2023-04-21 14:44:17 +00:00
{
"type" : "bundle" ,
"id" : "bundle--5eeec9aa-9d88-4ece-9e6f-9d92884ae404" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-19T09:49:23.000Z" ,
"modified" : "2022-09-19T09:49:23.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--5eeec9aa-9d88-4ece-9e6f-9d92884ae404" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-19T09:49:23.000Z" ,
"modified" : "2022-09-19T09:49:23.000Z" ,
"name" : "Dissecting PlugX to Extract Its Crown Jewels" ,
"published" : "2022-09-19T09:51:24Z" ,
"object_refs" : [
"indicator--2a896148-0562-464f-bd45-6acf246f12c3" ,
"indicator--d851b765-c352-4784-8d88-b9ad47648410" ,
"x-misp-object--37755261-1df4-47c4-b620-775323431ea0" ,
"indicator--45516e32-4f9c-4eee-84d2-91eb673d21e8" ,
"indicator--f4a77dc9-c4fe-44ae-b2a8-abb86e702620" ,
"indicator--78707362-c5b2-45a7-95ad-2efe99a644fb" ,
"indicator--b39459cd-43fb-41e4-932b-7a61bba34077" ,
"indicator--8b8727a9-3787-49bf-9d8d-45f0118e360f" ,
"indicator--490e7061-2f24-4e48-bc84-a5f6b2ff5e0a" ,
"indicator--280fce1c-d0c4-47bc-992f-bf6bbeb19c6c" ,
"indicator--2b06c34b-fdf7-4b02-ab24-f79128695597" ,
"indicator--11ca6866-3639-455e-b9e9-b06a4deaae8f" ,
"indicator--fafaefad-c986-458f-8e09-c812fbd0d27d" ,
"indicator--6e175efb-7b29-4b98-98db-a45c18f92e98" ,
"indicator--aa5ebe67-22fb-4542-9858-c8347fb6c41d" ,
"indicator--cd2257ac-e898-4004-823b-9cac01f267b2" ,
"indicator--f75e073a-0849-41d7-ad58-c45079f4cc35" ,
"indicator--94a0eb25-b7b3-4a52-9000-cffd4c3279ea" ,
"indicator--18891997-ef58-4b19-9d1d-096bb84d4748" ,
"indicator--eb9c4f38-26f9-470d-bfbd-d22cc5b3cdaf" ,
"indicator--94c437ca-4c06-484d-8b86-666dfbebfa50" ,
"indicator--0c55a859-96d7-461f-9082-891a7ec1e105" ,
"indicator--91745102-7414-4d15-ad43-b860560d026b" ,
"indicator--e8088873-f67c-4a24-94f6-d6b3841d0ca0" ,
"indicator--2c3d4d34-115e-4565-a9d3-1c13c7cb240d" ,
"indicator--ede7431e-a02b-475e-9141-68e2834659bd" ,
"indicator--499a5e1e-3338-4d68-8e26-627ca59696d1" ,
"indicator--c70e2d31-eabf-44c0-8c1a-82bc325f4e33" ,
"indicator--d407664d-4edc-4a0f-a6a5-3b69cd898fda" ,
"indicator--7576bd3a-8305-4743-8fba-459fe5f29bd4" ,
"indicator--8dbdca17-8051-4e32-b345-f5653f52c92c" ,
"indicator--a7da47b6-95d0-4027-b63b-fef3d59265ef"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"misp-galaxy:microsoft-activity-group=\"GALLIUM\"" ,
"misp-galaxy:mitre-enterprise-attack-intrusion-set=\"DragonOK - G0017\"" ,
"misp-galaxy:mitre-intrusion-set=\"DragonOK - G0017\"" ,
"misp-galaxy:mitre-intrusion-set=\"Mustang Panda - G0129\"" ,
"misp-galaxy:threat-actor=\"DragonOK\"" ,
"misp-galaxy:threat-actor=\"Earth Berberoka\"" ,
"misp-galaxy:threat-actor=\"GALLIUM\"" ,
"misp-galaxy:threat-actor=\"Mustang Panda\"" ,
"misp-galaxy:mitre-enterprise-attack-malware=\"Winnti - S0141\"" ,
"misp-galaxy:threat-actor=\"Axiom\"" ,
"misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Winnti Group - G0044\"" ,
"misp-galaxy:mitre-intrusion-set=\"Winnti Group - G0044\"" ,
"type:OSINT" ,
"osint:lifetime=\"perpetual\"" ,
"osint:certainty=\"50\"" ,
"osint:source-type=\"technical-report\"" ,
"misp-galaxy:malpedia=\"PlugX\"" ,
"misp-galaxy:mitre-enterprise-attack-malware=\"PlugX - S0013\"" ,
"misp-galaxy:mitre-malware=\"PlugX - S0013\"" ,
"misp-galaxy:rat=\"PlugX\"" ,
"misp-galaxy:tool=\"PlugX\"" ,
"misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1192\"" ,
"misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1566.002\"" ,
"misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\"" ,
"misp-galaxy:mitre-attack-pattern=\"Visual Basic - T1059.005\"" ,
"misp-galaxy:mitre-attack-pattern=\"Component Object Model - T1559.001\"" ,
"misp-galaxy:mitre-attack-pattern=\"Service Execution - T1569.002\"" ,
"misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"" ,
"misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"" ,
"misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1060\"" ,
"misp-galaxy:mitre-attack-pattern=\"Windows Service - T1543.003\"" ,
"misp-galaxy:mitre-attack-pattern=\"Bypass User Account Control - T1088\"" ,
"misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"" ,
"misp-galaxy:mitre-attack-pattern=\"Hidden Files and Directories - T1564.001\"" ,
"misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"" ,
"misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1073\"" ,
"misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"" ,
"misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"" ,
"misp-galaxy:mitre-attack-pattern=\"Masquerade Task or Service - T1036.004\"" ,
"misp-galaxy:mitre-attack-pattern=\"Match Legitimate Name or Location - T1036.005\"" ,
"misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"" ,
"misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"" ,
"misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\"" ,
"misp-galaxy:mitre-attack-pattern=\"Software Packing - T1045\"" ,
"misp-galaxy:mitre-attack-pattern=\"Process Hollowing - T1055.012\"" ,
"misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"" ,
"misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"" ,
"misp-galaxy:mitre-attack-pattern=\"Inter-Process Communication - T1559\"" ,
"misp-galaxy:mitre-attack-pattern=\"System Services - T1569\"" ,
"misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"" ,
"misp-galaxy:mitre-attack-pattern=\"Boot or Logon Autostart Execution - T1547\"" ,
"misp-galaxy:mitre-attack-pattern=\"Create or Modify System Process - T1543\"" ,
"misp-galaxy:mitre-attack-pattern=\"Abuse Elevation Control Mechanism - T1548\"" ,
"misp-galaxy:mitre-attack-pattern=\"Hijack Execution Flow - T1574\"" ,
"misp-galaxy:mitre-attack-pattern=\"Hide Artifacts - T1564\"" ,
"misp-galaxy:mitre-attack-pattern=\"Impair Defenses - T1562\"" ,
"misp-galaxy:mitre-attack-pattern=\"Indicator Removal on Host - T1070\"" ,
"misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"" ,
"misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"" ,
"misp-galaxy:mitre-attack-pattern=\"Network Service Discovery - T1046\"" ,
"misp-galaxy:mitre-attack-pattern=\"Network Share Discovery - T1135\"" ,
"misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"" ,
"misp-galaxy:mitre-attack-pattern=\"Query Registry - T1012\"" ,
"misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\"" ,
"misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"" ,
"misp-galaxy:mitre-attack-pattern=\"System Network Connections Discovery - T1049\"" ,
"misp-galaxy:mitre-attack-pattern=\"System Service Discovery - T1007\"" ,
"misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\"" ,
"misp-galaxy:mitre-attack-pattern=\"Remote Services - T1021\"" ,
"misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\"" ,
"misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1076\"" ,
"misp-galaxy:mitre-attack-pattern=\"Automated Collection - T1119\"" ,
