The hypothesis is that this detection identifies potential Putter Panda malware activity. Putter Panda is associated with advanced persistent threat operations and lateral-movement capability, so SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises before significant damage occurs.
YARA Rule
rule APT_Malware_PutterPanda_WUAUCLT
{
    meta:
        description = "Detects a malware related to Putter Panda"
        author = "Florian Roth"
        score = 70
        reference = "VT Analysis"
        date = "2015-06-03"
        hash = "fd5ca5a2d444865fa8320337467313e4026b9f78"
    strings:
        $x0 = "WUAUCLT.EXE" fullword wide /* PEStudio Blacklist: strings */ /* score: '20.01' */
        $x1 = "%s\\tmp%d.exe" fullword ascii /* score: '14.01' */
        $x2 = "Microsoft Corporation. All rights reserved." fullword wide /* score: '8.04' */
        $s1 = "Microsoft Windows Operating System" fullword wide /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occurred 4 times */
        $s2 = "InternetQueryOptionA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occurred 166 times */
        $s3 = "LookupPrivilegeValueA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occurred 336 times */
        $s4 = "WNetEnumResourceA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occurred 29 times */
        $s5 = "HttpSendRequestExA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occurred 87 times */
        $s6 = "PSAPI.DLL" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occurred 420 times */
        $s7 = "Microsoft(R) Windows(R) Operating System" fullword wide /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occurred 128 times */
        $s8 = "CreatePipe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occurred 222 times */
        $s9 = "EnumProcessModules" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occurred 410 times */
    condition:
        all of ($x*) or (1 of ($x*) and all of ($s*))
}
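The condition above has two branches: either all three high-weight $x strings are present, or one $x string appears together with the full set of weaker $s strings (API imports and version-info text that each occur in plenty of goodware). The ascii/wide and fullword modifiers matter too: "WUAUCLT.EXE" only counts in its UTF-16LE form and only when it is not glued to other alphanumeric characters. The following is an added example, not the rule author's tooling and not the yara library itself; it re-implements just those semantics in plain Python and runs the rule over constructed sample buffers so the effect of each branch and modifier can be seen directly.

```python
"""Emulation of the APT_Malware_PutterPanda_WUAUCLT string and condition
semantics (added example; not the rule author's tooling and not the yara
library).  Models only what this rule uses: literal strings with the
ascii/wide and fullword modifiers, and the condition
    all of ($x*) or (1 of ($x*) and all of ($s*))
All sample buffers below are constructed for illustration."""

# (text, wide) pairs copied from the rule; True means the string is matched
# only in its UTF-16LE ("wide") form, False means plain ASCII.
X_STRINGS = {
    "x0": ("WUAUCLT.EXE", True),
    "x1": ("%s\\tmp%d.exe", False),
    "x2": ("Microsoft Corporation. All rights reserved.", True),
}
S_STRINGS = {
    "s1": ("Microsoft Windows Operating System", True),
    "s2": ("InternetQueryOptionA", False),
    "s3": ("LookupPrivilegeValueA", False),
    "s4": ("WNetEnumResourceA", False),
    "s5": ("HttpSendRequestExA", False),
    "s6": ("PSAPI.DLL", False),
    "s7": ("Microsoft(R) Windows(R) Operating System", True),
    "s8": ("CreatePipe", False),
    "s9": ("EnumProcessModules", False),
}


def _alnum_boundary(chunk: bytes, wide: bool) -> bool:
    """True if the bytes adjacent to a match form an ASCII alphanumeric
    character, which is what makes a 'fullword' match fail.  For wide strings
    the adjacent character is a two-byte UTF-16LE unit (alnum byte + 0x00)."""
    if wide:
        return len(chunk) == 2 and chunk[1] == 0 and chunk[0] < 128 and chr(chunk[0]).isalnum()
    return len(chunk) == 1 and chunk[0] < 128 and chr(chunk[0]).isalnum()


def fullword_match(data: bytes, text: str, wide: bool) -> bool:
    """True if `text` occurs in `data` in the requested encoding and is not
    glued to an alphanumeric character on either side."""
    needle = text.encode("utf-16-le") if wide else text.encode("ascii")
    step = 2 if wide else 1
    pos = data.find(needle)
    while pos != -1:
        before = data[max(pos - step, 0):pos]
        after = data[pos + len(needle):pos + len(needle) + step]
        if not _alnum_boundary(before, wide) and not _alnum_boundary(after, wide):
            return True
        pos = data.find(needle, pos + 1)
    return False


def evaluate_rule(data: bytes) -> dict:
    """Apply the rule's condition and report which strings fired."""
    x_hits = sorted(n for n, (t, w) in X_STRINGS.items() if fullword_match(data, t, w))
    s_hits = sorted(n for n, (t, w) in S_STRINGS.items() if fullword_match(data, t, w))
    matched = len(x_hits) == len(X_STRINGS) or (
        len(x_hits) >= 1 and len(s_hits) == len(S_STRINGS))
    return {"matched": matched, "x": x_hits, "s": s_hits}


def build_sample(ascii_parts, wide_parts) -> bytes:
    """Constructed stand-in for a binary's string table: wide strings first,
    then ASCII strings, each terminated by two NUL bytes."""
    out = bytearray()
    for part in wide_parts:
        out += part.encode("utf-16-le") + b"\x00\x00"
    for part in ascii_parts:
        out += part.encode("ascii") + b"\x00\x00"
    return bytes(out)


ASCII_S = [t for t, w in S_STRINGS.values() if not w]
WIDE_S = [t for t, w in S_STRINGS.values() if w]

# Branch 1: all three $x strings present, no $s strings at all.
SAMPLE_ALL_X = build_sample(["%s\\tmp%d.exe"],
                            ["WUAUCLT.EXE", "Microsoft Corporation. All rights reserved."])
# Branch 2: only $x1, but every $s string (imports plus version-info text).
SAMPLE_ONE_X_ALL_S = build_sample(["%s\\tmp%d.exe"] + ASCII_S, WIDE_S)
# One $x and all but one $s: neither branch is satisfied.
SAMPLE_ONE_X_MOST_S = build_sample(["%s\\tmp%d.exe"] + ASCII_S[:-1], WIDE_S)
# Modifier traps: the name in ASCII rather than wide, and the wide name glued
# to other letters; both fail $x0.
SAMPLE_WRONG_FORM = build_sample(["WUAUCLT.EXE"], ["MYWUAUCLT.EXE"])

if __name__ == "__main__":
    for name in ("SAMPLE_ALL_X", "SAMPLE_ONE_X_ALL_S", "SAMPLE_ONE_X_MOST_S", "SAMPLE_WRONG_FORM"):
        print(name, evaluate_rule(globals()[name]))
```

Running the script prints one result line per constructed buffer. The third buffer is the instructive one for tuning: a sample that carries the %s\tmp%d.exe format string and eight of the nine goodware strings still does not fire, which is what keeps the weak $s strings from matching ordinary Windows binaries on their own.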
This YARA rule can be deployed in the following contexts:
This rule contains 12 string patterns in its detection logic.
Scenario: A system administrator is using PowerShell to automate the deployment of a legitimate software update.
Filter/Exclusion: Check for the presence of Update.exe or Setup.exe in the command line, or use a filter such as process.name != "powershell.exe" or process.name contains "Update".

Scenario: A scheduled job runs through Task Scheduler to perform routine disk cleanup with a legitimate tool such as Disk Cleanup or CCleaner.
Filter/Exclusion: Exclude processes associated with taskhost.exe, or filter on command-line arguments containing cleanmgr.exe or ccleaner.exe.

Scenario: An IT admin is using Windows Event Viewer to investigate logs and manually runs a script to parse event logs.
Filter/Exclusion: Exclude the eventvwr.exe process, or filter on command lines containing wevtutil or eventlog.

Scenario: A developer is using Visual Studio to debug a script that interacts with system files, which may trigger file system monitoring.
Filter/Exclusion: Exclude the devenv.exe process, or filter on command lines containing Visual Studio or Debug.

Scenario: A backup job is running under Veeam Backup & Replication to back up system files, which may trigger file access alerts.
Filter/Exclusion: Exclude the veeam.exe process, or filter on command lines containing backup or replication.
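The exclusions above are phrased loosely ("exclude the process, or filter on a command-line keyword"), and a keyword such as "backup" on its own will silence alerts that have nothing to do with the backup product. The following is an added example, not part of the original page or any vendor's tooling: it encodes the scenarios as an allowlist in which the process name and a command-line pattern must both match, runs it over constructed alert records, and compares the result with a plain keyword filter so the suppression effect of each approach can be measured before it is deployed. Field names (process_name, command_line) and all alert content are assumptions made up for this example.

```python
"""Added example, not part of the original page or any vendor's tooling:
applies the exclusion scenarios above as a structured allowlist over
constructed alert records, so a filter's suppression effect can be measured
before it is deployed.  Field names and alert content are assumptions."""
import re

# Each exclusion pairs a process name with a command-line pattern; both must
# match.  The page's suggestions use "or"; pairing them is deliberately
# tighter so a word such as "backup" in an unrelated command line does not
# silence an alert on its own.
EXCLUSIONS = [
    {"name": "scheduled-disk-cleanup", "process": "taskhost.exe",
     "cmdline": r"\bcleanmgr\.exe\b|\bccleaner\.exe\b"},
    {"name": "event-log-parsing", "process": "eventvwr.exe",
     "cmdline": r"\bwevtutil\b|\beventlog\b"},
    {"name": "vs-debug-session", "process": "devenv.exe",
     "cmdline": r"visual studio|\bdebug\b"},
    {"name": "veeam-backup-job", "process": "veeam.exe",
     "cmdline": r"\bbackup\b|\breplication\b"},
]

# Constructed alerts.  Alert 3 mentions "backup" but is not the backup
# product; alert 4 resembles the %s\tmp%d.exe drop path from the rule above.
ALERTS = [
    {"id": 1, "process_name": "taskhost.exe",
     "command_line": "taskhost.exe cleanmgr.exe /sagerun:1"},
    {"id": 2, "process_name": "Veeam.exe",
     "command_line": "Veeam.exe --job nightly-backup"},
    {"id": 3, "process_name": "powershell.exe",
     "command_line": "powershell.exe -File C:\\scripts\\rotate-backup.ps1"},
    {"id": 4, "process_name": "cmd.exe",
     "command_line": "cmd.exe /c C:\\Windows\\Temp\\tmp42.exe"},
]


def _matches(exclusion: dict, alert: dict) -> bool:
    """Case-insensitive match on both the process name and the command line."""
    proc = alert["process_name"].lower()
    cmd = alert["command_line"].lower()
    return proc == exclusion["process"].lower() and re.search(exclusion["cmdline"], cmd) is not None


def apply_exclusions(alerts, exclusions):
    """Return (kept, suppressed); suppressed maps alert id -> exclusion name,
    so every suppression stays attributable to the rule that caused it."""
    kept, suppressed = [], {}
    for alert in alerts:
        hit = next((e["name"] for e in exclusions if _matches(e, alert)), None)
        if hit is None:
            kept.append(alert)
        else:
            suppressed[alert["id"]] = hit
    return kept, suppressed


def naive_keyword_filter(alerts, keywords):
    """The loose alternative: drop any alert whose command line contains a keyword."""
    return [a for a in alerts
            if not any(k.lower() in a["command_line"].lower() for k in keywords)]


def exclusion_hit_counts(alerts, exclusions):
    """How often each exclusion fires.  Zero-hit entries are candidates for
    removal; unusually high counts deserve a second look."""
    _, suppressed = apply_exclusions(alerts, exclusions)
    counts = {e["name"]: 0 for e in exclusions}
    for name in suppressed.values():
        counts[name] += 1
    return counts


if __name__ == "__main__":
    kept, suppressed = apply_exclusions(ALERTS, EXCLUSIONS)
    print("paired filter keeps:", [a["id"] for a in kept], "suppressed:", suppressed)
    print("keyword filter keeps:", [a["id"] for a in naive_keyword_filter(ALERTS, ["cleanmgr.exe", "backup"])])
    print("hits per exclusion:", exclusion_hit_counts(ALERTS, EXCLUSIONS))
```

On the constructed alerts the paired filter suppresses only the two genuine maintenance jobs and keeps both the PowerShell script that merely mentions "backup" and the temp-directory execution, whereas the keyword filter also drops the PowerShell alert. Attributing each suppression to a named exclusion and counting hits per exclusion is what makes the allowlist reviewable over time.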