chineseporn4

Hunt Hypothesis

The chineseporn4 rule detects potential malicious activity involving the download or execution of suspicious files associated with known malicious campaigns. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats that may evade traditional detection methods.

YARA Rule

rule chineseporn4 : SMSSend android
{
  meta:
		author = "https://twitter.com/plutec_net"
		reference = "https://koodous.com/"
	condition:
		androguard.activity(/com\.shenqi\.video\.Welcome/) or
		androguard.package_name("org.mygson.videoa.zw")
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

References

• https://koodous.com/
• Source Rule

False Positive Guidance

• Scenario: A system administrator is using Wireshark to analyze network traffic for a security audit and captures a packet containing the string “chineseporn4” as part of a legitimate protocol payload.
  Filter/Exclusion: Check for process.name == "wireshark" or process.name == "tcpdump" in the event log, or use a custom field to mark packets captured for analysis.

• Scenario: A scheduled backup job using Veeam Backup & Replication includes a file with the string “chineseporn4” in its backup data due to a misconfigured file or a corrupted archive.
  Filter/Exclusion: Exclude files or processes associated with backup tools like veeam.exe or check for process.name == "veeam" in the event context.

• Scenario: A Windows Update or Microsoft Endpoint Manager (MEM) task downloads a file containing the string “chineseporn4” as part of a legitimate update or patch.
  Filter/Exclusion: Filter by process.name == "wuauclt.exe" or process.name == "msiexec.exe", or check for parent_process.name == "taskeng.exe" indicating a scheduled task.

• Scenario: A log management tool such as Splunk or ELK Stack is parsing logs and includes the string “chineseporn4” in a log message as part of a test or placeholder text.
  Filter/Exclusion: Use a custom field to identify log messages from log management tools or filter by process.name == "splunkd" or process.name == "logstash".

• Scenario: A devops pipeline using Jenkins or GitLab CI/CD includes a test file or artifact with the string “chineseporn4” as part of a