misp-circl-feed/feeds/circl/misp/5eeec9aa-9d88-4ece-9e6f-9d92884ae404.json

{
"Event": {
"analysis": "0",
"date": "2022-09-14",
"extends_uuid": "",
"info": "Dissecting PlugX to Extract Its Crown Jewels",
"publish_timestamp": "1663581084",
"published": true,
"threat_level_id": "4",
"timestamp": "1663580963",
"uuid": "5eeec9aa-9d88-4ece-9e6f-9d92884ae404",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#0088cc",
"name": "misp-galaxy:microsoft-activity-group=\"GALLIUM\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"DragonOK - G0017\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-intrusion-set=\"DragonOK - G0017\""
},
{
"colour": "#e834ab",
"name": "misp-galaxy:mitre-intrusion-set=\"Mustang Panda - G0129\""
},
{
"colour": "#14f700",
"name": "misp-galaxy:threat-actor=\"DragonOK\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:threat-actor=\"Earth Berberoka\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:threat-actor=\"GALLIUM\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:threat-actor=\"Mustang Panda\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-enterprise-attack-malware=\"Winnti - S0141\""
},
{
"colour": "#10c300",
"name": "misp-galaxy:threat-actor=\"Axiom\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Winnti Group - G0044\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-intrusion-set=\"Winnti Group - G0044\""
},
{
"colour": "#004646",
"name": "type:OSINT"
},
{
"colour": "#0071c3",
"name": "osint:lifetime=\"perpetual\""
},
{
"colour": "#0087e8",
"name": "osint:certainty=\"50\""
},
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#002b4a",
"name": "osint:source-type=\"technical-report\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:malpedia=\"PlugX\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-enterprise-attack-malware=\"PlugX - S0013\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-malware=\"PlugX - S0013\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:rat=\"PlugX\""
},
{
"colour": "#043400",
"name": "misp-galaxy:tool=\"PlugX\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1192\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1566.002\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\""
},
{
"colour": "#064d00",
"name": "misp-galaxy:mitre-attack-pattern=\"Visual Basic - T1059.005\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Component Object Model - T1559.001\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Service Execution - T1569.002\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1060\""
},
{
"colour": "#065100",
"name": "misp-galaxy:mitre-attack-pattern=\"Windows Service - T1543.003\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Bypass User Account Control - T1088\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Hidden Files and Directories - T1564.001\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1073\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\""
},
{
"colour": "#053a00",
"name": "misp-galaxy:mitre-attack-pattern=\"Masquerade Task or Service - T1036.004\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Name or Location - T1036.005\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1045\""
},
{
"colour": "#064f00",
"name": "misp-galaxy:mitre-attack-pattern=\"Process Hollowing - T1055.012\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Inter-Process Communication - T1559\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"System Services - T1569\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Boot or Logon Autostart Execution - T1547\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Create or Modify System Process - T1543\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Abuse Elevation Control Mechanism - T1548\""
},
{
"colour": "#064b00",
"name": "misp-galaxy:mitre-attack-pattern=\"Hijack Execution Flow - T1574\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Hide Artifacts - T1564\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Impair Defenses - T1562\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Indicator Removal on Host - T1070\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Network Service Discovery - T1046\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Network Share Discovery - T1135\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Query Registry - T1012\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"System Network Connections Discovery - T1049\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"System Service Discovery - T1007\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Remote Services - T1021\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1076\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Automated Collection - T1119\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Clipboard Data - T1115\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Input Capture - T1056\""
},
{
"colour": "#075900",
"name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Data Encoding - T1132\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Data Obfuscation - T1001\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\""
},
{
"colour": "#064500",
"name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Non-Application Layer Protocol - T1095\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"External Proxy - T1090.002\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Protocol Impersonation - T1001.003\""
},
{
"colour": "#064f00",
"name": "misp-galaxy:mitre-attack-pattern=\"Standard Encoding - T1132.001\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Symmetric Cryptography - T1573.001\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\""
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1663580942",
"to_ids": true,
"type": "filename",
"uuid": "2a896148-0562-464f-bd45-6acf246f12c3",
"value": "%WINDIR%\\System32\\sysprep\\cryptbase.dll"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1663580963",
"to_ids": true,
"type": "filename",
"uuid": "d851b765-c352-4784-8d88-b9ad47648410",
"value": "%WINDIR%\\System32\\sysprep\\sysprep.exe"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Metadata used to generate an executive level report",
"meta-category": "misc",
"name": "report",
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
"template_version": "7",
"timestamp": "1663250517",
"uuid": "37755261-1df4-47c4-b620-775323431ea0",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "link",
"timestamp": "1663250517",
"to_ids": false,
"type": "link",
"uuid": "e00bf389-9c2c-4ebc-bb23-3435bec0e7b9",
"value": "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1663250517",
"to_ids": false,
"type": "text",
"uuid": "f109f468-e159-4dc3-ba9c-6c9be1d987cc",
"value": "PlugX is a malware family first spotted in 2008. It is a Remote Access Trojan that has been\r\nused by several threat actors and provides them with full control over infected machines. It\r\nhas continually evolved over time, adding new features and functionalities with each\r\niteration. Hence, it is important to keep following and documenting its transformations."
