The chineseporn5 rule detects potential malicious activity involving the download or execution of files associated with known malicious campaigns, leveraging indicators linked to Chinese-based threat actors. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats that may evade traditional detection methods.
YARA Rule
import "androguard"

rule chineseporn5 : SMSSend android
{
    meta:
        author = "https://twitter.com/plutec_net"
        reference = "https://koodous.com/"
    condition:
        // match on the package name declared in the APK manifest ...
        androguard.package_name("com.shenqi.video.ycef.svcr") or
        androguard.package_name("dxas.ixa.xvcekbxy") or
        androguard.package_name("com.video.ui") or
        androguard.package_name("com.qq.navideo") or
        androguard.package_name("com.android.sxye.wwwl") or
        // ... or on the issuer field of the APK signing certificate
        androguard.certificate.issuer(/llfovtfttfldddcffffhhh/)
}
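The rule's condition is a plain OR over two predicate types, package name and certificate issuer, which makes it easy to re-evaluate outside Koodous once APK metadata has been extracted. The following is an added example (not code from the page or from Koodous) that parses those predicates out of the rule text and applies them to constructed APK metadata records; it assumes the quoted package names are exact matches and the issuer pattern is a regex search, and the sample hashes are placeholders.

```python
import re

# The chineseporn5 rule as printed on the page (Koodous androguard syntax).
RULE_TEXT = r'''
rule chineseporn5 : SMSSend android
{
    meta:
        author = "https://twitter.com/plutec_net"
        reference = "https://koodous.com/"
    condition:
        androguard.package_name("com.shenqi.video.ycef.svcr") or
        androguard.package_name("dxas.ixa.xvcekbxy") or
        androguard.package_name("com.video.ui") or
        androguard.package_name("com.qq.navideo") or
        androguard.package_name("com.android.sxye.wwwl") or
        androguard.certificate.issuer(/llfovtfttfldddcffffhhh/)
}
'''

# Extract the two kinds of predicates the condition uses.
PKG_RE = re.compile(r'androguard\.package_name\("([^"]+)"\)')
ISSUER_RE = re.compile(r'androguard\.certificate\.issuer\(/([^/]+)/\)')


def parse_rule(rule_text):
    """Return (set of package-name literals, list of compiled issuer regexes)."""
    packages = set(PKG_RE.findall(rule_text))
    issuers = [re.compile(p) for p in ISSUER_RE.findall(rule_text)]
    return packages, issuers


def matches(apk_meta, packages, issuers):
    """Evaluate the OR-ed condition against one APK's extracted metadata.
    apk_meta holds the manifest package name and the signing-cert issuer DN;
    package names are exact matches (assumption), the issuer is a regex search."""
    if apk_meta.get("package") in packages:
        return True
    return any(r.search(apk_meta.get("issuer", "")) for r in issuers)


# Constructed sample metadata (placeholder hashes, not real APKs).
SAMPLES = [
    {"sha256": "<sample-1>", "package": "com.video.ui", "issuer": "CN=Android Debug"},
    {"sha256": "<sample-2>", "package": "com.example.notes", "issuer": "CN=llfovtfttfldddcffffhhh"},
    {"sha256": "<sample-3>", "package": "com.example.notes", "issuer": "CN=Example Corp"},
]


def triage(samples=SAMPLES, rule_text=RULE_TEXT):
    """Return the hashes of samples the rule would flag, for analyst review."""
    packages, issuers = parse_rule(rule_text)
    return [s["sha256"] for s in samples if matches(s, packages, issuers)]
```

Feeding this real package names and issuer DNs (for example from androguard's APK parser) lets a SOC batch-check an APK corpus against the rule without a Koodous account.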
This YARA rule can be deployed in the following contexts:
Scenario: A system administrator is using Windows Task Scheduler to run a scheduled backup job that temporarily creates files with names similar to known malicious patterns.
Filter/Exclusion: Exclude files created by the Task Scheduler with a specific command line or user context (e.g., schtasks.exe or user SYSTEM).
Scenario: A network monitoring tool like Wireshark or tcpdump is capturing and saving packet capture files (.pcap) that contain binary data matching the YARA rule due to raw data in the capture.
Filter/Exclusion: Exclude files with the file extension .pcap or magic number indicating packet capture data.
Scenario: A software update process using WSUS (Windows Server Update Services) temporarily stores update files that match the YARA rule due to embedded content or naming conventions.
Filter/Exclusion: Exclude files located in WSUS download directories (e.g., C:\Windows\SoftwareDistribution\Download) or with known update file extensions (e.g., .msu, .cab).
Scenario: A log management tool like Splunk or ELK Stack is indexing raw log files that contain binary or encoded data matching the YARA rule due to unprocessed log content.
Filter/Exclusion: Exclude files with log file extensions (e.g., .log, .txt) or specific log sources (e.g., syslog, eventlog).
Scenario: A virtualization platform like VMware vCenter or Microsoft Hyper-V generates snapshot files or configuration backups that include binary data matching the YARA rule due to internal structure.
Filter/Exclusion: Exclude