Approved

Live Discover Query - SDBot Malware - RAT

  REVIEWED by Sophos 

Here is a specific query identifying SDBot Malware used by the TA505 hacking group:

SELECT DISTINCT
srj.time AS event_timestamp,
srj.keyName,
srj.value,
srj.eventType,
srj.sophosPID,
srj.valueName,
'REG_BINARY' AS valueType,
'SDBbot Remote Access Trojan stores the RAT component in the registry and establishes persistence for the loader component.' AS description
FROM sophos_registry_journal AS srj
WHERE srj.keyName LIKE "\REGISTRY\MACHINE\SOFTWARE\Microsoft\___"
AND srj.time > STRFTIME("%s", "NOW") - 925
AND lower(srj.valueName) = srj.valueName
AND LENGTH(srj.valueName) = 1
-- valueType=3 is Binary
AND srj.valueType = 3
-- eventType=5 is valueSet
AND srj.eventType = 5;

The query looks in the registry for the indicator left behind when the RAT component is stored there and persistence is established for the loader component.

The RAT creates a specific indicator in the registry and the query above is designed to identify that indicator. 

WHERE srj.keyName LIKE "\REGISTRY\MACHINE\SOFTWARE\Microsoft\___"  - This is the registry location we will be looking in: keys directly under HKLM\SOFTWARE\Microsoft whose subkey name is exactly three characters long (each _ in the LIKE pattern matches one character).
AND LENGTH(srj.valueName) = 1 - Looking for a registry value name that is exactly 1 character long (the preceding lower() comparison also requires it to be lowercase).
AND srj.valueType = 3 - Looking for the value type of REG_BINARY (type 3), which is how the RAT component is stored.
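As an added example (not part of the original post or of Sophos's own code), the following Python script loads a few constructed registry-journal rows into an in-memory SQLite table using the column names from the query above, then runs the same query against them so you can see which predicate rejects each near-miss row. The table name, column types and sample values are assumptions; Live Discover's real schema is not reproduced here.

```python
import sqlite3
import time

# The query from the post, with single-quoted string literals (standard SQL)
# so SQLite treats them as strings regardless of its double-quote setting.
QUERY = r"""
SELECT DISTINCT srj.time, srj.keyName, srj.valueName, srj.value, srj.sophosPID
FROM sophos_registry_journal AS srj
WHERE srj.keyName LIKE '\REGISTRY\MACHINE\SOFTWARE\Microsoft\___'
  AND srj.time > STRFTIME('%s', 'now') - 925
  AND lower(srj.valueName) = srj.valueName   -- value name must be lowercase
  AND LENGTH(srj.valueName) = 1              -- ... and exactly one character
  AND srj.valueType = 3                      -- 3 = REG_BINARY
  -- 5 = valueSet
  AND srj.eventType = 5;
"""

NOW = int(time.time())
KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\abc"   # constructed 3-char subkey

# Constructed journal rows: (time, keyName, valueName, value, valueType, eventType, sophosPID).
# Only the first row satisfies every predicate; each other row breaks exactly one of them.
SAMPLE_ROWS = [
    (NOW - 60,   KEY, "d",  b"\x4d\x5a\x90", 3, 5, 4711),  # hit: lowercase, 1 char, binary, set, recent
    (NOW - 60,   KEY, "dd", b"\x00",         3, 5, 4711),  # value name too long
    (NOW - 60,   KEY, "D",  b"\x00",         3, 5, 4711),  # uppercase value name
    (NOW - 60,   KEY, "e",  "plain text",    1, 5, 4711),  # REG_SZ, not REG_BINARY
    (NOW - 60,   KEY, "f",  b"\x00",         3, 4, 4711),  # eventType is not valueSet
    (NOW - 3600, KEY, "g",  b"\x00",         3, 5, 4711),  # older than the 925-second window
    (NOW - 60,   r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows", "h", b"\x00", 3, 5, 4711),  # subkey not 3 chars
]


def run_query(rows=SAMPLE_ROWS):
    """Load the constructed rows into an in-memory sophos_registry_journal table and run QUERY."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE sophos_registry_journal ("
        "time INTEGER, keyName TEXT, valueName TEXT, value BLOB, "
        "valueType INTEGER, eventType INTEGER, sophosPID INTEGER)"
    )
    con.executemany("INSERT INTO sophos_registry_journal VALUES (?,?,?,?,?,?,?)", rows)
    hits = con.execute(QUERY).fetchall()
    con.close()
    return hits


if __name__ == "__main__":
    for hit in run_query():
        print(hit)   # expect exactly one row: the valueName 'd' entry
```

Because the query keeps only rows newer than 925 seconds, the sample timestamps are taken relative to the current time; on a real endpoint this window means the query is meant to be run shortly after the activity it is looking for.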