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1663250517",
"to_ids": false,
"type": "text",
"uuid": "78450e24-65d4-4f80-b648-094c62f8dc27",
"value": "Report"
},
{
"category": "External analysis",
"comment": "",
"data": "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
"deleted": false,
"disable_correlation": false,
"object_relation": "report-file",
"timestamp": "1663250517",
"to_ids": false,
"type": "attachment",
"uuid": "c0d3c7fb-bdfc-41c3-80ac-4a16fb885ae3",
"value": "Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
}
]
},
{
"comment": "",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "11",
"timestamp": "1663314823",
"uuid": "45516e32-4f9c-4eee-84d2-91eb673d21e8",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1663314823",
"to_ids": true,
"type": "domain",
"uuid": "d0503326-d321-4b8f-9da1-52523753c9be",
"value": "fuckeryoumm.nmb.bet"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "port",
"timestamp": "1663314823",
"to_ids": false,
"type": "port",
"uuid": "2951201a-f6a3-4ce1-ae99-0c8566ded0b5",
"value": "53"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "port",
"timestamp": "1663314823",
"to_ids": false,
"type": "port",
"uuid": "93c72a1c-7353-4584-af9a-a200ccf9fdd1",
"value": "443"
}
]
},
{
"comment": "",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "11",
"timestamp": "1663314860",
"uuid": "f4a77dc9-c4fe-44ae-b2a8-abb86e702620",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1663314860",
"to_ids": true,
"type": "domain",
"uuid": "f5e30d9e-184f-4578-b8b1-eb14d8b9afe6",
"value": "tcp.wy01.com"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "port",
"timestamp": "1663314860",
"to_ids": false,
"type": "port",
"uuid": "aece0e7f-912a-430e-86d2-5cbbfd37d28f",
"value": "53"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "port",
"timestamp": "1663314860",
"to_ids": false,
"type": "port",
"uuid": "4cd0fe41-ddf5-4892-8e7b-9588f4267c04",
"value": "443"
}
]
},
{
"comment": "",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "11",
"timestamp": "1663314903",
"uuid": "78707362-c5b2-45a7-95ad-2efe99a644fb",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1663314903",
"to_ids": true,
"type": "domain",
"uuid": "e4fcc0ef-91dc-4fa5-aa05-436f5420a9ce",
"value": "tools.daji8.me"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "port",
"timestamp": "1663314903",
"to_ids": false,
"type": "port",
"uuid": "28c5f591-e1ad-435e-abc8-9f06b9b3a77c",
"value": "53"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "port",
"timestamp": "1663314903",
"to_ids": false,
"type": "port",
"uuid": "20bed43b-84d7-44a5-8d00-115d29561200",
"value": "443"
}
]
},
{
"comment": "",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "11",
"timestamp": "1663314943",
"uuid": "b39459cd-43fb-41e4-932b-7a61bba34077",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1663314943",
"to_ids": true,
"type": "domain",
"uuid": "350fe8fa-7f19-4f75-8f5b-11ffeff8290a",
"value": "a2.fafafazq.com"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "port",
"timestamp": "1663314943",
"to_ids": false,
"type": "port",
"uuid": "a1a9c125-5126-44d5-b590-9c09a398f018",
"value": "80"
}
]
},
{
"comment": "",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "11",
"timestamp": "1663314981",
"uuid": "8b8727a9-3787-49bf-9d8d-45f0118e360f",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1663314981",
"to_ids": true,
"type": "domain",
"uuid": "b7fcf5f6-afac-499f-ac1a-ee1f4e5c59e9",
"value": "tho.pad62.com"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "port",
"timestamp": "1663314981",
"to_ids": false,
