The hypothesis suggests that the detected behavior may indicate an adversary leveraging mobile components or potential lateral movement through unknown or custom tools, possibly related to the Perkele framework. SOC teams should proactively hunt for this behavior to identify early-stage compromise or unknown threat actors operating within their Azure Sentinel environment.
YARA Rule
rule qadars : banker
{
    meta:
        author = "Jean-Philippe Teissier / @Jipe_"
        description = "Qadars - Mobile part. Maybe Perkele."
        version = "1.0"
        filetype = "memory"
        ref1 = "http://www.lexsi-leblog.fr/cert/qadars-nouveau-malware-bancaire-composant-mobile.html"

    strings:
        // Bot command tokens; "?" is a literal character in a YARA text string
        $cmd1 = "m?D"
        $cmd2 = "m?S"
        $cmd3 = "ALL"
        $cmd4 = "FILTER"
        $cmd5 = "NONE"
        $cmd6 = "KILL"
        $cmd7 = "CANCEL"
        $cmd8 = "SMS"
        $cmd9 = "DIVERT"
        $cmd10 = "MESS"
        $nofilter = "nofilter1111111"
        $botherderphonenumber1 = "+380678409210"

    condition:
        all of ($cmd*) or $nofilter or any of ($botherderphonenumber*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 12 string patterns in its detection logic.
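To make the rule's condition concrete, the following Python re-implements its matching logic so the three branches (all ten command tokens, the nofilter token, or a bot-herder number) can be inspected offline without yara-python. This is an added example, not code from the rule's author; the three sample buffers are constructed here and are not real memory captures. It illustrates why the short generic tokens only count when all ten co-occur: a benign buffer typically contains several of them, but not the full set.

```python
"""Pure-Python evaluation of the qadars YARA rule condition (added example)."""

from typing import Dict, List

# String definitions copied from the rule. In a YARA text string "?" is a
# literal question mark (wildcards only exist in hex strings), so $cmd1 and
# $cmd2 match the exact bytes "m?D" and "m?S".
CMD_STRINGS: Dict[str, bytes] = {
    "$cmd1": b"m?D",
    "$cmd2": b"m?S",
    "$cmd3": b"ALL",
    "$cmd4": b"FILTER",
    "$cmd5": b"NONE",
    "$cmd6": b"KILL",
    "$cmd7": b"CANCEL",
    "$cmd8": b"SMS",
    "$cmd9": b"DIVERT",
    "$cmd10": b"MESS",
}
NOFILTER: bytes = b"nofilter1111111"
BOTHERDER_NUMBERS: Dict[str, bytes] = {"$botherderphonenumber1": b"+380678409210"}


def find_matches(buf: bytes) -> Dict[str, List[int]]:
    """Return the offsets of every rule string present in buf.

    Matching is case-sensitive and byte-exact, like a YARA text string
    without the nocase/wide modifiers.
    """
    patterns = {**CMD_STRINGS, "$nofilter": NOFILTER, **BOTHERDER_NUMBERS}
    matches: Dict[str, List[int]] = {}
    for name, pat in patterns.items():
        offsets: List[int] = []
        pos = buf.find(pat)
        while pos != -1:
            offsets.append(pos)
            pos = buf.find(pat, pos + 1)
        if offsets:
            matches[name] = offsets
    return matches


def evaluate(buf: bytes) -> dict:
    """Evaluate: all of ($cmd*) or $nofilter or any of ($botherderphonenumber*)."""
    found = find_matches(buf)
    all_cmds = all(name in found for name in CMD_STRINGS)
    nofilter = "$nofilter" in found
    any_number = any(name in found for name in BOTHERDER_NUMBERS)
    return {
        "matched": all_cmds or nofilter or any_number,
        "branches": {
            "all_of_cmd": all_cmds,
            "nofilter": nofilter,
            "any_botherder_number": any_number,
        },
        "strings": sorted(found),
    }


# Constructed sample buffers (not real memory dumps).
# 1. All ten command tokens present, NUL-separated as they might sit in memory.
SAMPLE_ALL_CMDS = b"\x00" * 16 + b"".join(s + b"\x00" for s in CMD_STRINGS.values()) + b"\x00" * 16
# 2. Only the high-confidence nofilter token.
SAMPLE_NOFILTER = b"config=nofilter1111111;\n"
# 3. Benign text containing five of the generic tokens but not the full set:
#    individually these words are common, which is why the rule needs all ten.
SAMPLE_BENIGN = b"Select ALL messages, then send SMS or CANCEL. NONE selected. KILL task."


if __name__ == "__main__":
    for label, sample in (("all_cmds", SAMPLE_ALL_CMDS),
                          ("nofilter", SAMPLE_NOFILTER),
                          ("benign", SAMPLE_BENIGN)):
        result = evaluate(sample)
        print(f"{label:9s} matched={result['matched']} "
              f"branches={result['branches']} strings={result['strings']}")
```

Running it shows the benign buffer hitting $cmd3, $cmd5, $cmd6, $cmd7 and $cmd8 without triggering the rule, while the nofilter buffer fires on a single string; when tuning, treat $nofilter and $botherderphonenumber1 hits as the high-signal branches and an all-of-$cmd hit as worth a closer look at the process before escalating.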
Scenario: A system administrator is using PowerShell to run a scheduled job that updates mobile device configurations via Microsoft Intune.
Filter/Exclusion: Exclude events where the process name is powershell.exe and the command line includes Invoke-IntuneUpdate or Update-DeviceConfiguration.
Scenario: A security team member is manually reviewing logs using LogonUI.exe to check for suspicious activity related to mobile device authentication.
Filter/Exclusion: Exclude events where the process name is LogonUI.exe and the user is a member of the Security Admins group.
Scenario: A DevOps engineer is deploying a mobile application using Azure DevOps and Azure CLI to update configurations on mobile devices in a test environment.
Filter/Exclusion: Exclude events where the command line includes az devops or az cli and the environment is marked as test in the deployment metadata.
Scenario: A help desk technician is using Remote Desktop Services (RDS) to remotely manage a mobile device configuration on a user’s endpoint.
Filter/Exclusion: Exclude events where the process is initiated from an RDP session and the user is part of the Help Desk group.
Scenario: A system update is being applied via Group Policy that includes mobile device management (MDM) settings, triggering a configuration change on multiple endpoints.
Filter/Exclusion: Exclude events where the process is initiated by gpupdate.exe and the policy is associated with a Group Policy Object (GPO) labeled MDM Configuration Update.