This detection identifies potential MiniDionis malware activity through the execution of suspicious files such as readerView.exe or adobe.exe, file names the malware commonly uses for the component that exfiltrates data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises that may evade traditional detection methods.
YARA Rule
rule MiniDionis_readerView
{
    meta:
        description = "MiniDionis Malware - file readerView.exe / adobe.exe"
        author = "Florian Roth"
        reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950"
        date = "2015-07-20"
        /* Original Hash */
        hash1 = "ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145"
        /* Derived Samples */
        hash2 = "a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004"
        hash3 = "88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f"
        hash4 = "97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7"
        hash5 = "ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46"
        hash6 = "56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e"
    strings:
        $s1 = "%ws_out%ws" fullword wide /* score: '8.00' */
        $s2 = "dnlibsh" fullword ascii /* score: '7.00' */
        $op0 = { 0f b6 80 68 0e 41 00 0b c8 c1 e1 08 0f b6 c2 8b } /* Opcode */
        $op1 = { 8b ce e8 f8 01 00 00 85 c0 74 41 83 7d f8 00 0f } /* Opcode */
        $op2 = { e8 2f a2 ff ff 83 20 00 83 c8 ff 5f 5e 5d c3 55 } /* Opcode */
    condition:
        uint16(0) == 0x5a4d and filesize < 500KB and all of ($s*) and 1 of ($op*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic: two text strings ($s1, $s2), both of which must be present, and three opcode sequences ($op0 to $op2), of which at least one must match. The condition also requires an MZ header (uint16(0) == 0x5a4d) and a file size below 500KB.
Scenario: A system administrator is using Adobe Acrobat Reader (adobe.exe) to open and review PDF documents as part of a routine compliance check.
Filter/Exclusion: Check whether the process is Adobe Acrobat Reader, or apply a filter such as process.name != "adobe.exe" only when the file runs from a known trusted location (e.g., C:\Program Files\Adobe\).

Scenario: A scheduled job runs readerView.exe to generate reports from a legacy application that uses this tool for data extraction.
Filter/Exclusion: Exclude processes that originate from a known scheduled task or service, e.g., task.name = "LegacyReportGenerator" or process.parent.name = "TaskScheduler".

Scenario: A developer is using the Adobe AIR runtime (adobe.exe) to run a local application for testing purposes.
Filter/Exclusion: Filter out processes running from a development directory (e.g., process.cwd contains "C:\Dev\AdobeAIR"), or apply a filter such as process.name != "adobe.exe" only when the process is started from a specific user profile.

Scenario: A system update or patching tool temporarily executes readerView.exe as part of a deployment process.
Filter/Exclusion: Exclude processes started by a known patching or update tool, such as process.parent.name = "WindowsUpdate" or process.parent.name = "PatchManager".

Scenario: A user is running a legitimate third-party application that includes adobe.exe as part of its runtime environment.
Filter/Exclusion: Use a filter based on the file path, such as file.path != "C:\Program Files\Adobe\...", or check that the binary in the process context carries a known legitimate code signature.
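As an added illustration (not part of the original rule or page), the Python below re-implements the rule's condition clause by clause so that the MZ check, YARA's KB unit, the "wide" (UTF-16LE) encoding of $s1 and the "fullword" boundary test can be seen on constructed bytes, and then layers the trusted-path exclusion from the scenarios above on top of the content match. The sample byte strings, TRUSTED_DIRS, matches_rule and triage are all constructed for this example; in production the compiled rule is evaluated by YARA itself.

```python
import re

# Strings and opcode fragments copied from the MiniDionis_readerView rule above.
S1_WIDE = "%ws_out%ws".encode("utf-16-le")   # $s1 ... wide: stored as UTF-16LE on disk
S2_ASCII = b"dnlibsh"                          # $s2 ... ascii
OPCODES = [                                    # $op0..$op2; bytes.fromhex() skips the spaces
    bytes.fromhex("0f b6 80 68 0e 41 00 0b c8 c1 e1 08 0f b6 c2 8b"),
    bytes.fromhex("8b ce e8 f8 01 00 00 85 c0 74 41 83 7d f8 00 0f"),
    bytes.fromhex("e8 2f a2 ff ff 83 20 00 83 c8 ff 5f 5e 5d c3 55"),
]
# 'fullword': the match may not touch an alphanumeric character on either side.
# For a wide string that neighbour is a UTF-16LE unit, i.e. a letter followed by 0x00.
ALNUM = rb"[A-Za-z0-9]"
S1_RE = re.compile(rb"(?<!" + ALNUM + rb"\x00)" + re.escape(S1_WIDE) + rb"(?!" + ALNUM + rb"\x00)")
S2_RE = re.compile(rb"(?<!" + ALNUM + rb")" + re.escape(S2_ASCII) + rb"(?!" + ALNUM + rb")")


def matches_rule(data: bytes) -> bool:
    """Evaluate the rule's condition clause by clause over a file's raw bytes."""
    if data[:2] != b"MZ":          # uint16(0) == 0x5a4d: little-endian, so bytes 4d 5a = "MZ"
        return False
    if len(data) >= 500 * 1024:    # filesize < 500KB (YARA's KB is 1024 bytes)
        return False
    if not (S1_RE.search(data) and S2_RE.search(data)):   # all of ($s*)
        return False
    return any(op in data for op in OPCODES)               # 1 of ($op*)


TRUSTED_DIRS = ("C:\\Program Files\\Adobe\\",)   # trusted location named in the scenarios above


def triage(image_path: str, data: bytes, trusted_dirs=TRUSTED_DIRS) -> str:
    """Combine the content match with the path-based exclusion from the scenarios above."""
    if not matches_rule(data):
        return "no_match"
    if any(image_path.lower().startswith(d.lower()) for d in trusted_dirs):
        return "match_in_trusted_path"   # suppressed from alerting, but keep it logged
    return "alert"


# Constructed sample bytes (not real malware): a stub that satisfies every clause ...
SAMPLE_HIT = (b"MZ" + b"\x00" * 62 + S1_WIDE + b"\x00\x00" + S2_ASCII + b"\x00"
              + OPCODES[2] + b"\x00" * 16)
# ... and the same bytes with $s2 glued to a letter, which 'fullword' must reject.
SAMPLE_NOT_FULLWORD = SAMPLE_HIT.replace(b"\x00" + S2_ASCII, b"x" + S2_ASCII)

if __name__ == "__main__":
    print(matches_rule(SAMPLE_HIT), matches_rule(SAMPLE_NOT_FULLWORD))   # True False
    print(triage("C:\\Users\\bob\\readerView.exe", SAMPLE_HIT))          # alert
```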