"type": "port",
"uuid": "2ea6419c-2fb6-45e1-bd27-457b97826edc",
"value": "443"
}
]
},
{
"comment": "",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "11",
"timestamp": "1663315805",
"uuid": "490e7061-2f24-4e48-bc84-a5f6b2ff5e0a",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1663315805",
"to_ids": true,
"type": "domain",
"uuid": "88177418-9747-478f-9978-c2b46623268e",
"value": "tank.hja63.com"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "port",
"timestamp": "1663315805",
"to_ids": false,
"type": "port",
"uuid": "7257ec94-1536-4691-8fb8-85e617195599",
"value": "53"
}
]
},
{
"comment": "",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "11",
"timestamp": "1663315847",
"uuid": "280fce1c-d0c4-47bc-992f-bf6bbeb19c6c",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1663315847",
"to_ids": true,
"type": "domain",
"uuid": "6f5e0368-ec91-423a-be88-9443d18e7009",
"value": "wps.daj8.me"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "port",
"timestamp": "1663315847",
"to_ids": false,
"type": "port",
"uuid": "f71117ba-95d0-408f-bc16-fee0329f496a",
"value": "53"
}
]
},
{
"comment": "",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "11",
"timestamp": "1663316103",
"uuid": "2b06c34b-fdf7-4b02-ab24-f79128695597",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1663316103",
"to_ids": true,
"type": "domain",
"uuid": "b8ba21bf-414b-4a42-97af-57a2e8343beb",
"value": "wpsup.daj8.me"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "port",
"timestamp": "1663316103",
"to_ids": false,
"type": "port",
"uuid": "3d41ff1d-1fd4-4995-81f7-99fc1113a674",
"value": "443"
}
]
},
{
"comment": "",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "11",
"timestamp": "1663316185",
"uuid": "11ca6866-3639-455e-b9e9-b06a4deaae8f",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1663316186",
"to_ids": true,
"type": "domain",
"uuid": "d2626d40-f4df-47a4-8169-dcd3f23c0c01",
"value": "tools.googleupdateinfo.com"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "port",
"timestamp": "1663316186",
"to_ids": false,
"type": "port",
"uuid": "39d011d4-1898-45a7-b5c7-709a43de2595",
"value": "53"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "port",
"timestamp": "1663316186",
"to_ids": false,
"type": "port",
"uuid": "6a237e3c-af37-4070-abf0-d9637adeaf58",
"value": "443"
}
]
},
{
"comment": "",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "11",
"timestamp": "1663316210",
"uuid": "fafaefad-c986-458f-8e09-c812fbd0d27d",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1663316210",
"to_ids": true,
"type": "domain",
"uuid": "23273ab0-438d-4e97-86a9-76fbc7c14809",
"value": "fly.pad62.com"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "port",
"timestamp": "1663316210",
"to_ids": false,
"type": "port",
"uuid": "e401fc62-52a9-4686-a589-ed8806654c2e",
"value": "443"
}
]
},
{
"comment": "",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "11",
"timestamp": "1663316740",
"uuid": "6e175efb-7b29-4b98-98db-a45c18f92e98",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1663316740",
"to_ids": true,
"type": "domain",
"uuid": "26afb7c7-5951-4a19-b2b4-b2a93f4993b4",
"value": "tho.hja63.com"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "port",
"timestamp": "1663316740",
"to_ids": false,
"type": "port",
"uuid": "fd912afd-58a9-4852-aecb-1b86acde3ed7",
"value": "53"
}
]
},
{
"comment": "",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "11",
"timestamp": "1663316756",
"uuid": "aa5ebe67-22fb-4542-9858-c8347fb6c41d",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1663316756",
"to_ids": true,
"type": "domain",
