adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/5eeec9aa-9d88-4ece-9e6f-9d92884ae404.json

931 lines
782 KiB
JSON
Raw Normal View History

chg: [misp-stix] STIX 2.1 export added
2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--5eeec9aa-9d88-4ece-9e6f-9d92884ae404",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-19T09:49:23.000Z",
"modified": "2022-09-19T09:49:23.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5eeec9aa-9d88-4ece-9e6f-9d92884ae404",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-19T09:49:23.000Z",
"modified": "2022-09-19T09:49:23.000Z",
"name": "Dissecting PlugX to Extract Its Crown Jewels",
"published": "2022-09-19T09:51:24Z",
"object_refs": [
"indicator--2a896148-0562-464f-bd45-6acf246f12c3",
"indicator--d851b765-c352-4784-8d88-b9ad47648410",
"x-misp-object--37755261-1df4-47c4-b620-775323431ea0",
"indicator--45516e32-4f9c-4eee-84d2-91eb673d21e8",
"indicator--f4a77dc9-c4fe-44ae-b2a8-abb86e702620",
"indicator--78707362-c5b2-45a7-95ad-2efe99a644fb",
"indicator--b39459cd-43fb-41e4-932b-7a61bba34077",
"indicator--8b8727a9-3787-49bf-9d8d-45f0118e360f",
"indicator--490e7061-2f24-4e48-bc84-a5f6b2ff5e0a",
"indicator--280fce1c-d0c4-47bc-992f-bf6bbeb19c6c",
"indicator--2b06c34b-fdf7-4b02-ab24-f79128695597",
"indicator--11ca6866-3639-455e-b9e9-b06a4deaae8f",
"indicator--fafaefad-c986-458f-8e09-c812fbd0d27d",
"indicator--6e175efb-7b29-4b98-98db-a45c18f92e98",
"indicator--aa5ebe67-22fb-4542-9858-c8347fb6c41d",
"indicator--cd2257ac-e898-4004-823b-9cac01f267b2",
"indicator--f75e073a-0849-41d7-ad58-c45079f4cc35",
"indicator--94a0eb25-b7b3-4a52-9000-cffd4c3279ea",
"indicator--18891997-ef58-4b19-9d1d-096bb84d4748",
"indicator--eb9c4f38-26f9-470d-bfbd-d22cc5b3cdaf",
"indicator--94c437ca-4c06-484d-8b86-666dfbebfa50",
"indicator--0c55a859-96d7-461f-9082-891a7ec1e105",
"indicator--91745102-7414-4d15-ad43-b860560d026b",
"indicator--e8088873-f67c-4a24-94f6-d6b3841d0ca0",
"indicator--2c3d4d34-115e-4565-a9d3-1c13c7cb240d",
"indicator--ede7431e-a02b-475e-9141-68e2834659bd",
"indicator--499a5e1e-3338-4d68-8e26-627ca59696d1",
"indicator--c70e2d31-eabf-44c0-8c1a-82bc325f4e33",
"indicator--d407664d-4edc-4a0f-a6a5-3b69cd898fda",
"indicator--7576bd3a-8305-4743-8fba-459fe5f29bd4",
"indicator--8dbdca17-8051-4e32-b345-f5653f52c92c",
"indicator--a7da47b6-95d0-4027-b63b-fef3d59265ef"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:microsoft-activity-group=\"GALLIUM\"",
"misp-galaxy:mitre-enterprise-attack-intrusion-set=\"DragonOK - G0017\"",
"misp-galaxy:mitre-intrusion-set=\"DragonOK - G0017\"",
"misp-galaxy:mitre-intrusion-set=\"Mustang Panda - G0129\"",
"misp-galaxy:threat-actor=\"DragonOK\"",
"misp-galaxy:threat-actor=\"Earth Berberoka\"",
"misp-galaxy:threat-actor=\"GALLIUM\"",
"misp-galaxy:threat-actor=\"Mustang Panda\"",
"misp-galaxy:mitre-enterprise-attack-malware=\"Winnti - S0141\"",
"misp-galaxy:threat-actor=\"Axiom\"",
"misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Winnti Group - G0044\"",
"misp-galaxy:mitre-intrusion-set=\"Winnti Group - G0044\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\"",
"osint:source-type=\"technical-report\"",
"misp-galaxy:malpedia=\"PlugX\"",
"misp-galaxy:mitre-enterprise-attack-malware=\"PlugX - S0013\"",
"misp-galaxy:mitre-malware=\"PlugX - S0013\"",
"misp-galaxy:rat=\"PlugX\"",
"misp-galaxy:tool=\"PlugX\"",
"misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1192\"",
"misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1566.002\"",
"misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\"",
"misp-galaxy:mitre-attack-pattern=\"Visual Basic - T1059.005\"",
"misp-galaxy:mitre-attack-pattern=\"Component Object Model - T1559.001\"",
"misp-galaxy:mitre-attack-pattern=\"Service Execution - T1569.002\"",
"misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
"misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
"misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1060\"",
"misp-galaxy:mitre-attack-pattern=\"Windows Service - T1543.003\"",
