The detection identifies potential QUERTY malware activity through the presence of the 20123_cmdDef.xml file, which may be used for command and control communication. SOC teams should proactively hunt for this indicator in Azure Sentinel to identify and mitigate early-stage adversarial operations associated with the FiveEyes threat group.
YARA Rule
rule FiveEyes_QUERTY_Malwaresig_20123_cmdDef
{
    meta:
        description = "FiveEyes QUERTY Malware - file 20123_cmdDef.xml"
        author = "Florian Roth"
        reference = "http://www.spiegel.de/media/media-35668.pdf"
        date = "2015/01/18"
        hash = "7b08fc77629f6caaf8cc4bb5f91be6b53e19a3cd"
    strings:
        $s0 = "<shortDescription>Keystroke Collector</shortDescription>" fullword ascii
        $s1 = "This plugin is the E_Qwerty Kernel Mode driver for logging keys.</description>" fullword ascii
        $s2 = "<commands/>" fullword ascii
        $s3 = "</version>" fullword ascii
        $s4 = "<associatedImplantId>20121</associatedImplantId>" fullword ascii
        $s5 = "<rightsRequired>System or Administrator (if Administrator, I think the DriverIns" ascii
        $s6 = "<platforms>Windows NT, Windows 2000, Windows XP (32/64 bit), Windows 2003 (32/64" ascii
        $s7 = "<projectpath>plugin/Collection</projectpath>" fullword ascii
        $s8 = "<dllDepend>None</dllDepend>" fullword ascii
        $s9 = "<minorType>0</minorType>" fullword ascii
        $s10 = "<pluginname>E_QwertyKM</pluginname>" fullword ascii
        $s11 = "</comments>" fullword ascii
        $s12 = "<comments>" fullword ascii
        $s13 = "<majorType>1</majorType>" fullword ascii
        $s14 = "<files>None</files>" fullword ascii
        $s15 = "<poc>Erebus</poc>" fullword ascii
        $s16 = "</plugin>" fullword ascii
        $s17 = "<team>None</team>" fullword ascii
        $s18 = "<?xml-stylesheet type=\"text/xsl\" href=\"../XSLT/pluginHTML.xsl\"?>" fullword ascii
        $s19 = "<pluginsDepend>U_HookManager v1.0, Kernel Covert Store v1.0</pluginsDepend>" fullword ascii
        $s20 = "<plugin id=\"20123\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi" ascii
    condition:
        14 of them
}
This rule contains 21 string patterns in its detection logic and fires only when at least 14 of them are found in a file's content; the file name itself is not part of the condition, so a benign file that merely shares the name 20123_cmdDef.xml will not match unless its content also carries those strings. The rule can be deployed in the following contexts, each paired with a filter or exclusion to apply when triaging hits:
Scenario: A system administrator is using PowerShell to execute a scheduled job that generates a file named 20123_cmdDef.xml as part of a routine configuration export.
Filter/Exclusion: Check for the presence of powershell.exe in the process tree and filter out files created by scheduled tasks with known administrative scripts.
Scenario: A Windows Update process creates a temporary file named 20123_cmdDef.xml during a system patch installation.
Filter/Exclusion: Exclude files created by processes associated with wuauclt.exe or svchost.exe related to Windows Update.
Scenario: A SQL Server backup job generates a file named 20123_cmdDef.xml as part of a data export process.
Filter/Exclusion: Filter out files created by SQL Server services (sqlservr.exe) or through SQL Agent jobs.
Scenario: A third-party configuration management tool (e.g., Ansible, Chef, or Puppet) generates a file named 20123_cmdDef.xml during a configuration push.
Filter/Exclusion: Exclude files created by known configuration management tools or processes associated with those tools.
Scenario: A custom application used for internal reporting generates a file named 20123_cmdDef.xml as part of its data processing pipeline.
Filter/Exclusion: Exclude files created by the application’s process ID or by known internal tools used for reporting or data aggregation.
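To show how the rule's condition behaves on actual file content, the following is an added Python example (not part of the original page or of the rule's author's tooling) that re-implements the 21 string patterns with YARA's fullword boundary semantics and the "14 of them" threshold, then runs them over constructed inputs: a fragment carrying the rule's own strings, and a benign file of the kind the scenarios above describe. The string names and threshold are taken from the rule; the sample inputs and the helper function names are constructed for this example.

```python
import re

# Unescaped forms of the 21 strings in the rule, in rule order.
# $s5, $s6 and $s20 are truncated in the rule and carry no `fullword`, so they
# are plain substring matches; the others get YARA's fullword boundary check.
STRINGS = [
    ("$s0", "<shortDescription>Keystroke Collector</shortDescription>", True),
    ("$s1", "This plugin is the E_Qwerty Kernel Mode driver for logging keys.</description>", True),
    ("$s2", "<commands/>", True),
    ("$s3", "</version>", True),
    ("$s4", "<associatedImplantId>20121</associatedImplantId>", True),
    ("$s5", "<rightsRequired>System or Administrator (if Administrator, I think the DriverIns", False),
    ("$s6", "<platforms>Windows NT, Windows 2000, Windows XP (32/64 bit), Windows 2003 (32/64", False),
    ("$s7", "<projectpath>plugin/Collection</projectpath>", True),
    ("$s8", "<dllDepend>None</dllDepend>", True),
    ("$s9", "<minorType>0</minorType>", True),
    ("$s10", "<pluginname>E_QwertyKM</pluginname>", True),
    ("$s11", "</comments>", True),
    ("$s12", "<comments>", True),
    ("$s13", "<majorType>1</majorType>", True),
    ("$s14", "<files>None</files>", True),
    ("$s15", "<poc>Erebus</poc>", True),
    ("$s16", "</plugin>", True),
    ("$s17", "<team>None</team>", True),
    ("$s18", '<?xml-stylesheet type="text/xsl" href="../XSLT/pluginHTML.xsl"?>', True),
    ("$s19", "<pluginsDepend>U_HookManager v1.0, Kernel Covert Store v1.0</pluginsDepend>", True),
    ("$s20", '<plugin id="20123" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi', False),
]
THRESHOLD = 14  # the rule's condition: "14 of them"

def matched_strings(data: bytes) -> list:
    hits = []  # names of rule strings found in data
    for name, text, fullword in STRINGS:
        pat = re.escape(text.encode("ascii"))
        if fullword:  # fullword: no alphanumeric byte directly before or after the match
            pat = rb"(?<![A-Za-z0-9])" + pat + rb"(?![A-Za-z0-9])"
        if re.search(pat, data):
            hits.append(name)
    return hits

def rule_matches(data: bytes) -> bool:
    return len(matched_strings(data)) >= THRESHOLD

def sample_with(n: int) -> bytes:  # constructed content: the first n rule strings, one per line
    return b"\n".join(text.encode("ascii") for _, text, _ in STRINGS[:n]) + b"\n"

# Constructed benign export with the same file name as in the scenarios; its only candidate,
# "</version>", is rejected by fullword because the "2" before it is alphanumeric.
BENIGN = b'<?xml version="1.0"?>\n<export>\n<version>2</version>\n<job>nightly</job>\n</export>\n'
```

Running `rule_matches(sample_with(14))` returns True while `sample_with(13)` and `BENIGN` do not fire, which is why the exclusions above should key on process context rather than on the file name alone.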