"misp-galaxy:mitre-attack-pattern=\"Clipboard Data - T1115\"" ,
"misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"" ,
"misp-galaxy:mitre-attack-pattern=\"Input Capture - T1056\"" ,
"misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"" ,
"misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"" ,
"misp-galaxy:mitre-attack-pattern=\"Data Encoding - T1132\"" ,
"misp-galaxy:mitre-attack-pattern=\"Data Obfuscation - T1001\"" ,
"misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"" ,
"misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"" ,
"misp-galaxy:mitre-attack-pattern=\"Non-Application Layer Protocol - T1095\"" ,
"misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"" ,
"misp-galaxy:mitre-attack-pattern=\"External Proxy - T1090.002\"" ,
"misp-galaxy:mitre-attack-pattern=\"Protocol Impersonation - T1001.003\"" ,
"misp-galaxy:mitre-attack-pattern=\"Standard Encoding - T1132.001\"" ,
"misp-galaxy:mitre-attack-pattern=\"Symmetric Cryptography - T1573.001\"" ,
"misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--2a896148-0562-464f-bd45-6acf246f12c3" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-19T09:49:02.000Z" ,
"modified" : "2022-09-19T09:49:02.000Z" ,
"pattern" : "[file:name = '\\\\%WINDIR\\\\%\\\\System32\\\\sysprep\\\\cryptbase.dll']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2022-09-19T09:49:02Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--d851b765-c352-4784-8d88-b9ad47648410" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-19T09:49:23.000Z" ,
"modified" : "2022-09-19T09:49:23.000Z" ,
"pattern" : "[file:name = '\\\\%WINDIR\\\\%\\\\System32\\\\sysprep\\\\sysprep.exe']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2022-09-19T09:49:23Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--37755261-1df4-47c4-b620-775323431ea0" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-15T14:01:57.000Z" ,
"modified" : "2022-09-15T14:01:57.000Z" ,
"labels" : [
"misp:name=\"report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "link" ,
"object_relation" : "link" ,
"value" : "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf" ,
"category" : "External analysis" ,
"uuid" : "e00bf389-9c2c-4ebc-bb23-3435bec0e7b9"
} ,
{
"type" : "text" ,
"object_relation" : "summary" ,
"value" : "PlugX is a malware family first spotted in 2008. It is a Remote Access Trojan that has been\r\nused by several threat actors and provides them with full control over infected machines. It\r\nhas continually evolved over time, adding new features and functionalities with each\r\niteration. Hence, it is important to keep following and documenting its transformations." ,
"category" : "Other" ,
"uuid" : "f109f468-e159-4dc3-ba9c-6c9be1d987cc"
} ,
{
"type" : "text" ,
"object_relation" : "type" ,
"value" : "Report" ,
"category" : "Other" ,
"uuid" : "78450e24-65d4-4f80-b648-094c62f8dc27"
} ,
{
"type" : "attachment" ,
"object_relation" : "report-file" ,
"value" : "Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf" ,
"category" : "External analysis" ,
"uuid" : "c0d3c7fb-bdfc-41c3-80ac-4a16fb885ae3" ,
