Query Details

Threat Hunting Cisco Yanluowang Ransomware IOCs

IOC Cisco Yanluowang Ransomware

Query

// based on https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html
let SHA256_IOC = dynamic ([
     '184a2570d71eedc3c77b63fd9d2a066cd025d20ceef0f75d428c6f7e5c6965f3',
     '2fc5bf9edcfa19d48e235315e8f571638c99a1220be867e24f3965328fe94a03',
     '542c9da985633d027317e9a226ee70b4f0742dcbc59dfd2d4e59977bb870058d',
     '61176a5756c7b953bc31e5a53580d640629980a344aa5ff147a20fb7d770b610',
     '753952aed395ea845c52e3037f19738cfc9a415070515de277e1a1baeff20647',
     '8df89eef51cdf43b2a992ade6ad998b267ebb5e61305aeb765e4232e66eaf79a',
     '8e5733484982d0833abbd9c73a05a667ec2d9d005bbf517b1c8cd4b1daf57190',
     '99be6e7e31f0a1d7eebd1e45ac3b9398384c1f0fa594565137abb14dc28c8a7f',
     'bb62138d173de997b36e9b07c20b2ca13ea15e9e6cd75ea0e8162e0d3ded83b7',
     'eb3452c64970f805f1448b78cd3c05d851d758421896edd5dfbe68e08e783d18'
     ]);
let IP_IOC = dynamic (['104.131.30.201',
     '108.191.224.47',
     '131.150.216.118',
     '134.209.88.140',
     '138.68.227.71',
     '139.177.192.145',
     '139.60.160.20',
     '139.60.161.99',
     '143.198.110.248',
     '143.198.131.210',
     '159.65.246.188',
     '161.35.137.163',
     '162.33.177.27',
     '162.33.178.244',
     '162.33.179.17',
     '165.227.219.211',
     '165.227.23.218',
     '165.232.154.73',
     '166.205.190.23',
     '167.99.160.91',
     '172.56.42.39',
     '172.58.220.52',
     '172.58.239.34',
     '174.205.239.164',
     '176.59.109.115',
     '178.128.171.206',
     '185.220.100.244',
     '185.220.101.10',
     '185.220.101.13',
     '185.220.101.15',
     '185.220.101.16',
     '185.220.101.2',
     '185.220.101.20',
     '185.220.101.34',
     '185.220.101.45',
     '185.220.101.6',
     '185.220.101.65',
     '185.220.101.73',
     '185.220.101.79',
     '185.220.102.242',
     '185.220.102.250',
     '192.241.133.130',
     '194.165.16.98',
     '195.149.87.136',
     '24.6.144.43',
     '45.145.67.170',
     '45.227.255.215',
     '45.32.141.138',
     '45.32.228.189',
     '45.32.228.190',
     '45.55.36.143',
     '45.61.136.207',
     '45.61.136.5',
     '45.61.136.83',
     '46.161.27.117',
     '5.165.200.7',
     '52.154.0.241',
     '64.227.0.177',
     '64.4.238.56',
     '65.188.102.43',
     '66.42.97.210',
     '67.171.114.251',
     '68.183.200.63',
     '68.46.232.60',
     '73.153.192.98',
     '74.119.194.203',
     '74.119.194.4',
     '76.22.236.142',
     '82.116.32.77',
     '87.251.67.41',
     '94.142.241.194'
     ]);
let Domain_IOC = dynamic(['cisco-help.cf',
     'cisco-helpdesk.cf',
     'ciscovpn1.com',
     'ciscovpn2.com',
     'ciscovpn3.com',
     'devcisco.com',
     'devciscoprograms.com',
     'helpzonecisco.com',
     'kazaboldu.net',
     'mycisco.cf',
     'mycisco.gq',
     'mycisco-helpdesk.ml',
     'primecisco.com',
     'pwresetcisco.com']);
(union isfuzzy=true
     (DeviceFileEvents
     | where SHA256 has_any (SHA256_IOC)),
     (DeviceNetworkEvents
     | where RemoteIP has_any (IP_IOC)),
     (DeviceNetworkEvents
     | where RemoteUrl has_any (Domain_IOC))
)

About this query

Explanation

This query is designed for threat hunting, specifically targeting indicators of compromise (IOCs) related to the Yanluowang ransomware, which is associated with Cisco. The query is based on information from a blog post by Talos Intelligence.

Here's a simple breakdown of what the query does:

  1. Indicators of Compromise (IOCs): The query defines three lists of IOCs:

    • SHA256_IOC: A list of SHA-256 hash values representing malicious files.
    • IP_IOC: A list of IP addresses associated with malicious activity.
    • Domain_IOC: A list of domain names linked to malicious activity.
  2. Data Sources: The query searches through two types of events:

    • DeviceFileEvents: Looks for file events where the file's SHA-256 hash matches any in the SHA256_IOC list.
    • DeviceNetworkEvents: Searches for network events where the remote IP address or URL matches any in the IP_IOC or Domain_IOC lists.
  3. Union of Results: The query combines the results from these searches to identify any matches across file and network events.

This query is used in both Defender XDR and Sentinel environments to detect potential threats related to the Yanluowang ransomware by checking for known malicious files, IPs, and domains.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceFileEventsDeviceNetworkEvents

Keywords

DeviceFileEventsNetworkSHA256RemoteIPUrl

Operators

letdynamicunionisfuzzywherehas_any

Actions

GitHub