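# capa rule (https://github.com/mandiant/capa-rules). Matches a function that
# writes PlugX's two "watermark" immediates into adjacent memory slots:
#   - a build date written as hex digits (e.g. 0x20120225 == 2012-02-25) at
#     displacement 0, and
#   - a backdoor command opcode at displacement 4.
# Both `instruction` blocks are joined with `and`, so neither constant fires on
# its own; that matters for the generic-looking 0x88888888 entry below.
rule:
  meta:
    name: match known PlugX module
    namespace: malware-family/plugx
    maec/malware-family: PlugX
    authors:
      - still@teamt5.org
    description: the sample references known PlugX watermarks (hexified YYYYMMDD + command opcode)
    scopes:
      static: function
      # NOTE(review): the features below (mnemonic, operand[n].offset,
      # operand[n].number) come from disassembly and have no dynamic analog;
      # confirm "thread" is intended here rather than "unsupported".
      dynamic: thread
    references:
      - https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf
      - https://www.fireeye.com/blog/threat-research/2014/07/pacific-ring-of-fire-plugx-kaba.html
      - https://www.avira.com/en/blog/new-wave-of-plugx-targets-hong-kong
    examples:
      # <sample MD5>:<virtual address of a matching function>
      - 64E9F62840DB2F65FC717CFAF99081F9:0x10024BCB
  features:
    - and:
      # 1) `mov [reg+0], <hexified YYYYMMDD>` — the module build stamp
      - instruction:
        - description: module timestamp
        - mnemonic: mov
        - operand[0].offset: 0
        - or:
          # each immediate is a date read as hex digits, e.g. 0x20140613 -> 2014-06-13
          - operand[1].number: 0x20120225
          - operand[1].number: 0x20120324
          - operand[1].number: 0x20121107
          - operand[1].number: 0x20140613
          - operand[1].number: 0x20190301
          - operand[1].number: 0x20190520
          - operand[1].number: 0x20200208
          # placeholder seen where the real date was removed; relies on the
          # enclosing `and` with the opcode store to avoid matching on its own
          - operand[1].number: 0x88888888 # scrubbed timestamp
      # 2) `mov [reg+4], <command id>` — the backdoor opcode the module handles.
      #    capa's `value = label` form documents each opcode inline; the label is
      #    descriptive only and does not affect matching.
      - instruction:
        - description: command id
        - mnemonic: mov
        - operand[0].offset: 4
        - or:
          - operand[1].number: 0x1001 = get system information
          - operand[1].number: 0x1002 = start pipe comms
          - operand[1].number: 0x1003 = echo input
          - operand[1].number: 0x1005 = restart self
          - operand[1].number: 0x2000 = lock workstation
          - operand[1].number: 0x2001 = shutdown workstation (forced)
          - operand[1].number: 0x2002 = reboot workstation
          - operand[1].number: 0x2003 = shutdown workstation (graceful)
          - operand[1].number: 0x2005 = show messagebox
          - operand[1].number: 0x3000 = get disk information
          - operand[1].number: 0x3001 = search directory for files
          - operand[1].number: 0x3004 = read file
          - operand[1].number: 0x3007 = write file
          - operand[1].number: 0x300A = create directory
          - operand[1].number: 0x300B = check if file exists
          - operand[1].number: 0x300C = create a new Windows desktop
          - operand[1].number: 0x300D = PerformSH_FileOperation
          - operand[1].number: 0x300E = ExpandEnvironmentVariable
          - operand[1].number: 0x300F = get current PlugX module directory
          - operand[1].number: 0x4000 = create remote desktop thread
          - operand[1].number: 0x4004 = send mouse event
          - operand[1].number: 0x4005 = send keyboard event
          - operand[1].number: 0x4006 = send CTRL-Alt-Delete
          - operand[1].number: 0x4100 = take screenshot
          - operand[1].number: 0x5000 = create process
          - operand[1].number: 0x5001 = enumerate processes
          - operand[1].number: 0x5002 = kill process
          - operand[1].number: 0x6000 = query service config
          - operand[1].number: 0x6001 = change service config (forced)
          - operand[1].number: 0x6002 = start service
          - operand[1].number: 0x6003 = control service
          - operand[1].number: 0x6004 = delete service
          - operand[1].number: 0x7002 = create remote shell
          - operand[1].number: 0x7100 = create telnet server
          - operand[1].number: 0x9000 = enumerate registry keys
          - operand[1].number: 0x9001 = create registry key
          - operand[1].number: 0x9002 = delete registry key
          - operand[1].number: 0x9003 = copy registry key
          - operand[1].number: 0x9004 = enumerate registry values
          - operand[1].number: 0x9005 = set registry value
          - operand[1].number: 0x9006 = delete registry value
          - operand[1].number: 0x9007 = get registry value
          - operand[1].number: 0xA000 = enumerate network resources
          - operand[1].number: 0xB000 = start port mapping
          - operand[1].number: 0xC000 = get sql data source information
          - operand[1].number: 0xC001 = get sql driver description
          - operand[1].number: 0xC002 = execute sql statement
          - operand[1].number: 0xD000 = get TCP table
          - operand[1].number: 0xD001 = get UDP table
          - operand[1].number: 0xD002 = set TCP entry
          - operand[1].number: 0xE000 = start keylogger thread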