"misp-galaxy:mitre-attack-pattern=\"Bypass User Account Control - T1088\"",
"misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
"misp-galaxy:mitre-attack-pattern=\"Hidden Files and Directories - T1564.001\"",
"misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"",
"misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1073\"",
"misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"",
"misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"",
"misp-galaxy:mitre-attack-pattern=\"Masquerade Task or Service - T1036.004\"",
"misp-galaxy:mitre-attack-pattern=\"Match Legitimate Name or Location - T1036.005\"",
"misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"",
"misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
"misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\"",
"misp-galaxy:mitre-attack-pattern=\"Software Packing - T1045\"",
"misp-galaxy:mitre-attack-pattern=\"Process Hollowing - T1055.012\"",
"misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
"misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"",
"misp-galaxy:mitre-attack-pattern=\"Inter-Process Communication - T1559\"",
"misp-galaxy:mitre-attack-pattern=\"System Services - T1569\"",
"misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
"misp-galaxy:mitre-attack-pattern=\"Boot or Logon Autostart Execution - T1547\"",
"misp-galaxy:mitre-attack-pattern=\"Create or Modify System Process - T1543\"",
"misp-galaxy:mitre-attack-pattern=\"Abuse Elevation Control Mechanism - T1548\"",
"misp-galaxy:mitre-attack-pattern=\"Hijack Execution Flow - T1574\"",
"misp-galaxy:mitre-attack-pattern=\"Hide Artifacts - T1564\"",
"misp-galaxy:mitre-attack-pattern=\"Impair Defenses - T1562\"",
"misp-galaxy:mitre-attack-pattern=\"Indicator Removal on Host - T1070\"",
"misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"",
"misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
"misp-galaxy:mitre-attack-pattern=\"Network Service Discovery - T1046\"",
"misp-galaxy:mitre-attack-pattern=\"Network Share Discovery - T1135\"",
"misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"",
"misp-galaxy:mitre-attack-pattern=\"Query Registry - T1012\"",
"misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\"",
"misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
"misp-galaxy:mitre-attack-pattern=\"System Network Connections Discovery - T1049\"",
"misp-galaxy:mitre-attack-pattern=\"System Service Discovery - T1007\"",
"misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\"",
"misp-galaxy:mitre-attack-pattern=\"Remote Services - T1021\"",
"misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\"",
"misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1076\"",
"misp-galaxy:mitre-attack-pattern=\"Automated Collection - T1119\"",
"misp-galaxy:mitre-attack-pattern=\"Clipboard Data - T1115\"",
"misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"",
"misp-galaxy:mitre-attack-pattern=\"Input Capture - T1056\"",
"misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"",
"misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"",
"misp-galaxy:mitre-attack-pattern=\"Data Encoding - T1132\"",
"misp-galaxy:mitre-attack-pattern=\"Data Obfuscation - T1001\"",
"misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"",
"misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
"misp-galaxy:mitre-attack-pattern=\"Non-Application Layer Protocol - T1095\"",
"misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"",
"misp-galaxy:mitre-attack-pattern=\"External Proxy - T1090.002\"",
"misp-galaxy:mitre-attack-pattern=\"Protocol Impersonation - T1001.003\"",
"misp-galaxy:mitre-attack-pattern=\"Standard Encoding - T1132.001\"",
"misp-galaxy:mitre-attack-pattern=\"Symmetric Cryptography - T1573.001\"",
"misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--2a896148-0562-464f-bd45-6acf246f12c3",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-19T09:49:02.000Z",
"modified": "2022-09-19T09:49:02.000Z",
