The detection identifies potential FiveEyes QUERTY malware activity through the presence of the 20121_cmdDef.xml file, which may indicate command and control communication. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threat activity early.
YARA Rule
rule FiveEyes_QUERTY_Malwaresig_20121_cmdDef
{
    meta:
        description = "FiveEyes QUERTY Malware - file 20121_cmdDef.xml"
        author = "Florian Roth"
        reference = "http://www.spiegel.de/media/media-35668.pdf"
        date = "2015/01/18"
        hash = "64ac06aa4e8d93ea6063eade7ce9687b1d035907"
    strings:
        $s0 = "<shortDescription>Keystroke Logger Plugin.</shortDescription>" fullword ascii
        $s1 = "<message>Failed to get File Time</message>" fullword ascii
        $s2 = "<description>Keystroke Logger Plugin.</description>" fullword ascii
        $s3 = "<message>Failed to set File Time</message>" fullword ascii
        $s4 = "</commands>" fullword ascii
        $s5 = "<commands>" fullword ascii
        $s6 = "</version>" fullword ascii
        $s7 = "<associatedImplantId>20120</associatedImplantId>" fullword ascii
        $s8 = "<message>No Comms. with Driver</message>" fullword ascii
        $s9 = "</error>" fullword ascii
        $s10 = "<message>Invalid File Size</message>" fullword ascii
        $s11 = "<platforms>Windows (User/Win32)</platforms>" fullword ascii
        $s12 = "<message>File Size Mismatch</message>" fullword ascii
        $s13 = "<projectpath>plugin/Utility</projectpath>" fullword ascii
        $s14 = "<pluginsDepend>None</pluginsDepend>" fullword ascii
        $s15 = "<dllDepend>None</dllDepend>" fullword ascii
        $s16 = "<pluginname>E_QwertyIM</pluginname>" fullword ascii
        $s17 = "<rightsRequired>None</rightsRequired>" fullword ascii
        $s18 = "<minorType>0</minorType>" fullword ascii
        $s19 = "<code>00001002</code>" fullword ascii
        $s20 = "<code>00001001</code>" fullword ascii
    condition:
        12 of them
}
This rule contains 21 string patterns in its detection logic and fires when at least 12 of them are found in a file. The scenarios below describe benign activity that can produce a file with this name, together with filters to exclude it:
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that generates a file named 20121_cmdDef.xml as part of a system configuration or update process.
Filter/Exclusion: Check the file path and parent process. Exclude files created in known system directories like C:\Windows\Temp or C:\ProgramData and filter out processes like schtasks.exe or task scheduler.
Scenario: Configuration Management Tool Deployment
Description: A configuration management tool (e.g., Ansible, Puppet, or Chef) deploys a configuration file named 20121_cmdDef.xml during a deployment or inventory process.
Filter/Exclusion: Exclude files created by known configuration management tools. Use process filters like ansible, puppet, or chef-client to identify legitimate activity.
Scenario: Database Backup or Restore Operation
Description: A database backup or restore operation generates a temporary XML file named 20121_cmdDef.xml as part of a data migration or recovery process.
Filter/Exclusion: Exclude files created by database tools like sqlcmd, mysqldump, or pg_dump. Filter based on the file extension and process context.
Scenario: Log File Rotation or Archiving
Description: A log management tool (e.g., Splunk, ELK Stack, or Logstash) rotates or archives log files, temporarily creating a file named 20121_cmdDef.xml during the process.
Filter/Exclusion: Exclude files located in log directories like C:\var\log or C:\ProgramData\logstash. Filter based on the presence of log-related processes or file extensions.
Scenario: User-Initiated Script Execution
Description: A