The Trojan_Droidjack rule flags Android application packages (APKs) whose manifest declares the package name net.droidjack.server, or an activity whose name contains that string: the namespace used by the victim-side APK of the DroidJack remote access trojan (RAT terminology calls the implant the "server"). A match therefore means the scanned file is a DroidJack build, not that command and control traffic was observed; network-level detection needs a separate rule. Because the condition uses the androguard YARA module, the rule runs over APK files (collected from an MDM, a mail gateway, an app store mirror or a device image), not over memory or packet captures. SOC teams can forward its hits to their SIEM, such as Azure Sentinel, to identify compromised endpoints and pivot to the device, user and install source.
YARA Rule
rule Trojan_Droidjack
{
    meta:
        author = "https://twitter.com/SadFud75"
    condition:
        androguard.package_name("net.droidjack.server") or androguard.activity(/net.droidjack.server/i)
}
Two properties of the condition matter for tuning. androguard.package_name() is an exact, case-sensitive comparison, while the activity regex is case-insensitive, unanchored and written with unescaped dots, so each dot matches any single character and the pattern also fires on activity names such as net-droidjack-server.Foo. Conversely, a repackaged build that renames both the package and its activities evades the rule entirely, so it should be paired with content-based signatures for DroidJack's code and strings. Since the rule inspects only the APK's manifest, it is never triggered by the tooling or processes that handle an APK; exclusions belong at the file level (signer certificate fingerprint, hash or source), not at the process level. The rule is commonly deployed in the following contexts:
Scenario: Legitimate Android Debug Bridge (ADB) Usage
Description: A system administrator uses ADB to debug or manage Android devices in a development environment.
Filter/Exclusion: ADB, fastboot and Android Studio never match the rule themselves; only the APK being pushed can. If development builds are scanned, allowlist them by signing certificate fingerprint or SHA-256 of the file rather than by the process that installed them.
Scenario: Scheduled Job for Device Management
Description: A scheduled job runs to push configuration updates to Android devices using a legitimate device management tool like MobileIron or Microsoft Intune.
Filter/Exclusion: Scan the APKs at the point where they are uploaded to the management platform and allowlist them by signer fingerprint; the MobileIron or Intune agents and their processes are irrelevant to a manifest-based rule, and a configuration push that carries a matching APK is exactly the case to investigate.
Scenario: Admin Task – Pushing APKs for Internal Use
Description: A system admin pushes a custom APK to a fleet of Android devices for internal use (e.g., a company-specific app).
Filter/Exclusion: Allowlist APKs signed with the internal release certificate, verifying the signature rather than only the certificate subject. Do not exclude by installer (adb install or pm install); an attacker sideloads through the same path.
Scenario: Security Tool for Android Forensics
Description: A security analyst uses a forensics tool such as Cellebrite to extract applications from Android devices for incident response.
Filter/Exclusion: Do not suppress matches here: a hit on an APK extracted during IR is precisely the finding the rule exists for. Exclude only the forensic tool's own agent APKs, identified by their signer fingerprint, so that scanning a full extraction does not produce tool-related noise.
Scenario: Legitimate Android Emulator Usage
Description: A developer uses an Android emulator (e.g., Genymotion, Android Studio Emulator) for testing applications.
Filter/Exclusion: Emulator images and tooling are not input to this rule; scan the APKs installed in the emulator as on a physical device and allowlist test builds by signer fingerprint or hash. Analysts also detonate DroidJack samples in emulators deliberately, so matches from analysis hosts should be routed to the malware analysis queue rather than silenced.
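To show concretely how the rule's condition behaves and how the file-level exclusions described in the scenarios above fit around it, here is an added Python re-implementation of the same logic (not code from the page or from the rule's author). It applies the rule to constructed AndroidManifest.xml snippets and then a signer-fingerprint allowlist. The manifest strings, fingerprints and allowlist are constructed for the example; in production the androguard module supplies package and activity names from the decoded binary manifest, and the signer fingerprint comes from the APK signature block.

```python
"""Re-implementation of the Trojan_Droidjack condition over manifest XML.

Added example, not the rule author's code. Assumes manifests arrive as
decoded XML text (e.g. from apktool); sample manifests and signer
fingerprints below are constructed, not taken from real samples.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
DROIDJACK_PACKAGE = "net.droidjack.server"
# Mirrors androguard.activity(/net.droidjack.server/i): dots are unescaped,
# so each matches any character; the search is case-insensitive and unanchored.
DROIDJACK_ACTIVITY_RE = re.compile(r"net.droidjack.server", re.IGNORECASE)


def parse_manifest(xml_text):
    """Return (package_name, [fully qualified activity names])."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    activities = []
    for act in root.iter("activity"):
        name = act.get(ANDROID_NS + "name", "")
        if name.startswith("."):          # ".Main" is relative to the package
            name = package + name
        elif "." not in name:             # bare class name, also relative
            name = package + "." + name
        activities.append(name)
    return package, activities


def matches_droidjack_rule(xml_text):
    """True when the manifest satisfies the YARA rule's condition."""
    package, activities = parse_manifest(xml_text)
    if package == DROIDJACK_PACKAGE:      # package_name(): exact comparison
        return True
    return any(DROIDJACK_ACTIVITY_RE.search(a) for a in activities)


def classify(xml_text, signer_sha256, trusted_signers):
    """Rule verdict followed by the file-level signer allowlist."""
    if not matches_droidjack_rule(xml_text):
        return "clean"
    if signer_sha256.lower() in trusted_signers:
        return "suppressed: trusted signer"
    return "alert: Trojan_Droidjack"


def manifest(package, activities):
    """Build a minimal constructed manifest for the samples below."""
    acts = "".join(f'<activity android:name="{a}"/>' for a in activities)
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}"><application>{acts}</application></manifest>')


# Constructed samples (hypothetical package and activity names).
DROIDJACK = manifest("net.droidjack.server", [".MainActivity"])
HIDDEN_ACTIVITY = manifest("com.example.updater", ["net.droidjack.server.Controller"])
REBRANDED = manifest("com.example.updater", [".Controller"])      # evades the rule
DOT_WILDCARD = manifest("com.x", ["netXdroidjackXserver.A"])       # unescaped dots
BENIGN = manifest("com.corp.inventory", [".MainActivity"])

# Hypothetical SHA-256 fingerprint of an internal release certificate.
INTERNAL_SIGNER = "aa" * 32

if __name__ == "__main__":
    for label, xml_text in [("droidjack", DROIDJACK), ("hidden", HIDDEN_ACTIVITY),
                            ("rebranded", REBRANDED), ("dotwild", DOT_WILDCARD),
                            ("benign", BENIGN)]:
        print(label, classify(xml_text, "bb" * 32, {INTERNAL_SIGNER}))
```

The REBRANDED sample shows the blind spot noted above: renaming the package and activities defeats a name-only condition, which is why a production ruleset pairs this rule with signatures on DroidJack's code. The DOT_WILDCARD sample shows the opposite edge: the unescaped dots make the regex looser than the author likely intended, which is harmless for a rare string but worth knowing when copying the pattern into other rules.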