"pattern": "[file:name = '\\\\%WINDIR\\\\%\\\\System32\\\\sysprep\\\\cryptbase.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-19T09:49:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d851b765-c352-4784-8d88-b9ad47648410",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-19T09:49:23.000Z",
"modified": "2022-09-19T09:49:23.000Z",
"pattern": "[file:name = '\\\\%WINDIR\\\\%\\\\System32\\\\sysprep\\\\sysprep.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-19T09:49:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--37755261-1df4-47c4-b620-775323431ea0",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-15T14:01:57.000Z",
"modified": "2022-09-15T14:01:57.000Z",
"labels": [
"misp:name=\"report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "link",
"value": "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf",
"category": "External analysis",
"uuid": "e00bf389-9c2c-4ebc-bb23-3435bec0e7b9"
},
{
"type": "text",
"object_relation": "summary",
"value": "PlugX is a malware family first spotted in 2008. It is a Remote Access Trojan that has been\r\nused by several threat actors and provides them with full control over infected machines. It\r\nhas continually evolved over time, adding new features and functionalities with each\r\niteration. Hence, it is important to keep following and documenting its transformations.",
"category": "Other",
"uuid": "f109f468-e159-4dc3-ba9c-6c9be1d987cc"
},
{
"type": "text",
"object_relation": "type",
"value": "Report",
"category": "Other",
"uuid": "78450e24-65d4-4f80-b648-094c62f8dc27"
},
{
"type": "attachment",
"object_relation": "report-file",
"value": "Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf",
"category": "External analysis",
"uuid": "c0d3c7fb-bdfc-41c3-80ac-4a16fb885ae3",
"data": "JVBERi0xLjcNCiW1tbW1DQoxIDAgb2JqDQo8PC9UeXBlL0NhdGFsb2cvUGFnZXMgMiAwIFIvTGFuZyhlbi1VUykgL1N0cnVjdFRyZWVSb290IDE1MSAwIFIvTWFya0luZm88PC9NYXJrZWQgdHJ1ZT4+L01ldGFkYXRhIDEyMDMgMCBSL1ZpZXdlclByZWZlcmVuY2VzIDEyMDQgMCBSPj4NCmVuZG9iag0KMiAwIG9iag0KPDwvVHlwZS9QYWdlcy9Db3VudCAyNC9LaWRzWyAzIDAgUiAyMCAwIFIgMjcgMCBSIDI5IDAgUiAzMyAwIFIgNDAgMCBSIDQxIDAgUiA0MyAwIFIgNDQgMCBSIDQ2IDAgUiA0NyAwIFIgNDggMCBSIDQ5IDAgUiA1MCAwIFIgNTEgMCBSIDUyIDAgUiA1NSAwIFIgNTcgMCBSIDU5IDAgUiA2MCAwIFIgNjEgMCBSIDYzIDAgUiA2NCAwIFIgNjUgMCBSXSA+Pg0KZW5kb2JqDQozIDAgb2JqDQo8PC9UeXBlL1BhZ2UvUGFyZW50IDIgMCBSL1Jlc291cmNlczw8L0ZvbnQ8PC9GMSA1IDAgUi9GMiA5IDAgUi9GMyAxMSAwIFIvRjQgMTYgMCBSL0Y1IDE4IDAgUj4+L0V4dEdTdGF0ZTw8L0dTNyA3IDAgUi9HUzggOCAwIFI+Pi9YT2JqZWN0PDwvSW1hZ2UxMyAxMyAwIFIvSW1hZ2UxNSAxNSAwIFI+Pi9Qcm9jU2V0Wy9QREYvVGV4dC9JbWFnZUIvSW1hZ2VDL0ltYWdlSV0gPj4vTWVkaWFCb3hbIDAgMCA2MTIgNzkyXSAvQ29udGVudHMgNCAwIFIvR3JvdXA8PC9UeXBlL0dyb3VwL1MvVHJhbnNwYXJlbmN5L0NTL0RldmljZVJHQj4+L1RhYnMvUy9TdHJ1Y3RQYXJlbnRzIDA+Pg0KZW5kb2JqDQo0IDAgb2JqDQo8PC9GaWx0ZXIvRmxhdGVEZWNvZGUvTGVuZ3RoIDg5Mz4+DQpzdHJlYW0NCnicvVjfa9s6FH4P5H84Txd7LLJ+WvYYg7Zpt4wNetfAHZQ9eImaGBI7s1W6/fc7cjN2qaOlScTyYKRI0fd9Pt85kpKcNba8K2YWXr9OzqwtZkszh9tkWm++JNMfG5NcF4uyKmxZV8nN/Vfrvnpnirlp3ryB8/EFfBsOKKHukzMOFFJ86pxDY4aD/15ANRycT4eD5IoBDkzvhgOGkygw0JxQLkFLSTIJ0zVOenujYdHigrDoetm293Y4uI0g/gLT98PBJS7373CwHxcnweXHC0g8Gs9ra+u1X+ZVXduDZfKnMlmeEa1BcaLSTmUnbqtpumxMYWFSWbNaxSMRlQsTj3hUzYzrwT/dc1LFjEazMh7JaO6aprLwKRaRad34pq7ax+lTU6wPfUse2pIJIjIP7WNC8Vwm4ikTQVNCNYj8L9FgAieIR/CM4DCXiqQ5ME2yDGbOp5N1sTBMwLiGIE48KtsypUFmGJ8OUNAcW78h05Rh34kQTMNICuw9zv6fArVV0JGD5NrR+ngxGQM90PUC196V3KnWzkUucBjUBhgRmkl4+GMce2zYqWy2FkppRvKT2fBAbJSkRKlT2YhAbCRGjJ3MRh7OZuemINHNlPUSfly2rZnZslrA9ep+8fm4WtcDFRprXe4DPbjK+FCylDC2GwVGbk0stLPbyNaBACXnRHvfZShZ24gJrDeyX6Ivv9umcHvTzAbCY7kgWvjwQqnimBVS+VAmtoWLpn4I5QzcZalXUhXM5ZIIr6RwLtfdbr0b5b15MKs2EJSi1JXz5wnqlSp18MGO4zy50/uCk1x0DB5HmsWv1ieX3Pg75Q41mNyTI6O5Cx3riaB70W+jUTjIHDeJ7BmQcxPraGPdUXYZqwi6ElBhq3BfrX7EadSWLRTVHO4a406ygGVPRvWx5thFVrC0S6t9ZPc5JT31CvDLJlSgEXpGPbu3y7rBd/DqyBzsXznwnJOlPrx9cvXJNx6EpxgQrYgQPfgrs3IeKDfdRQfG7nlfNNaEEq8pyZgPfZ/4LFCsudRE9i9OY5cHhTWvAonNUwy0F22f2DxUpFlOUt6DvzEba9ZfTRMqsir/A1qw5Em5u7J4UFgwlJzgBdKDIoPlgiKZ8qG8xJqJNZfz49DkUzTuyo4XbbcZbzZF9fueR5MPBZ7to6UZTT7EB7pT9f44wGNVpg/h8xMx6si8DQplbmRzdHJlYW0NCmVuZG9iag0KNSAwIG9iag0KPDwvVHlwZS9Gb250L1N1YnR5cGUvVHJ1ZVR5cGUvTmFtZS9GMS9CYXNlRm9udC9UaW1lc05ld1JvbWFuUFNNVC9FbmNvZGluZy9XaW5BbnNpRW5jb2RpbmcvRm9udERlc2NyaXB0b3IgNiAwIFIvRmlyc3RDaGFyIDMyL0xhc3RDaGFyIDEyMS9XaWR0aHMgMTE3OSAwIFI+Pg0KZW5kb2JqDQo2IDAgb2JqDQo8PC9UeXBlL0ZvbnREZXNjcmlwdG9yL0ZvbnROYW1lL1RpbWVzTmV3Um9tYW5QU01UL0ZsYWdzIDMyL0l0YWxpY0FuZ2xlIDAvQXNjZW50IDg5MS9EZXNjZW50IC0yMTYvQ2FwSGVpZ2h0IDY5My9BdmdXaWR0aCA0MDEvTWF4V2lkdGggMjYxNC9Gb250V2VpZ2h0IDQwMC9YSGVpZ2h0IDI1MC9MZWFkaW5nIDQyL1N0ZW1WIDQwL0ZvbnRCQm94WyAtNTY4IC0yMTYgMjA0NiA2OTNdID4+DQplbmRvYmoNCjcgMCBvYmoNCjw8L1R5cGUvRXh0R1N0YXRlL0JNL05vcm1hbC9jYSAxPj4NCmVuZG9iag0KOCAwIG9iag0KPDwvVHlwZS9FeHRHU3RhdGUvQk0vTm9ybWFsL0NBIDE+Pg0KZW5kb2JqDQo5IDAgb2JqDQo8PC9UeXBlL0ZvbnQvU3VidHlwZS9UcnVlVHlwZS9OYW1lL0YyL0Jhc2VGb250L0JDREVFRStBYmFkaSMyMEV4dHJhIzIwTGlnaHQvRW5jb2RpbmcvV2luQW5zaUVuY29kaW5nL0ZvbnREZXNjcmlwdG9yIDEwIDAgUi9GaXJzdENoYXIgMzIvTGFzdENoYXIgMTIxL1dpZHRocyAxMTgwIDAgUj4+DQplbmRvYmoNCjEwIDAgb2JqDQo8PC9UeXBlL0ZvbnREZXNjcmlwdG9yL0ZvbnROYW1lL0JDREVFRStBYmFkaSMyMEV4dHJhIzIwTGlnaHQvRmxhZ3MgMzIvSXRhbGljQW5nbGUgMC9Bc2NlbnQgOTEzL0Rlc2NlbnQgLTIzMi9DYXBIZWlnaHQgNjg3L0F2Z1dpZHRoIDM5MS9NYXhXaWR0aCAxMTU3L0ZvbnRXZWlnaHQgNDAwL1hIZWlnaHQgMjUwL1N0ZW1WIDM5L0ZvbnRCQm94WyAtNTggLTIzMiAxMDk5IDY4N10gL0ZvbnRGaWxlMiAxMTgxIDAgUj4+DQplbmRvYmoNCjExIDAgb2JqDQo8PC9UeXBlL0ZvbnQvU3VidHlwZS9UcnVlVHlwZS9OYW1lL0YzL0Jhc2VGb250L0JDREZFRStBYmFkaS9FbmNvZGluZy9XaW5BbnNpRW5jb2RpbmcvRm9udERlc2NyaXB0b3IgMTIgMCBSL0ZpcnN0Q2hhciAzMi9MYXN0Q2hhciAxMjIvV2lkdGhzIDExODUgMCBSPj4NCmVuZG9iag0KMTIgMCBvYmoNCjw8L1R5cGUvRm9udERlc2NyaXB0b3IvRm9udE5hbWUvQkNERkVFK0FiYWRpL0ZsYWdzIDMyL0l0YWxpY0FuZ2xlIDAvQXNjZW50IDg4Ny9EZXNjZW50IC0yMjkvQ2FwSGVpZ2h0IDY5My9BdmdXaWR0aCA1MTYvTWF4V2lkdGggMTM0NC9Gb250V2VpZ2h0IDQwMC9YSGVpZ2h0IDI1MC9TdGVtViA1MS9Gb250QkJveFsgLTUwIC0yMjkgMTI5NCA2OTNdIC9Gb250RmlsZTIgMTE4My
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--45516e32-4f9c-4eee-84d2-91eb673d21e8",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-16T07:53:43.000Z",
"modified": "2022-09-16T07:53:43.000Z",
"pattern": "[domain-name:value = 'fuckeryoumm.nmb.bet' AND domain-name:x_misp_port = '53' AND domain-name:x_misp_port = '443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-16T07:53:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--f4a77dc9-c4fe-44ae-b2a8-abb86e702620",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-16T07:54:20.000Z",
"modified": "2022-09-16T07:54:20.000Z",
"pattern": "[domain-name:value = 'tcp.wy01.com' AND domain-name:x_misp_port = '53' AND domain-name:x_misp_port = '443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-16T07:54:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--78707362-c5b2-45a7-95ad-2efe99a644fb",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-16T07:55:03.000Z",
"modified": "2022-09-16T07:55:03.000Z",
"pattern": "[domain-name:value = 'tools.daji8.me' AND domain-name:x_misp_port = '53' AND domain-name:x_misp_port = '443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-16T07:55:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b39459cd-43fb-41e4-932b-7a61bba34077",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-16T07:55:43.000Z",
"modified": "2022-09-16T07:55:43.000Z",
"pattern": "[domain-name:value = 'a2.fafafazq.com' AND domain-name:x_misp_port = '80']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-16T07:55:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--8b8727a9-3787-49bf-9d8d-45f0118e360f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-16T07:56:21.000Z",
"modified": "2022-09-16T07:56:21.000Z",
"pattern": "[domain-name:value = 'tho.pad62.com' AND domain-name:x_misp_port = '443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-16T07:56:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--490e7061-2f24-4e48-bc84-a5f6b2ff5e0a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-16T08:10:05.000Z",
"modified": "2022-09-16T08:10:05.000Z",
"pattern": "[domain-name:value = 'tank.hja63.com' AND domain-name:x_misp_port = '53']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-16T08:10:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--280fce1c-d0c4-47bc-992f-bf6bbeb19c6c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-16T08:10:47.000Z",