"data" : " J V B E R i 0 x L j c N C i W 1 t b W 1 D Q o x I D A g b 2 J q D Q o 8 P C 9 U e X B l L 0 N h d G F s b 2 c v U G F n Z X M g M i A w I F I v T G F u Z y h l b i 1 V U y k g L 1 N 0 c n V j d F R y Z W V S b 290 I D E 1 M S A w I F I v T W F y a 0 l u Z m 88 P C 9 N Y X J r Z W Q g d H J 1 Z T 4 + L 0 1 l d G F k Y X R h I D E y M D M g M C B S L 1 Z p Z X d l c l B y Z W Z l c m V u Y 2 V z I D E y M D Q g M C B S P j 4 N C m V u Z G 9 i a g 0 K M i A w I G 9 i a g 0 K P D w v V H l w Z S 9 Q Y W d l c y 9 D b 3 V u d C A y N C 9 L a W R z W y A z I D A g U i A y M C A w I F I g M j c g M C B S I D I 5 I D A g U i A z M y A w I F I g N D A g M C B S I D Q x I D A g U i A 0 M y A w I F I g N D Q g M C B S I D Q 2 I D A g U i A 0 N y A w I F I g N D g g M C B S I D Q 5 I D A g U i A 1 M C A w I F I g N T E g M C B S I D U y I D A g U i A 1 N S A w I F I g N T c g M C B S I D U 5 I D A g U i A 2 M C A w I F I g N j E g M C B S I D Y z I D A g U i A 2 N C A w I F I g N j U g M C B S X S A + P g 0 K Z W 5 k b 2 J q D Q o z I D A g b 2 J q D Q o 8 P C 9 U e X B l L 1 B h Z 2 U v U G F y Z W 50 I D I g M C B S L 1 J l c 291 c m N l c z w 8 L 0 Z v b n Q 8 P C 9 G M S A 1 I D A g U i 9 G M i A 5 I D A g U i 9 G M y A x M S A w I F I v R j Q g M T Y g M C B S L 0 Y 1 I D E 4 I D A g U j 4 + L 0 V 4 d E d T d G F 0 Z T w 8 L 0 d T N y A 3 I D A g U i 9 H U z g g O C A w I F I + P i 9 Y T 2 J q Z W N 0 P D w v S W 1 h Z 2 U x M y A x M y A w I F I v S W 1 h Z 2 U x N S A x N S A w I F I + P i 9 Q c m 9 j U 2 V 0 W y 9 Q R E Y v V G V 4 d C 9 J b W F n Z U I v S W 1 h Z 2 V D L 0 l t Y W d l S V 0 g P j 4 v T W V k a W F C b 3 h b I D A g M C A 2 M T I g N z k y X S A v Q 29 u d G V u d H M g N C A w I F I v R 3 J v d X A 8 P C 9 U e X B l L 0 d y b 3 V w L 1 M v V H J h b n N w Y X J l b m N 5 L 0 N T L 0 R l d m l j Z V J H Q j 4 + L 1 R h Y n M v U y 9 T d H J 1 Y 3 R Q Y X J l b n R z I D A + P g 0 K Z W 5 k b 2 J q D Q o 0 I D A g b 2 J q D Q o 8 P C 9 G a W x 0 Z X I v R m x h d G V E Z W N v Z G U v T G V u Z 3 R o I D g 5 M z 4 + D Q p z d H J l Y W 0 N C n i c v V j f a 9 s 6 F H 4 P 5 H 84 T x d 7 L L J + W v Y Y g 7 Z p t 4 w N e t f A H Z Q 9 e I m a G B I 7 s 1 W 6 / f c 7 c j N 2 q a O l S c T y Y K R I 0 f d 9 P t 85 k p K c N b a 8 K 2 Y W X r 9 O z q w t Z k s z h 9 t k W m + + J N M f G 5 N c F 4 u y K m x Z V 8 n N / V f r v n p n i r l p 3 r y B 8 / E F f B s O K K H u k z M O F F J 86 p x D Y 4 a D / 15 A N R y c T 4 e D 5 I o B D k z v h g O G k y g w 0 J x Q L k F L S T I J 0 z V O e n u j Y d H i g r D o e t m 293 Y 4 u I 0 g / g L T 98 P B J S 7373 C w H x c n w e X H C 0 g 8 G s 9 r a + u 1 X + Z V X d u D Z f K n M l m e E a 1 B c a L S T m U n b q t p u m x M Y W F S W b N a x S M R l Q s T j 3 h U z Y z r w T / d c 1 L F j E a z M h 7 J a O 6 a p r L w K R a R a d 34 p q 7 a x + l T U 6 w P f U s e 2 p I J I j I P 7 W N C 8 V w m 4 i k T Q V N C N Y j 8 L 9 F g A i e I R / C M 4 D C X i q Q 5 M E 2 y D G b O p 5 N 1 s T B M w L i G I E 48 K t s y p U F m G J 8 O U N A c W 78 h 0 5 R h 34 k Q T M N I C u w 9 z v 6 f A r V V 0 J G D 5 N r R + n g x G Q M 90 P U C 196 V 3 K n W z k U u c B j U B h g R m k l 4 + G M c e 2 z Y q W y 2 F k p p R v K T 2 f B A b J S k R K l T 2 Y h A b C R G j J 3 M R h 7 O Z u e m I N H N l P U S f l y 2 r Z n Z s l r A 9 e p + 8 f m 4 W t c D F R p r X e 4 D P b j K + F C y l D C 2 G w V G b k 0 s t L P b y N a B A C X n R H v f Z S h Z 24 g J r D e y X 6 I v v 9 u m c H v T z A b C Y 7 k g W v j w Q q n i m B V S + V A m t o W L p n 4 I 5 Q z c Z a l X U h X M 5 Z I I r 6 R w L t f d b r 0 b 5 b 15 M K s 2 E J S i 1 J X z 