The sample with the MD5 hash listed in this rule's metadata tends to exist only in memory rather than on disk, which lets it evade traditional file-based detection. SOC teams should proactively hunt for this behaviour (for example in Azure Sentinel environments) to identify in-memory adversaries that may otherwise be operating undetected.
YARA Rule
rule apt_c16_win_swisyn
{
    meta:
        author = "@dragonthreatlab"
        md5 = "a6a18c846e5179259eba9de238f67e41"
        description = "File matching the md5 above tends to only live in memory, hence the lack of MZ header check."
        date = "2015/01/11"
        reference = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"

    strings:
        $mz = {4D 5A}                  // DOS "MZ" header bytes
        $str1 = "/ShowWU" ascii        // command-line switch used by the sample
        $str2 = "IsWow64Process"       // API name (also common in benign binaries)
        $str3 = "regsvr32 "            // note the trailing space
        $str4 = {8A 11 2A 55 FC 8B 45 08 88 10 8B 4D 08 8A 11 32 55 FC 8B 45 08 88 10}  // decoding-loop opcodes

    condition:
        // Note: despite the description above, the published condition does
        // require the MZ header at offset 0, so a headerless in-memory copy
        // of the sample will not match this rule as written.
        $mz at 0 and all of ($str*)
}
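To see what the condition "$mz at 0 and all of ($str*)" actually accepts and rejects, the following is an added example, not part of the page or of dragonthreatlab's code: a plain-Python evaluator that mirrors the rule's logic over constructed byte buffers (no real malware, no YARA install needed). The strings and the MZ check are taken from the rule above; the optional require_mz=False path is an illustrative memory-scan variant, an assumption of this example rather than the published rule, included to show why a headerless memory region misses the rule as written while a benign binary carrying only IsWow64Process and regsvr32 still does not match.

```python
# Added example (not part of the original page or dragonthreatlab's code):
# a plain-Python evaluator that mirrors the condition of apt_c16_win_swisyn,
# "$mz at 0 and all of ($str*)", so its behaviour on disk images versus
# headerless memory regions can be observed without a YARA install.

# The rule's patterns, copied from its strings section. YARA text strings
# match as raw bytes; $str3 deliberately keeps its trailing space.
MZ = bytes.fromhex("4D 5A")
STRINGS = {
    "$str1": b"/ShowWU",
    "$str2": b"IsWow64Process",
    "$str3": b"regsvr32 ",
    "$str4": bytes.fromhex(
        "8A 11 2A 55 FC 8B 45 08 88 10 8B 4D 08 8A 11 32 55 FC 8B 45 08 88 10"
    ),
}


def evaluate_rule(data: bytes, require_mz: bool = True) -> dict:
    """Evaluate the rule's condition against a byte buffer.

    require_mz=True reproduces the published condition ("$mz at 0" plus all
    of $str1..$str4). require_mz=False is an illustrative memory-scan variant
    (an assumption of this example, not the published rule) that drops the
    MZ check. Returns per-string offsets (-1 when absent) and the verdict.
    """
    offsets = {name: data.find(pattern) for name, pattern in STRINGS.items()}
    all_strings = all(off >= 0 for off in offsets.values())  # "all of ($str*)"
    mz_at_0 = data.startswith(MZ)                             # "$mz at 0"
    match = all_strings and (mz_at_0 or not require_mz)
    return {"mz_at_0": mz_at_0, "offsets": offsets, "match": match}


def build_sample(with_mz: bool) -> bytes:
    """Constructed test buffer (not real malware): filler bytes with every
    rule string embedded, optionally preceded by an MZ header."""
    header = MZ if with_mz else b"\x00\x00"
    body = bytearray(b"\x00" * 62)
    for name in ("$str1", "$str2", "$str3", "$str4"):
        body += STRINGS[name] + b"\x00" * 8
    return header + bytes(body)


def build_benign_lookalike() -> bytes:
    """Constructed buffer carrying only the two strings that ordinary
    Windows binaries commonly contain; $str1 and the opcode run $str4
    are absent, so 'all of' fails even though the MZ header is present."""
    return MZ + b"\x00" * 62 + b"IsWow64Process\x00regsvr32 \x00"


if __name__ == "__main__":
    print("on-disk PE image  :", evaluate_rule(build_sample(True))["match"])
    print("headerless memory :", evaluate_rule(build_sample(False))["match"])
    print("memory variant    :",
          evaluate_rule(build_sample(False), require_mz=False)["match"])
    print("benign lookalike  :", evaluate_rule(build_benign_lookalike())["match"])
```

The two results worth noting are the middle ones: the buffer that contains every string but no MZ header at offset 0 (the situation the rule's own description says to expect for this sample) is rejected by the published condition, and only the relaxed variant accepts it. When scanning process memory with this rule, check whether your scanner presents the image with its PE header intact before relying on it.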
This rule contains 5 string patterns ($mz and $str1 to $str4) in its detection logic. It can be deployed in the following contexts:
Scenario: Memory dump analysis by a forensic tool
Description: A memory dump is being analyzed using a tool like Volatility or Rekall, which often loads files into memory without writing them to disk.
Filter/Exclusion: Exclude processes associated with memory analysis tools (e.g., volatility, vol.py, mmap, or gdb).
Scenario: Scheduled system cleanup task
Description: A scheduled task (e.g., via Task Scheduler or cron) is temporarily loading a file into memory to perform a cleanup or configuration change.
Filter/Exclusion: Exclude processes with known system cleanup or configuration tasks (e.g., schtasks.exe, crontab, or specific service names like CleanupService).
Scenario: In-memory file processing by a database tool
Description: A database tool like MySQL or PostgreSQL may load data files into memory for processing, especially during large query operations or data import.
Filter/Exclusion: Exclude processes related to database engines (e.g., mysqld, postgres, or sqlservr.exe) or specific data import utilities.
Scenario: Temporary in-memory file used by an admin tool
Description: An administrative tool (e.g., PowerShell, cmd.exe, or WMI) may load a file into memory for processing, such as during script execution or configuration updates.
Filter/Exclusion: Exclude processes associated with administrative tools or scripts (e.g., powershell.exe, cmd.exe, or specific command-line arguments like -File or -Script).
Scenario: In-memory file used by a virtualization or container tool
Description: A virtualization tool like VMware or a container runtime like Docker may load files into memory for temporary operations (e.g., image processing or configuration).