The detection identifies potential FiveEyes QUERTY malware activity through the presence of a suspicious XML file, indicating possible adversary persistence or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats leveraging known malicious file artifacts.
YARA Rule

rule FiveEyes_QUERTY_Malwareqwerty_20123
{
    meta:
        description = "FiveEyes QUERTY Malware - file 20123.xml"
        author = "Florian Roth"
        reference = "http://www.spiegel.de/media/media-35668.pdf"
        date = "2015/01/18"
        hash = "edc7228b2e27df9e7ff9286bddbf4e46adb51ed9"
    strings:
        $s0 = "<!-- edited with XMLSPY v5 rel. 4 U (http://www.xmlspy.com) by TEAM (RENEGADE) -" ascii
        $s1 = "<configFileName>20123_cmdDef.xml</configFileName>" fullword ascii
        $s2 = "<name>20123.sys</name>" fullword ascii
        $s3 = "<plugin xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:noNamespaceS" ascii
        $s4 = "<codebase>/bin/i686-pc-win32/debug</codebase>" fullword ascii
        $s5 = "<platform type=\"1\">" fullword ascii
        $s6 = "</plugin>" fullword ascii
        $s7 = "</pluginConfig>" fullword ascii
        $s8 = "<pluginConfig>" fullword ascii
        $s9 = "</platform>" fullword ascii
        $s10 = "</lpConfig>" fullword ascii
        $s11 = "<lpConfig>" fullword ascii
    condition:
        9 of them
}
This rule contains 12 string patterns ($s0 to $s11) in its detection logic and fires when at least 9 of them are present in a file. The scenarios below describe benign activity that could produce a file named 20123.xml, with a suggested filter or exclusion for each.
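As an added illustration, not part of the original rule or this page, the Python below re-implements the rule's matching logic (plain substring search for the ascii strings, YARA's alphanumeric-border check for the fullword strings, and the 9-of-12 threshold) and runs it over two constructed XML samples: one shaped like the described 20123.xml and one generic plugin-style config. Because seven of the twelve strings are ordinary XML tag names, a file has to contain at least two of the five artifact-specific strings to reach nine, which is why a generic plugin config stays below the threshold; real scanning should use yara itself, this only shows how the condition evaluates.

```python
import re

# The 12 strings from the rule above, as (text, fullword) pairs.
RULE_STRINGS = [
    ("<!-- edited with XMLSPY v5 rel. 4 U (http://www.xmlspy.com) by TEAM (RENEGADE) -", False),
    ("<configFileName>20123_cmdDef.xml</configFileName>", True),
    ("<name>20123.sys</name>", True),
    ('<plugin xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceS', False),
    ("<codebase>/bin/i686-pc-win32/debug</codebase>", True),
    ('<platform type="1">', True),
    ("</plugin>", True),
    ("</pluginConfig>", True),
    ("<pluginConfig>", True),
    ("</platform>", True),
    ("</lpConfig>", True),
    ("<lpConfig>", True),
]
THRESHOLD = 9  # condition: 9 of them

def string_matches(data: bytes, text: str, fullword: bool) -> bool:
    # 'ascii' = plain substring; 'fullword' additionally requires that no
    # alphanumeric byte sits directly before or after the match (YARA semantics).
    pat = re.escape(text.encode("ascii"))
    if fullword:
        pat = rb"(?<![0-9A-Za-z])" + pat + rb"(?![0-9A-Za-z])"
    return re.search(pat, data) is not None

def count_matches(data: bytes) -> int:
    return sum(string_matches(data, t, fw) for t, fw in RULE_STRINGS)

def rule_fires(data: bytes) -> bool:
    return count_matches(data) >= THRESHOLD

# Constructed sample shaped like the described 20123.xml (not a real artifact).
SUSPECT = b"""<!-- edited with XMLSPY v5 rel. 4 U (http://www.xmlspy.com) by TEAM (RENEGADE) -->
<plugin xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="p.xsd">
<pluginConfig><name>20123.sys</name><configFileName>20123_cmdDef.xml</configFileName>
<platform type="1"><codebase>/bin/i686-pc-win32/debug</codebase></platform>
<lpConfig></lpConfig></pluginConfig></plugin>
"""
# Constructed benign plugin config: hits only the 7 generic tag strings, so it stays under 9.
BENIGN = b"""<plugin><pluginConfig><name>backup-agent</name>
<platform type="1"><codebase>/opt/agent</codebase></platform>
<lpConfig></lpConfig></pluginConfig></plugin>
"""

if __name__ == "__main__":
    for label, data in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(f"{label}: {count_matches(data)}/{len(RULE_STRINGS)} strings, fires={rule_fires(data)}")
```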
Scenario: A system administrator is using PowerShell to generate a configuration file named 20123.xml for a legitimate application deployment.
Filter/Exclusion: Exclude files created by PowerShell scripts with the PowerShell process name and containing known legitimate XML structure.
Scenario: A scheduled job runs nightly to back up user data and generates a temporary 20123.xml file as part of the backup process.
Filter/Exclusion: Exclude files created by scheduled tasks with the Backup or BackupService service name, or within a known backup directory.
Scenario: A configuration management tool like Chef or Ansible is generating a 20123.xml file during a configuration push to multiple servers.
Filter/Exclusion: Exclude files created by processes associated with configuration management tools (e.g., chef-client, ansible, or puppet).
Scenario: A database migration tool such as MySQL Workbench or pg_dump is exporting data to an XML file named 20123.xml during a routine export.
Filter/Exclusion: Exclude files created by known database tools or within database export directories, or filter by process name like mysql or pg_dump.
Scenario: A log aggregation tool like ELK Stack or Splunk is generating an XML log file named 20123.xml for structured logging purposes.
Filter/Exclusion: Exclude files created by log aggregation tools (e.g., logstash, splunkd) or within log directories, and filter by file extension or content type.