This detection identifies potential adversary use of a malicious sample associated with Operation Woolen-Goldfish, which likely indicates initial compromise or reconnaissance activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats before they escalate into full-scale attacks.
YARA Rule
rule WoolenGoldfish_Generic_1
{
    meta:
        description = "Detects an operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
        author = "Florian Roth"
        reference = "http://goo.gl/NpJpVZ"
        date = "2015/03/25"
        score = 90
        super_rule = 1
        hash0 = "5d334e0cb4ff58859e91f9e7f1c451ffdc7544c3"
        hash1 = "d5b2b30fe2d4759c199e3659d561a50f88a7fb2e"
        hash2 = "a42f1ad2360833baedd2d5f59354c4fc3820c475"
    strings:
        $x0 = "Users\\Wool3n.H4t\\"
        $x1 = "C-CPP\\CWoolger"
        $x2 = "NTSuser.exe" fullword wide
        $s1 = "107.6.181.116" fullword wide
        $s2 = "oShellLink.Hotkey = \"CTRL+SHIFT+F\"" fullword
        $s3 = "set WshShell = WScript.CreateObject(\"WScript.Shell\")" fullword
        $s4 = "oShellLink.IconLocation = \"notepad.exe, 0\"" fullword
        $s5 = "set oShellLink = WshShell.CreateShortcut(strSTUP & \"\\WinDefender.lnk\")" fullword
        $s6 = "wlg.dat" fullword
        $s7 = "woolger" fullword wide
        $s8 = "[Enter]" fullword
        $s9 = "[Control]" fullword
    condition:
        ( 1 of ($x*) and 2 of ($s*) ) or ( 6 of ($s*) )
}
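To show how the rule's modifiers and condition combine, here is an added example (not part of the original rule or of this writeup) that emulates the "wide" and "fullword" semantics and the condition in plain Python, without the yara module, and runs it over three constructed buffers; RULE_STRINGS, string_matches and evaluate_rule are names chosen for this example, and the fullword border check is an approximation of YARA's documented behaviour.

```python
import string
# Added example (not part of the rule): emulate the 'wide' and 'fullword'
# modifiers and the condition of WoolenGoldfish_Generic_1 in plain Python.
ALNUM = set(string.ascii_letters.encode() + string.digits.encode())
# (text, modifiers) per rule string; "wide" alone means UTF-16LE only.
RULE_STRINGS = {
    "$x0": ("Users\\Wool3n.H4t\\", set()),
    "$x1": ("C-CPP\\CWoolger", set()),
    "$x2": ("NTSuser.exe", {"fullword", "wide"}),
    "$s1": ("107.6.181.116", {"fullword", "wide"}),
    "$s2": ('oShellLink.Hotkey = "CTRL+SHIFT+F"', {"fullword"}),
    "$s3": ('set WshShell = WScript.CreateObject("WScript.Shell")', {"fullword"}),
    "$s4": ('oShellLink.IconLocation = "notepad.exe, 0"', {"fullword"}),
    "$s5": ('set oShellLink = WshShell.CreateShortcut(strSTUP & "\\WinDefender.lnk")', {"fullword"}),
    "$s6": ("wlg.dat", {"fullword"}),
    "$s7": ("woolger", {"fullword", "wide"}),
    "$s8": ("[Enter]", {"fullword"}),
    "$s9": ("[Control]", {"fullword"}),
}

def _alnum(chunk: bytes, step: int) -> bool:
    # One alphanumeric char: an ASCII byte, or ASCII byte + 0x00 for wide strings.
    return len(chunk) == step and chunk[0] in ALNUM and (step == 1 or chunk[1] == 0)

def string_matches(data: bytes, text: str, mods: set) -> bool:
    """YARA-style match: 'fullword' rejects hits bordered by alphanumerics."""
    step = 2 if "wide" in mods else 1
    needle = text.encode("utf-16-le" if step == 2 else "ascii")
    start = 0
    while (idx := data.find(needle, start)) != -1:
        bordered = _alnum(data[max(idx - step, 0):idx], step) or _alnum(data[idx + len(needle):][:step], step)
        if "fullword" not in mods or not bordered:
            return True
        start = idx + 1
    return False

def evaluate_rule(data: bytes) -> dict:
    """Apply the condition: (1 of $x* and 2 of $s*) or (6 of $s*)."""
    hits = sorted(n for n, (t, m) in RULE_STRINGS.items() if string_matches(data, t, m))
    x = sum(n.startswith("$x") for n in hits)
    s = len(hits) - x
    return {"matched": (x >= 1 and s >= 2) or s >= 6, "x": x, "s": s, "hits": hits}

# Constructed buffers (not real samples); SAMPLE_GLUED shows fullword rejecting hits.
SAMPLE_PATH = b"C:\\Users\\Wool3n.H4t\\build\n" + " woolger ".encode("utf-16-le") + b"\nwlg.dat\n"
SAMPLE_VBS = (b'set WshShell = WScript.CreateObject("WScript.Shell")\n'
              b'set oShellLink = WshShell.CreateShortcut(strSTUP & "\\WinDefender.lnk")\n'
              b'oShellLink.Hotkey = "CTRL+SHIFT+F"\noShellLink.IconLocation = "notepad.exe, 0"\n'
              b"[Enter] [Control]")
SAMPLE_GLUED = b"Users\\Wool3n.H4t\\xwlg.datx" + "awoolgerb".encode("utf-16-le")
```

SAMPLE_PATH matches through the first branch (one $x plus two $s), SAMPLE_VBS through the second (six $s), while SAMPLE_GLUED contains the same bytes but fails because the fullword borders are alphanumeric.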
This rule contains 12 string patterns in its detection logic (three $x strings and nine $s strings). The following benign scenarios can overlap with this detection; each lists the filter or exclusion to apply:
Scenario: A system administrator is using PowerShell to automate a scheduled job that downloads a legitimate update from the same URL.
Filter/Exclusion: Check for ProcessName == "powershell.exe" and CommandLine contains "Invoke-WebRequest" with a known update URL.
Scenario: A Windows Task Scheduler job is configured to fetch a configuration file from the URL as part of a regular maintenance process.
Filter/Exclusion: Filter by ProcessName == "schtasks.exe" or CommandLine contains "schtasks /run" and verify the URL is part of the organization’s internal or known external trusted sources.
Scenario: A log management tool such as Splunk or the ELK Stack is configured to pull logs from an external server using the same URL.
Filter/Exclusion: Check for ProcessName == "splunkd.exe" or ProcessName == "logstash" and verify the URL is part of the organization's monitoring infrastructure.
Scenario: A CI/CD pipeline (e.g., Jenkins, GitHub Actions) is using the URL to fetch a dependency or artifact during a build process.
Filter/Exclusion: Filter by ProcessName == "java.exe" (for Jenkins) or CommandLine contains "github.com" and validate the URL is part of the organization’s repository or artifact registry.
Scenario: A network monitoring tool such as Wireshark or tcpdump is capturing traffic to the URL as part of a network analysis task.
Filter/Exclusion: Check for ProcessName == "wireshark.exe" or ProcessName == "tcpdump" and ensure the URL is part of the organization's network analysis tooling or known traffic patterns.