2023-04-21 13:25:09 +00:00
{
2023-12-14 14:30:15 +00:00
"Event" : {
"analysis" : "0" ,
"date" : "2022-09-14" ,
"extends_uuid" : "" ,
"info" : "Dissecting PlugX to Extract Its Crown Jewels" ,
"publish_timestamp" : "1663581084" ,
"published" : true ,
"threat_level_id" : "4" ,
"timestamp" : "1663580963" ,
"uuid" : "5eeec9aa-9d88-4ece-9e6f-9d92884ae404" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:microsoft-activity-group=\"GALLIUM\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"DragonOK - G0017\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-intrusion-set=\"DragonOK - G0017\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#e834ab" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-intrusion-set=\"Mustang Panda - G0129\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#14f700" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:threat-actor=\"DragonOK\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:threat-actor=\"Earth Berberoka\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:threat-actor=\"GALLIUM\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:threat-actor=\"Mustang Panda\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-enterprise-attack-malware=\"Winnti - S0141\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#10c300" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:threat-actor=\"Axiom\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Winnti Group - G0044\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-intrusion-set=\"Winnti Group - G0044\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#004646" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "type:OSINT" ,
"relationship_type" : ""
} ,
{
"colour" : "#0071c3" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "osint:lifetime=\"perpetual\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0087e8" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "osint:certainty=\"50\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#002b4a" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "osint:source-type=\"technical-report\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:malpedia=\"PlugX\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-enterprise-attack-malware=\"PlugX - S0013\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-malware=\"PlugX - S0013\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:rat=\"PlugX\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#043400" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:tool=\"PlugX\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1192\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1566.002\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#064d00" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Visual Basic - T1059.005\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Component Object Model - T1559.001\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Service Execution - T1569.002\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1060\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#065100" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Windows Service - T1543.003\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Bypass User Account Control - T1088\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Hidden Files and Directories - T1564.001\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1073\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#053a00" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Masquerade Task or Service - T1036.004\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Name or Location - T1036.005\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1045\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#064f00" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Process Hollowing - T1055.012\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Inter-Process Communication - T1559\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"System Services - T1569\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Boot or Logon Autostart Execution - T1547\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Create or Modify System Process - T1543\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Abuse Elevation Control Mechanism - T1548\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#064b00" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Hijack Execution Flow - T1574\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Hide Artifacts - T1564\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Impair Defenses - T1562\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Indicator Removal on Host - T1070\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Network Service Discovery - T1046\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Network Share Discovery - T1135\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Query Registry - T1012\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"System Network Connections Discovery - T1049\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"System Service Discovery - T1007\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Remote Services - T1021\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1076\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Automated Collection - T1119\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Clipboard Data - T1115\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Input Capture - T1056\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#075900" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Data Encoding - T1132\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Data Obfuscation - T1001\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#064500" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Non-Application Layer Protocol - T1095\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"External Proxy - T1090.002\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Protocol Impersonation - T1001.003\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#064f00" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Standard Encoding - T1132.001\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Symmetric Cryptography - T1573.001\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1663580942" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "2a896148-0562-464f-bd45-6acf246f12c3" ,