"modified": "2022-09-16T08:10:47.000Z",
"pattern": "[domain-name:value = 'wps.daj8.me' AND domain-name:x_misp_port = '53']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-16T08:10:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--2b06c34b-fdf7-4b02-ab24-f79128695597",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-16T08:15:03.000Z",
"modified": "2022-09-16T08:15:03.000Z",
"pattern": "[domain-name:value = 'wpsup.daj8.me' AND domain-name:x_misp_port = '443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-16T08:15:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--11ca6866-3639-455e-b9e9-b06a4deaae8f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-16T08:16:25.000Z",
"modified": "2022-09-16T08:16:25.000Z",
"pattern": "[domain-name:value = 'tools.googleupdateinfo.com' AND domain-name:x_misp_port = '53' AND domain-name:x_misp_port = '443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-16T08:16:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--fafaefad-c986-458f-8e09-c812fbd0d27d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-16T08:16:50.000Z",
"modified": "2022-09-16T08:16:50.000Z",
"pattern": "[domain-name:value = 'fly.pad62.com' AND domain-name:x_misp_port = '443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-16T08:16:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--6e175efb-7b29-4b98-98db-a45c18f92e98",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-16T08:25:40.000Z",
"modified": "2022-09-16T08:25:40.000Z",
"pattern": "[domain-name:value = 'tho.hja63.com' AND domain-name:x_misp_port = '53']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-16T08:25:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--aa5ebe67-22fb-4542-9858-c8347fb6c41d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-16T08:25:56.000Z",
"modified": "2022-09-16T08:25:56.000Z",
"pattern": "[domain-name:value = 'helpdesk.lnip.org' AND domain-name:x_misp_port = '443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-16T08:25:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--cd2257ac-e898-4004-823b-9cac01f267b2",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-16T08:29:01.000Z",
"modified": "2022-09-16T08:29:01.000Z",
"pattern": "[domain-name:value = 'www.trendmicro-update.org' AND domain-name:x_misp_port = '443' AND domain-name:x_misp_port = '80']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-16T08:29:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--f75e073a-0849-41d7-ad58-c45079f4cc35",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-16T08:40:47.000Z",
"modified": "2022-09-16T08:40:47.000Z",
"pattern": "[domain-name:value = 'fuckchina.govnb.com' AND domain-name:x_misp_port = '53' AND domain-name:x_misp_port = '80' AND domain-name:x_misp_port = '443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-16T08:40:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--94a0eb25-b7b3-4a52-9000-cffd4c3279ea",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-16T08:43:51.000Z",
"modified": "2022-09-16T08:43:51.000Z",
"pattern": "[domain-name:value = 'wmi.ns01.us' AND domain-name:x_misp_port = '80']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-16T08:43:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--18891997-ef58-4b19-9d1d-096bb84d4748",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-16T08:44:08.000Z",
"modified": "2022-09-16T08:44:08.000Z",
"pattern": "[domain-name:value = 'services.darkhero.org' AND domain-name:x_misp_port = '443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-16T08:44:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--eb9c4f38-26f9-470d-bfbd-d22cc5b3cdaf",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-16T08:44:33.000Z",
"modified": "2022-09-16T08:44:33.000Z",
