-
Notifications
You must be signed in to change notification settings - Fork 164
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'mandiant:master' into master
- Loading branch information
Showing
1 changed file
with
70 additions
and
62 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -6,73 +6,81 @@ rule: | |
| authors: | ||
| - [email protected] | ||
| description: the sample references known PlugX watermarks (hexified YYYYMMDD + command opcode) | ||
| scope: function | ||
| scope: basic block | ||
| references: | ||
| - https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf | ||
| - https://www.fireeye.com/blog/threat-research/2014/07/pacific-ring-of-fire-plugx-kaba.html | ||
| - https://www.avira.com/en/blog/new-wave-of-plugx-targets-hong-kong | ||
| examples: | ||
| - 64E9F62840DB2F65FC717CFAF99081F9:0x10024950 | ||
| - 64E9F62840DB2F65FC717CFAF99081F9:0x10024BCB | ||
| features: | ||
| - and: | ||
| - or: | ||
| - instruction: | ||
| - description: module timestamp | ||
| - number: 0x20120225 | ||
| - number: 0x20120324 | ||
| - number: 0x20121107 | ||
| - number: 0x20190301 | ||
| - number: 0x20190520 | ||
| - number: 0x20200208 | ||
| - number: 0x88888888 # scrubbed timestamp | ||
| - or: | ||
| - number: 0x1001 = get system information | ||
| - number: 0x1002 = start pipe comms | ||
| - number: 0x1003 = echo input | ||
| - number: 0x1005 = restart self | ||
| - number: 0x2000 = lock workstation | ||
| - number: 0x2001 = shutdown workstation (forced) | ||
| - number: 0x2002 = reboot workstation | ||
| - number: 0x2003 = shutdown workstation (graceful) | ||
| - number: 0x2005 = show messagebox | ||
| - number: 0x3000 = get disk information | ||
| - number: 0x3001 = search directory for files | ||
| - number: 0x3004 = read file | ||
| - number: 0x3007 = write file | ||
| - number: 0x300A = create directory | ||
| - number: 0x300B = check if file exists | ||
| - number: 0x300C = create a new Windows desktop | ||
| - number: 0x300D = PerformSH_FileOperation | ||
| - number: 0x300E = ExpandEnvironmentVariable | ||
| - number: 0x300F = get current PlugX module directory | ||
| - number: 0x4000 = create remote desktop thread | ||
| - number: 0x4004 = send mouse event | ||
| - number: 0x4005 = send keyboard event | ||
| - number: 0x4006 = send CTRL-Alt-Delete | ||
| - number: 0x4100 = take screenshot | ||
| - number: 0x5000 = create process | ||
| - number: 0x5001 = enumerate processes | ||
| - number: 0x5002 = kill process | ||
| - number: 0x6000 = query service config | ||
| - number: 0x6001 = change service config (forced) | ||
| - number: 0x6002 = start service | ||
| - number: 0x6003 = control service | ||
| - number: 0x6004 = delete service | ||
| - number: 0x7002 = create remote shell | ||
| - number: 0x7100 = create telnet server | ||
| - number: 0x9000 = enumerate registry keys | ||
| - number: 0x9001 = create registry key | ||
| - number: 0x9002 = delete registry key | ||
| - number: 0x9003 = copy registry key | ||
| - number: 0x9004 = enumerate registry values | ||
| - number: 0x9005 = set registry value | ||
| - number: 0x9006 = delete registry value | ||
| - number: 0x9007 = get registry value | ||
| - number: 0xA000 = enumerate network resources | ||
| - number: 0xB000 = start port mapping | ||
| - number: 0xC000 = get sql data source information | ||
| - number: 0xC001 = get sql driver description | ||
| - number: 0xC002 = execute sql statement | ||
| - number: 0xD000 = get TCP table | ||
| - number: 0xD001 = get UDP table | ||