"value" : "%WINDIR%\\System32\\sysprep\\cryptbase.dll"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1663580963" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "d851b765-c352-4784-8d88-b9ad47648410" ,
"value" : "%WINDIR%\\System32\\sysprep\\sysprep.exe"
}
] ,
"Object" : [
{
"comment" : "" ,
"deleted" : false ,
"description" : "Metadata used to generate an executive level report" ,
"meta-category" : "misc" ,
"name" : "report" ,
"template_uuid" : "70a68471-df22-4e3f-aa1a-5a3be19f82df" ,
"template_version" : "7" ,
"timestamp" : "1663250517" ,
"uuid" : "37755261-1df4-47c4-b620-775323431ea0" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "link" ,
"timestamp" : "1663250517" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "e00bf389-9c2c-4ebc-bb23-3435bec0e7b9" ,
"value" : "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "summary" ,
"timestamp" : "1663250517" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "f109f468-e159-4dc3-ba9c-6c9be1d987cc" ,
"value" : "PlugX is a malware family first spotted in 2008. It is a Remote Access Trojan that has been\r\nused by several threat actors and provides them with full control over infected machines. It\r\nhas continually evolved over time, adding new features and functionalities with each\r\niteration. Hence, it is important to keep following and documenting its transformations."
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "type" ,
"timestamp" : "1663250517" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "78450e24-65d4-4f80-b648-094c62f8dc27" ,
"value" : "Report"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"data" : " J V B E R i 0 x L j c N C i W 1 t b W 1 D Q o x I D A g b 2 J q D Q o 8 P C 9 U e X B l L 0 N h d G F s b 2 c v U G F n Z X M g M i A w I F I v T G F u Z y h l b i 1 V U y k g L 1 N 0 c n V j d F R y Z W V S b 290 I D E 1 M S A w I F I v T W F y a 0 l u Z m 88 P C 9 N Y X J r Z W Q g d H J 1 Z T 4 + L 0 1 l d G F k Y X R h I D E y M D M g M C B S L 1 Z p Z X d l c l B y Z W Z l c m V u Y 2 V z I D E y M D Q g M C B S P j 4 N C m V u Z G 9 i a g 0 K M i A w I G 9 i a g 0 K P D w v V H l w Z S 9 Q Y W d l c y 9 D b 3 V u d C A y N C 9 L a W R z W y A z I D A g U i A y M C A w I F I g M j c g M C B S I D I 5 I D A g U i A z M y A w I F I g N D A g M C B S I D Q x I D A g U i A 0 M y A w I F I g N D Q g M C B S I D Q 2 I D A g U i A 0 N y A w I F I g N D g g M C B S I D Q 5 I D A g U i A 1 M C A w I F I g N T E g M C B S I D U y I D A g U i A 1 N S A w I F I g N T c g M C B S I D U 5 I D A g U i A 2 M C A w I F I g N j E g M C B S I D Y z I D A g U i A 2 N C A w I F I g N j U g M C B S X S A + P g 0 K Z W 5 k b 2 J q D Q o z I D A g b 2 J q D Q o 8 P C 9 U e X B l L 1 B h Z 2 U v U G F y Z W 50 I D I g M C B S L 1 J l c 291 c m N l c z w 8 L 0 Z v b n Q 8 P C 9 G M S A 1 I D A g U i 9 G M i A 5 I D A g U i 9 G M y A x M S A w I F I v R j Q g M T Y g M C B S L 0 Y 1 I D E 4 I D A g U j 4 + L 0 V 4 d E d T d G F 0 Z T w 8 L 0 d T N y A 3 I D A g U i 9 H U z g g O C A w I F I + P i 9 Y T 2 J q Z W N 0 P D w v S W 1 h Z 2 U x M y A x M y A w I F I v S W 1 h Z 2 U x N S A x N S A w I F I + P i 9 Q c m 9 j U 2 V 0 W y 9 Q R E Y v V G V 4 d C 9 J b W F n Z U I v S W 1 h Z 2 V D L 0 l t Y W d l S V 0 g P j 4 v T W V k a W F C b 3 h b I D A g M C A 2 M T I g N z k y X S A v Q 29 u d G V u d H M g N C A w I F I v R 3 J v d X A 8 P C 9 U e X B l L 0 d y b 3 V w L 1 M v V H J h b n N w Y X J l b m N 5 L 0 N T L 0 R l d m l j Z V J H Q j 4 + L 1 R h Y n M v U y 9 T d H J 1 Y 3 R Q Y X J l b n R z I D A + P g 0 K Z W 5 k b 2 J q D Q o 0 I D A g b 2 J q D Q o 8 P C 9 G a W x 0 Z X I v R m x h d G V E Z W N v Z G U v T G V u Z 3 R o I D g 5 M z 4 + D Q p z d H J l Y W 0 N C n i c v V j f a 9 s 6 F H 4 P 5 H 84 T x d 7 L L J + W v Y Y g 7 Z p t 4 w N e t f A H Z Q 9 e I m a G B I 7 s 1 W 6 / f c 7 c j N 2 q a O l S c T y Y K R I 0 f d 9 P t 85 k p K c N b a 8 K 2 Y W X r 9 O z q w t Z k s z h 9 t k W m + + J N M f G 5 N c F 4 u y K m x Z V 8 n N / V f r v n p n i r l p 3 r y B 8 / E F f B s O K K H u k z M O F F J 86 p x D Y 4 a D / 15 A N R y c T 4 e D 5 I o B D k z v h g O G k y g w 0 J x Q L k F L S T I J 0 z V O e n u j Y d H i g r D o e t m 293 Y 4 u I 0 g / g L T 98 P B J S 7373 C w H x c n w e X H C 0 g 8 G s 9 r a + u 1 X + Z V X d u D Z f K n M l m e E a 1 B c a L S T m U n b q t p u m x M Y W F S W b N a x S M R l Q s T j 3 h U z Y z r w T / d c 1 L F j E a z M h 7 J a O 6 a p r L w K R a R a d 34 p q 7 a x + l T U 6 w P f U s e 2 p I J I j I P 7 W N C 8 V w m 4 i k T Q V N C N Y j 8 L 9 F g A i e I R / C M 4 D C X i q Q 5 M E 2 y D G b O p 5 N 1 s T B M w L i G I E 48 K t s y p U F m G J 8 O U N A c W 78 h 0 5 R h 34 k Q T M N I C u w 9 z v 6 f A r V V 0 J G D 5 N r R + n g x G Q M 90 P U C 196 V 3 K n W z k U u c B j U B h g R m k l 4 + G M c e 2 z Y q W y 2 F k p p R v K T 2 f B A b J S k R K l T 2 Y h A b C R G j J 3 M R h 7 O Z u e m I N H N l P U S f l y 2 r Z n Z s l r A 9 e p + 8 f m 4 W t c D F R p