From 6733ddc9adfabd7903b089eabf50b89901cb2689 Mon Sep 17 00:00:00 2001
From: Willi Ballenthin
Date: Mon, 13 Nov 2023 12:38:58 +0100
Subject: [PATCH 1/3] PLUGX: make more restrictive to fix FP
---
 malware-family/plugx/match-known-plugx-module.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/malware-family/plugx/match-known-plugx-module.yml b/malware-family/plugx/match-known-plugx-module.yml
index ca2e552d5..c3bd3f0d3 100644
--- a/malware-family/plugx/match-known-plugx-module.yml
+++ b/malware-family/plugx/match-known-plugx-module.yml
@@ -24,7 +24,7 @@ rule:
 - number: 0x20190520
 - number: 0x20200208
 - number: 0x88888888 # scrubbed timestamp
- - or:
+ - 4 or more:
 - number: 0x1001 = get system information
 - number: 0x1002 = start pipe comms
 - number: 0x1003 = echo input
From 5d53af0793be09e63c0556771bac14a42c747dbf Mon Sep 17 00:00:00 2001
From: Willi Ballenthin
Date: Tue, 14 Nov 2023 12:04:24 +0100
Subject: [PATCH 2/3] Update match-known-plugx-module.yml
---
 .../plugx/match-known-plugx-module.yml | 131 +++++++++---------
 1 file changed, 69 insertions(+), 62 deletions(-)
diff --git a/malware-family/plugx/match-known-plugx-module.yml b/malware-family/plugx/match-known-plugx-module.yml
index c3bd3f0d3..bac442fc8 100644
--- a/malware-family/plugx/match-known-plugx-module.yml
+++ b/malware-family/plugx/match-known-plugx-module.yml
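Review bot: The new `4 or more:` quantifier carries no comment saying why four was chosen, so the reason the plain `or:` produced false positives stays implicit; the opcode constants under it (`0x1001`, `0x2000`, `0x3000`, …) are small round values that plausibly occur in unrelated code, which is presumably the cause. A one-line comment above the quantifier, e.g. `# require several opcodes to co-occur: any single one of these small constants is common in benign code`, would let the next maintainer retune the count without re-deriving it. The enclosing `and:` block begins before the hunk.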
@@ -6,73 +6,80 @@ rule:
 authors:
 - still@teamt5.org
 description: the sample references known PlugX watermarks (hexified YYYYMMDD + command opcode)
- scope: function
+ scope: basic block
 references:
 - https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf
 - https://www.fireeye.com/blog/threat-research/2014/07/pacific-ring-of-fire-plugx-kaba.html
 - https://www.avira.com/en/blog/new-wave-of-plugx-targets-hong-kong
 examples:
- - 64E9F62840DB2F65FC717CFAF99081F9:0x10024950
+ - 64E9F62840DB2F65FC717CFAF99081F9:0x10024BCB
 features:
 - and:
- - or:
+ - instruction:
 - description: module timestamp
- - number: 0x20120225
- - number: 0x20120324
- - number: 0x20121107
- - number: 0x20190301
- - number: 0x20190520
- - number: 0x20200208
- - number: 0x88888888 # scrubbed timestamp
- - 4 or more:
- - number: 0x1001 = get system information
- - number: 0x1002 = start pipe comms
- - number: 0x1003 = echo input
- - number: 0x1005 = restart self
- - number: 0x2000 = lock workstation
- - number: 0x2001 = shutdown workstation (forced)
- - number: 0x2002 = reboot workstation
- - number: 0x2003 = shutdown workstation (graceful)
- - number: 0x2005 = show messagebox
- - number: 0x3000 = get disk information
- - number: 0x3001 = search directory for files
- - number: 0x3004 = read file
- - number: 0x3007 = write file
- - number: 0x300A = create directory
- - number: 0x300B = check if file exists
- - number: 0x300C = create a new Windows desktop
- - number: 0x300D = PerformSH_FileOperation
- - number: 0x300E = ExpandEnvironmentVariable
- - number: 0x300F = get current PlugX module directory
- - number: 0x4000 = create remote desktop thread
- - number: 0x4004 = send mouse event
- - number: 0x4005 = send keyboard event
- - number: 0x4006 = send CTRL-Alt-Delete
- - number: 0x4100 = take screenshot
- - number: 0x5000 = create process
- - number: 0x5001 = enumerate processes
- - number: 0x5002 = kill process
- - number: 0x6000 = query service config
- - number: 0x6001 = change service config (forced)
- - number: 0x6002 = start service
- - number: 0x6003 = control service
- - number: 0x6004 = delete service
- - number: 0x7002 = create remote shell
- - number: 0x7100 = create telnet server
- - number: 0x9000 = enumerate registry keys
- - number: 0x9001 = create registry key
- - number: 0x9002 = delete registry key
- - number: 0x9003 = copy registry key
- - number: 0x9004 = enumerate registry values
- - number: 0x9005 = set registry value
- - number: 0x9006 = delete registry value
- - number: 0x9007 = get registry value
- - number: 0xA000 = enumerate network resources
- - number: 0xB000 = start port mapping
- - number: 0xC000 = get sql data source information
- - number: 0xC001 = get sql driver description
- - number: 0xC002 = execute sql statement
- - number: 0xD000 = get TCP table
- - number: 0xD001 = get UDP table
- - number: 0xD002 = set TCP entry
- - number: 0xE000 = start keylogger thread
+ - mnemonic: mov
+ - operand[0].offset: 0
+ - or:
+ - operand[1].number: 0x20120225
+ - operand[1].number: 0x20120324
+ - operand[1].number: 0x20121107
+ - operand[1].number: 0x20190301
+ - operand[1].number: 0x20190520
+ - operand[1].number: 0x20200208
+ - operand[1].number: 0x88888888 # scrubbed timestamp
+ - instruction:
+ - description: command id
+ - mnemonic: mov
+ - operand[0].offset: 4
+ - or:
+ - operand[1].number: 0x1001 = get system information
+ - operand[1].number: 0x1002 = start pipe comms
+ - operand[1].number: 0x1003 = echo input
+ - operand[1].number: 0x1005 = restart self
+ - operand[1].number: 0x2000 = lock workstation
+ - operand[1].number: 0x2001 = shutdown workstation (forced)
+ - operand[1].number: 0x2002 = reboot workstation
+ - operand[1].number: 0x2003 = shutdown workstation (graceful)
+ - operand[1].number: 0x2005 = show messagebox
+ - operand[1].number: 0x3000 = get disk information
+ - operand[1].number: 0x3001 = search directory for files
+ - operand[1].number: 0x3004 = read file
+ - operand[1].number: 0x3007 = write file
+ - operand[1].number: 0x300A = create directory
+ - operand[1].number: 0x300B = check if file exists
+ - operand[1].number: 0x300C = create a new Windows desktop
+ - operand[1].number: 0x300D = PerformSH_FileOperation
+ - operand[1].number: 0x300E = ExpandEnvironmentVariable
+ - operand[1].number: 0x300F = get current PlugX module directory
+ - operand[1].number: 0x4000 = create remote desktop thread
+ - operand[1].number: 0x4004 = send mouse event
+ - operand[1].number: 0x4005 = send keyboard event
+ - operand[1].number: 0x4006 = send CTRL-Alt-Delete
+ - operand[1].number: 0x4100 = take screenshot
+ - operand[1].number: 0x5000 = create process
+ - operand[1].number: 0x5001 = enumerate processes
+ - operand[1].number: 0x5002 = kill process
+ - operand[1].number: 0x6000 = query service config
+ - operand[1].number: 0x6001 = change service config (forced)
+ - operand[1].number: 0x6002 = start service
+ - operand[1].number: 0x6003 = control service
+ - operand[1].number: 0x6004 = delete service
+ - operand[1].number: 0x7002 = create remote shell
+ - operand[1].number: 0x7100 = create telnet server
+ - operand[1].number: 0x9000 = enumerate registry keys
+ - operand[1].number: 0x9001 = create registry key
+ - operand[1].number: 0x9002 = delete registry key
+ - operand[1].number: 0x9003 = copy registry key
+ - operand[1].number: 0x9004 = enumerate registry values
+ - operand[1].number: 0x9005 = set registry value
+ - operand[1].number: 0x9006 = delete registry value
+ - operand[1].number: 0x9007 = get registry value
+ - operand[1].number: 0xA000 = enumerate network resources
+ - operand[1].number: 0xB000 = start port mapping
+ - operand[1].number: 0xC000 = get sql data source information
+ - operand[1].number: 0xC001 = get sql driver description
+ - operand[1].number: 0xC002 = execute sql statement
+ - operand[1].number: 0xD000 = get TCP table
+ - operand[1].number: 0xD001 = get UDP table
+ - operand[1].number: 0xD002 = set TCP entry
+ - operand[1].number: 0xE000 = start keylogger thread
From 60b39810e1b52e7f3d7299fa4dfe6fa5585c7a96 Mon Sep 17 00:00:00 2001
From: Willi Ballenthin
Date: Wed, 15 Nov 2023 10:23:00 +0100
Subject: [PATCH 3/3] Update malware-family/plugx/match-known-plugx-module.yml
Co-authored-by: Moritz
---
 malware-family/plugx/match-known-plugx-module.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/malware-family/plugx/match-known-plugx-module.yml b/malware-family/plugx/match-known-plugx-module.yml
index bac442fc8..278087363 100644
--- a/malware-family/plugx/match-known-plugx-module.yml
+++ b/malware-family/plugx/match-known-plugx-module.yml
@@ -23,6 +23,7 @@ rule:
 - operand[1].number: 0x20120225
 - operand[1].number: 0x20120324
 - operand[1].number: 0x20121107
+ - operand[1].number: 0x20140613
 - operand[1].number: 0x20190301
 - operand[1].number: 0x20190520
 - operand[1].number: 0x20200208
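Review bot: The pairing of `operand[0].offset: 0` with `operand[0].offset: 4` across the two `instruction:` blocks encodes an undocumented layout assumption — that the watermark timestamp and the command id are stored by two `mov` instructions at displacement 0 and 4 of the same base, within one basic block now that `scope` is `basic block` — but the only documentation is the two `description:` lines. A comment under `features:` such as `# matches the two stores that initialise a module descriptor: timestamp at [base+0], command id at [base+4], expected in the same basic block` (marked as an assumption if the layout was inferred from the example sample) would make the rule's precision mechanism explicit, and would explain why the `4 or more:` quantifier from the previous patch in this series is no longer needed — co-location with a timestamp store has replaced it as the false-positive control. A store of the same constant through a stack slot or an explicit non-zero base displacement would presumably not match either pattern; if that is intended, say so in the same comment.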
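Review bot: The added watermark `0x20140613` records no provenance, unlike the neighbouring `0x88888888 # scrubbed timestamp`, and since a single matching timestamp store in the right basic block now drives the match, a reviewer investigating a future false positive cannot tell which sample justified it. A trailing comment such as `# seen in <sample hash>` (with the originating sample's hash substituted) would keep that trail; the enclosing `or:` and `instruction:` blocks begin before the hunk.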