| - number: 0xD002 = set TCP entry | ||
| - number: 0xE000 = start keylogger thread | ||
| - mnemonic: mov | ||
| - operand[0].offset: 0 | ||
| - or: | ||
| - operand[1].number: 0x20120225 | ||
| - operand[1].number: 0x20120324 | ||
| - operand[1].number: 0x20121107 | ||
| - operand[1].number: 0x20140613 | ||
| - operand[1].number: 0x20190301 | ||
| - operand[1].number: 0x20190520 | ||
| - operand[1].number: 0x20200208 | ||
| - operand[1].number: 0x88888888 # scrubbed timestamp | ||
| - instruction: | ||
| - description: command id | ||
| - mnemonic: mov | ||
| - operand[0].offset: 4 | ||
| - or: | ||
| - operand[1].number: 0x1001 = get system information | ||
| - operand[1].number: 0x1002 = start pipe comms | ||
| - operand[1].number: 0x1003 = echo input | ||
| - operand[1].number: 0x1005 = restart self | ||
| - operand[1].number: 0x2000 = lock workstation | ||
| - operand[1].number: 0x2001 = shutdown workstation (forced) | ||
| - operand[1].number: 0x2002 = reboot workstation | ||
| - operand[1].number: 0x2003 = shutdown workstation (graceful) | ||
| - operand[1].number: 0x2005 = show messagebox | ||
| - operand[1].number: 0x3000 = get disk information | ||
| - operand[1].number: 0x3001 = search directory for files | ||
| - operand[1].number: 0x3004 = read file | ||
| - operand[1].number: 0x3007 = write file | ||
| - operand[1].number: 0x300A = create directory | ||
| - operand[1].number: 0x300B = check if file exists | ||
| - operand[1].number: 0x300C = create a new Windows desktop | ||
| - operand[1].number: 0x300D = PerformSH_FileOperation | ||
| - operand[1].number: 0x300E = ExpandEnvironmentVariable | ||
| - operand[1].number: 0x300F = get current PlugX module directory | ||
| - operand[1].number: 0x4000 = create remote desktop thread | ||
| - operand[1].number: 0x4004 = send mouse event | ||
| - operand[1].number: 0x4005 = send keyboard event | ||
| - operand[1].number: 0x4006 = send CTRL-Alt-Delete | ||
| - operand[1].number: 0x4100 = take screenshot | ||
| - operand[1].number: 0x5000 = create process | ||
| - operand[1].number: 0x5001 = enumerate processes | ||
| - operand[1].number: 0x5002 = kill process | ||
| - operand[1].number: 0x6000 = query service config | ||
| - operand[1].number: 0x6001 = change service config (forced) | ||
| - operand[1].number: 0x6002 = start service | ||
| - operand[1].number: 0x6003 = control service | ||
| - operand[1].number: 0x6004 = delete service | ||
| - operand[1].number: 0x7002 = create remote shell | ||
| - operand[1].number: 0x7100 = create telnet server | ||
| - operand[1].number: 0x9000 = enumerate registry keys | ||
| - operand[1].number: 0x9001 = create registry key | ||
| - operand[1].number: 0x9002 = delete registry key | ||
| - operand[1].number: 0x9003 = copy registry key | ||
| - operand[1].number: 0x9004 = enumerate registry values | ||
| - operand[1].number: 0x9005 = set registry value | ||
| - operand[1].number: 0x9006 = delete registry value | ||
| - operand[1].number: 0x9007 = get registry value | ||
| - operand[1].number: 0xA000 = enumerate network resources | ||
| - operand[1].number: 0xB000 = start port mapping | ||
| - operand[1].number: 0xC000 = get sql data source information | ||
| - operand[1].number: 0xC001 = get sql driver description | ||
| - operand[1].number: 0xC002 = execute sql statement | ||
| - operand[1].number: 0xD000 = get TCP table | ||
| - operand[1].number: 0xD001 = get UDP table | ||
| - operand[1].number: 0xD002 = set TCP entry | ||
| - operand[1].number: 0xE000 = start keylogger thread | ||