"pattern": "[domain-name:value = 'microsafes.no-ip.org' AND domain-name:x_misp_port = '53' AND domain-name:x_misp_port = '443' AND domain-name:x_misp_port = '80']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-16T08:44:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--94c437ca-4c06-484d-8b86-666dfbebfa50",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-16T09:00:26.000Z",
"modified": "2022-09-16T09:00:26.000Z",
"pattern": "[domain-name:value = 'wmi.ns01.us' AND domain-name:x_misp_port = '12345']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-16T09:00:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--0c55a859-96d7-461f-9082-891a7ec1e105",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-16T09:00:44.000Z",
"modified": "2022-09-16T09:00:44.000Z",
"pattern": "[domain-name:value = 'kr.942m.com' AND domain-name:x_misp_port = '53' AND domain-name:x_misp_port = '80']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-16T09:00:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--91745102-7414-4d15-ad43-b860560d026b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-16T09:00:59.000Z",
"modified": "2022-09-16T09:00:59.000Z",
"pattern": "[domain-name:value = 'www.92al.com' AND domain-name:x_misp_port = '53']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-16T09:00:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--e8088873-f67c-4a24-94f6-d6b3841d0ca0",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-16T09:01:18.000Z",
"modified": "2022-09-16T09:01:18.000Z",
"pattern": "[domain-name:value = '101.55.29.17' AND domain-name:x_misp_port = '80']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-16T09:01:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--2c3d4d34-115e-4565-a9d3-1c13c7cb240d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-16T09:14:39.000Z",
"modified": "2022-09-16T09:14:39.000Z",
"name": "win_x86_backdoor_plug_x_shellcode_loader_dll",
"pattern": "rule win_x86_backdoor_plug_x_shellcode_loader_dll {\r\nmeta:\r\nauthor = \\\\\"Felipe Duarte, Security Joes\\\\\"\r\ndescription = \\\\\"Detects the PlugX Shellcode Loader DLL for 32 bits systems\\\\\"\r\nsha256_reference = \\\\\"5304d00250196a8cd5e9a81e053a886d1a291e4615484e49ff537bebecc13976\\\\\"\r\nstrings:\r\n// Code to set memory protections and launch shellcode\r\n$opcode1 = { 8d ?? ?? 5? 6a 20 68 00 00 10 00 5? ff 15 ?? ?? ?? ?? 85 ?? 75 ?? 6a 43 e8 ?? ?? ?? ?? 83 c? ?? ff d? 3d ?? ?? ?? ?? 7d ?? 85 ?? 74 ?? 6a 4a e8 ?? ?? ?? ?? 83 c? ?? }\r\n// Strings required to resolve depencies to load and execute the shellcode\r\n$str1 = \\\\\"kernel32\\\\\" nocase\r\n$str2 = \\\\\"GetModuleFileNameW\\\\\"\r\n$str3 = \\\\\"CreateFileW\\\\\"\r\n$str4 = \\\\\"VirtualAlloc\\\\\"\r\n$str5 = \\\\\"ReadFile\\\\\"\r\n$str6 = \\\\\"VirtualProtect\\\\\"\r\ncondition:\r\nall of them\r\n}",
"pattern_type": "yara",
"valid_from": "2022-09-16T09:14:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
],
"x_misp_reference": "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--ede7431e-a02b-475e-9141-68e2834659bd",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-16T09:18:02.000Z",
"modified": "2022-09-16T09:18:02.000Z",
"name": "win_x64_backdoor_plug_x_shellcode_loader_dll",
"pattern": "rule win_x64_backdoor_plug_x_shellcode_loader_dll {\r\nmeta:\r\nauthor = \\\\\"Felipe Duarte, Security Joes\\\\\"\r\ndescription = \\\\\"Detects the PlugX Shellcode Loader DLL for 64 bits systems\\\\\"\r\nsha256_reference = \\\\\"6b8ae6f01ab31243a5176c9fd14c156e9d5c139d170115acb87e1bc65400d54f\\\\\"\r\nstrings:\r\n// Code to get file name of the current module and replaces the extension to .dat\r\n$opcode1 = { 4? 8d 1d ?? ?? ?? ?? 41 b8 00 20 00 00 33 c9 4? 8b d3 ff d0 4? 8b cb 89 44 ?? ?? ff 15 ?? ?? ?? ?? b9 64 00 00 00 8d 50 fd 33 f6 66 89 0c ?? 8d 50 fe b9 61 00 00 00 66 89 0c ?? 8d 50 ff 8b c0 66 89 34 ?? 4? 8b 05 ?? ?? ?? ?? b9 74 00 00 00 66 89 0c ?? 4? 85 c0 75 ?? 4? 8b 05 ?? ?? ?? ?? 4? 85 c0 75 ?? 4? 8d 0d ?? ?? ?? ?? ff 15 ?? ?? ?? ?? 4? 89 05 ?? ?? ?? ?? }\r\n// Code to set memory protections and launch shellcode\r\n$opcode2 = { 4? 8d 4c ?? ?? ba 00 00 10 00 41 b8 40 00 00 00 4? 8b cb ff d0 85 c0 74 ?? ff d3 83 c9 ff ff 15 ?? ?? ?? ?? }\r\n// Strings required to resolve depencies to load and execute the shellcode\r\n$str1 = \\\\\"kernel32\\\\\" nocase\r\n$str2 = \\\\\"GetModuleFileNameW\\\\\"\r\n$str3 = \\\\\"CreateFileW\\\\\"\r\n$str4 = \\\\\"VirtualAlloc\\\\\"\r\n$str5 = \\\\\"ReadFile\\\\\"\r\n$str6 = \\\\\"VirtualProtect\\\\\"\r\ncondition:\r\nall of them\r\n}",
"pattern_type": "yara",
"valid_from": "2022-09-16T09:18:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
],
"x_misp_reference": "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--499a5e1e-3338-4d68-8e26-627ca59696d1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-16T11:59:39.000Z",
"modified": "2022-09-16T11:59:39.000Z",
"name": "win_x86_backdoor_plug_x_shellcode",
"pattern": "rule win_x86_backdoor_plug_x_shellcode {\r\nmeta:\r\nauthor = \\\\\"Felipe Duarte, Security Joes\\\\\"\r\ndescription = \\\\\"Detects the PlugX Shellcode for 32 bits systems\\\\\"\r\nsha256_reference = \\\\\"07ed636049be7bc31fb404da9cf12cff6af01d920ec245b4e087049bd9b5488d\\\\\"\r\nstrings:\r\n// Code of the decryption rutine\r\n$opcode1 = { 8b ?? c1 e? 03 8d ?? ?? ?? ?? ?? ?? 8b ?? c1 e? 05 8d ?? ?? ?? ?? ?? ?? 8b ?? ?? c1 e? 07 b? 33 33 33 33 2b ?? 01 ?? ?? 8b ?? ?? c1 e? 09 b? 44 44 44 44 2b ?? 01 ?? ?? 8b ?? ?? 8d ?? ?? 02 ?? ?? 02 ?? ?? 32 ?? ?? 88 ?? 4? 4? 75 ?? }\r\n// Stack strings for VirtualAlloc\r\n$opcode2 = { c7 8? ?? ?? ?? ?? 56 69 72 74 c7 8? ?? ?? ?? ?? 75 61 6c 41 c7 8? ?? ?? ?? ?? 6c 6c 6f 63 88 ?? ?? ?? ?? ?? ff d? }\r\ncondition:\r\nall of them\r\n}",
"pattern_type": "yara",
"valid_from": "2022-09-16T11:59:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
],
"x_misp_reference": "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--c70e2d31-eabf-44c0-8c1a-82bc325f4e33",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-16T12:00:05.000Z",
"modified": "2022-09-16T12:00:05.000Z",
"name": "win_x64_backdoor_plug_x_shellcode",
"pattern": "rule win_x64_backdoor_plug_x_shellcode {\r\nmeta:\r\nauthor = \\\\\"Felipe Duarte, Security Joes\\\\\"\r\ndescription = \\\\\"Detects the PlugX Shellcode for 64 bits systems\\\\\"\r\nsha256_reference = \\\\\"07ed636049be7bc31fb404da9cf12cff6af01d920ec245b4e087049bd9b5488d\\\\\"\r\nstrings:\r\n// Code of the decryption rutine\r\n$opcode1 = { 41 8b ?? 41 8b ?? c1 e? 03 c1 e? 07 45 8d ?? ?? ?? ?? ?? ?? 41 8b ?? c1 e? 05 45 8d ?? ?? ?? ?? ?? ?? b? 33 33 33 33 2b ?? 41 8b ?? 44 03 ?? c1 e? 09 b? 44 44 44 44 2b ?? 44 03 ?? 43 8d ?? ?? 41 02 ?? 41 02 ?? 32 ?? ?? 88 ?? 4? ff c? 4? ff c? }\r\n// Stack strings for VirtualAlloc\r\n$opcode2 = { c6 4? ?? 56 c6 4? ?? 69 c6 4? ?? 72 c6 4? ?? 74 c6 4? ?? 75 c6 4? ?? 61 c6 4? ?? 6c c6 4? ?? 41 c6 4? ?? 6c c6 4? ?? 6c c6 4? ?? 6f c6 4? ?? 63 }\r\ncondition:\r\nall of them\r\n}",
"pattern_type": "yara",
"valid_from": "2022-09-16T12:00:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
],
"x_misp_reference": "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d407664d-4edc-4a0f-a6a5-3b69cd898fda",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-16T12:00:30.000Z",
"modified": "2022-09-16T12:00:30.000Z",
"name": "win_x86_backdoor_plug_x_uac_bypass",
"pattern": "rule win_x86_backdoor_plug_x_uac_bypass {\r\nmeta:\r\nauthor = \\\\\"Felipe Duarte, Security Joes\\\\\"\r\ndescription = \\\\\"Detects the PlugX UAC Bypass DLL for 32 bits systems\\\\\"\r\nsha256_reference = \\\\\"9d51427f4f5b9f34050a502df3fbcea77f87d4e8f0cef29b05b543db03276e06\\\\\"\r\nstrings:\r\n// Main loop\r\n$opcode1 = { 0f b7 ?? ?? ?? ?? ?? ?? 4? 66 85 ?? 75 ?? 8d ?? ?? ?? ?? ?? ?? 66 83 3? 00 74 ?? 5? e8 ?? ?? ?? ?? 5? c3 }\r\n$str1 = \\\\\"kernel32\\\\\" nocase\r\n$str2 = \\\\\"GetCommandLineW\\\\\"\r\n$str3 = \\\\\"CreateProcessW\\\\\"\r\n$str4 = \\\\\"GetCurrentProcess\\\\\"\r\n$str5 = \\\\\"TerminateProcess\\\\\"\r\ncondition:\r\nall of them\r\n}",
"pattern_type": "yara",
"valid_from": "2022-09-16T12:00:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
],
