The hypothesis is that the detection identifies potential adversarial activity associated with the Woolen-Goldfish malware sample, leveraging a shortened URL to exfiltrate data or establish command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts by malicious actors using this specific malware variant.
YARA Rule
rule WoolenGoldfish_Sample_1
{
    meta:
        description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
        author = "Florian Roth"
        reference = "http://goo.gl/NpJpVZ"
        date = "2015/03/25"
        score = 60
        hash = "7ad0eb113bc575363a058f4bf21dbab8c8f7073a"
    strings:
        $s1 = "Cannot execute (%d)" fullword ascii
        $s16 = "SvcName" fullword ascii
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
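As an added example (not part of the original rule or this page), the following Python emulates what the two fullword ascii strings and the all-of-them condition above actually require, so an analyst can see why a buffer containing "SvcNameEx" does not trigger the rule. It runs on constructed byte buffers and does not need yara-python installed.

```python
# Emulation of WoolenGoldfish_Sample_1 string/condition logic (added example).
# The two patterns are copied from the rule above; both are 'ascii' and 'fullword'.
RULE_STRINGS = {
    "$s1": b"Cannot execute (%d)",
    "$s16": b"SvcName",
}


def fullword_matches(data: bytes, pattern: bytes) -> list:
    """Return the offsets where `pattern` occurs as a YARA 'fullword' match.

    YARA's fullword modifier requires that the match is not immediately
    preceded or followed by an alphanumeric byte, so 'SvcName' inside
    'SvcNameEx' does not count.
    """
    offsets = []
    start = 0
    while True:
        idx = data.find(pattern, start)
        if idx == -1:
            return offsets
        before = data[idx - 1:idx] if idx > 0 else b""
        after = data[idx + len(pattern):idx + len(pattern) + 1]
        # b"".isalnum() is False, so start/end of buffer count as delimiters.
        if not (before.isalnum() or after.isalnum()):
            offsets.append(idx)
        start = idx + 1


def evaluate_rule(data: bytes) -> dict:
    """Emulate 'condition: all of them': every string needs at least one hit."""
    hits = {name: fullword_matches(data, pat) for name, pat in RULE_STRINGS.items()}
    return {"matched": all(hits.values()), "strings": hits}


# Constructed sample buffers (not real malware bytes) to exercise the rule.
SAMPLE_HIT = b"\x00Cannot execute (%d)\x00SvcName\x00"      # both strings, delimited
SAMPLE_PARTIAL = b"\x00Cannot execute (%d)\x00SvcNameEx\x00"  # 'SvcName' not fullword
SAMPLE_NONE = b"nothing relevant here"

if __name__ == "__main__":
    for label, buf in (("hit", SAMPLE_HIT), ("partial", SAMPLE_PARTIAL), ("none", SAMPLE_NONE)):
        print(label, evaluate_rule(buf))
```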
Scenario: Legitimate scheduled backup job using Veeam
Description: A backup job initiated by Veeam using the URL http://goo.gl/NpJpVZ as part of a script or configuration.
Filter/Exclusion: Check for process.name = "veeam.exe" and process.parent.name = "schtasks.exe" or task.name = "Veeam Backup Job"
Scenario: Admin using PowerShell to download a legitimate script from a public URL
Description: A system administrator uses PowerShell to download a script from http://goo.gl/NpJpVZ for a legitimate automation task.
Filter/Exclusion: Filter by process.name = "powershell.exe" and check for user.name = "Administrator" or user.rights = "Administrators"
Scenario: Web server using IIS to host a static file from a CDN
Description: A web server running IIS is configured to fetch a file from http://goo.gl/NpJpVZ as part of a CDN setup.
Filter/Exclusion: Check for process.name = "w3wp.exe" and process.parent.name = "iisexpress.exe" or process.parent.name = "inetinfo.exe"
Scenario: User accessing a legitimate URL via browser for internal documentation
Description: An employee opens a document or link from http://goo.gl/NpJpVZ in their browser as part of internal documentation or training.
Filter/Exclusion: Filter by process.name = "chrome.exe" or process.name = "msedge.exe" and check for url.contains("internal-docs") or url.contains("training")
Scenario: System update using Windows Update or Microsoft Endpoint Manager
Description: A system