The detection identifies potential HTML-based FAKEM malware activity by analyzing suspicious script patterns in web content, which may indicate an adversary leveraging this variant for initial access. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage compromises that could lead to broader network infiltration.
YARA Rule
rule HTMLVariant : FakeM Family HTML Variant
{
    meta:
        description = "Identifier for html variant of FAKEM"
        author = "Katie Kleemola"
        last_updated = "2014-05-20"

    strings:
        // decryption loop
        $s1 = { 8B 55 08 B9 00 50 00 00 8D 3D ?? ?? ?? 00 8B F7 AD 33 C2 AB 83 E9 04 85 C9 75 F5 }

        // mov byte ptr [ebp - x], y   with x: 0x10-0x1 and y: 0-9,A-F
        $s2 = { C6 45 F? (3?|4?) }

    condition:
        $s1 and #s2 == 16
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
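To make the two hex patterns concrete, the following added example (not part of the original rule or its author's code) re-expresses $s1 and $s2 as byte regexes, mirrors the condition "$s1 and #s2 == 16", and reassembles the 16-character string that the $s2 stores build on the stack. The sample bytes are constructed for the test and are not real FAKEM code.

```python
import re

# $s1 from the rule: the XOR decryption loop. Each "??" becomes one any-byte ".".
# Disassembled: mov edx,[ebp+8]; mov ecx,0x5000; lea edi,[imm32]; mov esi,edi;
# lodsd; xor eax,edx; stosd; sub ecx,4; test ecx,ecx; jnz -> 0x5000 bytes XORed
# with a 32-bit key taken from the first stack argument.
S1 = re.compile(
    rb"\x8B\x55\x08\xB9\x00\x50\x00\x00\x8D\x3D...\x00"
    rb"\x8B\xF7\xAD\x33\xC2\xAB\x83\xE9\x04\x85\xC9\x75\xF5",
    re.DOTALL,
)

# $s2 from the rule: C6 45 F? (3?|4?) -> mov byte ptr [ebp-0x10..-0x01], imm8
# with imm8 in 0x30-0x4F, which covers the ASCII digits and 'A'-'F'.
S2 = re.compile(rb"\xC6\x45[\xF0-\xFF][\x30-\x4F]", re.DOTALL)


def matches_rule(buf: bytes) -> bool:
    """Mirror the condition '$s1 and #s2 == 16': loop present, exactly 16 stack stores."""
    return S1.search(buf) is not None and len(S2.findall(buf)) == 16


def recover_stack_string(buf: bytes) -> bytes:
    """Reassemble the string built byte-by-byte on the stack by the $s2 stores.

    The displacement byte 0xF0..0xFF means ebp-0x10..ebp-0x01, so ordering the
    stores by that byte gives the characters in memory order (lowest address first).
    """
    stores = {m.group(0)[2]: m.group(0)[3] for m in S2.finditer(buf)}
    return bytes(stores[disp] for disp in sorted(stores))


def build_sample() -> bytes:
    """Constructed test input, not real FAKEM: 16 stores spelling a hex string
    (ebp-0x10 gets '0', ebp-0x01 gets 'F') followed by the decryption loop with
    an arbitrary lea target filling the ?? bytes."""
    stores = b"".join(bytes([0xC6, 0x45, 0xF0 + i, c]) for i, c in enumerate(b"0123456789ABCDEF"))
    loop = (b"\x8B\x55\x08\xB9\x00\x50\x00\x00\x8D\x3D\x10\x20\x40\x00"
            b"\x8B\xF7\xAD\x33\xC2\xAB\x83\xE9\x04\x85\xC9\x75\xF5")
    return b"\x90" * 8 + stores + b"\x90" * 4 + loop


if __name__ == "__main__":
    sample = build_sample()
    print("rule matches:", matches_rule(sample))
    print("stack string:", recover_stack_string(sample))
```

Because the condition requires exactly 16 stores, a sample with 17 `mov byte ptr [ebp-x], y` instructions does not match, which is why the count check matters as much as the loop pattern.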
Scenario: A system administrator is using PowerShell to generate a temporary HTML file for testing a web application’s response.
    powershell.exe and the command line contains New-Item or Out-File with a .html extension.

Scenario: A scheduled job runs nightly to generate HTML reports using Python and Pandas for data export.
    python.exe and the command line includes pandas or to_html() in the script.

Scenario: A CI/CD pipeline (e.g., Jenkins or GitHub Actions) is generating HTML artifacts as part of a build process.
    jenkins.exe, github-runner, or any known CI/CD tool, and the output is directed to a known artifact directory.

Scenario: A web server (e.g., Apache or Nginx) is generating HTML logs or temporary files during normal operation.
    httpd.exe, nginx.exe, or any web server process, and the file path is within the server’s log or temp directories.

Scenario: A database administrator is using SQL Server Management Studio (SSMS) to export query results to an HTML file for reporting.
    ssms.exe or sqlcmd.exe and the output file is saved to a known reporting or export directory.