This YARA rule detects the presence of the Dogspectus ransomware APK, which may indicate initial compromise by an adversary seeking to encrypt and exfiltrate sensitive data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage ransomware activity before data is encrypted or exfiltrated.
YARA Rule
// The rule relies on the androguard module for APK metadata, so the
// module must be imported for the rule to compile outside platforms
// (such as Koodous) that import it implicitly.
import "androguard"

rule Android_Dogspectus_rswm
{
    meta:
        author = "https://twitter.com/5h1vang"
        description = "Yara rule for Dogspectus initial ransomware apk"
        sample = "197588be3e8ba5c779696d864121aff188901720dcda796759906c17473d46fe"
        source = "https://www.bluecoat.com/security-blog/2016-04-25/android-exploit-delivers-dogspectus-ransomware"

    strings:
        // Device-admin activation action plus the fake "software update" prompt
        $str_1 = "android.app.action.ADD_DEVICE_ADMIN"
        $str_2 = "Tap ACTIVATE to continue with software update"

    condition:
        // Branch 1: known package name paired with the spoofed app label
        (androguard.package_name("net.prospectus") and
         androguard.app_name("System update")) or
        // Branch 2: known signing certificate
        androguard.certificate.sha1("180ADFC5DE49C0D7F643BD896E9AAC4B8941E44E") or
        // Branch 3: known activity names (first one matched case-insensitively)
        (androguard.activity(/Loganberry/i) or
         androguard.activity("net.prospectus.pu") or
         androguard.activity("PanickedActivity")) or
        // Branch 4: permission set combined with both lure strings
        (androguard.permission(/android.permission.INTERNET/) and
         androguard.permission(/android.permission.WAKE_LOCK/) and
         androguard.permission(/android.permission.RECEIVE_BOOT_COMPLETED/) and
         all of ($str_*))
}
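As an added illustration (not part of the original rule or of the androguard YARA module), the Python below re-implements the rule's four OR-branches over APK metadata records, so the effect of `all of ($str_*)` is visible: a legitimate device-admin app that ships the ADD_DEVICE_ADMIN action string but not the fake-update prompt does not match. The two metadata records are constructed, and the assumption that the module matches string arguments exactly and regex arguments by search is mine.

```python
import re

# Constructed metadata records standing in for what the androguard module
# exposes (package name, app label, signer SHA-1, activities, permissions)
# plus the printable strings found in the APK's DEX/resources. Made up for
# illustration; the cert values are placeholders, not real signer hashes.
DOGSPECTUS_LIKE = {
    "package_name": "com.example.updater",
    "app_name": "System update",
    "cert_sha1": "0000000000000000000000000000000000000000",
    "activities": ["com.example.updater.MainActivity"],
    "permissions": ["android.permission.INTERNET", "android.permission.WAKE_LOCK",
                    "android.permission.RECEIVE_BOOT_COMPLETED"],
    "strings": ["android.app.action.ADD_DEVICE_ADMIN",
                "Tap ACTIVATE to continue with software update"],
}
BENIGN_MDM_AGENT = {  # legitimate device-admin agent: only one of the two strings
    "package_name": "com.example.mdm",
    "app_name": "Fleet Agent",
    "cert_sha1": "1111111111111111111111111111111111111111",
    "activities": ["com.example.mdm.EnrollActivity"],
    "permissions": ["android.permission.INTERNET", "android.permission.WAKE_LOCK",
                    "android.permission.RECEIVE_BOOT_COMPLETED"],
    "strings": ["android.app.action.ADD_DEVICE_ADMIN"],
}

STR_PATTERNS = ["android.app.action.ADD_DEVICE_ADMIN",
                "Tap ACTIVATE to continue with software update"]
PERM_PATTERNS = [r"android.permission.INTERNET", r"android.permission.WAKE_LOCK",
                 r"android.permission.RECEIVE_BOOT_COMPLETED"]

def matches_dogspectus(apk):
    """Evaluate the rule's condition; return the first branch that fires, or None."""
    # Branch 1: exact package name paired with the spoofed app label.
    if apk["package_name"] == "net.prospectus" and apk["app_name"] == "System update":
        return "package+appname"
    # Branch 2: known signing certificate SHA-1 (value taken from the rule).
    if apk["cert_sha1"].upper() == "180ADFC5DE49C0D7F643BD896E9AAC4B8941E44E":
        return "certificate"
    # Branch 3: any known activity; /Loganberry/i is a case-insensitive regex.
    for act in apk["activities"]:
        if re.search(r"Loganberry", act, re.I) or act in ("net.prospectus.pu", "PanickedActivity"):
            return "activity"
    # Branch 4: all three permissions AND every $str_* ('all of' semantics).
    blob = "\n".join(apk["strings"])
    if all(any(re.search(p, x) for x in apk["permissions"]) for p in PERM_PATTERNS) \
            and all(s in blob for s in STR_PATTERNS):
        return "permissions+strings"
    return None
```

Feeding real metadata (for example, fields pulled with the androguard library) into `matches_dogspectus` lets an analyst see which branch a hit came from, which is the first question when triaging a false positive.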
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
Scenario: Legitimate Android App Signing with apksigner
Description: A system administrator signs an internal Android app using apksigner, which may trigger the rule due to similar file signatures.
Filter/Exclusion: Check for the presence of apksigner in the process tree or filter by file paths containing /usr/bin/apksigner or /usr/local/bin/apksigner.
Scenario: Scheduled Job for APK Packaging with apktool
Description: A DevOps team uses apktool to package and build internal Android applications as part of a CI/CD pipeline, which may match the YARA rule.
Filter/Exclusion: Filter processes containing /usr/bin/apktool or check for the presence of apktool in the command line arguments.
Scenario: Android Debug Bridge (ADB) APK Push with adb push
Description: An admin pushes a debug APK to a device using adb push, which may trigger the rule due to APK file characteristics.
Filter/Exclusion: Filter by command-line arguments containing adb push or check for the presence of adb in the process tree.
Scenario: Internal APK Signing with jarsigner
Description: A developer signs an internal APK using jarsigner, which may have similar signature patterns to the ransomware APK.
Filter/Exclusion: Filter processes containing /usr/bin/jarsigner or check for the presence of jarsigner in the command line.
Scenario: Automated APK Analysis with androlyze or apktool
Description: Security tools like androlyze or apktool are used for static analysis of APK files, which may trigger the rule due to file structure.
Filter/Exclusion: Filter by