This rule try to detects Android.Banking.RuMMS

Hunt Hypothesis

The hypothesis is that the detection rule identifies potential Android.Banking.RuMMS malware by matching known malicious patterns in Android applications, which could indicate a targeted financial fraud attempt. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage malware activity before it leads to data exfiltration or financial loss.

YARA Rule

rule Android_RuMMS_0
{
	meta:
		author = "Jacob Soo Lead Re"
		date = "19-May-2016"
		description = "This rule try to detects Android.Banking.RuMMS"
		source = "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"

	condition:
		(androguard.service(/\.Tb/) and 
		 androguard.service(/\.Ad/) and 
		 androguard.receiver(/\.Ac/) and 
		 androguard.receiver(/\.Ma/)) or
        (androguard.url(/http\:\/\/37\.1\.207/) and 
		 androguard.url(/\/api\/\?id\=7/))
		
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints
• Source Rule

False Positive Guidance

• Scenario: Scheduled System Backup Using adb backup
  Description: A legitimate system backup task using adb backup may trigger the YARA rule due to similar string patterns.
  Filter/Exclusion: Exclude processes initiated by adb or with command-line arguments containing backup.

• Scenario: Android Debug Bridge (ADB) Debugging Session
  Description: ADB commands used for debugging or log collection may contain strings that match the YARA rule.
  Filter/Exclusion: Exclude processes with adb in the command line or originating from the platform-tools directory.

• Scenario: Android Studio Build Process
  Description: Android Studio may generate files or logs that include strings matching the YARA rule during a build or export task.
  Filter/Exclusion: Exclude processes initiated by studio or with paths containing AndroidStudio.

• Scenario: System Integrity Check Using logcat
  Description: A system integrity check or log analysis using logcat may include strings that match the YARA rule.
  Filter/Exclusion: Exclude processes with logcat in the command line or associated with system integrity tools like adb logcat.

• Scenario: Mobile Device Management (MDM) Configuration Sync
  Description: MDM tools like Microsoft Intune or VMware Workspace ONE may sync device configurations, which could include strings matching the YARA rule.
  Filter/Exclusion: Exclude processes with MDM tool names in the command line or associated with known MDM services.