This rule flags Android packages (APKs) whose manifest declares the three broadcast receivers seen in the Spy.Banker AVITO-MMS variant described in the Avast write-up cited in the rule's meta section: AlarmReceiverKnock, BootReciv and AlarmReceiverAdm. Spy.Banker is a banking trojan family, and the source article describes this variant stealing credit card data, so a hit points to a financially motivated, credential-stealing sample. The receiver names themselves are the only signal: a boot receiver is the usual way an Android sample restarts itself after a reboot, and alarm receivers suggest scheduled background execution. Because the condition is built on the androguard YARA module, the rule is evaluated against APK files and their manifest metadata, not against host process, endpoint or network telemetry.
YARA Rule
import "androguard"

rule Android_AVITOMMS_Variant
{
    meta:
        author = "Jacob Soo Lead Re"
        date = "28-May-2016"
        description = "This rule tries to detect the Spy.Banker AVITO-MMS variant"
        source = "https://blog.avast.com/android-banker-trojan-preys-on-credit-card-information"

    condition:
        // All three receiver class names must appear in the APK manifest.
        // The regexes are unanchored, so a substring match counts.
        androguard.receiver(/AlarmReceiverKnock/) and
        androguard.receiver(/BootReciv/) and
        androguard.receiver(/AlarmReceiverAdm/)
}
This YARA rule can be deployed in any scanner that loads the androguard YARA module and feeds it APK files (an APK analysis pipeline, a mobile malware repository, or a gateway that extracts APKs from downloads). The condition reads only receiver class names from AndroidManifest.xml, so process-, file-I/O- or network-based exclusions have no bearing on it. The cases below are the ones that matter when tuning it:
Scenario: Substring match on a longer receiver name
Description: The three regexes are unanchored, so any receiver whose name merely contains the pattern satisfies it; a class named AlarmReceiverAdmin, for example, satisfies /AlarmReceiverAdm/. This widens the match beyond the exact classes the source describes.
Filter/Exclusion: Anchor the patterns to the end of the class name (for example /AlarmReceiverAdm$/), which still matches both the relative form ".AlarmReceiverAdm" and a fully qualified name, but no longer matches names with a suffix.
Scenario: Other samples or families reusing the same receiver classes
Description: A repackaged build or a different family that reused this code base will declare the same three receivers and therefore hit the rule; a legitimate app would have to declare all three specific names, which is unlikely but not impossible.
Filter/Exclusion: Before acting on a hit, pivot on the other fields the same module exposes, such as androguard.package_name, androguard.certificate.sha1 and androguard.permission, and compare them with the sample described in the Avast write-up rather than relying on the receiver names alone.
Scenario: Renamed or obfuscated receivers
Description: All three patterns are joined with and, so a build that renames or obfuscates even one receiver class is not detected. This is a false negative, not a false positive, but it bounds what a miss tells you.
Filter/Exclusion: Treat a hit as a strong indicator and a miss as no information; do not loosen the rule to or, which would trade that precision for matches on a single generic-looking receiver name.
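As an added example, not code from the original page or from the Avast write-up, the following Python reproduces the rule's condition over a decoded AndroidManifest.xml so the matching behaviour can be exercised without a YARA build that carries the androguard module. It assumes that androguard.receiver(regex) behaves like a regex search over each receiver name declared in the manifest, which is how the module's receiver matching is described; the manifests are constructed for this example and their package names and receiver names are hypothetical. The anchored pattern set is likewise an assumed tightening of the rule, not part of the original.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used for android:name attributes in AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# The three receiver patterns as the YARA rule writes them: unanchored,
# so a substring match anywhere in the receiver class name counts.
RULE_RECEIVER_PATTERNS = (
    re.compile(r"AlarmReceiverKnock"),
    re.compile(r"BootReciv"),
    re.compile(r"AlarmReceiverAdm"),
)

# Assumed tightening (not from the page): anchor at the end of the class name so
# ".AlarmReceiverAdm" and "com.x.AlarmReceiverAdm" still match but
# "AlarmReceiverAdmin" does not.
STRICT_RECEIVER_PATTERNS = tuple(
    re.compile(p.pattern + r"$") for p in RULE_RECEIVER_PATTERNS
)


def receiver_names(manifest_xml):
    """Return the android:name of every <receiver> in a decoded (text) manifest,
    in declaration order. Binary AXML from a real APK must be decoded first."""
    root = ET.fromstring(manifest_xml)
    return [elem.get(NAME_ATTR, "") for elem in root.iter("receiver")]


def matches_rule(manifest_xml, patterns=RULE_RECEIVER_PATTERNS):
    """Mirror the rule's condition: each pattern must match at least one declared
    receiver, and all patterns must be satisfied (the rule joins them with 'and')."""
    names = receiver_names(manifest_xml)
    return all(any(p.search(n) for n in names) for p in patterns)


def _manifest(package, receivers):
    """Build a minimal decoded manifest (constructed sample input, not a real APK)."""
    body = "".join('    <receiver android:name="%s"/>\n' % r for r in receivers)
    return (
        '<manifest xmlns:android="%s" package="%s">\n'
        '  <application>\n%s  </application>\n</manifest>\n'
        % (ANDROID_NS, package, body)
    )


# Constructed manifests; package names are hypothetical.
SUSPECT_MANIFEST = _manifest(
    "com.example.constructed.banker",
    [".AlarmReceiverKnock", ".BootReciv", ".AlarmReceiverAdm"],
)
BENIGN_MANIFEST = _manifest(
    "com.example.constructed.benign",
    [".BootReceiver", ".AlarmReceiver"],
)
# Receiver names that contain the rule's substrings but are not the same classes.
LOOKALIKE_MANIFEST = _manifest(
    "com.example.constructed.lookalike",
    [".AlarmReceiverKnockTest", ".BootRecivX", ".AlarmReceiverAdmin"],
)

if __name__ == "__main__":
    for label, m in (("suspect", SUSPECT_MANIFEST),
                     ("benign", BENIGN_MANIFEST),
                     ("lookalike", LOOKALIKE_MANIFEST)):
        print(label,
              "loose:", matches_rule(m),
              "strict:", matches_rule(m, STRICT_RECEIVER_PATTERNS))
```

The lookalike manifest is the case the unanchored rule gets wrong: it hits under the rule's own patterns and is rejected by the anchored set, while the manifest with the exact three receivers hits under both. To run this against a real sample, decode the binary manifest first (apktool or androguard's own AXML parser) and pass the resulting XML text to matches_rule.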