r X e 4 D P b j K + F C y l D C 2 G w V G b k 0 s t L P b y N a B A C X n R H v f Z S h Z 24 g J r D e y X 6 I v v 9 u m c H v T z A b C Y 7 k g W v j w Q q n i m B V S + V A m t o W L p n 4 I 5 Q z c Z a l X U h X M 5 Z I I r 6 R w L t f d b r 0 b 5 b 15 M K s 2 E J S i 1 J X z 5 w n q l S p 18 M G O 4 z y 50 / u C k 1 x 0 D B 5 H m s W v 1 i e X 3 P g 75 Q 41 m N y T I 6 O 5 C x 3 r i a B 70 W + j U T j I H D e J 7 B m Q c x P r a G P d U X Y Z q w i 6 E l B h q 3 B f r X 7 E a d S W L R T V H O 4 a 406 y g G V P R v W x 5 t h F V r C 0 S 6 t 9 Z P c 5 J T 31 C v D L J l S g E X p G P b u 3 y 7 r B d / D q y B z s X z n w n J O l P r x 9 c v X J N x 6 E p x g Q r Y g Q P f g r s 3 I e K D f d R Q f G 7 n l f N N a E E q 8 p y Z g P f Z / 4 L F C s u d R E 9 i 9 O Y 5 c H h T W v A o n N U w y 0 F 22 f 2 D x U p F l O U t 6 D v z E b a 9 Z f T R M q s i r / A 1 q w 5 E m 5 u 7 J 4 U F g w l J z g B d K D I o P l g i K Z 8 q G 8 x J q J N Z f z 49 D k U z T u y o 4 X b b c Z b z Z F 9 f u e R 5 M P B Z 7 t o 6 U Z T T 7 E B 7 p T 9 f 44 w G N V p g / h 8 x M x 6 s i 8 D Q p l b m R z d H J l Y W 0 N C m V u Z G 9 i a g 0 K N S A w I G 9 i a g 0 K P D w v V H l w Z S 9 G b 250 L 1 N 1 Y n R 5 c G U v V H J 1 Z V R 5 c G U v T m F t Z S 9 G M S 9 C Y X N l R m 9 u d C 9 U a W 1 l c 0 5 l d 1 J v b W F u U F N N V C 9 F b m N v Z G l u Z y 9 X a W 5 B b n N p R W 5 j b 2 R p b m c v R m 9 u d E R l c 2 N y a X B 0 b 3 I g N i A w I F I v R m l y c 3 R D a G F y I D M y L 0 x h c 3 R D a G F y I D E y M S 9 X a W R 0 a H M g M T E 3 O S A w I F I + P g 0 K Z W 5 k b 2 J q D Q o 2 I D A g b 2 J q D Q o 8 P C 9 U e X B l L 0 Z v b n R E Z X N j c m l w d G 9 y L 0 Z v b n R O Y W 1 l L 1 R p b W V z T m V 3 U m 9 t Y W 5 Q U 0 1 U L 0 Z s Y W d z I D M y L 0 l 0 Y W x p Y 0 F u Z 2 x l I D A v Q X N j Z W 50 I D g 5 M S 9 E Z X N j Z W 50 I C 0 y M T Y v Q 2 F w S G V p Z 2 h 0 I D Y 5 M y 9 B d m d X a W R 0 a C A 0 M D E v T W F 4 V 2 l k d G g g M j Y x N C 9 G b 250 V 2 V p Z 2 h 0 I D Q w M C 9 Y S G V p Z 2 h 0 I D I 1 M C 9 M Z W F k a W 5 n I D Q y L 1 N 0 Z W 1 W I D Q w L 0 Z v b n R C Q m 94 W y A t N T Y 4 I C 0 y M T Y g M j A 0 N i A 2 O T N d I D 4 + D Q p l b m R v Y m o N C j c g M C B v Y m o N C j w 8 L 1 R 5 c G U v R X h 0 R 1 N 0 Y X R l L 0 J N L 0 5 v c m 1 h b C 9 j Y S A x P j 4 N C m V u Z G 9 i a g 0 K O C A w I G 9 i a g 0 K P D w v V H l w Z S 9 F e H R H U 3 R h d G U v Q k 0 v T m 9 y b W F s L 0 N B I D E + P g 0 K Z W 5 k b 2 J q D Q o 5 I D A g b 2 J q D Q o 8 P C 9 U e X B l L 0 Z v b n Q v U 3 V i d H l w Z S 9 U c n V l V H l w Z S 9 O Y W 1 l L 0 Y y L 0 J h c 2 V G b 250 L 0 J D R E V F R S t B Y m F k a S M y M E V 4 d H J h I z I w T G l n a H Q v R W 5 j b 2 R p b m c v V 2 l u Q W 5 z a U V u Y 29 k a W 5 n L 0 Z v b n R E Z X N j c m l w d G 9 y I D E w I D A g U i 9 G a X J z d E N o Y X I g M z I v T G F z d E N o Y X I g M T I x L 1 d p Z H R o c y A x M T g w I D A g U j 4 + D Q p l b m R v Y m o N C j E w I D A g b 2 J q D Q o 8 P C 9 U e X B l L 0 Z v b n R E Z X N j c m l w d G 9 y L 0 Z v b n R O Y W 1 l L 0 J D R E V F R S t B Y m F k a S M y M E V 4 d H J h I z I w T G l n a H Q v R m x h Z 3 M g M z I v S X R h b G l j Q W 5 n b G U g M C 9 B c 2 N l b n Q g O T E z L 0 R l c 2 N l b n Q g L T I z M i 9 D Y X B I Z W l n a H Q g N j g 3 L 0 F 2 Z 1 d p Z H R o I D M 5 M S 9 N Y X h X a W R 0 a C A x M T U 3 L 0 Z v b n R X Z W l n a H Q g N D A w L 1 h I Z W l n a H Q g M j U w L 1 N 0 Z W 1 W I D M 5 L 0 Z v b n R C Q m 94 W y A t N T g g L T I z M i A x M D k 5 I D Y 4 N 10 g L 0 Z v b n R G a W x l M i A x M T g x I D A g U j 4 + D Q p l b m R v Y m o N C j E x I D A g b 2 J q D Q o 8 P C 9 U e X B l L 0 Z v b n Q v U 3 V i d H l w Z S 9 U c n V l V H l w Z S 9 O Y W 1 l L 0 Y z L 0 J h c 2 V G b 250 L 0 J D R E Z F R S t B Y m F k a S 9 F b m N v Z G l u Z y 9 X a W 5 B b n N p R W 5 j b 2 R p b m c v R m 9 u d E R l c 2 N y a X B 0 b 3 I g M T I g M C B S L 0 Z p c n N 0 Q 2 h h c i A z M i 9 M Y X N 0 Q 2 h h c i A x M j I v V 2 l k d G h z I D E x O D U g M C B S P j 4 N C m V u Z G 9 i a g 0 K M T I g M C B v Y m o N C j w 8 L 1 R 5 c G U v R m 9 u d E R l c 2 N y a X B 0 b 3 I v R m 9 u d E 5 h b W U v Q k N E R k V F K 0 F i Y W R p L 0 Z s Y W d z I D M y L 0 l 0 Y W x p Y 0 F u Z 2 x l I D A v Q X N j Z W 50 I D g 4 N y 9 E Z X N j Z W 50 I C 0 y M j k v Q 2 F w S G V p Z 2 h 0 I D Y 5 M y 9 B d m d X a W R 0 a C A 1 M T Y v T W F 4 V 2 l k d G g g M T M 0 N C 9 G b 250 V 2 V p Z 2 h 0 I D Q w M C 9 Y S G V p Z 2 h 0 I D I 1 M C 9 T d G V t V i A 1 M S 9 G b 250 Q k J v e F s g L T U w I C 0 y M j k g M T I 5 N C A 2 O T N d I C 9 G b 250 R m l s Z T I g M T E 4 M y A w I F I + P g
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "report-file" ,
"timestamp" : "1663250517" ,
"to_ids" : false ,
"type" : "attachment" ,
"uuid" : "c0d3c7fb-bdfc-41c3-80ac-4a16fb885ae3" ,
"value" : "Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "A domain/hostname and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "11" ,
"timestamp" : "1663314823" ,
"uuid" : "45516e32-4f9c-4eee-84d2-91eb673d21e8" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1663314823" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "d0503326-d321-4b8f-9da1-52523753c9be" ,
"value" : "fuckeryoumm.nmb.bet"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "port" ,
"timestamp" : "1663314823" ,
"to_ids" : false ,
"type" : "port" ,
"uuid" : "2951201a-f6a3-4ce1-ae99-0c8566ded0b5" ,
"value" : "53"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "port" ,
"timestamp" : "1663314823" ,
"to_ids" : false ,
"type" : "port" ,
"uuid" : "93c72a1c-7353-4584-af9a-a200ccf9fdd1" ,