"uuid": "c8e06a65-fba9-4171-8424-a50aa4ef097e",
"value": "helpdesk.lnip.org"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "port",
"timestamp": "1663316756",
"to_ids": false,
"type": "port",
"uuid": "30c46420-d28f-4da1-806d-f13503a3070b",
"value": "443"
}
]
},
{
"comment": "",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "11",
"timestamp": "1663316941",
"uuid": "cd2257ac-e898-4004-823b-9cac01f267b2",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1663316941",
"to_ids": true,
"type": "domain",
"uuid": "f9d46691-2c78-4963-879e-a878e43e13a5",
"value": "www.trendmicro-update.org"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "port",
"timestamp": "1663316941",
"to_ids": false,
"type": "port",
"uuid": "91904272-79b8-4350-bfbb-a6a60a097d9d",
"value": "443"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "port",
"timestamp": "1663316941",
"to_ids": false,
"type": "port",
"uuid": "de3d25c5-754d-40c4-a311-853980407a64",
"value": "80"
}
]
},
{
"comment": "",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "11",
"timestamp": "1663317647",
"uuid": "f75e073a-0849-41d7-ad58-c45079f4cc35",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1663317647",
"to_ids": true,
"type": "domain",
"uuid": "727ecd91-0501-4a52-a8e5-f15a92c5ef69",
"value": "fuckchina.govnb.com"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "port",
"timestamp": "1663317647",
"to_ids": false,
"type": "port",
"uuid": "738e6c0a-f9ee-40e2-b63e-e7fe1609867e",
"value": "53"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "port",
"timestamp": "1663317647",
"to_ids": false,
"type": "port",
"uuid": "fb27a837-131e-41df-a5f6-56408c46cded",
"value": "80"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "port",
"timestamp": "1663317647",
"to_ids": false,
"type": "port",
"uuid": "1cc553bc-aa58-4d7b-95b3-1fc62f2e0a27",
"value": "443"
}
]
},
{
"comment": "",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "11",
"timestamp": "1663317831",
"uuid": "94a0eb25-b7b3-4a52-9000-cffd4c3279ea",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1663317831",
"to_ids": true,
"type": "domain",
"uuid": "b0e31727-df07-4e6f-98fe-95c8f4ef49ac",
"value": "wmi.ns01.us"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "port",
"timestamp": "1663317831",
"to_ids": false,
"type": "port",
"uuid": "93bad8fd-afd1-428c-8b9e-ce53f0d85723",
"value": "80"
}
]
},
{
"comment": "",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "11",
"timestamp": "1663317848",
"uuid": "18891997-ef58-4b19-9d1d-096bb84d4748",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1663317848",
"to_ids": true,
"type": "domain",
"uuid": "0336610b-cfea-4dcc-9fc2-64a9d1e107ca",
"value": "services.darkhero.org"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "port",
"timestamp": "1663317848",
"to_ids": false,
"type": "port",
"uuid": "7fea11f9-3634-4bb5-b3ee-660dcfa71c33",
"value": "443"
}
]
},
{
"comment": "",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "11",
"timestamp": "1663317873",
"uuid": "eb9c4f38-26f9-470d-bfbd-d22cc5b3cdaf",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1663317873",
"to_ids": true,
"type": "domain",
"uuid": "fc9331a6-d4ed-497b-8501-f88d1c4d50b7",
"value": "microsafes.no-ip.org"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "port",
"timestamp": "1663317873",
"to_ids": false,
"type": "port",
"uuid": "1eee8de3-dbc8-4bc7-aa60-69db3c570445",
"value": "53"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "port",
"timestamp": "1663317873",
"to_ids": false,
"type": "port",
"uuid": "bf2f251d-9e9c-4019-8836-2c1b7e625c43",
