This detection rule flags Android APKs whose package name is one of two hard-coded values, using the package_name() function of the androguard YARA module that Koodous exposes; it is tagged SMSSend and android, i.e. it is aimed at a premium-SMS-sending family distributed as adult-content apps. The rule has no strings section and inspects no file content, hashes, or network traffic: it is an indicator-style rule for known samples, so it belongs in an APK analysis pipeline or a Koodous retrohunt rather than in a generic log-analytics or network-capture workflow. Because package names are declared by whoever builds the APK, a renamed repackaging of the same malware will not match, so treat a hit as high-confidence and a miss as no evidence either way.
YARA Rule
rule chinese_porn : SMSSend android
{
meta:
author = "https://twitter.com/plutec_net"
reference = "https://koodous.com/"
condition:
androguard.package_name("com.tzi.shy") or
androguard.package_name("com.shenqi.video.nfkw.neim")
}
The rule depends on the androguard module, so the deployment contexts and false-positive cases that apply to it are the following:
Scenario: The rule is loaded into a standard YARA build (or a tool such as an EDR or mail gateway that embeds stock libyara) that does not ship the androguard module. Compilation fails with an undefined identifier error for androguard, so the rule never produces a match or a false positive there.
Filter/Exclusion: Run it only where the module exists (Koodous, or a YARA build compiled with the androguard module), or port the condition into a pipeline that extracts the package name from the APK with androguard and compares it directly.
Scenario: A legitimate or third-party app reuses one of the two package names. Package names are chosen by the developer and are not unique, so any APK that declares com.tzi.shy or com.shenqi.video.nfkw.neim matches, regardless of what it does.
Filter/Exclusion: Maintain an allowlist of known-good APK hashes (sha256) that are dropped after matching, or narrow the rule with additional androguard conditions such as a required permission or signing certificate, so that the package name alone is not sufficient.
Scenario: The malware author rebuilds the APK under a different package name, for example by appending a suffix. The comparison is an exact match, so the sample is missed; this is a false negative, not a false positive.
Filter/Exclusion: Treat this rule as one indicator among several rather than as the sole detection, and pair it with behavioural conditions (SMS permissions, known certificates, known URLs) that survive a rename.
Scenario: The page previously listed Wireshark captures, Veeam backups, Windows Update packages, Splunk or ELK log files, and Python scripts with Chinese localisation strings as false-positive sources. None of these can trigger this rule: it contains no string or hash patterns and evaluates nothing but the APK's declared package name, and it only runs on Android packages in the first place.
Filter/Exclusion: No filename, directory, extension, or process-name exclusion is needed or meaningful for this rule; tuning should be done on APK hash or signing certificate as above.
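To make the exact-match semantics and the hash-allowlist tuning concrete, here is an added Python example (not code from the page, Koodous, or the rule's author). It extracts the package names from the rule text with a regular expression, applies the same disjunction of exact comparisons to a constructed batch of APK metadata records, and drops allowlisted hashes. It assumes, as stated on the page, that the condition is nothing more than an OR of package-name equalities, and that androguard.package_name() with a string argument compares exactly (an assumption; a real pipeline would get the package name from androguard's manifest parser rather than from these hand-written records).

```python
import re
from dataclasses import dataclass

# Rule text copied from the page so the example runs offline.
RULE_TEXT = r'''
rule chinese_porn : SMSSend android
{
meta:
author = "https://twitter.com/plutec_net"
reference = "https://koodous.com/"
condition:
androguard.package_name("com.tzi.shy") or
androguard.package_name("com.shenqi.video.nfkw.neim")
}
'''

# One androguard.package_name("...") call; the rule ORs several of them.
PKG_CALL = re.compile(r'androguard\.package_name\(\s*"([^"]+)"\s*\)')


def rule_package_names(rule_text):
    """Return every literal package name the rule's condition tests for."""
    return frozenset(PKG_CALL.findall(rule_text))


@dataclass(frozen=True)
class ApkRecord:
    """Minimal APK metadata, constructed here; a pipeline would fill it from androguard."""
    sha256: str
    package_name: str


def matches_rule(record, names):
    """Mirror the rule: a disjunction of exact, case-sensitive package-name equalities
    (assumption: string arguments to package_name() are compared exactly)."""
    return record.package_name in names


def scan(records, rule_text=RULE_TEXT, excluded_sha256=frozenset()):
    """Apply the rule to a batch of APK records and return the matched hashes.

    excluded_sha256 is the tuning knob that fits this rule: an allowlist of known-good
    APK hashes, applied after matching. Filename or process filters have no meaning here.
    """
    names = rule_package_names(rule_text)
    return [r.sha256 for r in records
            if matches_rule(r, names) and r.sha256 not in excluded_sha256]


# Constructed sample batch; the hashes are placeholders, not real samples.
SAMPLES = [
    ApkRecord("sha256-1", "com.tzi.shy"),                 # exact hit
    ApkRecord("sha256-2", "com.shenqi.video.nfkw.neim"),  # exact hit
    ApkRecord("sha256-3", "com.tzi.shy.v2"),              # renamed repackaging: evades
    ApkRecord("sha256-4", "COM.TZI.SHY"),                 # case differs: no hit
    ApkRecord("sha256-5", "com.example.notes"),           # unrelated app
]

if __name__ == "__main__":
    print("hits:", scan(SAMPLES))
    print("hits after allowlisting sha256-1:", scan(SAMPLES, excluded_sha256={"sha256-1"}))
```

Running it shows the two exact hits, the trivially renamed sample slipping through, and one hit disappearing once its hash is allowlisted, which is the only exclusion mechanism that makes sense for a package-name rule.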