"value" : "443"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "A domain/hostname and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "11" ,
"timestamp" : "1663314860" ,
"uuid" : "f4a77dc9-c4fe-44ae-b2a8-abb86e702620" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1663314860" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "f5e30d9e-184f-4578-b8b1-eb14d8b9afe6" ,
"value" : "tcp.wy01.com"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "port" ,
"timestamp" : "1663314860" ,
"to_ids" : false ,
"type" : "port" ,
"uuid" : "aece0e7f-912a-430e-86d2-5cbbfd37d28f" ,
"value" : "53"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "port" ,
"timestamp" : "1663314860" ,
"to_ids" : false ,
"type" : "port" ,
"uuid" : "4cd0fe41-ddf5-4892-8e7b-9588f4267c04" ,
"value" : "443"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "A domain/hostname and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "11" ,
"timestamp" : "1663314903" ,
"uuid" : "78707362-c5b2-45a7-95ad-2efe99a644fb" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1663314903" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "e4fcc0ef-91dc-4fa5-aa05-436f5420a9ce" ,
"value" : "tools.daji8.me"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "port" ,
"timestamp" : "1663314903" ,
"to_ids" : false ,
"type" : "port" ,
"uuid" : "28c5f591-e1ad-435e-abc8-9f06b9b3a77c" ,
"value" : "53"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "port" ,
"timestamp" : "1663314903" ,
"to_ids" : false ,
"type" : "port" ,
"uuid" : "20bed43b-84d7-44a5-8d00-115d29561200" ,
"value" : "443"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "A domain/hostname and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "11" ,
"timestamp" : "1663314943" ,
"uuid" : "b39459cd-43fb-41e4-932b-7a61bba34077" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1663314943" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "350fe8fa-7f19-4f75-8f5b-11ffeff8290a" ,
"value" : "a2.fafafazq.com"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "port" ,
"timestamp" : "1663314943" ,
"to_ids" : false ,
"type" : "port" ,
"uuid" : "a1a9c125-5126-44d5-b590-9c09a398f018" ,
"value" : "80"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "A domain/hostname and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "11" ,
"timestamp" : "1663314981" ,
"uuid" : "8b8727a9-3787-49bf-9d8d-45f0118e360f" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1663314981" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "b7fcf5f6-afac-499f-ac1a-ee1f4e5c59e9" ,
"value" : "tho.pad62.com"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "port" ,
"timestamp" : "1663314981" ,
"to_ids" : false ,
"type" : "port" ,
"uuid" : "2ea6419c-2fb6-45e1-bd27-457b97826edc" ,
"value" : "443"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "A domain/hostname and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "11" ,
"timestamp" : "1663315805" ,
"uuid" : "490e7061-2f24-4e48-bc84-a5f6b2ff5e0a" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1663315805" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "88177418-9747-478f-9978-c2b46623268e" ,
"value" : "tank.hja63.com"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "port" ,
"timestamp" : "1663315805" ,
"to_ids" : false ,
"type" : "port" ,
"uuid" : "7257ec94-1536-4691-8fb8-85e617195599" ,
"value" : "53"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "A domain/hostname and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "11" ,
"timestamp" : "1663315847" ,
"uuid" : "280fce1c-d0c4-47bc-992f-bf6bbeb19c6c" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1663315847" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "6f5e0368-ec91-423a-be88-9443d18e7009" ,
"value" : "wps.daj8.me"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "port" ,
"timestamp" : "1663315847" ,
"to_ids" : false ,
"type" : "port" ,
"uuid" : "f71117ba-95d0-408f-bc16-fee0329f496a" ,
"value" : "53"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "A domain/hostname and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "11" ,
"timestamp" : "1663316103" ,
"uuid" : "2b06c34b-fdf7-4b02-ab24-f79128695597" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1663316103" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "b8ba21bf-414b-4a42-97af-57a2e8343beb" ,
"value" : "wpsup.daj8.me"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "port" ,
"timestamp" : "1663316103" ,
"to_ids" : false ,
"type" : "port" ,
"uuid" : "3d41ff1d-1fd4-4995-81f7-99fc1113a674" ,
"value" : "443"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "A domain/hostname and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "11" ,
"timestamp" : "1663316185" ,
"uuid" : "11ca6866-3639-455e-b9e9-b06a4deaae8f" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1663316186" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "d2626d40-f4df-47a4-8169-dcd3f23c0c01" ,
"value" : "tools.googleupdateinfo.com"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "port" ,
"timestamp" : "1663316186" ,
"to_ids" : false ,
"type" : "port" ,
"uuid" : "39d011d4-1898-45a7-b5c7-709a43de2595" ,
"value" : "53"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "port" ,
"timestamp" : "1663316186" ,
"to_ids" : false ,
"type" : "port" ,
"uuid" : "6a237e3c-af37-4070-abf0-d9637adeaf58" ,
"value" : "443"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "A domain/hostname and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "11" ,
"timestamp" : "1663316210" ,
"uuid" : "fafaefad-c986-458f-8e09-c812fbd0d27d" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1663316210" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "23273ab0-438d-4e97-86a9-76fbc7c14809" ,