"value": "443"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "port",
"timestamp": "1663317873",
"to_ids": false,
"type": "port",
"uuid": "5bda8551-ba11-404a-9861-525a0e4079c5",
"value": "80"
}
]
},
{
"comment": "",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "11",
"timestamp": "1663318826",
"uuid": "94c437ca-4c06-484d-8b86-666dfbebfa50",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1663318826",
"to_ids": true,
"type": "domain",
"uuid": "bb2bdce0-7d69-4b48-a367-2db2178c2042",
"value": "wmi.ns01.us"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "port",
"timestamp": "1663318826",
"to_ids": false,
"type": "port",
"uuid": "d3bf56b3-aabe-4da8-a953-d61d5d214d87",
"value": "12345"
}
]
},
{
"comment": "",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "11",
"timestamp": "1663318844",
"uuid": "0c55a859-96d7-461f-9082-891a7ec1e105",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1663318844",
"to_ids": true,
"type": "domain",
"uuid": "3e476ecb-6086-471b-ac6f-b8589e10b7e3",
"value": "kr.942m.com"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "port",
"timestamp": "1663318844",
"to_ids": false,
"type": "port",
"uuid": "866d8723-56fb-4b5e-a231-2dbd8ca3bb74",
"value": "53"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "port",
"timestamp": "1663318844",
"to_ids": false,
"type": "port",
"uuid": "1fb2bf12-f0fa-4521-8db4-1e84b34c82fd",
"value": "80"
}
]
},
{
"comment": "",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "11",
"timestamp": "1663318859",
"uuid": "91745102-7414-4d15-ad43-b860560d026b",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1663318859",
"to_ids": true,
"type": "domain",
"uuid": "209bc090-fd74-44f2-90d9-32c6db46ce8d",
"value": "www.92al.com"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "port",
"timestamp": "1663318859",
"to_ids": false,
"type": "port",
"uuid": "c9874311-be80-41c3-9baf-4aab13bdad6e",
"value": "53"
}
]
},
{
"comment": "",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "11",
"timestamp": "1663318878",
"uuid": "e8088873-f67c-4a24-94f6-d6b3841d0ca0",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1663318878",
"to_ids": true,
"type": "domain",
"uuid": "128ec8c1-e380-43b6-8c00-e145803a4e22",
"value": "101.55.29.17"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "port",
"timestamp": "1663318878",
"to_ids": false,
"type": "port",
"uuid": "8e8e3476-f969-406a-8c1b-3cc3d984e70f",
"value": "80"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1663319679",
"uuid": "2c3d4d34-115e-4565-a9d3-1c13c7cb240d",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "reference",
"timestamp": "1663319679",
"to_ids": false,
"type": "link",
"uuid": "06b4f0d4-2c1a-42e4-81b6-d12f8a369570",
"value": "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1663319680",
"to_ids": true,
"type": "yara",
"uuid": "b197be37-7a16-4400-bea6-a9a3f8a665cd",
"value": "rule win_x86_backdoor_plug_x_shellcode_loader_dll {\r\nmeta:\r\nauthor = \"Felipe Duarte, Security Joes\"\r\ndescription = \"Detects the PlugX Shellcode Loader DLL for 32 bits systems\"\r\nsha256_reference = \"5304d00250196a8cd5e9a81e053a886d1a291e4615484e49ff537bebecc13976\"\r\nstrings:\r\n// Code to set memory protections and launch shellcode\r\n$opcode1 = { 8d ?? ?? 5? 6a 20 68 00 00 10 00 5? ff 15 ?? ?? ?? ?? 85 ?? 75 ?? 6a 43 e8 ?? ?? ?? ?? 83 c? ?? ff d? 3d ?? ?? ?? ?? 7d ?? 85 ?? 74 ?? 6a 4a e8 ?? ?? ?? ?? 83 c? ?? }\r\n// Strings required to resolve dependencies to load and execute the shellcode\r\n$str1 = \"kernel32\" nocase\r\n$str2 = \"GetModuleFileNameW\"\r\n$str3 = \"CreateFileW\"\r\n$str4 = \"VirtualAlloc\"\r\n$str5 = \"ReadFile\"\r\n$str6 = \"VirtualProtect\"\r\ncondition:\r\nall of them\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1663319680",
