Threat Hunting Cisco Yanluowang Ransomware IOCs
IOC Cisco Yanluowang Ransomware
Query
// based on https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html
let SHA256_IOC = dynamic ([
'184a2570d71eedc3c77b63fd9d2a066cd025d20ceef0f75d428c6f7e5c6965f3',
'2fc5bf9edcfa19d48e235315e8f571638c99a1220be867e24f3965328fe94a03',
'542c9da985633d027317e9a226ee70b4f0742dcbc59dfd2d4e59977bb870058d',
'61176a5756c7b953bc31e5a53580d640629980a344aa5ff147a20fb7d770b610',
'753952aed395ea845c52e3037f19738cfc9a415070515de277e1a1baeff20647',
'8df89eef51cdf43b2a992ade6ad998b267ebb5e61305aeb765e4232e66eaf79a',
'8e5733484982d0833abbd9c73a05a667ec2d9d005bbf517b1c8cd4b1daf57190',
'99be6e7e31f0a1d7eebd1e45ac3b9398384c1f0fa594565137abb14dc28c8a7f',
'bb62138d173de997b36e9b07c20b2ca13ea15e9e6cd75ea0e8162e0d3ded83b7',
'eb3452c64970f805f1448b78cd3c05d851d758421896edd5dfbe68e08e783d18'
]);
let IP_IOC = dynamic (['104.131.30.201',
'108.191.224.47',
'131.150.216.118',
'134.209.88.140',
'138.68.227.71',
'139.177.192.145',
'139.60.160.20',
'139.60.161.99',
'143.198.110.248',
'143.198.131.210',
'159.65.246.188',
'161.35.137.163',
'162.33.177.27',
'162.33.178.244',
'162.33.179.17',
'165.227.219.211',
'165.227.23.218',
'165.232.154.73',
'166.205.190.23',
'167.99.160.91',
'172.56.42.39',
'172.58.220.52',
'172.58.239.34',
'174.205.239.164',
'176.59.109.115',
'178.128.171.206',
'185.220.100.244',
'185.220.101.10',
'185.220.101.13',
'185.220.101.15',
'185.220.101.16',
'185.220.101.2',
'185.220.101.20',
'185.220.101.34',
'185.220.101.45',
'185.220.101.6',
'185.220.101.65',
'185.220.101.73',
'185.220.101.79',
'185.220.102.242',
'185.220.102.250',
'192.241.133.130',
'194.165.16.98',
'195.149.87.136',
'24.6.144.43',
'45.145.67.170',
'45.227.255.215',
'45.32.141.138',
'45.32.228.189',
'45.32.228.190',
'45.55.36.143',
'45.61.136.207',
'45.61.136.5',
'45.61.136.83',
'46.161.27.117',
'5.165.200.7',
'52.154.0.241',
'64.227.0.177',
'64.4.238.56',
'65.188.102.43',
'66.42.97.210',
'67.171.114.251',
'68.183.200.63',
'68.46.232.60',
'73.153.192.98',
'74.119.194.203',
'74.119.194.4',
'76.22.236.142',
'82.116.32.77',
'87.251.67.41',
'94.142.241.194'
]);
let Domain_IOC = dynamic(['cisco-help.cf',
'cisco-helpdesk.cf',
'ciscovpn1.com',
'ciscovpn2.com',
'ciscovpn3.com',
'devcisco.com',
'devciscoprograms.com',
'helpzonecisco.com',
'kazaboldu.net',
'mycisco.cf',
'mycisco.gq',
'mycisco-helpdesk.ml',
'primecisco.com',
'pwresetcisco.com']);
(union isfuzzy=true
(DeviceFileEvents
| where SHA256 has_any (SHA256_IOC)),
(DeviceNetworkEvents
| where RemoteIP has_any (IP_IOC)),
(DeviceNetworkEvents
| where RemoteUrl has_any (Domain_IOC))
)About this query
Explanation
This query is designed for threat hunting, specifically targeting indicators of compromise (IOCs) related to the Yanluowang ransomware, which is associated with Cisco. The query is based on information from a blog post by Talos Intelligence.
Here's a simple breakdown of what the query does:
-
Indicators of Compromise (IOCs): The query defines three lists of IOCs:
- SHA256_IOC: A list of SHA-256 hash values representing malicious files.
- IP_IOC: A list of IP addresses associated with malicious activity.
- Domain_IOC: A list of domain names linked to malicious activity.
-
Data Sources: The query searches through two types of events:
- DeviceFileEvents: Looks for file events where the file's SHA-256 hash matches any in the SHA256_IOC list.
- DeviceNetworkEvents: Searches for network events where the remote IP address or URL matches any in the IP_IOC or Domain_IOC lists.
-
Union of Results: The query combines the results from these searches to identify any matches across file and network events.
This query is used in both Defender XDR and Sentinel environments to detect potential threats related to the Yanluowang ransomware by checking for known malicious files, IPs, and domains.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators