This detection identifies potential QUERTY malware activity through the presence of the 20120_cmdDef.xml file (a keystroke-logger plugin command definition, as the matched strings show), which may be used for command and control communication. SOC teams should proactively hunt for this indicator in Azure Sentinel to detect early-stage adversarial behavior associated with state-sponsored malware campaigns.
YARA Rule
rule FiveEyes_QUERTY_Malwaresig_20120_cmdDef
{
    meta:
        description = "FiveEyes QUERTY Malware - file 20120_cmdDef.xml"
        author = "Florian Roth"
        reference = "http://www.spiegel.de/media/media-35668.pdf"
        date = "2015/01/18"
        hash = "cda9ceaf0a39d6b8211ce96307302a53dfbd71ea"
    strings:
        $s0 = "This PPC gets the current keystroke log." fullword ascii
        $s1 = "This command will add the given WindowTitle to the list of Windows to log keys f" ascii
        $s2 = "This command will remove the WindowTitle corresponding to the given window title" ascii
        $s3 = "This command will return the current status of the Keyboard Logger (Whether it i" ascii
        $s4 = "This command Toggles logging of all Keys. If allkeys is toggled all keystrokes w" ascii
        $s5 = "<definition>Turn logging of all keys on|off</definition>" fullword ascii
        $s6 = "<name>Get Keystroke Log</name>" fullword ascii
        $s7 = "<description>Keystroke Logger Lp Plugin</description>" fullword ascii
        $s8 = "<definition>display help for this function</definition>" fullword ascii
        $s9 = "This command will switch ON Logging of keys. All keys taht are entered to a acti" ascii
        $s10 = "Set the log limit (in number of windows)" fullword ascii
        $s11 = "<example>qwgetlog</example>" fullword ascii
        $s12 = "<aliasName>qwgetlog</aliasName>" fullword ascii
        $s13 = "<definition>The title of the Window whose keys you wish to Log once it becomes a" ascii
        $s14 = "This command will switch OFF Logging of keys. No keystrokes will be captured" fullword ascii
        $s15 = "<definition>The title of the Window whose keys you no longer whish to log</defin" ascii
        $s16 = "<command id=\"32\">" fullword ascii
        $s17 = "<command id=\"3\">" fullword ascii
        $s18 = "<command id=\"7\">" fullword ascii
        $s19 = "<command id=\"1\">" fullword ascii
        $s20 = "<command id=\"4\">" fullword ascii
    condition:
        10 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 21 string patterns in its detection logic.
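To make the "10 of them" condition concrete, here is an added Python re-implementation of the rule's string matching (this is editor-written example code, not the rule author's or YARA's own code). It carries the 21 strings from the rule above, applies YARA's fullword semantics (no alphanumeric byte directly before or after a match), and runs over a constructed fragment shaped like the plugin's command definitions; the fragment is invented for the example and is not a real sample.

```python
import re

# The 21 strings of FiveEyes_QUERTY_Malwaresig_20120_cmdDef as (text, fullword);
# the ones cut off at 80 characters carry no 'fullword' modifier in the rule.
RULE_STRINGS = [
    ("This PPC gets the current keystroke log.", True),
    ("This command will add the given WindowTitle to the list of Windows to log keys f", False),
    ("This command will remove the WindowTitle corresponding to the given window title", False),
    ("This command will return the current status of the Keyboard Logger (Whether it i", False),
    ("This command Toggles logging of all Keys. If allkeys is toggled all keystrokes w", False),
    ("<definition>Turn logging of all keys on|off</definition>", True),
    ("<name>Get Keystroke Log</name>", True),
    ("<description>Keystroke Logger Lp Plugin</description>", True),
    ("<definition>display help for this function</definition>", True),
    ("This command will switch ON Logging of keys. All keys taht are entered to a acti", False),
    ("Set the log limit (in number of windows)", True),
    ("<example>qwgetlog</example>", True),
    ("<aliasName>qwgetlog</aliasName>", True),
    ("<definition>The title of the Window whose keys you wish to Log once it becomes a", False),
    ("This command will switch OFF Logging of keys. No keystrokes will be captured", True),
    ("<definition>The title of the Window whose keys you no longer whish to log</defin", False),
    ('<command id="32">', True),
    ('<command id="3">', True),
    ('<command id="7">', True),
    ('<command id="1">', True),
    ('<command id="4">', True),
]

def matched_strings(data: bytes) -> list:
    """Return the rule strings found in data. YARA 'fullword' means the match
    may not be directly preceded or followed by an alphanumeric byte."""
    hits = []
    for text, fullword in RULE_STRINGS:
        pat = re.escape(text.encode("ascii"))
        if fullword:
            pat = rb"(?<![0-9A-Za-z])" + pat + rb"(?![0-9A-Za-z])"
        if re.search(pat, data):
            hits.append(text)
    return hits

def rule_matches(data: bytes) -> bool:
    """The rule's condition: '10 of them'."""
    return len(matched_strings(data)) >= 10

# Constructed fragment in the shape of the plugin's command definitions (not a real sample).
SAMPLE = (b'<command id="1">\n<name>Get Keystroke Log</name>\n<aliasName>qwgetlog</aliasName>\n'
          b'<example>qwgetlog</example>\n<definition>display help for this function</definition>\n'
          b'<command id="3">\n<description>Keystroke Logger Lp Plugin</description>\n'
          b'<definition>Turn logging of all keys on|off</definition>\n<command id="4">\n'
          b'This PPC gets the current keystroke log.\n<command id="7">\nSet the log limit (in number of windows)\n')
```

A benign configuration export that merely carries the 20120_cmdDef.xml file name hits none of the strings, which is why the scenarios below matter for file-name-based hunting rather than for the content-based rule itself.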
Scenario: A system administrator is using PowerShell to execute a legitimate scheduled job that generates a file named 20120_cmdDef.xml as part of a configuration export.
Filter/Exclusion: Exclude events where process.name is powershell.exe, file.name is 20120_cmdDef.xml and process.parent.name is schtasks.exe or the Task Scheduler service.
Scenario: A Windows Update or Microsoft Endpoint Manager (MEM) task creates a temporary file named 20120_cmdDef.xml during a policy deployment or configuration sync.
Filter/Exclusion: Filter events where file.name is 20120_cmdDef.xml and process.name is wuauclt.exe or setup.exe, or where the file is located in a known update directory like C:\Windows\Temp.
Scenario: A database backup tool (e.g., SQL Server Backup Utility) generates a file named 20120_cmdDef.xml as part of a backup or configuration process.
Filter/Exclusion: Exclude files created by sqlbackup.exe or sqlservr.exe and located in a backup directory such as C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Backup.
Scenario: A configuration management tool like Ansible or Chef generates a file named 20120_cmdDef.xml during a playbook execution or inventory sync.
Filter/Exclusion: Exclude files created by ansible.exe or chef-client.exe and check for presence in a known configuration directory like C:\ProgramData\Ansible or C:\ProgramData\chef.
Scenario: A custom script or