"to_ids": false,
"type": "text",
"uuid": "b07916ad-ec24-47e5-9f18-ea5ea4c7d929",
"value": "win_x86_backdoor_plug_x_shellcode_loader_dll"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1663319882",
"uuid": "ede7431e-a02b-475e-9141-68e2834659bd",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "reference",
"timestamp": "1663319882",
"to_ids": false,
"type": "link",
"uuid": "8b30ab4a-ee7e-487b-ac8e-362a7a345d7c",
"value": "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1663319882",
"to_ids": true,
"type": "yara",
"uuid": "d809b696-9de2-42cd-a174-dfba28fca044",
"value": "rule win_x64_backdoor_plug_x_shellcode_loader_dll {\r\nmeta:\r\nauthor = \"Felipe Duarte, Security Joes\"\r\ndescription = \"Detects the PlugX Shellcode Loader DLL for 64 bits systems\"\r\nsha256_reference = \"6b8ae6f01ab31243a5176c9fd14c156e9d5c139d170115acb87e1bc65400d54f\"\r\nstrings:\r\n// Code to get the file name of the current module and replace its extension with .dat\r\n$opcode1 = { 4? 8d 1d ?? ?? ?? ?? 41 b8 00 20 00 00 33 c9 4? 8b d3 ff d0 4? 8b cb 89 44 ?? ?? ff 15 ?? ?? ?? ?? b9 64 00 00 00 8d 50 fd 33 f6 66 89 0c ?? 8d 50 fe b9 61 00 00 00 66 89 0c ?? 8d 50 ff 8b c0 66 89 34 ?? 4? 8b 05 ?? ?? ?? ?? b9 74 00 00 00 66 89 0c ?? 4? 85 c0 75 ?? 4? 8b 05 ?? ?? ?? ?? 4? 85 c0 75 ?? 4? 8d 0d ?? ?? ?? ?? ff 15 ?? ?? ?? ?? 4? 89 05 ?? ?? ?? ?? }\r\n// Code to set memory protections and launch shellcode\r\n$opcode2 = { 4? 8d 4c ?? ?? ba 00 00 10 00 41 b8 40 00 00 00 4? 8b cb ff d0 85 c0 74 ?? ff d3 83 c9 ff ff 15 ?? ?? ?? ?? }\r\n// Strings required to resolve dependencies to load and execute the shellcode\r\n$str1 = \"kernel32\" nocase\r\n$str2 = \"GetModuleFileNameW\"\r\n$str3 = \"CreateFileW\"\r\n$str4 = \"VirtualAlloc\"\r\n$str5 = \"ReadFile\"\r\n$str6 = \"VirtualProtect\"\r\ncondition:\r\nall of them\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1663319882",
"to_ids": false,
"type": "text",
"uuid": "16a737ec-5cb4-4327-b5b2-1e212c0b0db0",
"value": "win_x64_backdoor_plug_x_shellcode_loader_dll"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1663329579",
"uuid": "499a5e1e-3338-4d68-8e26-627ca59696d1",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "reference",
"timestamp": "1663329579",
"to_ids": false,
"type": "link",
"uuid": "1722c73d-51ef-41f2-aa6c-338a8fd85159",
"value": "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1663329579",
"to_ids": true,
"type": "yara",
"uuid": "4595a5c5-3f9c-4775-acb4-7802b526d57c",
"value": "rule win_x86_backdoor_plug_x_shellcode {\r\nmeta:\r\nauthor = \"Felipe Duarte, Security Joes\"\r\ndescription = \"Detects the PlugX Shellcode for 32 bits systems\"\r\nsha256_reference = \"07ed636049be7bc31fb404da9cf12cff6af01d920ec245b4e087049bd9b5488d\"\r\nstrings:\r\n// Code of the decryption routine\r\n$opcode1 = { 8b ?? c1 e? 03 8d ?? ?? ?? ?? ?? ?? 8b ?? c1 e? 05 8d ?? ?? ?? ?? ?? ?? 8b ?? ?? c1 e? 07 b? 33 33 33 33 2b ?? 01 ?? ?? 8b ?? ?? c1 e? 09 b? 44 44 44 44 2b ?? 01 ?? ?? 8b ?? ?? 8d ?? ?? 02 ?? ?? 02 ?? ?? 32 ?? ?? 88 ?? 4? 4? 75 ?? }\r\n// Stack strings for VirtualAlloc\r\n$opcode2 = { c7 8? ?? ?? ?? ?? 56 69 72 74 c7 8? ?? ?? ?? ?? 75 61 6c 41 c7 8? ?? ?? ?? ?? 6c 6c 6f 63 88 ?? ?? ?? ?? ?? ff d? }\r\ncondition:\r\nall of them\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1663329579",
"to_ids": false,
"type": "text",
"uuid": "9ce13a3d-7769-44fb-bfe0-fec46600bce1",
