The dropper rule detects potential malicious file execution behavior by identifying suspicious artifacts associated with known dropper indicators. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversary activity before it leads to deeper compromise.
YARA Rule
rule dropper : realshell android {
    meta:
        author = "https://twitter.com/plutec_net"
        reference = "https://koodous.com/"
        source = "https://blog.malwarebytes.org/mobile-2/2015/06/complex-method-of-obfuscation-found-in-dropper-realshell/"
    strings:
        // Run of libc and JNI export names joined with dots, as left in the dropper's payload
        $b = "Decrypt.malloc.memset.free.pluginSMS_encrypt.Java_com_skymobi_pay_common_util_LocalDataDecrpty_Encrypt.strcpy"
    condition:
        $b
}
This YARA rule can be deployed in the following contexts:
This rule contains a single string pattern ($b) in its detection logic; the rule fires whenever that string appears anywhere in the scanned file.
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task (e.g., schtasks.exe) is executed to clean up temporary files or update system settings.
Filter/Exclusion: Check for process.parent.name == "schtasks.exe" and process.name == "cmd.exe" with a command line containing known maintenance commands (e.g., del /q %temp%\*).
Scenario: Admin Performing Software Deployment
Description: An administrator uses a tool like PowerShell.exe or msiexec.exe to deploy software updates or patches.
Filter/Exclusion: Filter by process.name == "PowerShell.exe" or process.name == "msiexec.exe" and check for known deployment command-line patterns (e.g., the -File or -Package parameters).
Scenario: Log File Parsing or Analysis
Description: A security tool like LogParser.exe or an ELK stack component is parsing log files and temporarily creates or modifies files that match the YARA rule.
Filter/Exclusion: Check for process.name == "LogParser.exe" or process.name == "java.exe" (for ELK) and verify the file path matches known log directories (e.g., C:\Windows\System32\logfiles\).
Scenario: Antivirus or Endpoint Protection Scan
Description: A legitimate antivirus tool like Windows Defender or Malwarebytes performs a scan and temporarily creates or modifies files that match the YARA rule.
Filter/Exclusion: Filter by process.name == "MsMpEng.exe" or process.name == "mbam.exe" and check for known scan-related command lines (e.g., Scan or FullScan).
Scenario: User-Initiated File Cleanup
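The rule's single-string condition and the exclusion filters from the scenarios above, combined into a small triage routine; this is an added example, not code from the original page or from the rule's author. It assumes ECS-style field names as written on the page (process.parent.name, process.name, a process.command_line field and a file.path field), and the regexes and sample events are constructed.

```python
import re

# The single $b string from the YARA rule above, copied verbatim.
DROPPER_STRING = (b"Decrypt.malloc.memset.free.pluginSMS_encrypt."
                  b"Java_com_skymobi_pay_common_util_LocalDataDecrpty_Encrypt.strcpy")

# Exclusions from the scenarios above. Field names mirror the page's ECS-style
# fields; the regexes and the file.path field are this example's assumptions.
EXCLUSIONS = [
    {"parent": "schtasks.exe", "name": "cmd.exe", "cmd": r"del\s+/q\s+%temp%\\\*"},
    {"name": "PowerShell.exe", "cmd": r"(^|\s)-File\b"},
    {"name": "msiexec.exe", "cmd": r"(^|\s)-Package\b"},
    {"name": "LogParser.exe", "path": "C:\\Windows\\System32\\logfiles\\"},
    {"name": "java.exe", "path": "C:\\Windows\\System32\\logfiles\\"},
    {"name": "MsMpEng.exe", "cmd": r"\b(Scan|FullScan)\b"},
    {"name": "mbam.exe", "cmd": r"\b(Scan|FullScan)\b"},
]

def matches_dropper_rule(data: bytes) -> bool:
    """Pure-Python stand-in for the rule's condition: $b occurs anywhere in the buffer."""
    return DROPPER_STRING in data

def is_known_benign(event: dict) -> bool:
    """True when the event satisfies every field of at least one exclusion entry."""
    for ex in EXCLUSIONS:
        if ex["name"].lower() != event.get("process.name", "").lower():
            continue
        if "parent" in ex and ex["parent"].lower() != event.get("process.parent.name", "").lower():
            continue
        if "cmd" in ex and not re.search(ex["cmd"], event.get("process.command_line", ""), re.I):
            continue
        if "path" in ex and not event.get("file.path", "").lower().startswith(ex["path"].lower()):
            continue
        return True
    return False

def triage(event: dict, data: bytes) -> str:
    """Returns 'no-match', 'suppressed' (rule hit but a known-benign scenario) or 'alert'."""
    if not matches_dropper_rule(data):
        return "no-match"
    return "suppressed" if is_known_benign(event) else "alert"

# Constructed sample events and file content (not real telemetry or malware).
MAINTENANCE = {"process.parent.name": "schtasks.exe", "process.name": "cmd.exe",
               "process.command_line": "cmd.exe /c del /q %temp%\\*"}
UNKNOWN = {"process.parent.name": "explorer.exe", "process.name": "update.exe",
           "process.command_line": "update.exe --silent"}
SAMPLE_HIT = b"\x7fELF\x00\x00" + DROPPER_STRING + b"\x00padding"
```

A suppressed result should still be logged for audit; the filters only stop the alert from paging an analyst.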