"value" : "fly.pad62.com"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "port" ,
"timestamp" : "1663316210" ,
"to_ids" : false ,
"type" : "port" ,
"uuid" : "e401fc62-52a9-4686-a589-ed8806654c2e" ,
"value" : "443"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "A domain/hostname and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "11" ,
"timestamp" : "1663316740" ,
"uuid" : "6e175efb-7b29-4b98-98db-a45c18f92e98" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1663316740" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "26afb7c7-5951-4a19-b2b4-b2a93f4993b4" ,
"value" : "tho.hja63.com"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "port" ,
"timestamp" : "1663316740" ,
"to_ids" : false ,
"type" : "port" ,
"uuid" : "fd912afd-58a9-4852-aecb-1b86acde3ed7" ,
"value" : "53"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "A domain/hostname and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "11" ,
"timestamp" : "1663316756" ,
"uuid" : "aa5ebe67-22fb-4542-9858-c8347fb6c41d" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1663316756" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "c8e06a65-fba9-4171-8424-a50aa4ef097e" ,
"value" : "helpdesk.lnip.org"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "port" ,
"timestamp" : "1663316756" ,
"to_ids" : false ,
"type" : "port" ,
"uuid" : "30c46420-d28f-4da1-806d-f13503a3070b" ,
"value" : "443"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "A domain/hostname and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "11" ,
"timestamp" : "1663316941" ,
"uuid" : "cd2257ac-e898-4004-823b-9cac01f267b2" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1663316941" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "f9d46691-2c78-4963-879e-a878e43e13a5" ,
"value" : "www.trendmicro-update.org"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "port" ,
"timestamp" : "1663316941" ,
"to_ids" : false ,
"type" : "port" ,
"uuid" : "91904272-79b8-4350-bfbb-a6a60a097d9d" ,
"value" : "443"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "port" ,
"timestamp" : "1663316941" ,
"to_ids" : false ,
"type" : "port" ,
"uuid" : "de3d25c5-754d-40c4-a311-853980407a64" ,
"value" : "80"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "A domain/hostname and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "11" ,
"timestamp" : "1663317647" ,
"uuid" : "f75e073a-0849-41d7-ad58-c45079f4cc35" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1663317647" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "727ecd91-0501-4a52-a8e5-f15a92c5ef69" ,
"value" : "fuckchina.govnb.com"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "port" ,
"timestamp" : "1663317647" ,
"to_ids" : false ,
"type" : "port" ,
"uuid" : "738e6c0a-f9ee-40e2-b63e-e7fe1609867e" ,
"value" : "53"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "port" ,
"timestamp" : "1663317647" ,
"to_ids" : false ,
"type" : "port" ,
"uuid" : "fb27a837-131e-41df-a5f6-56408c46cded" ,
"value" : "80"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "port" ,
"timestamp" : "1663317647" ,
"to_ids" : false ,
"type" : "port" ,
"uuid" : "1cc553bc-aa58-4d7b-95b3-1fc62f2e0a27" ,
"value" : "443"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "A domain/hostname and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "11" ,
"timestamp" : "1663317831" ,
"uuid" : "94a0eb25-b7b3-4a52-9000-cffd4c3279ea" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1663317831" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "b0e31727-df07-4e6f-98fe-95c8f4ef49ac" ,
"value" : "wmi.ns01.us"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "port" ,
"timestamp" : "1663317831" ,
"to_ids" : false ,
"type" : "port" ,
"uuid" : "93bad8fd-afd1-428c-8b9e-ce53f0d85723" ,
"value" : "80"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "A domain/hostname and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "11" ,
"timestamp" : "1663317848" ,
"uuid" : "18891997-ef58-4b19-9d1d-096bb84d4748" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1663317848" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "0336610b-cfea-4dcc-9fc2-64a9d1e107ca" ,
"value" : "services.darkhero.org"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "port" ,
"timestamp" : "1663317848" ,
"to_ids" : false ,
"type" : "port" ,
"uuid" : "7fea11f9-3634-4bb5-b3ee-660dcfa71c33" ,
"value" : "443"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "A domain/hostname and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "11" ,
"timestamp" : "1663317873" ,
"uuid" : "eb9c4f38-26f9-470d-bfbd-d22cc5b3cdaf" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1663317873" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "fc9331a6-d4ed-497b-8501-f88d1c4d50b7" ,
"value" : "microsafes.no-ip.org"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "port" ,
"timestamp" : "1663317873" ,
"to_ids" : false ,
"type" : "port" ,
"uuid" : "1eee8de3-dbc8-4bc7-aa60-69db3c570445" ,
"value" : "53"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "port" ,
"timestamp" : "1663317873" ,
"to_ids" : false ,
"type" : "port" ,
"uuid" : "bf2f251d-9e9c-4019-8836-2c1b7e625c43" ,
"value" : "443"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "port" ,
"timestamp" : "1663317873" ,
"to_ids" : false ,
"type" : "port" ,
"uuid" : "5bda8551-ba11-404a-9861-525a0e4079c5" ,
"value" : "80"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "A domain/hostname and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "11" ,
"timestamp" : "1663318826" ,
"uuid" : "94c437ca-4c06-484d-8b86-666dfbebfa50" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1663318826" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "bb2bdce0-7d69-4b48-a367-2db2178c2042" ,