"x_misp_reference": "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--7576bd3a-8305-4743-8fba-459fe5f29bd4",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-16T13:39:33.000Z",
"modified": "2022-09-16T13:39:33.000Z",
"name": "win_x86_backdoor_plug_x_core",
"pattern": "rule win_x86_backdoor_plug_x_core {\r\nmeta:\r\nauthor = \\\\\"Felipe Duarte, Security Joes\\\\\"\r\ndescription = \\\\\"Detects the PlugX Core DLL for 32 bits systems\\\\\"\r\nsha256_reference = \\\\\"fde1a930c6b12d7b00b6e95d52ce1b6536646a903713b1d3d37dc1936da2df88\\\\\"\r\nstrings:\r\n// Decryption routine\r\n$opcode1 = { 8b ?? ?? 8b ?? c1 e? 03 8d ?? ?? ?? ?? ?? ?? 8b ?? c1 e? 05 8d ?? ?? ?? ?? ?? ?? 8b ?? c1 e? 07 b? 33 33 33 33 2b ?? 8b ?? ?? 03 ?? c1 e? 09 b? 44 44 44 44 2b ?? 01 ?? ?? 8d ?? ?? 02 ?? 02 ?? ?? 89 ?? ?? 8b 5? ?? 32 ?? 32 4? ff 4? ?? 88 ?? ?? 75 ?? 5? }\r\n$str1 = \\\\\"Mozilla/4.0 (compatible; MSIE \\\\\" wide ascii\r\n$str2 = \\\\\"X-Session\\\\\" ascii\r\n$str3 = \\\\\"Software\\\\\\\\CLASSES\\\\\\\\FAST\\\\\" wide ascii\r\n$str4 = \\\\\"KLProc\\\\\"\r\n$str5 = \\\\\"OlProcManager\\\\\"\r\n$str6 = \\\\\"JoProcBroadcastRecv\\\\\"\r\ncondition:\r\nall of them\r\n}",
"pattern_type": "yara",
"valid_from": "2022-09-16T13:39:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
],
"x_misp_reference": "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--8dbdca17-8051-4e32-b345-f5653f52c92c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-16T13:39:23.000Z",
"modified": "2022-09-16T13:39:23.000Z",
"name": "win_x64_backdoor_plug_x_uac_bypass",
"pattern": "rule win_x64_backdoor_plug_x_uac_bypass {\r\nmeta:\r\nauthor = \\\\\"Felipe Duarte, Security Joes\\\\\"\r\ndescription = \\\\\"Detects the PlugX UAC Bypass DLL for 64 bits systems\\\\\"\r\nsha256_reference = \\\\\"547b605673a2659fe2c8111c8f0c3005c532cab6b3ba638e2cdcd52fb62296d3\\\\\"\r\nstrings:\r\n// 360tray.exe stack strings\r\n$opcode1 = { 4? 83 e? 48 b? 33 00 00 00 4? 8d ?? ?? ?? c7 44 ?? ?? 2e 00 65 00 66 89 ?? ?? ?? b? 36 00 00 00 c7 44 ?? ?? 78 00 65 00 66 89 ?? ?? ?? b? 30 00 00 00 66 89 ?? ?? ?? b? 74 00 00 00 66 89 ?? ?? ?? b? 72 00 00 00 66 89 ?? ?? ?? b? 61 00 00 00 66 89 ?? ?? ?? b? 79 00 00 00 66 89 ?? ?? ?? 33 ?? 66 89 ?? ?? ?? e8 ?? ?? ?? ?? }\r\n$str1 = \\\\\"Elevation:Administrator!new:\\\\%s\\\\\" wide ascii\r\n$str2 = \\\\\"{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\\\\\" wide ascii\r\n$str3 = \\\\\"{6EDD6D74-C007-4E75-B76A-E5740995E24C}\\\\\" wide ascii\r\n$str4 = \\\\\"CLSIDFromString\\\\\"\r\n$str5 = \\\\\"CoGetObject\\\\\"\r\ncondition:\r\nall of them\r\n}",
"pattern_type": "yara",
"valid_from": "2022-09-16T13:39:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
],
"x_misp_reference": "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a7da47b6-95d0-4027-b63b-fef3d59265ef",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-16T13:39:45.000Z",
"modified": "2022-09-16T13:39:45.000Z",
"name": "win_x64_backdoor_plug_x_core",
"pattern": "rule win_x64_backdoor_plug_x_core {\r\nmeta:\r\nauthor = \\\\\"Felipe Duarte, Security Joes\\\\\"\r\ndescription = \\\\\"Detects the PlugX Core DLL for 64 bits systems\\\\\"\r\nsha256_reference = \\\\\"af9cb318c4c28d7030f62a62f561ff612a9efb839c6934ead0eb496d49f73e03\\\\\"\r\nstrings:\r\n// Decryption routine\r\n$opcode1 = { 41 8b ?? 8b ?? 4? ff c? c1 e? 03 c1 e? 07 45 8d ?? ?? ?? ?? ?? ?? 41 8b ?? c1 e? 05 45 8d ?? ?? ?? ?? ?? ?? b? 33 33 33 33 2b ?? 8b ?? 03 ?? c1 e? 09 b? 44 44 44 44 2b ?? 03 ?? 43 8d ?? ?? 02 ?? 40 02 ?? 43 32 ?? ?? ?? 4? ff c? 41 88 ?? ?? 75 ?? }\r\n$str1 = \\\\\"Mozilla/4.0 (compatible; MSIE \\\\\" wide ascii\r\n$str2 = \\\\\"X-Session\\\\\" wide ascii\r\n$str3 = \\\\\"Software\\\\\\\\CLASSES\\\\\\\\FAST\\\\\" wide ascii\r\n$str4 = \\\\\"KLProc\\\\\"\r\n$str5 = \\\\\"OlProcManager\\\\\"\r\n$str6 = \\\\\"JoProcBroadcastRecv\\\\\"\r\ncondition:\r\nall of them\r\n}",
"pattern_type": "yara",
"valid_from": "2022-09-16T13:39:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
],
"x_misp_reference": "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue Copy permalink