The hypothesis is that the detection of mapin dropper files indicates an adversary is using a known malicious file to deliver additional payloads, potentially leading to further compromise. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage malware deployment attempts before they escalate.
YARA Rule
rule dropperMapin : android
{
    meta:
        author = "https://twitter.com/plutec_net"
        source = "https://koodous.com/"
        reference = "http://www.welivesecurity.com/2015/09/22/android-trojan-drops-in-despite-googles-bouncer/"
        description = "This rule detects mapin dropper files"
        sample = "7e97b234a5f169e41a2d6d35fadc786f26d35d7ca60ab646fff947a294138768"
        sample2 = "bfd13f624446a2ce8dec9006a16ae2737effbc4e79249fd3d8ea2dc1ec809f1a"

    strings:
        $a = ":Write APK file (from txt in assets) to SDCard sucessfully!"
        $b = "4Write APK (from Txt in assets) file to SDCard Fail!"
        $c = "device_admin"

    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
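As an added illustration (not part of the original page or the rule author's code), the following Python emulates the rule's three strings and its "all of them" condition, then applies that logic to a constructed stand-in APK. It shows a practical caveat: the strings live in classes.dex, which is DEFLATE-compressed inside the APK, so a scanner handed the raw archive will not see them until the member is extracted. The sample archive and its contents are constructed here, not taken from the referenced samples.

```python
import io
import zipfile

# The three string patterns of the dropperMapin rule, as raw bytes.
MAPIN_STRINGS = {
    "$a": b":Write APK file (from txt in assets) to SDCard sucessfully!",
    "$b": b"4Write APK (from Txt in assets) file to SDCard Fail!",
    "$c": b"device_admin",
}

def matched_strings(data: bytes) -> list:
    """Return the identifiers of the rule's strings present in data."""
    return [name for name, pat in MAPIN_STRINGS.items() if pat in data]

def rule_matches(data: bytes) -> bool:
    """Emulate the rule's condition: 'all of them' must be present."""
    return len(matched_strings(data)) == len(MAPIN_STRINGS)

def scan_apk(apk_bytes: bytes) -> dict:
    """Apply the rule to the raw APK bytes and to each inflated zip member.
    A scanner only sees the bytes it is handed: the DEX inside an APK is
    normally DEFLATE-compressed, so the plaintext strings are only visible
    once classes.dex is extracted (YARA does not unpack archives itself)."""
    results = {"<raw apk>": rule_matches(apk_bytes)}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            results[info.filename] = rule_matches(zf.read(info))
    return results

def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK (not a real sample): a zip whose
    classes.dex holds the DEX magic plus the three strings, no bytecode."""
    dex = b"dex\n035\x00" + b"\x00" * 32
    dex += b"\x00".join(MAPIN_STRINGS.values()) + b"\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", dex)
    return buf.getvalue()

if __name__ == "__main__":
    for name, hit in scan_apk(build_sample_apk()).items():
        print(f"{name}: {'MATCH' if hit else 'no match'}")
```

When hunting with this rule, scan extracted APK contents (or a DEX-aware pipeline) rather than the packaged archive, and treat a partial hit on `$c` alone as uninteresting, since `device_admin` is common in benign apps and the rule requires all three strings.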
Scenario: A system administrator is using PowerShell to deploy a legitimate script that includes the string “mapin” in the script name for internal documentation purposes.
Filter/Exclusion: Exclude processes initiated by the Administrators group or filter by Process.User = “Administrator” or Process.Owner = “Administrator”.
Scenario: A scheduled job runs a PowerShell script that uses the term “mapin” in a variable name as part of a naming convention for log files.
Filter/Exclusion: Exclude processes with Process.CommandLine containing “log” or “file” or filter by Process.Name = “schtasks” or Process.Name = “powershell.exe” with specific command-line arguments.
Scenario: A third-party tool such as Microsoft Baseline Security Analyzer (MBSA) or Windows Defender generates a temporary file with the name “mapin.exe” during a scan or update process.
Filter/Exclusion: Exclude files with File.Name = “mapin.exe” and File.Path containing “Windows” or “System32” or File.Path containing “Temp” or “TempFolder”.
Scenario: A software update or patching tool such as Microsoft Update or WSUS creates a temporary file named “mapin.exe” during installation.
Filter/Exclusion: Exclude processes with Process.Name = “msiexec.exe” or Process.Name = “wusa.exe” or Process.Name = “setup.exe” or Process.Name = “msiexec” and filter by Process.CommandLine containing “install” or “update”.
Scenario: A custom script written by a developer uses the term “mapin” in a function or variable name as part of