"value" : "wmi.ns01.us"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "port" ,
"timestamp" : "1663318826" ,
"to_ids" : false ,
"type" : "port" ,
"uuid" : "d3bf56b3-aabe-4da8-a953-d61d5d214d87" ,
"value" : "12345"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "A domain/hostname and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "11" ,
"timestamp" : "1663318844" ,
"uuid" : "0c55a859-96d7-461f-9082-891a7ec1e105" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1663318844" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "3e476ecb-6086-471b-ac6f-b8589e10b7e3" ,
"value" : "kr.942m.com"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "port" ,
"timestamp" : "1663318844" ,
"to_ids" : false ,
"type" : "port" ,
"uuid" : "866d8723-56fb-4b5e-a231-2dbd8ca3bb74" ,
"value" : "53"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "port" ,
"timestamp" : "1663318844" ,
"to_ids" : false ,
"type" : "port" ,
"uuid" : "1fb2bf12-f0fa-4521-8db4-1e84b34c82fd" ,
"value" : "80"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "A domain/hostname and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "11" ,
"timestamp" : "1663318859" ,
"uuid" : "91745102-7414-4d15-ad43-b860560d026b" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1663318859" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "209bc090-fd74-44f2-90d9-32c6db46ce8d" ,
"value" : "www.92al.com"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "port" ,
"timestamp" : "1663318859" ,
"to_ids" : false ,
"type" : "port" ,
"uuid" : "c9874311-be80-41c3-9baf-4aab13bdad6e" ,
"value" : "53"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "A domain/hostname and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "11" ,
"timestamp" : "1663318878" ,
"uuid" : "e8088873-f67c-4a24-94f6-d6b3841d0ca0" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1663318878" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "128ec8c1-e380-43b6-8c00-e145803a4e22" ,
"value" : "101.55.29.17"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "port" ,
"timestamp" : "1663318878" ,
"to_ids" : false ,
"type" : "port" ,
"uuid" : "8e8e3476-f969-406a-8c1b-3cc3d984e70f" ,
"value" : "80"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a YARA rule (or a YARA rule name) along with its version." ,
"meta-category" : "misc" ,
"name" : "yara" ,
"template_uuid" : "b5acf82e-ecca-4868-82fe-9dbdf4d808c3" ,
"template_version" : "6" ,
"timestamp" : "1663319679" ,
"uuid" : "2c3d4d34-115e-4565-a9d3-1c13c7cb240d" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "reference" ,
"timestamp" : "1663319679" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "06b4f0d4-2c1a-42e4-81b6-d12f8a369570" ,
"value" : "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
} ,
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara" ,
"timestamp" : "1663319680" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "b197be37-7a16-4400-bea6-a9a3f8a665cd" ,
"value" : "rule win_x86_backdoor_plug_x_shellcode_loader_dll {\r\nmeta:\r\nauthor = \"Felipe Duarte, Security Joes\"\r\ndescription = \"Detects the PlugX Shellcode Loader DLL for 32 bits systems\"\r\nsha256_reference = \"5304d00250196a8cd5e9a81e053a886d1a291e4615484e49ff537bebecc13976\"\r\nstrings:\r\n// Code to set memory protections and launch shellcode\r\n$opcode1 = { 8d ?? ?? 5? 6a 20 68 00 00 10 00 5? ff 15 ?? ?? ?? ?? 85 ?? 75 ?? 6a 43 e8 ?? ?? ?? ?? 83 c? ?? ff d? 3d ?? ?? ?? ?? 7d ?? 85 ?? 74 ?? 6a 4a e8 ?? ?? ?? ?? 83 c? ?? }\r\n// Strings required to resolve depencies to load and execute the shellcode\r\n$str1 = \"kernel32\" nocase\r\n$str2 = \"GetModuleFileNameW\"\r\n$str3 = \"CreateFileW\"\r\n$str4 = \"VirtualAlloc\"\r\n$str5 = \"ReadFile\"\r\n$str6 = \"VirtualProtect\"\r\ncondition:\r\nall of them\r\n}"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara-rule-name" ,
"timestamp" : "1663319680" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "b07916ad-ec24-47e5-9f18-ea5ea4c7d929" ,
"value" : "win_x86_backdoor_plug_x_shellcode_loader_dll"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a YARA rule (or a YARA rule name) along with its version." ,
"meta-category" : "misc" ,
"name" : "yara" ,
"template_uuid" : "b5acf82e-ecca-4868-82fe-9dbdf4d808c3" ,
"template_version" : "6" ,
"timestamp" : "1663319882" ,
"uuid" : "ede7431e-a02b-475e-9141-68e2834659bd" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "reference" ,
"timestamp" : "1663319882" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "8b30ab4a-ee7e-487b-ac8e-362a7a345d7c" ,
"value" : "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
} ,
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara" ,
"timestamp" : "1663319882" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "d809b696-9de2-42cd-a174-dfba28fca044" ,
"value" : "rule win_x64_backdoor_plug_x_shellcode_loader_dll {\r\nmeta:\r\nauthor = \"Felipe Duarte, Security Joes\"\r\ndescription = \"Detects the PlugX Shellcode Loader DLL for 64 bits systems\"\r\nsha256_reference = \"6b8ae6f01ab31243a5176c9fd14c156e9d5c139d170115acb87e1bc65400d54f\"\r\nstrings:\r\n// Code to get file name of the current module and replaces the extension to .dat\r\n$opcode1 = { 4? 8d 1d ?? ?? ?? ?? 41 b8 00 20 00 00 33 c9 4? 8b d3 ff d0 4? 8b cb 89 44 ?? ?? ff 15 ?? ?? ?? ?? b9 64 00 00 00 8d 50 fd 33 f6 66 89 0c ?? 8d 50 fe b9 61 00 00 00 66 89 0c ?? 8d 50 ff 8b c0 66 89 34 ?? 4? 8b 05 ?? ?? ?? ?? b9 74 00 00 00 66 89 0c ?? 4? 85 c0 75 ?? 4? 8b 05 ?? ?? ?? ?? 4? 85 c0 75 ?? 4? 8d 0d ?? ?? ?? ?? ff 15 ?? ?? ?? ?? 4? 89 05 ?? ?? ?? ?? }\r\n// Code to set memory protections and launch shellcode\r\n$opcode2 = { 4? 8d 4c ?? ?? ba 00 00 10 00 41 b8 40 00 00 00 4? 8b cb ff d0 85 c0 74 ?? ff d3 83 c9 ff ff 15 ?? ?? ?? ?? }\r\n// Strings required to resolve depencies to load and execute the shellcode\r\n$str1 = \"kernel32\" nocase\r\n$str2 = \"GetModuleFileNameW\"\r\n$str3 = \"CreateFileW\"\r\n$str4 = \"VirtualAlloc\"\r\n$str5 = \"ReadFile\"\r\n$str6 = \"VirtualProtect\"\r\ncondition:\r\nall of them\r\n}"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara-rule-name" ,