5 w n q l S p 18 M G O 4 z y 50 / u C k 1 x 0 D B 5 H m s W v 1 i e X 3 P g 75 Q 41 m N y T I 6 O 5 C x 3 r i a B 70 W + j U T j I H D e J 7 B m Q c x P r a G P d U X Y Z q w i 6 E l B h q 3 B f r X 7 E a d S W L R T V H O 4 a 406 y g G V P R v W x 5 t h F V r C 0 S 6 t 9 Z P c 5 J T 31 C v D L J l S g E X p G P b u 3 y 7 r B d / D q y B z s X z n w n J O l P r x 9 c v X J N x 6 E p x g Q r Y g Q P f g r s 3 I e K D f d R Q f G 7 n l f N N a E E q 8 p y Z g P f Z / 4 L F C s u d R E 9 i 9 O Y 5 c H h T W v A o n N U w y 0 F 22 f 2 D x U p F l O U t 6 D v z E b a 9 Z f T R M q s i r / A 1 q w 5 E m 5 u 7 J 4 U F g w l J z g B d K D I o P l g i K Z 8 q G 8 x J q J N Z f z 49 D k U z T u y o 4 X b b c Z b z Z F 9 f u e R 5 M P B Z 7 t o 6 U Z T T 7 E B 7 p T 9 f 44 w G N V p g / h 8 x M x 6 s i 8 D Q p l b m R z d H J l Y W 0 N C m V u Z G 9 i a g 0 K N S A w I G 9 i a g 0 K P D w v V H l w Z S 9 G b 250 L 1 N 1 Y n R 5 c G U v V H J 1 Z V R 5 c G U v T m F t Z S 9 G M S 9 C Y X N l R m 9 u d C 9 U a W 1 l c 0 5 l d 1 J v b W F u U F N N V C 9 F b m N v Z G l u Z y 9 X a W 5 B b n N p R W 5 j b 2 R p b m c v R m 9 u d E R l c 2 N y a X B 0 b 3 I g N i A w I F I v R m l y c 3 R D a G F y I D M y L 0 x h c 3 R D a G F y I D E y M S 9 X a W R 0 a H M g M T E 3 O S A w I F I + P g 0 K Z W 5 k b 2 J q D Q o 2 I D A g b 2 J q D Q o 8 P C 9 U e X B l L 0 Z v b n R E Z X N j c m l w d G 9 y L 0 Z v b n R O Y W 1 l L 1 R p b W V z T m V 3 U m 9 t Y W 5 Q U 0 1 U L 0 Z s Y W d z I D M y L 0 l 0 Y W x p Y 0 F u Z 2 x l I D A v Q X N j Z W 50 I D g 5 M S 9 E Z X N j Z W 50 I C 0 y M T Y v Q 2 F w S G V p Z 2 h 0 I D Y 5 M y 9 B d m d X a W R 0 a C A 0 M D E v T W F 4 V 2 l k d G g g M j Y x N C 9 G b 250 V 2 V p Z 2 h 0 I D Q w M C 9 Y S G V p Z 2 h 0 I D I 1 M C 9 M Z W F k a W 5 n I D Q y L 1 N 0 Z W 1 W I D Q w L 0 Z v b n R C Q m 94 W y A t N T Y 4 I C 0 y M T Y g M j A 0 N i A 2 O T N d I D 4 + D Q p l b m R v Y m o N C j c g M C B v Y m o N C j w 8 L 1 R 5 c G U v R X h 0 R 1 N 0 Y X R l L 0 J N L 0 5 v c m 1 h b C 9 j Y S A x P j 4 N C m V u Z G 9 i a g 0 K O C A w I G 9 i a g 0 K P D w v V H l w Z S 9 F e H R H U 3 R h d G U v Q k 0 v T m 9 y b W F s L 0 N B I D E + P g 0 K Z W 5 k b 2 J q D Q o 5 I D A g b 2 J q D Q o 8 P C 9 U e X B l L 0 Z v b n Q v U 3 V i d H l w Z S 9 U c n V l V H l w Z S 9 O Y W 1 l L 0 Y y L 0 J h c 2 V G b 250 L 0 J D R E V F R S t B Y m F k a S M y M E V 4 d H J h I z I w T G l n a H Q v R W 5 j b 2 R p b m c v V 2 l u Q W 5 z a U V u Y 29 k a W 5 n L 0 Z v b n R E Z X N j c m l w d G 9 y I D E w I D A g U i 9 G a X J z d E N o Y X I g M z I v T G F z d E N o Y X I g M T I x L 1 d p Z H R o c y A x M T g w I D A g U j 4 + D Q p l b m R v Y m o N C j E w I D A g b 2 J q D Q o 8 P C 9 U e X B l L 0 Z v b n R E Z X N j c m l w d G 9 y L 0 Z v b n R O Y W 1 l L 0 J D R E V F R S t B Y m F k a S M y M E V 4 d H J h I z I w T G l n a H Q v R m x h Z 3 M g M z I v S X R h b G l j Q W 5 n b G U g M C 9 B c 2 N l b n Q g O T E z L 0 R l c 2 N l b n Q g L T I z M i 9 D Y X B I Z W l n a H Q g N j g 3 L 0 F 2 Z 1 d p Z H R o I D M 5 M S 9 N Y X h X a W R 0 a C A x M T U 3 L 0 Z v b n R X Z W l n a H Q g N D A w L 1 h I Z W l n a H Q g M j U w L 1 N 0 Z W 1 W I D M 5 L 0 Z v b n R C Q m 94 W y A t N T g g L T I z M i A x M D k 5 I D Y 4 N 10 g L 0 Z v b n R G a W x l M i A x M T g x I D A g U j 4 + D Q