The detection identifies potential adversary activity associated with the Woolen-Goldfish malware sample, likely indicating a targeted compromise or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats before they cause significant damage.
YARA Rule
rule WoolenGoldfish_Generic_3
{
    meta:
        description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
        author = "Florian Roth"
        reference = "http://goo.gl/NpJpVZ"
        date = "2015/03/25"
        score = 90
        hash1 = "86222ef166474e53f1eb6d7e6701713834e6fee7"
        hash2 = "e8dbcde49c7f760165ebb0cb3452e4f1c24981f5"
    strings:
        $x1 = "... get header FATAL ERROR !!! %d bytes read > header_size" fullword ascii
        $x2 = "index.php?c=%S&r=%x&u=1&t=%S" fullword wide
        $x3 = "connect_back_tcp_channel#do_connect:: Error resolving connect back hostname" fullword ascii
        $s0 = "kernel32.dll GetProcAddressLoadLibraryAws2_32.dll" fullword ascii
        $s1 = "Content-Type: multipart/form-data; boundary=%S" fullword wide
        $s2 = "Attempting to unlock uninitialized lock!" fullword ascii
        $s4 = "unable to load kernel32.dll" fullword ascii
        $s5 = "index.php?c=%S&r=%x" fullword wide
        $s6 = "%s len:%d " fullword ascii
        $s7 = "Encountered error sending syscall response to client" fullword ascii
        $s9 = "/info.dat" fullword ascii
        $s10 = "Error entering thread lock" fullword ascii
        $s11 = "Error exiting thread lock" fullword ascii
        $s12 = "connect_back_tcp_channel_init:: socket() failed" fullword ascii
    condition:
        ( 1 of ($x*) ) or ( 8 of ($s*) )
}
This YARA rule can be deployed in the following contexts:
This rule contains 14 string patterns in its detection logic.
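To show how those 14 strings and the condition `( 1 of ($x*) ) or ( 8 of ($s*) )` actually combine, here is an added example (written for this page, not part of Florian Roth's rule set or of any YARA tooling): a plain-Python re-implementation of the rule's fullword ascii/wide matching, evaluated over two constructed buffers. It assumes only the standard library, so it runs without yara-python; the sample buffers are made up and are not taken from a real Woolen-Goldfish binary.

```python
import re

# (name, text, wide) for every string in WoolenGoldfish_Generic_3; all are fullword
RULE_STRINGS = [
    ("$x1", "... get header FATAL ERROR !!! %d bytes read > header_size", False),
    ("$x2", "index.php?c=%S&r=%x&u=1&t=%S", True),
    ("$x3", "connect_back_tcp_channel#do_connect:: Error resolving connect back hostname", False),
    ("$s0", "kernel32.dll GetProcAddressLoadLibraryAws2_32.dll", False),
    ("$s1", "Content-Type: multipart/form-data; boundary=%S", True),
    ("$s2", "Attempting to unlock uninitialized lock!", False),
    ("$s4", "unable to load kernel32.dll", False),
    ("$s5", "index.php?c=%S&r=%x", True),
    ("$s6", "%s len:%d ", False),
    ("$s7", "Encountered error sending syscall response to client", False),
    ("$s9", "/info.dat", False),
    ("$s10", "Error entering thread lock", False),
    ("$s11", "Error exiting thread lock", False),
    ("$s12", "connect_back_tcp_channel_init:: socket() failed", False),
]

def _compile(text, wide):
    # 'wide' strings are searched as UTF-16LE; 'fullword' means no alphanumeric
    # character may sit directly before or after the match (2 bytes per wide char).
    if wide:
        body, alnum = text.encode("utf-16-le"), rb"[A-Za-z0-9]\x00"
    else:
        body, alnum = text.encode("ascii"), rb"[A-Za-z0-9]"
    return re.compile(rb"(?<!" + alnum + rb")" + re.escape(body) + rb"(?!" + alnum + rb")")

PATTERNS = [(name, _compile(text, wide)) for name, text, wide in RULE_STRINGS]

def matched_strings(data):
    """Names of the rule's strings found in data, in rule order."""
    return [name for name, pat in PATTERNS if pat.search(data)]

def rule_matches(data):
    """Evaluate the condition: ( 1 of ($x*) ) or ( 8 of ($s*) )."""
    hits = matched_strings(data)
    return any(h.startswith("$x") for h in hits) or sum(h.startswith("$s") for h in hits) >= 8

# Constructed sample: the beacon URL stored wide (UTF-16LE) hits $x2, and its
# prefix $s5 also matches because '&' is not alphanumeric; one $x is enough.
SAMPLE_HIT = b"\x00\x00" + "index.php?c=%S&r=%x&u=1&t=%S".encode("utf-16-le") + b"\x00\x00"
# Constructed sample: the same URL as plain ascii does NOT satisfy the wide-only
# strings, so only $s9 fires and the 8-of-$s threshold is not reached.
SAMPLE_MISS = b"index.php?c=%S&r=%x&u=1&t=%S /info.dat\x00"

if __name__ == "__main__":
    print("hit:", matched_strings(SAMPLE_HIT), rule_matches(SAMPLE_HIT))
    print("miss:", matched_strings(SAMPLE_MISS), rule_matches(SAMPLE_MISS))
```

When triaging a real alert, listing which `$x`/`$s` names fired in this way tells you whether a single high-confidence string or the weaker 8-of-11 accumulation produced the hit.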
Scenario: Legitimate scheduled backup job using Veeam
Description: A backup job initiated by Veeam using the URL http://goo.gl/NpJpVZ as part of a script or configuration.
Filter/Exclusion: Check for process.name = "veeam.exe" and process.parent.name = "taskeng.exe" or use a custom field like custom_field = "backup_job".

Scenario: Admin manually testing a script using PowerShell
Description: A system administrator is testing a script that includes the URL http://goo.gl/NpJpVZ for validation or debugging purposes.
Filter/Exclusion: Filter by process.name = "powershell.exe" and check for process.args containing "test" or "debug".

Scenario: Legitimate software update via Microsoft Intune
Description: A software update package hosted on a Microsoft Intune server includes a reference to the URL http://goo.gl/NpJpVZ as part of its metadata or configuration.
Filter/Exclusion: Use process.name = "msiexec.exe" or check for process.parent.name = "intunewin.exe".

Scenario: Internal tool using a hardcoded URL for API testing
Description: An internal development tool or API testing utility includes the URL http://goo.gl/NpJpVZ as part of its configuration for testing purposes.
Filter/Exclusion: Filter by process.name = "api_test_tool.exe" or check for a custom tag like custom_field = "internal_test".

Scenario: User accessing a legitimate phishing simulation link
Description: A user clicks on a phishing simulation link that uses the URL http://goo.gl/NpJpVZ as part of a security training