Hypothesis: an Android APK whose manifest declares a service whose name contains IMService, a receiver whose name contains BootReciv, and the RECEIVE_BOOT_COMPLETED, KILL_BACKGROUND_PROCESSES, SEND_SMS and INTERNET permissions is a sample of the Spy.Banker AVITO-MMS variant, the Android banking trojan described in the linked Avast post, which targets credit-card information and declares the permission needed to send SMS. The rule is a static match on APK metadata, not a behavioural detection of lateral movement or exfiltration, so a SOC team should hunt with it over Android samples (VirusTotal Retrohunt, an internal malware repository, or APKs collected from MDM or app-inventory telemetry) and treat a hit as a compromised device to contain; a match forwarded to a SIEM such as Azure Sentinel is a pivot point for identifying the affected user and device, not evidence of an advanced persistent threat in the network.
YARA Rule
// The androguard module is part of VirusTotal's YARA build; each predicate is a
// regex match against the decoded AndroidManifest.xml of the scanned APK.
import "androguard"

rule Android_AVITOMMS_Rule2
{
    meta:
        author = "Jacob Soo Lead Re"
        date = "01-July-2016"
        description = "This rule tries to detect the Spy.Banker AVITO-MMS variant"
        source = "https://blog.avast.com/android-banker-trojan-preys-on-credit-card-information"
    condition:
        // unanchored substring matches on fully qualified component class names
        androguard.service(/IMService/) and
        androguard.receiver(/BootReciv/) and
        // /i makes the permission matches case-insensitive
        androguard.permission(/android.permission.RECEIVE_BOOT_COMPLETED/i) and
        androguard.permission(/android.permission.KILL_BACKGROUND_PROCESSES/i) and
        androguard.permission(/android.permission.SEND_SMS/i) and
        androguard.permission(/android.permission.INTERNET/i)
}
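The following Python is an added example, not part of the original page or of the rule author's work. It re-implements the six predicates of Android_AVITOMMS_Rule2 over a decoded AndroidManifest.xml (the text form produced by apktool or androguard, since the manifest inside an APK is binary AXML), so the match logic can be tested outside VirusTotal's androguard module. The two manifests, their package names (com.example.avito, com.example.chat) and component names are constructed for illustration; the benign one shares the full permission set and an IMService service but spells its boot receiver correctly, which shows where the rule's specificity actually comes from.

```python
"""Re-implementation of the Android_AVITOMMS_Rule2 match logic over a decoded
AndroidManifest.xml.  Added example; both manifests below are constructed."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Same predicates as the YARA rule: component regexes are case-sensitive,
# unanchored substring matches; permission regexes carry the /i flag.
SERVICE_RE = re.compile(r"IMService")
RECEIVER_RE = re.compile(r"BootReciv")
PERMISSION_RES = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"android.permission.RECEIVE_BOOT_COMPLETED",
        r"android.permission.KILL_BACKGROUND_PROCESSES",
        r"android.permission.SEND_SMS",
        r"android.permission.INTERNET",
    )
]

# Constructed manifest modelled on the rule's predicates (hypothetical package).
SUSPECT_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.avito">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <application android:label="MMS">
    <service android:name=".IMService"/>
    <receiver android:name=".BootReciv">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign messaging app: same permissions, same service name,
# but the receiver is spelled BootReceiver, so /BootReciv/ does not match.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <application android:label="Chat">
    <service android:name="com.example.chat.IMService"/>
    <receiver android:name=".BootReceiver"/>
  </application>
</manifest>
"""


def parse_manifest(xml_text: str) -> dict:
    """Collect declared services, receivers and permissions from a decoded manifest.

    Component names written relative to the package ('.IMService') are expanded
    to the fully qualified form that androguard reports, so the regexes see the
    same strings the YARA module would."""
    root = ET.fromstring(xml_text.strip())
    package = root.get("package", "")

    def qualify(name: str) -> str:
        if name.startswith("."):
            return package + name
        if "." not in name:
            return f"{package}.{name}"
        return name

    services, receivers = [], []
    app = root.find("application")
    if app is not None:
        services = [qualify(el.get(ANDROID_NS + "name", "")) for el in app.findall("service")]
        receivers = [qualify(el.get(ANDROID_NS + "name", "")) for el in app.findall("receiver")]
    permissions = [el.get(ANDROID_NS + "name", "") for el in root.findall("uses-permission")]
    return {"package": package, "services": services,
            "receivers": receivers, "permissions": permissions}


def matches_avitomms(manifest: dict) -> bool:
    """Evaluate the rule's condition: all six predicates are AND-ed together."""
    has_service = any(SERVICE_RE.search(s) for s in manifest["services"])
    has_receiver = any(RECEIVER_RE.search(r) for r in manifest["receivers"])
    has_perms = all(any(pr.search(p) for p in manifest["permissions"]) for pr in PERMISSION_RES)
    return has_service and has_receiver and has_perms


if __name__ == "__main__":
    for label, text in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        m = parse_manifest(text)
        print(f"{label}: package={m['package']} match={matches_avitomms(m)}")
```

Both constructed apps declare the full permission set, so the permission predicates alone would not separate them; only the receiver-name regex does. That is the practical takeaway for tuning: the component-name regexes carry the rule's specificity, and they are substring matches, so a legitimate app with an instant-messaging service called IMService already satisfies one of them.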
Deployment context: the condition uses only androguard module predicates, so the rule matches on decoded APK manifest metadata (declared services, receivers and uses-permission entries), not on process, file or memory activity. The androguard module is part of VirusTotal's YARA build, which makes VirusTotal Livehunt and Retrohunt over Android samples the intended deployment; a stock yara binary rejects the import as an unknown module. Because the rule never inspects host telemetry, the Windows process exclusions that usually accompany YARA deployment notes (Task Scheduler jobs, Bitdefender or Defender scans, sqlservr.exe, powershell.exe, MsMpEng.exe) have no bearing on it; false-positive analysis comes down to which legitimate apps can satisfy all six predicates at once.
Scenario: Legitimate messaging or device-management app
Description: The four permissions (RECEIVE_BOOT_COMPLETED, KILL_BACKGROUND_PROCESSES, SEND_SMS, INTERNET) are declared by many legitimate SMS, messaging and device-management apps, so they contribute little specificity on their own. Most of the rule's discriminating power sits in the two unanchored component-name regexes: /IMService/ matches any service whose fully qualified class name contains that string, which an instant-messaging app may well have, while /BootReciv/ targets a spelling a legitimate developer is unlikely to use. A false positive therefore requires an app to carry the full permission set and both component names.
Filter/Exclusion: Rather than excluding by app, tighten the component regexes to the fully qualified class names seen in confirmed samples and, where the samples share them, add a package-name or signing-certificate predicate (androguard.package_name, androguard.certificate.sha1) to the condition. Triage any remaining hit by confirming that the receiver registers for BOOT_COMPLETED and that the app actually contains an SMS-sending code path before treating it as a detection.