"value": "win_x86_backdoor_plug_x_shellcode"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1663329605",
"uuid": "c70e2d31-eabf-44c0-8c1a-82bc325f4e33",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "reference",
"timestamp": "1663329605",
"to_ids": false,
"type": "link",
"uuid": "cf38a26e-ea4d-49b7-8644-0de1f3d01825",
"value": "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1663329605",
"to_ids": true,
"type": "yara",
"uuid": "e94b9835-d440-4f88-adec-3dcb7e4ce7c4",
"value": "rule win_x64_backdoor_plug_x_shellcode {\r\nmeta:\r\nauthor = \"Felipe Duarte, Security Joes\"\r\ndescription = \"Detects the PlugX Shellcode for 64 bits systems\"\r\nsha256_reference = \"07ed636049be7bc31fb404da9cf12cff6af01d920ec245b4e087049bd9b5488d\"\r\nstrings:\r\n// Code of the decryption routine\r\n$opcode1 = { 41 8b ?? 41 8b ?? c1 e? 03 c1 e? 07 45 8d ?? ?? ?? ?? ?? ?? 41 8b ?? c1 e? 05 45 8d ?? ?? ?? ?? ?? ?? b? 33 33 33 33 2b ?? 41 8b ?? 44 03 ?? c1 e? 09 b? 44 44 44 44 2b ?? 44 03 ?? 43 8d ?? ?? 41 02 ?? 41 02 ?? 32 ?? ?? 88 ?? 4? ff c? 4? ff c? }\r\n// Stack strings for VirtualAlloc\r\n$opcode2 = { c6 4? ?? 56 c6 4? ?? 69 c6 4? ?? 72 c6 4? ?? 74 c6 4? ?? 75 c6 4? ?? 61 c6 4? ?? 6c c6 4? ?? 41 c6 4? ?? 6c c6 4? ?? 6c c6 4? ?? 6f c6 4? ?? 63 }\r\ncondition:\r\nall of them\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1663329605",
"to_ids": false,
"type": "text",
"uuid": "f53a6157-3974-4f3c-9e76-42d8efd670f0",
"value": "win_x64_backdoor_plug_x_shellcode"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1663329630",
"uuid": "d407664d-4edc-4a0f-a6a5-3b69cd898fda",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "reference",
"timestamp": "1663329630",
"to_ids": false,
"type": "link",
"uuid": "3f7b2114-86c7-4107-bcec-d0a8309c9272",
"value": "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1663329630",
"to_ids": true,
"type": "yara",
"uuid": "c53e3631-b5b3-432e-b79d-517ee8046ab7",
"value": "rule win_x86_backdoor_plug_x_uac_bypass {\r\nmeta:\r\nauthor = \"Felipe Duarte, Security Joes\"\r\ndescription = \"Detects the PlugX UAC Bypass DLL for 32 bits systems\"\r\nsha256_reference = \"9d51427f4f5b9f34050a502df3fbcea77f87d4e8f0cef29b05b543db03276e06\"\r\nstrings:\r\n// Main loop\r\n$opcode1 = { 0f b7 ?? ?? ?? ?? ?? ?? 4? 66 85 ?? 75 ?? 8d ?? ?? ?? ?? ?? ?? 66 83 3? 00 74 ?? 5? e8 ?? ?? ?? ?? 5? c3 }\r\n$str1 = \"kernel32\" nocase\r\n$str2 = \"GetCommandLineW\"\r\n$str3 = \"CreateProcessW\"\r\n$str4 = \"GetCurrentProcess\"\r\n$str5 = \"TerminateProcess\"\r\ncondition:\r\nall of them\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1663329630",
"to_ids": false,
"type": "text",
"uuid": "53b9d375-4499-4ce5-b367-e47df190e699",
"value": "win_x86_backdoor_plug_x_uac_bypass"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1663335573",
"uuid": "7576bd3a-8305-4743-8fba-459fe5f29bd4",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "reference",
"timestamp": "1663334341",
"to_ids": false,
"type": "link",
"uuid": "aebd30d7-0667-49e4-bb46-df88af22dc78",
"value": "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1663335573",
"to_ids": true,
"type": "yara",
"uuid": "f3958c22-6a1b-47ec-b181-92d55df3655c",
"value": "rule win_x86_backdoor_plug_x_core {\r\nmeta:\r\nauthor = \"Felipe Duarte, Security Joes\"\r\ndescription = \"Detects the PlugX Core DLL for 32 bits systems\"\r\nsha256_reference = \"fde1a930c6b12d7b00b6e95d52ce1b6536646a903713b1d3d37dc1936da2df88\"\r\nstrings:\r\n// Decryption routine\r\n$opcode1 = { 8b ?? ?? 8b ?? c1 e? 03 8d ?? ?? ?? ?? ?? ?? 8b ?? c1 e? 05 8d ?? ?? ?? ?? ?? ?? 8b ?? c1 e? 07 b? 33 33 33 33 2b ?? 8b ?? ?? 03 ?? c1 e? 09 b? 44 44 44 44 2b ?? 01 ?? ?? 8d ?? ?? 02 ?? 02 ?? ?? 89 ?? ?? 8b 5? ?? 32 ?? 32 4? ff 4? ?? 88 ?? ?? 75 ?? 5? }\r\n$str1 = \"Mozilla/4.0 (compatible; MSIE \" wide ascii\r\n$str2 = \"X-Session\" ascii\r\n$str3 = \"Software\\\\CLASSES\\\\FAST\" wide ascii\r\n$str4 = \"KLProc\"\r\n$str5 = \"OlProcManager\"\r\n$str6 = \"JoProcBroadcastRecv\"\r\ncondition:\r\nall of them\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1663334341",
