FiveEyes QUERTY Malware - file 20120.xml

Hunt Hypothesis

The detection identifies potential FiveEyes QUERTY malware activity through the presence of a suspicious XML file, indicating possible adversary persistence or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats leveraging known malicious artifacts.

YARA Rule

rule FiveEyes_QUERTY_Malwareqwerty_20120 
{

    meta:
        description = "FiveEyes QUERTY Malware - file 20120.xml"
        author = "Florian Roth"
        reference = "http://www.spiegel.de/media/media-35668.pdf"
        date = "2015/01/18"
        hash = "597082f05bfd3225587d480c30f54a7a1326a892"

    strings:
        $s0 = "<configFileName>20120_cmdDef.xml</configFileName>" fullword ascii
        $s1 = "<name>20120.dll</name>" fullword ascii
        $s2 = "<codebase>\"Reserved for future use.\"</codebase>" fullword ascii
        $s3 = "<plugin xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:noNamespaceS" ascii
        $s4 = "<platform type=\"1\">" fullword ascii
        $s5 = "</plugin>" fullword ascii
        $s6 = "</pluginConfig>" fullword ascii
        $s7 = "<pluginConfig>" fullword ascii
        $s8 = "</platform>" fullword ascii
        $s9 = "</lpConfig>" fullword ascii
        $s10 = "<lpConfig>" fullword ascii
   
    condition:
        all of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 11 string patterns in its detection logic.

References

• http://www.spiegel.de/media/media-35668.pdf
• Source Rule

False Positive Guidance

• Scenario: A system administrator is using PowerShell to automate the deployment of a configuration file named 20120.xml as part of a routine system update.
  Filter/Exclusion: Check for ProcessName containing powershell.exe and ensure the file path is within a known administrative directory (e.g., C:\Windows\System32\ or C:\inetpub\).

• Scenario: A scheduled task runs a legitimate script that generates a file named 20120.xml as part of a data export process.
  Filter/Exclusion: Filter by ProcessName matching the scheduled task’s executable (e.g., taskeng.exe or the specific script interpreter) and verify the file path is in a known data directory (e.g., C:\DataExports\).

• Scenario: A backup tool like Veeam or Commvault creates a temporary XML file named 20120.xml during a backup operation.
  Filter/Exclusion: Filter by ProcessName containing the backup tool’s executable name (e.g., veeam.exe or cvbackup.exe) and check the file path against known backup directories (e.g., C:\Backup\ or D:\Temp\).

• Scenario: A configuration management tool like Ansible or Chef generates a file named 20120.xml as part of a configuration push to managed nodes.
  Filter/Exclusion: Filter by ProcessName containing the configuration tool’s executable (e.g., ansible.exe or chef-client.exe) and verify the file path is within a known configuration directory (e.g., C:\Ansible\ or C:\Chef\).

• Scenario: A development team uses