"timestamp" : "1663319882" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "16a737ec-5cb4-4327-b5b2-1e212c0b0db0" ,
"value" : "win_x64_backdoor_plug_x_shellcode_loader_dll"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a YARA rule (or a YARA rule name) along with its version." ,
"meta-category" : "misc" ,
"name" : "yara" ,
"template_uuid" : "b5acf82e-ecca-4868-82fe-9dbdf4d808c3" ,
"template_version" : "6" ,
"timestamp" : "1663329579" ,
"uuid" : "499a5e1e-3338-4d68-8e26-627ca59696d1" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "reference" ,
"timestamp" : "1663329579" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "1722c73d-51ef-41f2-aa6c-338a8fd85159" ,
"value" : "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
} ,
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara" ,
"timestamp" : "1663329579" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "4595a5c5-3f9c-4775-acb4-7802b526d57c" ,
"value" : "rule win_x86_backdoor_plug_x_shellcode {\r\nmeta:\r\nauthor = \"Felipe Duarte, Security Joes\"\r\ndescription = \"Detects the PlugX Shellcode for 32 bits systems\"\r\nsha256_reference = \"07ed636049be7bc31fb404da9cf12cff6af01d920ec245b4e087049bd9b5488d\"\r\nstrings:\r\n// Code of the decryption rutine\r\n$opcode1 = { 8b ?? c1 e? 03 8d ?? ?? ?? ?? ?? ?? 8b ?? c1 e? 05 8d ?? ?? ?? ?? ?? ?? 8b ?? ?? c1 e? 07 b? 33 33 33 33 2b ?? 01 ?? ?? 8b ?? ?? c1 e? 09 b? 44 44 44 44 2b ?? 01 ?? ?? 8b ?? ?? 8d ?? ?? 02 ?? ?? 02 ?? ?? 32 ?? ?? 88 ?? 4? 4? 75 ?? }\r\n// Stack strings for VirtualAlloc\r\n$opcode2 = { c7 8? ?? ?? ?? ?? 56 69 72 74 c7 8? ?? ?? ?? ?? 75 61 6c 41 c7 8? ?? ?? ?? ?? 6c 6c 6f 63 88 ?? ?? ?? ?? ?? ff d? }\r\ncondition:\r\nall of them\r\n}"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara-rule-name" ,
"timestamp" : "1663329579" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "9ce13a3d-7769-44fb-bfe0-fec46600bce1" ,
"value" : "win_x86_backdoor_plug_x_shellcode"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a YARA rule (or a YARA rule name) along with its version." ,
"meta-category" : "misc" ,
"name" : "yara" ,
"template_uuid" : "b5acf82e-ecca-4868-82fe-9dbdf4d808c3" ,
"template_version" : "6" ,
"timestamp" : "1663329605" ,
"uuid" : "c70e2d31-eabf-44c0-8c1a-82bc325f4e33" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "reference" ,
"timestamp" : "1663329605" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "cf38a26e-ea4d-49b7-8644-0de1f3d01825" ,
"value" : "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
} ,
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara" ,
"timestamp" : "1663329605" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "e94b9835-d440-4f88-adec-3dcb7e4ce7c4" ,
"value" : "rule win_x64_backdoor_plug_x_shellcode {\r\nmeta:\r\nauthor = \"Felipe Duarte, Security Joes\"\r\ndescription = \"Detects the PlugX Shellcode for 64 bits systems\"\r\nsha256_reference = \"07ed636049be7bc31fb404da9cf12cff6af01d920ec245b4e087049bd9b5488d\"\r\nstrings:\r\n// Code of the decryption rutine\r\n$opcode1 = { 41 8b ?? 41 8b ?? c1 e? 03 c1 e? 07 45 8d ?? ?? ?? ?? ?? ?? 41 8b ?? c1 e? 05 45 8d ?? ?? ?? ?? ?? ?? b? 33 33 33 33 2b ?? 41 8b ?? 44 03 ?? c1 e? 09 b? 44 44 44 44 2b ?? 44 03 ?? 43 8d ?? ?? 41 02 ?? 41 02 ?? 32 ?? ?? 88 ?? 4? ff c? 4? ff c? }\r\n// Stack strings for VirtualAlloc\r\n$opcode2 = { c6 4? ?? 56 c6 4? ?? 69 c6 4? ?? 72 c6 4? ?? 74 c6 4? ?? 75 c6 4? ?? 61 c6 4? ?? 6c c6 4? ?? 41 c6 4? ?? 6c c6 4? ?? 6c c6 4? ?? 6f c6 4? ?? 63 }\r\ncondition:\r\nall of them\r\n}"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara-rule-name" ,
"timestamp" : "1663329605" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "f53a6157-3974-4f3c-9e76-42d8efd670f0" ,
"value" : "win_x64_backdoor_plug_x_shellcode"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a YARA rule (or a YARA rule name) along with its version." ,
"meta-category" : "misc" ,
"name" : "yara" ,
"template_uuid" : "b5acf82e-ecca-4868-82fe-9dbdf4d808c3" ,
"template_version" : "6" ,
"timestamp" : "1663329630" ,
"uuid" : "d407664d-4edc-4a0f-a6a5-3b69cd898fda" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "reference" ,
"timestamp" : "1663329630" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "3f7b2114-86c7-4107-bcec-d0a8309c9272" ,
"value" : "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
} ,
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara" ,
"timestamp" : "1663329630" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "c53e3631-b5b3-432e-b79d-517ee8046ab7" ,
"value" : "rule win_x86_backdoor_plug_x_uac_bypass {\r\nmeta:\r\nauthor = \"Felipe Duarte, Security Joes\"\r\ndescription = \"Detects the PlugX UAC Bypass DLL for 32 bits systems\"\r\nsha256_reference = \"9d51427f4f5b9f34050a502df3fbcea77f87d4e8f0cef29b05b543db03276e06\"\r\nstrings:\r\n// Main loop\r\n$opcode1 = { 0f b7 ?? ?? ?? ?? ?? ?? 4? 66 85 ?? 75 ?? 8d ?? ?? ?? ?? ?? ?? 66 83 3? 00 74 ?? 5? e8 ?? ?? ?? ?? 5? c3 }\r\n$str1 = \"kernel32\" nocase\r\n$str2 = \"GetCommandLineW\"\r\n$str3 = \"CreateProcessW\"\r\n$str4 = \"GetCurrentProcess\"\r\n$str5 = \"TerminateProcess\"\r\ncondition:\r\nall of them\r\n}"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara-rule-name" ,
"timestamp" : "1663329630" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "53b9d375-4499-4ce5-b367-e47df190e699" ,
