The hypothesis is that the detection identifies potential Mapin Trojan activity, which may indicate lateral movement or data exfiltration by an adversary. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate persistent threats that may not be detected by traditional dropper-based indicators.
YARA Rule
rule Mapin : android
{
    meta:
        author = "https://twitter.com/plutec_net"
        source = "https://koodous.com/"
        reference = "http://www.welivesecurity.com/2015/09/22/android-trojan-drops-in-despite-googles-bouncer/"
        description = "Mapin trojan, not for droppers"
        sample = "7f208d0acee62712f3fa04b0c2744c671b3a49781959aaf6f72c2c6672d53776"
    strings:
        $a = "138675150963" //GCM id
        $b = "res/xml/device_admin.xml"
        $c = "Device registered: regId ="
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
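To show how the three strings and the `all of them` condition combine, here is an added Python example (not code from the page or from the rule's author) that parses the rule's `strings:` and `condition:` sections and evaluates them against a byte buffer, so a buffer carrying only two of the three indicators does not fire. The parser assumes plain text strings and an "N of them" condition, and the two input buffers are constructed stand-ins, not real samples.

```python
import re

# The page's rule, with strings and condition copied verbatim (meta omitted for brevity).
MAPIN_RULE = r'''
rule Mapin : android
{
    strings:
        $a = "138675150963" //GCM id
        $b = "res/xml/device_admin.xml"
        $c = "Device registered: regId ="
    condition:
        all of them
}
'''

STRING_RE = re.compile(r'^\s*(\$\w+)\s*=\s*"((?:[^"\\]|\\.)*)"')
COND_RE = re.compile(r'^\s*(all|any|\d+)\s+of\s+them\s*$')

def parse_rule(text):
    """Return ({name: pattern bytes}, condition) for a rule using text strings and 'N of them'."""
    strings, condition, section = {}, None, None
    for line in text.splitlines():
        head = line.strip()
        if head in ('meta:', 'strings:', 'condition:'):
            section = head[:-1]
        elif section == 'strings':
            m = STRING_RE.match(line)  # a trailing "//" comment such as "//GCM id" is not captured
            if m:
                # Decode YARA text-string escapes (\", \\, \n, \t, \xNN) into raw bytes; assumes ASCII/latin-1 patterns.
                strings[m.group(1)] = m.group(2).encode('latin-1').decode('unicode_escape').encode('latin-1')
        elif section == 'condition':
            m = COND_RE.match(line.split('//', 1)[0])
            if m:
                condition = m.group(1)
    return strings, condition

def scan(rule_text, data):
    """Evaluate the rule against a byte buffer; returns (matched, sorted names of strings found)."""
    strings, condition = parse_rule(rule_text)
    hits = sorted(name for name, pat in strings.items() if pat in data)
    needed = len(strings) if condition == 'all' else 1 if condition == 'any' else int(condition)
    return len(hits) >= needed, hits

# Constructed buffers standing in for decoded APK contents (not real samples).
FULL_PAYLOAD = (b'...res/xml/device_admin.xml...'
                b'Device registered: regId = 138675150963 ...')
DROPPER_ONLY = b'...res/xml/device_admin.xml... 138675150963 ...'
```

`scan(MAPIN_RULE, FULL_PAYLOAD)` returns a match with all three names, while `scan(MAPIN_RULE, DROPPER_ONLY)` finds only `$a` and `$b` and therefore does not match, which is the behaviour the description "not for droppers" relies on.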
Scenario: A system administrator is using PowerShell to automate the deployment of a legitimate application that includes a script with the word “Mapin” in its name.
Filter/Exclusion: Exclude processes where the command line contains powershell.exe and the script path is within a known admin tool directory (e.g., C:\Windows\System32\ or C:\Program Files\).
Scenario: A scheduled job runs Task Scheduler to execute a script that is part of a regular maintenance task, and the script name contains “Mapin” due to a naming convention.
Filter/Exclusion: Exclude tasks that are scheduled via Task Scheduler and have a known legitimate script path or are associated with a trusted service account.
Scenario: A developer is using Visual Studio to debug a script that includes the term “Mapin” in a comment or variable name.
Filter/Exclusion: Exclude processes initiated from Visual Studio or where the parent process is a known IDE (e.g., devenv.exe) and the script is located in a development directory.
Scenario: A backup tool like Veeam or Commvault runs a script that contains the word “Mapin” in a log file or temporary file during a backup operation.
Filter/Exclusion: Exclude processes where the parent process is a known backup tool (e.g., veeam.exe, cvbackup.exe) or where the file path includes a backup directory.
Scenario: A system update or patching tool like Windows Update or Chocolatey executes a script that includes the term “Mapin” in a temporary file during installation.
Filter/Exclusion: Exclude processes where the parent process is a known update or package manager (e.g., wuauclt.exe, choco.exe) or