p l b m R v Y m o N C j E x I D A g b 2 J q D Q o 8 P C 9 U e X B l L 0 Z v b n Q v U 3 V i d H l w Z S 9 U c n V l V H l w Z S 9 O Y W 1 l L 0 Y z L 0 J h c 2 V G b 250 L 0 J D R E Z F R S t B Y m F k a S 9 F b m N v Z G l u Z y 9 X a W 5 B b n N p R W 5 j b 2 R p b m c v R m 9 u d E R l c 2 N y a X B 0 b 3 I g M T I g M C B S L 0 Z p c n N 0 Q 2 h h c i A z M i 9 M Y X N 0 Q 2 h h c i A x M j I v V 2 l k d G h z I D E x O D U g M C B S P j 4 N C m V u Z G 9 i a g 0 K M T I g M C B v Y m o N C j w 8 L 1 R 5 c G U v R m 9 u d E R l c 2 N y a X B 0 b 3 I v R m 9 u d E 5 h b W U v Q k N E R k V F K 0 F i Y W R p L 0 Z s Y W d z I D M y L 0 l 0 Y W x p Y 0 F u Z 2 x l I D A v Q X N j Z W 50 I D g 4 N y 9 E Z X N j Z W 50 I C 0 y M j k v Q 2 F w S G V p Z 2 h 0 I D Y 5 M y 9 B d m d X a W R 0 a C A 1 M T Y v T W F 4 V 2 l k d G g g M T M 0 N C 9 G b 250 V 2 V p Z 2 h 0 I D Q w M C 9 Y S G V p Z 2 h 0 I D I 1 M C 9 T d G V t V i A 1 M S 9 G b 250 Q k J v e F s g L T U w I C 0 y M j k g M T I 5 N C A 2 O T N d I C 9 G b 250 R m l s Z T I g M T E 4 M y
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--45516e32-4f9c-4eee-84d2-91eb673d21e8" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-16T07:53:43.000Z" ,
"modified" : "2022-09-16T07:53:43.000Z" ,
"pattern" : "[domain-name:value = 'fuckeryoumm.nmb.bet' AND domain-name:x_misp_port = '53' AND domain-name:x_misp_port = '443']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2022-09-16T07:53:43Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"domain-ip\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--f4a77dc9-c4fe-44ae-b2a8-abb86e702620" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-16T07:54:20.000Z" ,
"modified" : "2022-09-16T07:54:20.000Z" ,
"pattern" : "[domain-name:value = 'tcp.wy01.com' AND domain-name:x_misp_port = '53' AND domain-name:x_misp_port = '443']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2022-09-16T07:54:20Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"domain-ip\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--78707362-c5b2-45a7-95ad-2efe99a644fb" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-16T07:55:03.000Z" ,
"modified" : "2022-09-16T07:55:03.000Z" ,
"pattern" : "[domain-name:value = 'tools.daji8.me' AND domain-name:x_misp_port = '53' AND domain-name:x_misp_port = '443']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2022-09-16T07:55:03Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"domain-ip\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--b39459cd-43fb-41e4-932b-7a61bba34077" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-16T07:55:43.000Z" ,
"modified" : "2022-09-16T07:55:43.000Z" ,
"pattern" : "[domain-name:value = 'a2.fafafazq.com' AND domain-name:x_misp_port = '80']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2022-09-16T07:55:43Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"domain-ip\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--8b8727a9-3787-49bf-9d8d-45f0118e360f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-16T07:56:21.000Z" ,
"modified" : "2022-09-16T07:56:21.000Z" ,
"pattern" : "[domain-name:value = 'tho.pad62.com' AND domain-name:x_misp_port = '443']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2022-09-16T07:56:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"domain-ip\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--490e7061-2f24-4e48-bc84-a5f6b2ff5e0a" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-16T08:10:05.000Z" ,