"value" : "win_x86_backdoor_plug_x_uac_bypass"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a YARA rule (or a YARA rule name) along with its version." ,
"meta-category" : "misc" ,
"name" : "yara" ,
"template_uuid" : "b5acf82e-ecca-4868-82fe-9dbdf4d808c3" ,
"template_version" : "6" ,
"timestamp" : "1663335573" ,
"uuid" : "7576bd3a-8305-4743-8fba-459fe5f29bd4" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "reference" ,
"timestamp" : "1663334341" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "aebd30d7-0667-49e4-bb46-df88af22dc78" ,
"value" : "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
} ,
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara" ,
"timestamp" : "1663335573" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "f3958c22-6a1b-47ec-b181-92d55df3655c" ,
"value" : "rule win_x86_backdoor_plug_x_core {\r\nmeta:\r\nauthor = \"Felipe Duarte, Security Joes\"\r\ndescription = \"Detects the PlugX Core DLL for 32 bits systems\"\r\nsha256_reference = \"fde1a930c6b12d7b00b6e95d52ce1b6536646a903713b1d3d37dc1936da2df88\"\r\nstrings:\r\n// Decryption routine\r\n$opcode1 = { 8b ?? ?? 8b ?? c1 e? 03 8d ?? ?? ?? ?? ?? ?? 8b ?? c1 e? 05 8d ?? ?? ?? ?? ?? ?? 8b ?? c1 e? 07 b? 33 33 33 33 2b ?? 8b ?? ?? 03 ?? c1 e? 09 b? 44 44 44 44 2b ?? 01 ?? ?? 8d ?? ?? 02 ?? 02 ?? ?? 89 ?? ?? 8b 5? ?? 32 ?? 32 4? ff 4? ?? 88 ?? ?? 75 ?? 5? }\r\n$str1 = \"Mozilla/4.0 (compatible; MSIE \" wide ascii\r\n$str2 = \"X-Session\" ascii\r\n$str3 = \"Software\\\\CLASSES\\\\FAST\" wide ascii\r\n$str4 = \"KLProc\"\r\n$str5 = \"OlProcManager\"\r\n$str6 = \"JoProcBroadcastRecv\"\r\ncondition:\r\nall of them\r\n}"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara-rule-name" ,
"timestamp" : "1663334341" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "74634ba0-03a5-424c-a490-1260ac397462" ,
"value" : "win_x86_backdoor_plug_x_core"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a YARA rule (or a YARA rule name) along with its version." ,
"meta-category" : "misc" ,
"name" : "yara" ,
"template_uuid" : "b5acf82e-ecca-4868-82fe-9dbdf4d808c3" ,
"template_version" : "6" ,
"timestamp" : "1663335563" ,
"uuid" : "8dbdca17-8051-4e32-b345-f5653f52c92c" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "reference" ,
"timestamp" : "1663334437" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "dc8753cf-01ed-4a69-a2ae-f684b63ab951" ,
"value" : "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
} ,
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara" ,
"timestamp" : "1663335563" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "eb541abb-c34a-48c6-969d-9f1f663ba4c7" ,
"value" : "rule win_x64_backdoor_plug_x_uac_bypass {\r\nmeta:\r\nauthor = \"Felipe Duarte, Security Joes\"\r\ndescription = \"Detects the PlugX UAC Bypass DLL for 64 bits systems\"\r\nsha256_reference = \"547b605673a2659fe2c8111c8f0c3005c532cab6b3ba638e2cdcd52fb62296d3\"\r\nstrings:\r\n// 360tray.exe stack strings\r\n$opcode1 = { 4? 83 e? 48 b? 33 00 00 00 4? 8d ?? ?? ?? c7 44 ?? ?? 2e 00 65 00 66 89 ?? ?? ?? b? 36 00 00 00 c7 44 ?? ?? 78 00 65 00 66 89 ?? ?? ?? b? 30 00 00 00 66 89 ?? ?? ?? b? 74 00 00 00 66 89 ?? ?? ?? b? 72 00 00 00 66 89 ?? ?? ?? b? 61 00 00 00 66 89 ?? ?? ?? b? 79 00 00 00 66 89 ?? ?? ?? 33 ?? 66 89 ?? ?? ?? e8 ?? ?? ?? ?? }\r\n$str1 = \"Elevation:Administrator!new:%s\" wide ascii\r\n$str2 = \"{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\" wide ascii\r\n$str3 = \"{6EDD6D74-C007-4E75-B76A-E5740995E24C}\" wide ascii\r\n$str4 = \"CLSIDFromString\"\r\n$str5 = \"CoGetObject\"\r\ncondition:\r\nall of them\r\n}"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara-rule-name" ,
"timestamp" : "1663334437" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "76b18db5-0b25-4c72-a198-9e5f06f707e2" ,
"value" : "win_x64_backdoor_plug_x_uac_bypass"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a YARA rule (or a YARA rule name) along with its version." ,
"meta-category" : "misc" ,
"name" : "yara" ,
"template_uuid" : "b5acf82e-ecca-4868-82fe-9dbdf4d808c3" ,
"template_version" : "6" ,
"timestamp" : "1663335585" ,
"uuid" : "a7da47b6-95d0-4027-b63b-fef3d59265ef" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "reference" ,
"timestamp" : "1663335470" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "c6ac2ad2-dc49-45d5-9594-5ce91e2660d8" ,
"value" : "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
} ,
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara" ,
"timestamp" : "1663335585" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "0ccdbb66-547e-45cb-9952-820f1697631e" ,
"value" : "rule win_x64_backdoor_plug_x_core {\r\nmeta:\r\nauthor = \"Felipe Duarte, Security Joes\"\r\ndescription = \"Detects the PlugX Core DLL for 64 bits systems\"\r\nsha256_reference = \"af9cb318c4c28d7030f62a62f561ff612a9efb839c6934ead0eb496d49f73e03\"\r\nstrings:\r\n// Decryption routine\r\n$opcode1 = { 41 8b ?? 8b ?? 4? ff c? c1 e? 03 c1 e? 07 45 8d ?? ?? ?? ?? ?? ?? 41 8b ?? c1 e? 05 45 8d ?? ?? ?? ?? ?? ?? b? 33 33 33 33 2b ?? 8b ?? 03 ?? c1 e? 09 b? 44 44 44 44 2b ?? 03 ?? 43 8d ?? ?? 02 ?? 40 02 ?? 43 32 ?? ?? ?? 4? ff c? 41 88 ?? ?? 75 ?? }\r\n$str1 = \"Mozilla/4.0 (compatible; MSIE \" wide ascii\r\n$str2 = \"X-Session\" wide ascii\r\n$str3 = \"Software\\\\CLASSES\\\\FAST\" wide ascii\r\n$str4 = \"KLProc\"\r\n$str5 = \"OlProcManager\"\r\n$str6 = \"JoProcBroadcastRecv\"\r\ncondition:\r\nall of them\r\n}"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara-rule-name" ,
"timestamp" : "1663335470" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "ba11fdcd-b116-4f11-b98a-79f72303af31" ,
"value" : "win_x64_backdoor_plug_x_core"
}
]
}
2023-04-21 13:25:09 +00:00
]
2023-12-14 14:30:15 +00:00
}
2023-04-21 13:25:09 +00:00
}
