The jagonca rule is written for YARA's androguard module: it matches Android samples whose code contains a URL on either of two domains tied to the jagonca family (see the condition below), a lightweight indicator that can surface samples whose obfuscation or packing defeats signature-based detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats that may bypass traditional signature-based detection.
YARA Rule
import "androguard"

rule jagonca: amtrckr
{
    meta:
        family = "jagonca"
    condition:
        androguard.url(/abra-k0dabra\.com/) or
        androguard.url(/heibe-titten\.com/)
}
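The condition above is evaluated by the androguard module against the URLs it decodes from a sample's DEX string table. The following added example (not from the page or the rule's author) approximates that check offline so an analyst can triage an APK without the module: it opens the APK as a zip, scans every classes*.dex entry for http(s) URL literals, and applies the rule's two regexes. The sample APK is constructed in memory; the assumption is that scanning raw DEX bytes for URL literals is close enough to the module's string extraction for triage purposes.

```python
import io
import re
import zipfile

# The two regexes from the jagonca rule's androguard.url() conditions.
JAGONCA_URL_PATTERNS = [
    re.compile(rb"abra-k0dabra\.com"),
    re.compile(rb"heibe-titten\.com"),
]

# Generic http(s) URL literal; stops at NUL, which terminates DEX strings.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def extract_urls(apk_bytes: bytes) -> list:
    """Return every http(s) URL literal found in the APK's classes*.dex entries.

    Approximation (assumption): androguard decodes the DEX string table; here we
    regex-scan the raw bytes, which catches plain URL literals but not strings
    assembled at runtime."""
    urls = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                urls.extend(URL_RE.findall(zf.read(name)))
    return urls


def matches_jagonca(apk_bytes: bytes) -> bool:
    """Emulate the rule: true if any extracted URL matches one of the patterns."""
    return any(p.search(u) for u in extract_urls(apk_bytes)
               for p in JAGONCA_URL_PATTERNS)


def build_fake_apk(dex_strings: list) -> bytes:
    """Constructed sample: a zip with a classes.dex whose body holds the given
    NUL-separated strings. Not a real, loadable DEX; enough for the scan above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00".join(dex_strings))
    return buf.getvalue()


# Constructed inputs: one sample referencing a jagonca domain, one benign.
SUSPECT_APK = build_fake_apk([b"http://abra-k0dabra.com/gate.php", b"ok"])
BENIGN_APK = build_fake_apk([b"https://example.com/api", b"ok"])

if __name__ == "__main__":
    for label, apk in (("suspect", SUSPECT_APK), ("benign", BENIGN_APK)):
        print(label, extract_urls(apk), "jagonca match:", matches_jagonca(apk))
```

Because the check keys on a hard-coded domain, it is cheap to run over a whole APK corpus but also easy for the family to sidestep by rotating domains; treat a hit as a high-confidence indicator and a miss as no information.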
When alerts built on this rule are tuned, the following benign scenarios and their matching exclusions can be applied (parentheses make the intended operator precedence explicit; field names are normalised to process.*):
Scenario: Scheduled system maintenance using task scheduler
Filter/Exclusion: process.parent_process == "C:\Windows\System32\taskhost.exe" and process.name == "schtasks.exe"
Scenario: Regular log file rotation performed by logrotate (Linux) or Windows Event Log Management
Filter/Exclusion: process.name == "logrotate" or (process.name == "wevtutil.exe" and process.command_line contains "rotate")
Scenario: Admin performing a disk cleanup or defragmentation via Disk Cleanup or Defragment and Optimize Drives tool
Filter/Exclusion: process.name == "cleanmgr.exe" or process.name == "dfrg.msc"
Scenario: Software update installation using Windows Update or Chocolatey package manager
Filter/Exclusion: process.name == "wuauclt.exe" or (process.name == "choco.exe" and process.command_line contains "install")
Scenario: Database backup job executed by SQL Server Agent or pg_dump (PostgreSQL)
Filter/Exclusion: process.name == "sqlservr.exe" or (process.name == "pg_dump.exe" and process.command_line contains "backup")
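Exclusions that mix `or` and `and` without parentheses are a common tuning mistake: `and` binds tighter, so in the database-backup filter the "backup" keyword only constrains pg_dump.exe and every sqlservr.exe event is silently excluded. The added example below (not from the page) evaluates both readings of that filter against constructed process events and reports the events on which they disagree, which is the check to run before committing an exclusion.

```python
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation event with the two fields the filters use."""
    name: str
    command_line: str


def excluded_as_written(ev: ProcEvent) -> bool:
    """Literal precedence of the page's filter:
    name == sqlservr.exe or (name == pg_dump.exe and cmdline contains backup).
    The keyword check never applies to sqlservr.exe."""
    return ev.name == "sqlservr.exe" or (
        ev.name == "pg_dump.exe" and "backup" in ev.command_line
    )


def excluded_grouped(ev: ProcEvent) -> bool:
    """Alternative grouping: the keyword is required for both process names."""
    return ev.name in ("sqlservr.exe", "pg_dump.exe") and "backup" in ev.command_line


def diverging_events(events) -> list:
    """Names of events where the two readings of the exclusion disagree."""
    return [ev.name for ev in events
            if excluded_as_written(ev) != excluded_grouped(ev)]


# Constructed sample events; the first one is a database server simply running.
SAMPLE_EVENTS = [
    ProcEvent("sqlservr.exe", "sqlservr.exe -sMSSQLSERVER"),
    ProcEvent("pg_dump.exe", "pg_dump.exe --file backup.sql mydb"),
    ProcEvent("pg_dump.exe", "pg_dump.exe --schema-only mydb"),
    ProcEvent("cmd.exe", "cmd.exe /c whoami"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.name:14} as_written={excluded_as_written(ev)!s:5} "
              f"grouped={excluded_grouped(ev)}")
    print("disagree on:", diverging_events(SAMPLE_EVENTS))
```

Running it shows that a long-lived sqlservr.exe process is excluded under the literal reading whether or not a backup is in progress; decide explicitly which behaviour you want and write the parentheses accordingly.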