"modified" : "2022-09-16T08:10:05.000Z" ,
"pattern" : "[domain-name:value = 'tank.hja63.com' AND domain-name:x_misp_port = '53']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2022-09-16T08:10:05Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"domain-ip\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--280fce1c-d0c4-47bc-992f-bf6bbeb19c6c" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-16T08:10:47.000Z" ,
"modified" : "2022-09-16T08:10:47.000Z" ,
"pattern" : "[domain-name:value = 'wps.daj8.me' AND domain-name:x_misp_port = '53']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2022-09-16T08:10:47Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"domain-ip\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--2b06c34b-fdf7-4b02-ab24-f79128695597" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-16T08:15:03.000Z" ,
"modified" : "2022-09-16T08:15:03.000Z" ,
"pattern" : "[domain-name:value = 'wpsup.daj8.me' AND domain-name:x_misp_port = '443']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2022-09-16T08:15:03Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"domain-ip\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--11ca6866-3639-455e-b9e9-b06a4deaae8f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-16T08:16:25.000Z" ,
"modified" : "2022-09-16T08:16:25.000Z" ,
"pattern" : "[domain-name:value = 'tools.googleupdateinfo.com' AND domain-name:x_misp_port = '53' AND domain-name:x_misp_port = '443']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2022-09-16T08:16:25Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"domain-ip\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--fafaefad-c986-458f-8e09-c812fbd0d27d" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-16T08:16:50.000Z" ,
"modified" : "2022-09-16T08:16:50.000Z" ,
"pattern" : "[domain-name:value = 'fly.pad62.com' AND domain-name:x_misp_port = '443']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2022-09-16T08:16:50Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"domain-ip\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--6e175efb-7b29-4b98-98db-a45c18f92e98" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-16T08:25:40.000Z" ,
"modified" : "2022-09-16T08:25:40.000Z" ,
"pattern" : "[domain-name:value = 'tho.hja63.com' AND domain-name:x_misp_port = '53']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2022-09-16T08:25:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"domain-ip\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--aa5ebe67-22fb-4542-9858-c8347fb6c41d" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-16T08:25:56.000Z" ,
"modified" : "2022-09-16T08:25:56.000Z" ,
"pattern" : "[domain-name:value = 'helpdesk.lnip.org' AND domain-name:x_misp_port = '443']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2022-09-16T08:25:56Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"domain-ip\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--cd2257ac-e898-4004-823b-9cac01f267b2" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-16T08:29:01.000Z" ,
"modified" : "2022-09-16T08:29:01.000Z" ,
