The hypothesis is that the detection identifies potential PutterPanda malware activity, which is associated with advanced persistent threats and lateral movement capabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises before significant damage occurs.
YARA Rule
rule APT_Malware_PutterPanda_Gen4
{
    meta:
        description = "Detects Malware related to PutterPanda"
        author = "Florian Roth"
        score = 70
        reference = "VT Analysis"
        date = "2015-06-03"
        super_rule = 1
        hash0 = "71a8378fa8e06bcf8ee9f019c807c6bfc58dca0c"
        hash1 = "8fdd6e5ed9d69d560b6fdd5910f80e0914893552"
        hash2 = "3c4a762175326b37035a9192a981f7f4cc2aa5f0"
        hash3 = "598430b3a9b5576f03cc4aed6dc2cd8a43324e1e"
        hash4 = "6522b81b38747f4aa09c98fdaedaed4b00b21689"
    strings:
        $x1 = "rz.dat" fullword ascii /* score: '10.00' */
        $s0 = "Mozilla/4.0 (Compatible; MSIE 6.0;)" fullword ascii /* PEStudio Blacklist: agent */ /* score: '20.03' */
        $s1 = "Internet connect error:%d" fullword ascii /* PEStudio Blacklist: strings */ /* score: '14.04' */
        $s2 = "Proxy-Authorization:Basic " fullword ascii /* PEStudio Blacklist: strings */ /* score: '14.02' */
        $s5 = "Invalid url" fullword ascii /* PEStudio Blacklist: strings */ /* score: '9.03' */
        $s6 = "Create file failed" fullword ascii /* score: '8.04' */
        $s7 = "myAgent" fullword ascii /* score: '8.03' */
        $z1 = "%s%s%d%d" fullword ascii /* score: '8.00' */
        $z2 = "HttpQueryInfo failed:%d" fullword ascii /* PEStudio Blacklist: strings */ /* score: '13.02' */
        $z3 = "read file error:%d" fullword ascii /* score: '11.04' */
        $z4 = "down file success" fullword ascii /* score: '7.04' */
        $z5 = "kPStoreCreateInstance" fullword ascii /* score: '5.03' */
        $z6 = "Avaliable data:%u bytes" fullword ascii /* score: '5.03' */
        $z7 = "abe2869f-9b47-4cd9-a358-c22904dba7f7" fullword ascii /* PEStudio Blacklist: guid */ /* score: '5.00' */ /* Goodware String - occurred 2 times */
    condition:
        filesize < 300KB and (( uint16(0) == 0x5a4d and $x1 and 3 of ($s*) ) or ( 3 of ($s*) and 4 of ($z*) ))
}
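To make the condition's two branches concrete, the following added example (not part of this page or the rule author's code) re-implements the rule's condition in plain Python, including YARA's "fullword" delimiting semantics and the little-endian uint16(0) "MZ" header check, and runs it over constructed byte buffers; it assumes no yara-python install and is meant for understanding and unit-testing the logic, not as a replacement for the YARA engine.

```python
import re
import struct

# The three string groups of APT_Malware_PutterPanda_Gen4 as given on this page.
X_STRINGS = [b"rz.dat"]
S_STRINGS = [b"Mozilla/4.0 (Compatible; MSIE 6.0;)", b"Internet connect error:%d",
             b"Proxy-Authorization:Basic ", b"Invalid url", b"Create file failed", b"myAgent"]
Z_STRINGS = [b"%s%s%d%d", b"HttpQueryInfo failed:%d", b"read file error:%d",
             b"down file success", b"kPStoreCreateInstance",
             b"Avaliable data:%u bytes",  # the misspelling is in the malware; keep it verbatim
             b"abe2869f-9b47-4cd9-a358-c22904dba7f7"]

def fullword_hits(data: bytes, needles) -> int:
    """Count how many needles occur as a YARA 'fullword ascii' match, i.e. not
    immediately preceded or followed by an alphanumeric byte."""
    hits = 0
    for needle in needles:
        pattern = rb"(?<![0-9A-Za-z])" + re.escape(needle) + rb"(?![0-9A-Za-z])"
        if re.search(pattern, data):
            hits += 1
    return hits

def rule_matches(data: bytes) -> bool:
    """Evaluate the rule's condition over a buffer:
    filesize < 300KB and ((uint16(0) == 0x5a4d and $x1 and 3 of ($s*))
                          or (3 of ($s*) and 4 of ($z*)))"""
    if len(data) >= 300 * 1024:  # YARA's KB suffix means 1024 bytes
        return False
    # uint16(0) reads little-endian, so the "MZ" DOS header is 0x5A4D
    is_mz = len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D
    x1 = fullword_hits(data, X_STRINGS) == 1
    s = fullword_hits(data, S_STRINGS)
    z = fullword_hits(data, Z_STRINGS)
    return (is_mz and x1 and s >= 3) or (s >= 3 and z >= 4)

# Constructed test buffers (not real samples): rule strings embedded in NUL filler.
PE_BRANCH = b"MZ\x90\x00" + b"\x00" * 60 + b"\x00".join(
    [b"rz.dat", b"Invalid url", b"myAgent", b"Create file failed"]) + b"\x00"
NO_MZ_BRANCH = b"\x00".join(
    [b"Invalid url", b"myAgent", b"Create file failed", b"%s%s%d%d",
     b"read file error:%d", b"down file success", b"kPStoreCreateInstance"]) + b"\x00"
TOO_FEW = b"MZ\x90\x00" + b"\x00".join([b"rz.dat", b"Invalid url", b"myAgent"]) + b"\x00"
# Same strings as PE_BRANCH but glued to alphanumerics, so 'fullword' does not match.
NOT_FULLWORD = b"MZ\x90\x00Xrz.datX Invalid urlX myAgentX Create file failedX"

if __name__ == "__main__":
    for name, buf in [("PE_BRANCH", PE_BRANCH), ("NO_MZ_BRANCH", NO_MZ_BRANCH),
                      ("TOO_FEW", TOO_FEW), ("NOT_FULLWORD", NOT_FULLWORD)]:
        print(f"{name:13s} -> {rule_matches(buf)}")
```

Expected: PE_BRANCH and NO_MZ_BRANCH match, TOO_FEW (only two $s strings) and NOT_FULLWORD do not.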
This YARA rule can be deployed in the following contexts:
This rule contains 14 string patterns in its detection logic.
Scenario: A system administrator is using PowerShell to run a legitimate script for system cleanup or patch management.
Filter/Exclusion: Exclude processes initiated by powershell.exe with command lines containing Cleanup, Patch, or Update.
Scenario: A scheduled job is running Task Scheduler to perform routine maintenance tasks, such as log rotation or temporary file cleanup.
Filter/Exclusion: Exclude tasks with names containing Cleanup, LogRotate, or TempCleanup and associated with the Task Scheduler service.
Scenario: A developer is using Wireshark to analyze network traffic for debugging or security analysis purposes.
Filter/Exclusion: Exclude processes initiated by wireshark.exe or tshark.exe with command lines containing analyze, debug, or network.
Scenario: A system is running a Windows Update or Group Policy client service that is performing background configuration changes.
Filter/Exclusion: Exclude processes related to wuauclt.exe or gpolusr.exe and filter out events associated with Windows Update or Group Policy.
Scenario: A user is executing a PowerShell script from a shared network drive for a legitimate automation task, such as report generation.
Filter/Exclusion: Exclude processes where the command line includes paths from known internal shared drives (e.g., \\fileserver\scripts\) and filter by script names like generate_report.ps1.