mandiant · williballenthin · Nov 15, 2023 · Nov 13, 2023 · Nov 14, 2023 · Nov 15, 2023
diff --git a/malware-family/plugx/match-known-plugx-module.yml b/malware-family/plugx/match-known-plugx-module.yml
@@ -6,73 +6,80 @@ rule:
     authors:
       - [email protected]
     description: the sample references known PlugX watermarks (hexified YYYYMMDD + command opcode)
-    scope: function
+    scope: basic block
     references:
       - https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf
       - https://www.fireeye.com/blog/threat-research/2014/07/pacific-ring-of-fire-plugx-kaba.html
       - https://www.avira.com/en/blog/new-wave-of-plugx-targets-hong-kong
     examples:
-      - 64E9F62840DB2F65FC717CFAF99081F9:0x10024950
+      - 64E9F62840DB2F65FC717CFAF99081F9:0x10024BCB
   features:
     - and:
-      - or:
+      - instruction:
         - description: module timestamp
-        - number: 0x20120225
-        - number: 0x20120324
-        - number: 0x20121107
-        - number: 0x20190301
-        - number: 0x20190520
-        - number: 0x20200208
-        - number: 0x88888888 # scrubbed timestamp
-      - or:
-        - number: 0x1001 = get system information
-        - number: 0x1002 = start pipe comms
-        - number: 0x1003 = echo input
-        - number: 0x1005 = restart self
-        - number: 0x2000 = lock workstation
-        - number: 0x2001 = shutdown workstation (forced)
-        - number: 0x2002 = reboot workstation
-        - number: 0x2003 = shutdown workstation (graceful)
-        - number: 0x2005 = show messagebox
-        - number: 0x3000 = get disk information
-        - number: 0x3001 = search directory for files
-        - number: 0x3004 = read file
-        - number: 0x3007 = write file
-        - number: 0x300A = create directory
-        - number: 0x300B = check if file exists
-        - number: 0x300C = create a new Windows desktop
-        - number: 0x300D = PerformSH_FileOperation
-        - number: 0x300E = ExpandEnvironmentVariable
-        - number: 0x300F = get current PlugX module directory
-        - number: 0x4000 = create remote desktop thread
-        - number: 0x4004 = send mouse event
-        - number: 0x4005 = send keyboard event
-        - number: 0x4006 = send CTRL-Alt-Delete
-        - number: 0x4100 = take screenshot
-        - number: 0x5000 = create process
-        - number: 0x5001 = enumerate processes
-        - number: 0x5002 = kill process
-        - number: 0x6000 = query service config
-        - number: 0x6001 = change service config (forced)
-        - number: 0x6002 = start service
-        - number: 0x6003 = control service
-        - number: 0x6004 = delete service
-        - number: 0x7002 = create remote shell
-        - number: 0x7100 = create telnet server
-        - number: 0x9000 = enumerate registry keys
-        - number: 0x9001 = create registry key
-        - number: 0x9002 = delete registry key
-        - number: 0x9003 = copy registry key
-        - number: 0x9004 = enumerate registry values
-        - number: 0x9005 = set registry value
-        - number: 0x9006 = delete registry value
-        - number: 0x9007 = get registry value
-        - number: 0xA000 = enumerate network resources
-        - number: 0xB000 = start port mapping
-        - number: 0xC000 = get sql data source information
-        - number: 0xC001 = get sql driver description
-        - number: 0xC002 = execute sql statement
-        - number: 0xD000 = get TCP table
-        - number: 0xD001 = get UDP table
-        - number: 0xD002 = set TCP entry
-        - number: 0xE000 = start keylogger thread
+        - mnemonic: mov
+        - operand[0].offset: 0
+        - or:
+          - operand[1].number: 0x20120225
+          - operand[1].number: 0x20120324
+          - operand[1].number: 0x20121107
+          - operand[1].number: 0x20190301
+          - operand[1].number: 0x20190520
+          - operand[1].number: 0x20200208
+          - operand[1].number: 0x88888888 # scrubbed timestamp
+      - instruction:
+        - description: command id
+        - mnemonic: mov
+        - operand[0].offset: 4
+        - or:
+          - operand[1].number: 0x1001 = get system information
+          - operand[1].number: 0x1002 = start pipe comms
+          - operand[1].number: 0x1003 = echo input
+          - operand[1].number: 0x1005 = restart self
+          - operand[1].number: 0x2000 = lock workstation
+          - operand[1].number: 0x2001 = shutdown workstation (forced)
+          - operand[1].number: 0x2002 = reboot workstation
+          - operand[1].number: 0x2003 = shutdown workstation (graceful)
+          - operand[1].number: 0x2005 = show messagebox
+          - operand[1].number: 0x3000 = get disk information
+          - operand[1].number: 0x3001 = search directory for files
+          - operand[1].number: 0x3004 = read file
+          - operand[1].number: 0x3007 = write file
+          - operand[1].number: 0x300A = create directory
+          - operand[1].number: 0x300B = check if file exists
+          - operand[1].number: 0x300C = create a new Windows desktop
+          - operand[1].number: 0x300D = PerformSH_FileOperation
+          - operand[1].number: 0x300E = ExpandEnvironmentVariable
+          - operand[1].number: 0x300F = get current PlugX module directory
+          - operand[1].number: 0x4000 = create remote desktop thread
+          - operand[1].number: 0x4004 = send mouse event
+          - operand[1].number: 0x4005 = send keyboard event
+          - operand[1].number: 0x4006 = send CTRL-Alt-Delete
+          - operand[1].number: 0x4100 = take screenshot
+          - operand[1].number: 0x5000 = create process
+          - operand[1].number: 0x5001 = enumerate processes
+          - operand[1].number: 0x5002 = kill process
+          - operand[1].number: 0x6000 = query service config
+          - operand[1].number: 0x6001 = change service config (forced)
+          - operand[1].number: 0x6002 = start service
+          - operand[1].number: 0x6003 = control service
+          - operand[1].number: 0x6004 = delete service
+          - operand[1].number: 0x7002 = create remote shell
+          - operand[1].number: 0x7100 = create telnet server
+          - operand[1].number: 0x9000 = enumerate registry keys
+          - operand[1].number: 0x9001 = create registry key
+          - operand[1].number: 0x9002 = delete registry key
+          - operand[1].number: 0x9003 = copy registry key
+          - operand[1].number: 0x9004 = enumerate registry values
+          - operand[1].number: 0x9005 = set registry value
+          - operand[1].number: 0x9006 = delete registry value
+          - operand[1].number: 0x9007 = get registry value
+          - operand[1].number: 0xA000 = enumerate network resources
+          - operand[1].number: 0xB000 = start port mapping
+          - operand[1].number: 0xC000 = get sql data source information
+          - operand[1].number: 0xC001 = get sql driver description
+          - operand[1].number: 0xC002 = execute sql statement
+          - operand[1].number: 0xD000 = get TCP table
+          - operand[1].number: 0xD001 = get UDP table
+          - operand[1].number: 0xD002 = set TCP entry
+          - operand[1].number: 0xE000 = start keylogger thread