The hypothesis is that the detected behavior may indicate the presence of a malicious payload or obfuscated code commonly associated with SMS-based phishing campaigns targeting Chinese-speaking users. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise vectors used by adversaries to deliver payloads or exfiltrate data.
YARA Rule
rule smspay_chinnese : hejupay android
{
    meta:
        author = "Fernando Denis https://twitter.com/fdrg21"
        reference = "https://koodous.com/"
    strings:
        $a = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/Jvgb0/jSRWi7i4J9IwO72KZw404kj02A97ExbUefVeE7yyWSTbKw5sYlKXCtaoQwWr19j0Y+xb6+h2BRuNx307BV/QpG6DnPg+Lx8fPPvhbhOudgKb/XuZPaz/GJbTpwzTbBmT+mI1QTRLyAKDxSjGWYvoPFVz82RxcAblV/twIDAQAB"
        $b = "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"
    condition:
        $a or $b
}
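The `$a` string above is a Base64-encoded X.509 SubjectPublicKeyInfo (the `MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ` prefix is the standard header of a 1024-bit RSA public key). As an added example, not code from the page or from the rule's author, the Python below decodes that string to show exactly what the rule keys on, then emulates the rule's condition for `$a` over constructed sample bytes; the minimal DER walker and the sample inputs are my own.

```python
import base64

# $a from the rule above, split across lines for readability (same 216 characters).
RULE_STRING_A = (
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/Jvgb0/jSRWi7i4J9IwO72KZw404kj02A97Ex"
    "bUefVeE7yyWSTbKw5sYlKXCtaoQwWr19j0Y+xb6+h2BRuNx307BV/QpG6DnPg+Lx8fPPvhbhOudg"
    "Kb/XuZPaz/GJbTpwzTbBmT+mI1QTRLyAKDxSjGWYvoPFVz82RxcAblV/twIDAQAB"
)
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

def der_read(buf: bytes, pos: int):
    """Read one DER TLV element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_rsa_spki(b64: str) -> dict:
    """Decode a Base64 SubjectPublicKeyInfo; report algorithm, modulus size, exponent."""
    _, spki, _ = der_read(base64.b64decode(b64), 0)  # SubjectPublicKeyInfo ::= SEQUENCE
    _, alg, pos = der_read(spki, 0)                   #   AlgorithmIdentifier ::= SEQUENCE
    _, oid, _ = der_read(alg, 0)                      #     algorithm OBJECT IDENTIFIER
    _, bits, _ = der_read(spki, pos)                  #   subjectPublicKey BIT STRING
    _, rsa, _ = der_read(bits[1:], 0)                 # skip unused-bits byte; RSAPublicKey SEQUENCE
    _, n, pos = der_read(rsa, 0)                      #   modulus INTEGER
    _, e, _ = der_read(rsa, pos)                      #   publicExponent INTEGER
    return {
        "is_rsa": oid == RSA_ENCRYPTION_OID,
        "modulus_bits": int.from_bytes(n, "big").bit_length(),
        "exponent": int.from_bytes(e, "big"),
    }

def rule_matches(data: bytes) -> bool:
    """Emulate 'condition: $a or $b' for $a only ($b is not reproduced on the page).
    YARA compares raw bytes, so this fires on files that embed the key as Base64
    text (for instance a string constant in classes.dex), not on the DER-encoded
    signing certificate under META-INF/."""
    return RULE_STRING_A.encode("ascii") in data

# Constructed sample inputs (not real APK contents): one embedding the exact key,
# one embedding a different 1024-bit RSA key that shares only the generic prefix.
SAMPLE_HIT = b"\x00pubkey\x00" + RULE_STRING_A.encode("ascii") + b"\x00"
SAMPLE_CLEAN = b"\x00pubkey\x00MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC" + b"A" * 177 + b"\x00"

if __name__ == "__main__":
    print(parse_rsa_spki(RULE_STRING_A))  # {'is_rsa': True, 'modulus_bits': 1024, 'exponent': 65537}
    print(rule_matches(SAMPLE_HIT), rule_matches(SAMPLE_CLEAN))  # True False
```

Because `$a` is one specific public key rather than a generic RSA header, the string is a precise indicator with little room for collisions with unrelated files.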
This rule contains 2 string patterns in its detection logic.
This YARA rule can be deployed in the following contexts:
Scenario: A system administrator is using PowerShell to automate the deployment of a legitimate software update that includes a string resembling “smspay chinnese” in its configuration file.
Filter/Exclusion: Exclude processes initiated by powershell.exe with the -File parameter pointing to known update scripts or paths in the C:\Windows\System32 directory.
Scenario: A scheduled task runs nightly to clean up temporary files and logs, and the cleanup script contains a comment or placeholder text that includes the string “smspay chinnese” for documentation purposes.
Filter/Exclusion: Exclude processes associated with the Task Scheduler service (svchost.exe or taskschd.exe) running tasks with known cleanup or maintenance names.
Scenario: A network monitoring tool like Wireshark or tcpdump is capturing traffic that includes the string “smspay chinnese” in a legitimate API response or payload during a test environment simulation.
Filter/Exclusion: Exclude traffic from known monitoring tools or processes running in a test or staging environment, such as those under C:\Program Files\Wireshark or with a specific User-Agent header.
Scenario: A database backup job using SQL Server Agent or MySQL Workbench includes a script that references a placeholder or test data string “smspay chinnese” in a backup script or log file.
Filter/Exclusion: Exclude processes initiated by SQL Server Agent (sqlagent.exe) or MySQL Workbench (mysql.exe) running during scheduled backup windows.
Scenario: An IT helpdesk tool like ServiceNow or Zendesk has a custom field or note that includes the string “smspay chinnese” as part of a ticket description or internal note.
**Filter/