FiveEyes QUERTY Malware - file 20121.xml

Hunt Hypothesis

The detection identifies potential QUERTY malware activity through the presence of the 20121.xml file, which may indicate adversary persistence or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise by state-sponsored actors associated with FiveEyes.

YARA Rule

rule FiveEyes_QUERTY_Malwareqwerty_20121 
{

    meta:
        description = "FiveEyes QUERTY Malware - file 20121.xml"
        author = "Florian Roth"
        reference = "http://www.spiegel.de/media/media-35668.pdf"
        date = "2015/01/18"
        hash = "8263fb58350f3b1d3c4220a602421232d5e40726"

    strings:
        $s0 = "<configFileName>20121_cmdDef.xml</configFileName>" fullword ascii
        $s1 = "<name>20121.dll</name>" fullword ascii
        $s2 = "<codebase>\"Reserved for future use.\"</codebase>" fullword ascii
        $s3 = "<plugin xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:noNamespaceS" ascii
        $s4 = "<platform type=\"1\">" fullword ascii
        $s5 = "</plugin>" fullword ascii
        $s6 = "</pluginConfig>" fullword ascii
        $s7 = "<pluginConfig>" fullword ascii
        $s8 = "</platform>" fullword ascii
        $s9 = "</lpConfig>" fullword ascii
        $s10 = "<lpConfig>" fullword ascii
   
    condition:
        9 of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 11 string patterns in its detection logic.

References

• http://www.spiegel.de/media/media-35668.pdf
• Source Rule

False Positive Guidance

• Scenario: A system administrator is using PowerShell to automate the deployment of a configuration file named 20121.xml as part of a routine system update.
  Filter/Exclusion: Check for ProcessName containing powershell.exe and ensure the file path is within a known administrative directory (e.g., C:\Windows\System32\ or C:\inetpub\).

• Scenario: A scheduled task runs a legitimate script that generates a file named 20121.xml as part of a data export process.
  Filter/Exclusion: Filter by ProcessName containing schtasks.exe or Task Scheduler and check if the file is created in a known data export directory (e.g., C:\DataExports\).

• Scenario: A database backup tool (e.g., SQL Server Backup Utility) creates a file named 20121.xml as part of a backup process.
  Filter/Exclusion: Check for ProcessName containing sqlbackup.exe or sqlservr.exe and verify the file path is within a backup directory (e.g., C:\Backups\).

• Scenario: A configuration management tool like Ansible or Chef generates a file named 20121.xml during a configuration push to multiple hosts.
  Filter/Exclusion: Filter by ProcessName containing ansible.exe or chef-client.exe and check the file path against known configuration directories (e.g., C:\Ansible\ or C:\Chef\).

• Scenario: A log aggregation tool (e.g., ELK Stack or Splunk) writes a file named 20121.xml as part of log processing.