The hypothesis is that the detection identifies potential APT activity associated with the PutterPanda group, leveraging malware that may execute stealthy, persistent, and data exfiltration behaviors. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant data loss or network compromise.
YARA Rule
rule APT_Malware_PutterPanda_Rel_2
{
meta:
description = "APT Malware related to PutterPanda Group"
author = "Florian Roth"
score = 70
reference = "VT Analysis"
date = "2015-06-03"
hash = "f97e01ee04970d1fc4d988a9e9f0f223ef2a6381"
strings:
$s0 = "http://update.konamidata.com/test/zl/sophos/td/result/rz.dat?" fullword ascii /* PEStudio Blacklist: strings */ /* score: '28.01' */
$s1 = "http://update.konamidata.com/test/zl/sophos/td/index.dat?" fullword ascii /* PEStudio Blacklist: strings */ /* score: '28.01' */
$s2 = "Mozilla/4.0 (Compatible; MSIE 6.0;)" fullword ascii /* PEStudio Blacklist: agent */ /* score: '20.03' */
$s3 = "Internet connect error:%d" fullword ascii /* PEStudio Blacklist: strings */ /* score: '14.035' */
$s4 = "Proxy-Authorization:Basic" fullword ascii /* PEStudio Blacklist: strings */ /* score: '14.02' */
$s5 = "HttpQueryInfo failed:%d" fullword ascii /* PEStudio Blacklist: strings */ /* score: '13.015' */
$s6 = "read file error:%d" fullword ascii /* score: '11.04' */
$s7 = "downdll.dll" fullword ascii /* score: '11.025' */
$s8 = "rz.dat" fullword ascii /* score: '10.005' */
$s9 = "Invalid url" fullword ascii /* PEStudio Blacklist: strings */ /* score: '9.03' */
$s10 = "Create file failed" fullword ascii /* score: '8.045' */
$s11 = "myAgent" fullword ascii /* score: '8.025' */
$s12 = "%s%s%d%d" fullword ascii /* score: '8.005' */
$s13 = "down file success" fullword ascii /* score: '7.035' */
$s15 = "error!" fullword ascii /* score: '6.04' */
$s18 = "Avaliable data:%u bytes" fullword ascii /* score: '5.025' */
condition:
uint16(0) == 0x5a4d and 6 of them
}This YARA rule can be deployed in the following contexts:
This rule contains 16 string patterns in its detection logic.
Scenario: Legitimate scheduled backup job using Veeam Backup & Replication
Filter/Exclusion: Check for process.name containing “Veeam” and process.command_line containing “backup” or “replication”
Scenario: System administrator running PowerShell script for user account management
Filter/Exclusion: Filter by process.name equal to “powershell.exe” and process.command_line containing “Add-LocalUser” or “Set-LocalUser”
Scenario: IT team executing Windows Task Scheduler job for system maintenance
Filter/Exclusion: Check for process.name equal to “schtasks.exe” and process.command_line containing “/create” or “/run”
Scenario: Regular use of Windows Event Viewer to review logs
Filter/Exclusion: Filter by process.name equal to “eventvwr.exe” and process.command_line containing “open” or “log”
Scenario: Deployment of Microsoft Endpoint Configuration Manager (MECM) package
Filter/Exclusion: Check for process.name containing “ccmsetup.exe” or “mpcmdrun.exe” and process.command_line containing “install” or “deploy”