Adversaries repackage popular Android games as a social engineering lure: a trojanized or lookalike build of a King title is pushed through third-party stores, forum links or phishing pages, and the user installs it expecting the real game, only to be asked for account credentials or for permissions that grant the app far more access than a game needs. The rule below targets that pattern at the sample level. It is written for the androguard YARA module (as used on Koodous and in yara-python builds that bundle the module), so it runs against APK files rather than SIEM telemetry, and it flags any APK that presents one of King's app names but is not signed with King's release certificate.
YARA Rule
import "androguard"

rule fake_king_games : fake android
{
    meta:
        description = "APK carrying a King game title that is not signed with King's release certificate"
    condition:
        // Display name is an exact match for one of King's published titles
        (androguard.app_name("AlphaBetty Saga")
        or androguard.app_name("Candy Crush Soda Saga")
        or androguard.app_name("Candy Crush Saga")
        or androguard.app_name("Farm Heroes Saga")
        or androguard.app_name("Pet Rescue Saga")
        or androguard.app_name("Bubble Witch 2 Saga")
        or androguard.app_name("Scrubby Dubby Saga")
        or androguard.app_name("Diamond Digger Saga")
        or androguard.app_name("Papa Pear Saga")
        or androguard.app_name("Pyramid Solitaire Saga")
        or androguard.app_name("Bubble Witch Saga")
        or androguard.app_name("King Challenge"))
        // ...but none of the signer certificates is King's known release certificate (SHA-1)
        and not androguard.certificate.sha1("9E93B3336C767C3ABA6FCC4DEADA9F179EE4A05B")
}
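To make concrete what the two androguard calls above are comparing, here is an added Python example; it is not code from the page, from King or from androguard. It pulls the signer certificate SHA-1s out of an APK's v1 (JAR) signature entry under META-INF with a minimal DER walker, then applies the same condition as the rule. The APK, the PKCS#7 block and the "certificate" inside it are constructed test data (the certificate is a bare DER SEQUENCE, not a real X.509 certificate); the app name is passed in directly, since extracting it from the binary AndroidManifest is the part androguard handles for you.

```python
import hashlib
import io
import zipfile
from typing import Iterator, List, Tuple

# Values taken from the rule on this page.
KING_CERT_SHA1 = "9E93B3336C767C3ABA6FCC4DEADA9F179EE4A05B"
KING_APP_NAMES = {
    "AlphaBetty Saga", "Candy Crush Soda Saga", "Candy Crush Saga",
    "Farm Heroes Saga", "Pet Rescue Saga", "Bubble Witch 2 Saga",
    "Scrubby Dubby Saga", "Diamond Digger Saga", "Papa Pear Saga",
    "Pyramid Solitaire Saga", "Bubble Witch Saga", "King Challenge",
}


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value (short form and 1/2-byte long-form lengths)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def der_iter(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, body) for each TLV laid out back to back in buf."""
    i = 0
    while i < len(buf):
        tag, ln = buf[i], buf[i + 1]
        i += 2
        if ln & 0x80:  # long form: low bits give the number of length bytes that follow
            nbytes = ln & 0x7F
            ln = int.from_bytes(buf[i:i + nbytes], "big")
            i += nbytes
        yield tag, buf[i:i + ln]
        i += ln


def certs_from_pkcs7(blob: bytes) -> List[bytes]:
    """Return the DER certificates carried in a PKCS#7 SignedData blob (META-INF/*.RSA)."""
    # ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
    _, content_info = next(der_iter(blob))
    _, explicit_content = list(der_iter(content_info))[1]
    _, signed_data = next(der_iter(explicit_content))
    # SignedData ::= SEQUENCE { version, digestAlgorithms, encapContentInfo,
    #                           certificates [0] IMPLICIT CertificateSet OPTIONAL, ... }
    for tag, body in der_iter(signed_data):
        if tag == 0xA0:
            # Fingerprints are taken over the complete certificate TLV, so re-attach the header.
            return [der_tlv(t, b) for t, b in der_iter(body)]
    return []


def cert_sha1(cert_der: bytes) -> str:
    """Upper-case hex SHA-1 of a DER certificate, the form the rule compares against."""
    return hashlib.sha1(cert_der).hexdigest().upper()


def apk_signer_sha1s(apk_bytes: bytes) -> List[str]:
    """Collect signer certificate SHA-1s from an APK's v1 (JAR) signature entries."""
    sha1s = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                sha1s.extend(cert_sha1(c) for c in certs_from_pkcs7(z.read(name)))
    return sha1s


def is_fake_king_game(app_name: str, signer_sha1s: List[str]) -> bool:
    """Same condition as the YARA rule: a King title whose signers do not include King's certificate."""
    return app_name in KING_APP_NAMES and KING_CERT_SHA1 not in {s.upper() for s in signer_sha1s}


# Constructed stand-in for a signer certificate: a DER SEQUENCE, not a real X.509 certificate.
FAKE_SIGNER_CERT = der_tlv(0x30, der_tlv(0x0C, b"not-king-signer"))


def build_sample_apk(cert_der: bytes) -> bytes:
    """Build a minimal ZIP with an APK-style v1 signature entry (constructed test data, not a real APK)."""
    pkcs7_data = der_tlv(0x06, bytes.fromhex("2A864886F70D010701"))         # OID 1.2.840.113549.1.7.1
    pkcs7_signed_data = der_tlv(0x06, bytes.fromhex("2A864886F70D010702"))  # OID 1.2.840.113549.1.7.2
    signed_data = der_tlv(0x30,
        der_tlv(0x02, b"\x01")              # version
        + der_tlv(0x31, b"")                # digestAlgorithms (empty SET)
        + der_tlv(0x30, pkcs7_data)         # encapContentInfo
        + der_tlv(0xA0, cert_der)           # certificates [0] IMPLICIT
        + der_tlv(0x31, b""))               # signerInfos (empty; the signature itself is not modelled)
    content_info = der_tlv(0x30, pkcs7_signed_data + der_tlv(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"placeholder: real APKs carry a binary XML manifest here")
        z.writestr("META-INF/CERT.RSA", content_info)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_apk(FAKE_SIGNER_CERT)
    sha1s = apk_signer_sha1s(sample)
    print("signers:", sha1s)
    print("flagged as fake King game:", is_fake_king_game("Candy Crush Saga", sha1s))
```

Two things worth noting when reading the output: the fingerprint is computed over the full certificate DER (tag and length included), which is why the walker re-encodes each element instead of hashing the body alone; and this parser only looks at v1 signature entries, so an APK signed exclusively with APK Signature Scheme v2 or later (whose signing block lives outside the ZIP entries) would yield an empty signer list and, under the rule's logic, be flagged.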
This rule depends on the androguard YARA module, so it is deployed against APK samples (on Koodous, or with a yara-python build that includes the module), not against Windows process or command-line telemetry. Situations to account for when tuning it:
Scenario: An APK that carries one of the listed app names and is signed with King's release certificate.
Filter/Exclusion: Already excluded by the certificate clause. That clause is the only thing separating genuine builds from impostors, so the SHA-1 must be updated if King ever rotates its signing key, or every legitimate build will start matching.
Scenario: A King build signed with a different key, for example an internal test or developer build, submitted to the scanner.
Filter/Exclusion: Will match. Only add a second signer as another "and not androguard.certificate.sha1(...)" term once the certificate has been confirmed as King's; until then treat the hit as a lead, not a false positive.
Scenario: A trojanized copy that alters the label slightly (an added "HD" or "Free" suffix) or ships a localized app name.
Filter/Exclusion: Not matched, because app_name is an exact string comparison. Extend the name list, or use a pattern match on the name if your build of the androguard module supports it, accepting that broader matching raises the false-positive rate.
Scenario: A hit on an APK obtained from a third-party store or a phishing link.
Filter/Exclusion: No exclusion. Triage by comparing the package name, signer and requested permissions with the Play Store build, and pay particular attention to credential prompts or requests for accessibility, SMS or overlay permissions that the genuine game does not need.