"to_ids": false,
"type": "text",
"uuid": "74634ba0-03a5-424c-a490-1260ac397462",
"value": "win_x86_backdoor_plug_x_core"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1663335563",
"uuid": "8dbdca17-8051-4e32-b345-f5653f52c92c",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "reference",
"timestamp": "1663334437",
"to_ids": false,
"type": "link",
"uuid": "dc8753cf-01ed-4a69-a2ae-f684b63ab951",
"value": "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1663335563",
"to_ids": true,
"type": "yara",
"uuid": "eb541abb-c34a-48c6-969d-9f1f663ba4c7",
"value": "rule win_x64_backdoor_plug_x_uac_bypass {\r\nmeta:\r\nauthor = \"Felipe Duarte, Security Joes\"\r\ndescription = \"Detects the PlugX UAC Bypass DLL for 64 bits systems\"\r\nsha256_reference = \"547b605673a2659fe2c8111c8f0c3005c532cab6b3ba638e2cdcd52fb62296d3\"\r\nstrings:\r\n// 360tray.exe stack strings\r\n$opcode1 = { 4? 83 e? 48 b? 33 00 00 00 4? 8d ?? ?? ?? c7 44 ?? ?? 2e 00 65 00 66 89 ?? ?? ?? b? 36 00 00 00 c7 44 ?? ?? 78 00 65 00 66 89 ?? ?? ?? b? 30 00 00 00 66 89 ?? ?? ?? b? 74 00 00 00 66 89 ?? ?? ?? b? 72 00 00 00 66 89 ?? ?? ?? b? 61 00 00 00 66 89 ?? ?? ?? b? 79 00 00 00 66 89 ?? ?? ?? 33 ?? 66 89 ?? ?? ?? e8 ?? ?? ?? ?? }\r\n$str1 = \"Elevation:Administrator!new:%s\" wide ascii\r\n$str2 = \"{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\" wide ascii\r\n$str3 = \"{6EDD6D74-C007-4E75-B76A-E5740995E24C}\" wide ascii\r\n$str4 = \"CLSIDFromString\"\r\n$str5 = \"CoGetObject\"\r\ncondition:\r\nall of them\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1663334437",
"to_ids": false,
"type": "text",
"uuid": "76b18db5-0b25-4c72-a198-9e5f06f707e2",
"value": "win_x64_backdoor_plug_x_uac_bypass"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1663335585",
"uuid": "a7da47b6-95d0-4027-b63b-fef3d59265ef",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "reference",
"timestamp": "1663335470",
"to_ids": false,
"type": "link",
"uuid": "c6ac2ad2-dc49-45d5-9594-5ce91e2660d8",
"value": "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1663335585",
"to_ids": true,
"type": "yara",
"uuid": "0ccdbb66-547e-45cb-9952-820f1697631e",
"value": "rule win_x64_backdoor_plug_x_core {\r\nmeta:\r\nauthor = \"Felipe Duarte, Security Joes\"\r\ndescription = \"Detects the PlugX Core DLL for 64 bits systems\"\r\nsha256_reference = \"af9cb318c4c28d7030f62a62f561ff612a9efb839c6934ead0eb496d49f73e03\"\r\nstrings:\r\n// Decryption routine\r\n$opcode1 = { 41 8b ?? 8b ?? 4? ff c? c1 e? 03 c1 e? 07 45 8d ?? ?? ?? ?? ?? ?? 41 8b ?? c1 e? 05 45 8d ?? ?? ?? ?? ?? ?? b? 33 33 33 33 2b ?? 8b ?? 03 ?? c1 e? 09 b? 44 44 44 44 2b ?? 03 ?? 43 8d ?? ?? 02 ?? 40 02 ?? 43 32 ?? ?? ?? 4? ff c? 41 88 ?? ?? 75 ?? }\r\n$str1 = \"Mozilla/4.0 (compatible; MSIE \" wide ascii\r\n$str2 = \"X-Session\" wide ascii\r\n$str3 = \"Software\\\\CLASSES\\\\FAST\" wide ascii\r\n$str4 = \"KLProc\"\r\n$str5 = \"OlProcManager\"\r\n$str6 = \"JoProcBroadcastRecv\"\r\ncondition:\r\nall of them\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1663335470",
"to_ids": false,
"type": "text",
"uuid": "ba11fdcd-b116-4f11-b98a-79f72303af31",
"value": "win_x64_backdoor_plug_x_core"
}
]
}
]
}
}