IAmTheKing and the SlothfulMedia malware family
Common Information
Type | Value |
---|---|
UUID | b3ebba40-93a6-40ce-8228-b154cbbf3395 |
Fingerprint | a4a0099f0f36b7d1 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Oct. 15, 2020, 10 a.m. |
Added to db | Sept. 26, 2022, 9:31 a.m. |
Last updated | Nov. 18, 2024, 10:24 a.m. |
Headline | IAmTheKing and the SlothfulMedia malware family |
Title | IAmTheKing and the SlothfulMedia malware family |
Detected Hints/Tags/Attributes | 87/4/21 |
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 46 | www.yahoo.com |
|
Details | File | 1 | %appdata%\mediaplayer.exe |
|
Details | File | 1 | myscreen.jpg |
|
Details | File | 51 | ipconfig.exe |
|
Details | File | 258 | net.exe |
|
Details | File | 76 | ping.exe |
|
Details | md5 | 1 | 00E415E72A4FC4C8634D4D3815683CE8 |
|
Details | md5 | 1 | 4E2C2E82F076AD0B5D1F257706A5D579 |
|
Details | md5 | 1 | AB956623B3A6C2AC5B192E07B79CBB5B |
|
Details | md5 | 1 | 4BBD5869AA39F144FADDAD85B5EECA12 |
|
Details | md5 | 1 | 4076DDAF9555031B336B09EBAB402B95 |
|
Details | md5 | 1 | 096F7084D274166462D445A7686D1E5C |
|
Details | md5 | 1 | 29AA501447E6E20762893A24BFCE05E9 |
|
Details | md5 | 1 | 97c6cfa181c849eb87759518e200872f |
|
Details | md5 | 1 | 7DB4F1547D0E897EF6E6F01ECC484314 |
|
Details | md5 | 1 | 60D78B3E0D7FFE14A50485A19439209B |
|
Details | md5 | 1 | 90EF53D025E04335F1A71CB9AA6D6592 |
|
Details | IPv4 | 1442 | 127.0.0.1 |
|
Details | Yara rule | 1 | rule apt_IAmTheKing_KingOfHearts { meta: description = "Matches IAmTheKing's KingOfHearts C++ implant" author = "Kaspersky Lab" copyright = "Kaspersky Lab" version = "1.0" type = "APT" filetype = "PE" last_modified = "2020-01-20" strings: $payload_fmt = "cookie=%s;type=%s;length=%s;realdata=%send" $cmd1 = "HEART" $cmd2 = "CMDINFO" $cmd3 = "PROCESSINFO" $cmd4 = "LISTDRIVE" $cmd5 = "LISTFILE" $cmd6 = "DOWNLOAD" condition: uint16(0) == 0x5A4D and filesize < 1MB and ($payload_fmt or all of ($cmd*)) } |
|
Details | Yara rule | 1 | rule apt_IAmTheKing_KingOfHearts_json { meta: description = "Matches IAmTheKing's KingOfHearts JSON C++ implant" author = "Kaspersky Lab" copyright = "Kaspersky Lab" version = "1.0" type = "APT" filetype = "PE" last_modified = "2020-01-20" strings: $user_agent = "Mozilla/4.0 (compatible; )" $error = "write info fail!!! GetLastError-->%u" $multipart = "Content-Type: multipart/form-data; boundary=--MULTI-PARTS-FORM-DATA-BOUNDARY\x0D\x0A" condition: uint16(0) == 0x5A4D and filesize < 1MB and all of them } |
|
Details | Yara rule | 1 | rule apt_IAmTheKing_QueenOfHearts_2020 { meta: author = "Kaspersky" copyright = "Kaspersky" version = "1.0" type = "APT" filetype = "PE" description = "Find IAmTheKing's QueenOfHearts 2020 variants" last_modified = "2020-09-29" strings: $s1 = "www.yahoo.com" wide fullword $s2 = "8AAAAHicJY9HDsIwFAXnMmQHIsGULKKIUPZwA0SNqCEIcXwGI+vL781vdknNjR17PvQ48eLKhZKGlsJMwoE7T2nBipSKNQtpy0PSlSSqRr0j1208WVRprNqa6Vs3ju6s" $s3 = "kgAAAHicHYy7DoJAEEXPp2xMKJVEehoKSwsLSqMLCRh5BDTK33vWTHbuzpk7NzLQEMiJ9pmJDy0LK536tA7q1xfYcVJf7Km96jlz5yGJsiCtdN+8XJ1q9yMFR67ySf/M" $s4 = "2gAAAHicHY/JDoJAEAXrZ+SmEUSUAyEueNc/MOBCVFwwxs+3nEw6/V71lilp6Wg48GXEmTc3rpQ86SmsRBy585IWbIlZsqOS9jwkQ0mkeqobct3elwQVh67ayti+WXAX" $s5 = "MyScreen.jpg" wide fullword $s6 = "begin mainthread" wide fullword $s7 = "begin mainthread ok" wide fullword $s8 = "getcommand error" wide fullword $s9 = "querycode error" wide fullword $s10 = "{'session':[{'name':'admin_001','id':21,'time':12836123}],'jpg':" ascii fullword $s11 = "cookie size :%d" wide fullword $s12 = "send request error:%d" wide fullword $s13 = "AABBCCDDEEFFGGHH" wide fullword $s14 = " inflate 1.2.8 Copyright 1995-2013 Mark Adler " ascii fullword $s15 = " Type Descriptor'" ascii fullword $s16 = " constructor or from DllMain." ascii fullword $s17 = " Base Class Descriptor at (" ascii fullword $ex = "ping 127.0.0.1" ascii fullword condition: (uint16(0) == 0x5A4D) and (filesize > 70KB and filesize < 3MB) and (12 of them) and (not $ex) } |