ($x*) and 4 of ($s*)\r\n}\r\n
rule SpicyHotPot_KMDF_LOOK {\r\n    meta:\r\n        description = \"SpicyHotPot - KMDF_LOOK.sys: Used to identify browser hijacking component\"\r\n        author = \"jai-minton\"\r\n        reference = \"/content/crowdstrike-www/locale-sites/us/en-us/blog/author.jai-minton.html\"\r\n        copyright = \"(c) 2020 CrowdStrike Inc.\"\r\n        date = \"2020-11-01\"\r\n        hash1 = \"39764e887fd0b461d86c1be96018a4c2a670b1de90d05f86ed0acb357a683318\"\r\n    strings:\r\n        $x1 = \"G:\\\\SVN\\\\\" ascii\r\n        $s1 = \"TSWebDownLoadProtect.dll\" fullword wide\r\n        $s2 = \"ShellIco.dll\" fullword wide\r\n        $s3 = \"QMLogEx.dll\" fullword wide\r\n        $s4 = \"SSOCommon.dll\" fullword wide\r\n        $s5 = \"TsService.exe\" fullword ascii\r\n        $s6 = \"Hookport.sys\" fullword wide\r\n        $s7 = \"SafeWrapper32.dll\" fullword wide\r\n        $s8 = \"safemon.dll\" fullword wide\r\n        $s9 = \"iNetSafe.dll\" fullword wide\r\n        $s10 = \"ieplus.dll\" fullword wide\r\n        $s11 = \"wdui2.dll\" fullword wide\r\n        $s12 = \"ExtBhoIEToSe.dll\" fullword wide\r\n        $s13 = \"360NetBase.dll\" fullword wide\r\n        $s14 = \"urlproc.dll\" fullword wide\r\n        $s15 = \"360sdbho.dll\" fullword wide\r\n        $s16 = \"360base.dll\" fullword wide\r\n        $s17 = \"360UDiskGuard.dll\" fullword wide\r\n        $s18 = \"TSClinicWebFix.dll\" fullword wide\r\n        $s19 = \"QMEmKit.dll\" fullword wide\r\n        $s20 = \"WdHPFileSafe.dll\" fullword wide\r\n    condition:\r\n        uint16(0) == 0x5a4d and filesize \u003c 1000KB and 8 of them\r\n}\r\n
rule SpicyHotPot_KMDF_Protect {\r\n    meta:\r\n        description = \"SpicyHotPot - KMDF_Protect.sys: Used to identify driver protection and filtering component\"\r\n        author = \"jai-minton\"\r\n        reference = \"/content/crowdstrike-www/locale-sites/us/en-us/blog/author.jai-minton.html\"\r\n        copyright = \"(c) 2020 CrowdStrike Inc.\"\r\n        date = \"2020-11-01\"\r\n        hash1 = \"ab0418eb1863c8a2211d06c764f45884c9b7dbd6d1943137fc010b8f3b8d14ae\"\r\n    strings:\r\n        $x1 = \"wdlogin.exe\" fullword wide\r\n        $x2 = \"\\\\Windows\\\\System32\\\\cmd.exe\" fullword wide\r\n        $x3 = \"wuhost.exe\" fullword wide\r\n        $x4 = \"wrme.exe\" fullword wide\r\n        $x5 = \"UpdateSelf.exe\" fullword ascii\r\n        $x6 = \"wccenter.exe\" fullword wide\r\n        $s1 = \"jCloudScan.dll\" fullword wide\r\n        $s2 = \"DSFScan.dll\" fullword wide\r\n        $s3 = \"avescan.dll\" fullword wide\r\n        $s4 = \"\\\\Cloudcom2.dll\" fullword wide\r\n        $s5 = \"\\\\Cloudcom264.dll\" fullword wide\r\n        $s6 = \"AVEIEngine.dll\" fullword wide\r\n        $s7 = \"AVEI.dll\" fullword wide\r\n        $s8 = \"BAPI.dll\" fullword wide\r\n        $s9 = \"BAPI64.dll\" fullword wide\r\n        $s10 = \"360Tray.exe\" fullword ascii\r\n        $s11 = \"360Safe.exe\" fullword ascii\r\n        $s12 = \"\\\\jCloudScan.dll\" fullword wide\r\n        $s13 = \"\\\\deepscan64.dll\" fullword wide\r\n        $s14 = \"\\\\deepscan.dll\" fullword wide\r\n    condition:\r\n        uint16(0) == 0x5a4d and filesize \u003c 1000KB and 2 of ($x*) and 6 of ($s*)\r\n}\r\n
Additional Resources\r\nLearn more by visiting the Falcon Complete product webpage.\r\nRead a white paper: CrowdStrike Falcon® Complete: Instant Cybersecurity Maturity for Organizations of All Sizes.\r\nTest CrowdStrike next-gen AV for yourself: Start your free trial of Falcon Prevent™.\r\nSource: https://www.crowdstrike.com/blog/spicy-hot-pot-rootkit-explained/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.crowdstrike.com/blog/spicy-hot-pot-rootkit-explained/"
	],
	"report_names": [
		"spicy-hot-pot-rootkit-explained"
	],
	"threat_actors": [],
	"ts_created_at": 1775434772,
	"ts_updated_at": 1775826785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/54525e6d1360ca979099927fd93009acaa7223fd.pdf",
		"text": "https://archive.orkl.eu/54525e6d1360ca979099927fd93009acaa7223fd.txt",
		"img": "https://archive.orkl.eu/54525e6d1360ca979099927fd93009acaa7223fd.jpg"
	}
}