The dowgin rule detects string artifacts associated with the Dowgin Android adware family, which may indicate an initial compromise or reconnaissance. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage threats and prevent lateral movement or data exfiltration.
YARA Rule
rule dowgin : adware android
{
    meta:
        author = "https://twitter.com/plutec_net"
        reference = "https://koodous.com/"
        sample = "4d7f2d6ff4ed8ced6f8f7f96e9899273cc3090ea108f2cc3b32dd1a06e63cf70"
        sample2 = "cde8160d09c486bdd6d96b2ed81bd52390d77094d13ff9cfbc6949ed00206a83"
        sample3 = "d2e81e6db5f4964246d10241588e0e97cde524815c4de7c0ea1c34a48da1bcaf"
        sample4 = "cc2d0b3d8f00690298b0e5813f6ace8f4d4b04c9704292407c2b83a12c69617b"

    strings:
        $a = "http://112.74.111.42:8000"
        $b = "SHA1-Digest: oIx4iYWeTtKib4fBH7hcONeHuaE="
        $c = "ONLINEGAMEPROCEDURE_WHICH_WAP_ID"
        $d = "http://da.mmarket.com/mmsdk/mmsdk?func=mmsdk:posteventlog"

    condition:
        // every one of the four strings must be present for the rule to fire
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains four string patterns ($a through $d) in its detection logic and matches only when all four are present in the scanned data.
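As an added example (not part of the page, the rule author's tooling, or YARA itself), the following Python reimplements the rule's four string patterns and its `all of them` condition over the decompressed entries of an APK. YARA matches raw bytes, so strings sitting inside deflated zip entries of an APK are only visible once the archive is unpacked; the sample archive here is constructed inline, and `build_sample_apk` is a test helper, not a real Dowgin sample.

```python
import io
import zipfile

# The four string patterns from the dowgin rule, keyed by their YARA identifiers.
DOWGIN_STRINGS = {
    "$a": b"http://112.74.111.42:8000",
    "$b": b"SHA1-Digest: oIx4iYWeTtKib4fBH7hcONeHuaE=",
    "$c": b"ONLINEGAMEPROCEDURE_WHICH_WAP_ID",
    "$d": b"http://da.mmarket.com/mmsdk/mmsdk?func=mmsdk:posteventlog",
}


def find_strings(data: bytes) -> set:
    """Return the identifiers of rule strings present in a raw byte buffer."""
    return {ident for ident, pattern in DOWGIN_STRINGS.items() if pattern in data}


def scan_apk(apk_bytes: bytes) -> dict:
    """Scan every entry of an APK (a zip archive) after decompression.

    Returns {"matches": {entry_name: [idents...]}, "all_of_them": bool}.
    'all_of_them' mirrors the rule's condition: every string must appear
    somewhere in the archive, not necessarily in the same entry.
    """
    seen = set()
    per_entry = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            hits = find_strings(zf.read(info))  # decompressed entry bytes
            if hits:
                per_entry[info.filename] = sorted(hits)
                seen |= hits
    return {"matches": per_entry, "all_of_them": seen == set(DOWGIN_STRINGS)}


def build_sample_apk(include: tuple) -> bytes:
    """Build a constructed, minimal APK-like zip for testing (not a real sample).

    The manifest digest line ($b) goes into META-INF/MANIFEST.MF, the other
    strings into a fake classes.dex, so matches are spread over two entries.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        manifest = b"Manifest-Version: 1.0\r\n"
        if "$b" in include:
            manifest += b"Name: classes.dex\r\n" + DOWGIN_STRINGS["$b"] + b"\r\n"
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        dex = b"dex\n035\x00" + b"".join(
            DOWGIN_STRINGS[i] + b"\x00" for i in ("$a", "$c", "$d") if i in include)
        zf.writestr("classes.dex", dex)
    return buf.getvalue()
```

In production the rule should be compiled and run with YARA (or yara-python) against unpacked APK contents; this snippet only makes the matching semantics explicit.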
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as a Windows Task Scheduler job, is using a tool or script that matches the YARA rule due to shared string patterns.
Filter/Exclusion: Exclude processes initiated by schtasks.exe or with a command line containing /S (scheduled task execution).
Scenario: Admin Using PowerShell for Configuration Changes
Description: An administrator is using PowerShell to configure system settings, and the script or command contains strings that match the YARA rule.
Filter/Exclusion: Exclude processes with powershell.exe where the command line includes -Command or -File and the script path is within a known admin directory (e.g., C:\Windows\System32\ or C:\Program Files\).
Scenario: Antivirus or Endpoint Protection Scan
Description: A legitimate antivirus or endpoint protection tool (e.g., Microsoft Defender, CrowdStrike, or Symantec) is scanning files and triggering the rule as a false positive.
Filter/Exclusion: Exclude processes with mpcmdrun.exe, mpengine.exe, or similar names associated with known security software.
Scenario: Log File Parsing or Analysis Tool
Description: A log analysis tool (e.g., Splunk, ELK Stack, or Graylog) is processing log files and the content matches the YARA rule due to common log patterns.
Filter/Exclusion: Exclude processes with splunkd.exe, logstash.exe, or graylog-server.exe and filter based on file paths or log sources.
Scenario: Software Deployment via Group Policy or SCCM
Description: A software deployment task via Group Policy or SCCM (System Center Configuration Manager) is using a package or script that matches the YARA rule.