The “pornlocker” rule detects potential adversary activity involving malicious payloads or scripts associated with known ransomware or malware families, which are often used in targeted attacks. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats that could lead to data encryption or system compromise.
YARA Rule

rule pornlocker: amtrckr
{
    meta:
        family = "pornlocker"
    condition:
        androguard.url(/playmarketcheck\.com/) or
        androguard.url(/pornigy\.biz/)
}
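As an added example (not part of the original rule page), the Python below emulates the rule's condition outside YARA: the androguard module evaluates androguard.url(/.../) as an unanchored regex search over the URL strings extracted from an Android APK, so this is what the rule actually tests. The URL extraction is a simplified stand-in for androguard's, the sample blobs are constructed, and the host-anchored variant is an assumed tightening a defender might apply, not something the rule itself does.

```python
import re
from urllib.parse import urlparse

# Regexes copied verbatim from the rule's condition. androguard.url(/.../) runs an
# unanchored regex search over each URL string androguard extracts from the APK.
PORNLOCKER_URL_PATTERNS = [re.compile(r"playmarketcheck\.com"), re.compile(r"pornigy\.biz")]
PORNLOCKER_DOMAINS = ("playmarketcheck.com", "pornigy.biz")

# Simplified stand-in for androguard's URL extraction (assumption, not androguard's code):
# any http(s) URL made of printable ASCII inside the raw DEX/APK bytes.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")

def extract_urls(blob: bytes) -> list[str]:
    """Return every http(s) URL-looking string found in the raw bytes."""
    return [m.group(0).decode("ascii") for m in URL_RE.finditer(blob)]

def pornlocker_matches(urls: list[str]) -> list[str]:
    """Emulate the rule as written: URLs where any pattern matches anywhere."""
    return [u for u in urls if any(p.search(u) for p in PORNLOCKER_URL_PATTERNS)]

def pornlocker_matches_strict(urls: list[str]) -> list[str]:
    """Host-anchored variant (assumed tightening): fires only when the URL's host is
    the domain or a subdomain of it, so lookalike hosts containing the string do not."""
    hits = []
    for u in urls:
        host = (urlparse(u).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in PORNLOCKER_DOMAINS):
            hits.append(u)
    return hits

def scan_blob(blob: bytes) -> dict:
    """Run both variants over a blob and report the verdict the rule would give."""
    urls = extract_urls(blob)
    hits = pornlocker_matches(urls)
    return {"family": "pornlocker" if hits else None, "urls": urls,
            "hits": hits, "strict_hits": pornlocker_matches_strict(urls)}

# Constructed sample blobs (fake DEX string-table fragments, not real samples).
MALICIOUS_BLOB = (b"\x00Lcom/example/App;\x00http://playmarketcheck.com/check.php\x00"
                  b"https://cdn.pornigy.biz/payload.bin\x00")
BENIGN_BLOB = b"\x00Lcom/example/Benign;\x00https://download.example.com/update.apk\x00"
# Edge case: the rule's regex is unanchored, so a lookalike host also triggers it.
LOOKALIKE_BLOB = b"https://notplaymarketcheck.com/index.html\x00"

if __name__ == "__main__":
    for name, blob in (("malicious", MALICIOUS_BLOB), ("benign", BENIGN_BLOB),
                       ("lookalike", LOOKALIKE_BLOB)):
        print(name, scan_blob(blob))
```

The lookalike case is the caveat to keep in mind when triaging hits: the rule as written fires on any URL containing the domain string, so a hit should be confirmed against the actual host before escalation.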
This YARA rule can be deployed in the following contexts:
Scenario: Scheduled backup job using rsync with temporary files
Description: A legitimate backup process may generate temporary files with names similar to malicious payloads.
Filter/Exclusion: Exclude processes associated with rsync or backup tools like borgbackup, or filter by file paths in known backup directories (e.g., /backup/, /var/backups/).

Scenario: System update using apt or yum with temporary package files
Description: Package managers may create temporary files during updates that could match the YARA rule.
Filter/Exclusion: Exclude processes related to package managers (apt, yum, dnf) or filter by file paths in /tmp/, /var/cache/apt/, or /var/cache/yum/.

Scenario: Admin task using wget or curl to download legitimate software
Description: System administrators may use wget or curl to download software from trusted sources, which may result in files matching the rule.
Filter/Exclusion: Exclude processes initiated by admin users or filter by known trusted domains (e.g., download.example.com, software.example.org).

Scenario: Log file parsing using logrotate or rsyslog
Description: Log rotation tools may generate temporary files that could trigger the rule.
Filter/Exclusion: Exclude processes related to log management tools (logrotate, rsyslog, syslog-ng) or filter by file paths in /var/log/ or /etc/logrotate.d/.

Scenario: Development environment using docker or k8s with temporary containers
Description: Docker or Kubernetes may create temporary files or containers that match the YARA rule.
Filter/Exclusion: Exclude processes related to container orchestration tools