Common Information
| Type | Value |
|---|---|
| Category | |
| Type | Yara Rule |
| Misp Type | |
| Description | |

Value:

```yara
rule apt_IAmTheKing_QueenOfHearts_2020
{
    meta:
        author = "Kaspersky"
        copyright = "Kaspersky"
        version = "1.0"
        type = "APT"
        filetype = "PE"
        description = "Find IAmTheKing's QueenOfHearts 2020 variants"
        last_modified = "2020-09-29"

    strings:
        $s1 = "www.yahoo.com" wide fullword
        $s2 = "8AAAAHicJY9HDsIwFAXnMmQHIsGULKKIUPZwA0SNqCEIcXwGI+vL781vdknNjR17PvQ48eLKhZKGlsJMwoE7T2nBipSKNQtpy0PSlSSqRr0j1208WVRprNqa6Vs3ju6s"
        $s3 = "kgAAAHicHYy7DoJAEEXPp2xMKJVEehoKSwsLSqMLCRh5BDTK33vWTHbuzpk7NzLQEMiJ9pmJDy0LK536tA7q1xfYcVJf7Km96jlz5yGJsiCtdN+8XJ1q9yMFR67ySf/M"
        $s4 = "2gAAAHicHY/JDoJAEAXrZ+SmEUSUAyEueNc/MOBCVFwwxs+3nEw6/V71lilp6Wg48GXEmTc3rpQ86SmsRBy585IWbIlZsqOS9jwkQ0mkeqobct3elwQVh67ayti+WXAX"
        $s5 = "MyScreen.jpg" wide fullword
        $s6 = "begin mainthread" wide fullword
        $s7 = "begin mainthread ok" wide fullword
        $s8 = "getcommand error" wide fullword
        $s9 = "querycode error" wide fullword
        $s10 = "{'session':[{'name':'admin_001','id':21,'time':12836123}],'jpg':" ascii fullword
        $s11 = "cookie size :%d" wide fullword
        $s12 = "send request error:%d" wide fullword
        $s13 = "AABBCCDDEEFFGGHH" wide fullword
        $s14 = " inflate 1.2.8 Copyright 1995-2013 Mark Adler " ascii fullword
        $s15 = " Type Descriptor'" ascii fullword
        $s16 = " constructor or from DllMain." ascii fullword
        $s17 = " Base Class Descriptor at (" ascii fullword
        // Exclusion string: files containing it are not matched
        $ex = "ping 127.0.0.1" ascii fullword

    condition:
        // MZ header, plausible PE size window, 12 of the strings above, and no exclusion hit
        (uint16(0) == 0x5A4D) and (filesize > 70KB and filesize < 3MB) and (12 of them) and (not $ex)
}
```