"pattern" : "[domain-name:value = 'www.trendmicro-update.org' AND domain-name:x_misp_port = '443' AND domain-name:x_misp_port = '80']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2022-09-16T08:29:01Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"domain-ip\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--f75e073a-0849-41d7-ad58-c45079f4cc35" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-16T08:40:47.000Z" ,
"modified" : "2022-09-16T08:40:47.000Z" ,
"pattern" : "[domain-name:value = 'fuckchina.govnb.com' AND domain-name:x_misp_port = '53' AND domain-name:x_misp_port = '80' AND domain-name:x_misp_port = '443']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2022-09-16T08:40:47Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"domain-ip\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--94a0eb25-b7b3-4a52-9000-cffd4c3279ea" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-16T08:43:51.000Z" ,
"modified" : "2022-09-16T08:43:51.000Z" ,
"pattern" : "[domain-name:value = 'wmi.ns01.us' AND domain-name:x_misp_port = '80']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2022-09-16T08:43:51Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"domain-ip\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--18891997-ef58-4b19-9d1d-096bb84d4748" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-16T08:44:08.000Z" ,
"modified" : "2022-09-16T08:44:08.000Z" ,
"pattern" : "[domain-name:value = 'services.darkhero.org' AND domain-name:x_misp_port = '443']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2022-09-16T08:44:08Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"domain-ip\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--eb9c4f38-26f9-470d-bfbd-d22cc5b3cdaf" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-16T08:44:33.000Z" ,
"modified" : "2022-09-16T08:44:33.000Z" ,
"pattern" : "[domain-name:value = 'microsafes.no-ip.org' AND domain-name:x_misp_port = '53' AND domain-name:x_misp_port = '443' AND domain-name:x_misp_port = '80']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2022-09-16T08:44:33Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"domain-ip\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--94c437ca-4c06-484d-8b86-666dfbebfa50" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-16T09:00:26.000Z" ,
"modified" : "2022-09-16T09:00:26.000Z" ,
"pattern" : "[domain-name:value = 'wmi.ns01.us' AND domain-name:x_misp_port = '12345']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2022-09-16T09:00:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"domain-ip\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--0c55a859-96d7-461f-9082-891a7ec1e105" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-16T09:00:44.000Z" ,
"modified" : "2022-09-16T09:00:44.000Z" ,
"pattern" : "[domain-name:value = 'kr.942m.com' AND domain-name:x_misp_port = '53' AND domain-name:x_misp_port = '80']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2022-09-16T09:00:44Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"domain-ip\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--91745102-7414-4d15-ad43-b860560d026b" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-16T09:00:59.000Z" ,
"modified" : "2022-09-16T09:00:59.000Z" ,
"pattern" : "[domain-name:value = 'www.92al.com' AND domain-name:x_misp_port = '53']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2022-09-16T09:00:59Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"domain-ip\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--e8088873-f67c-4a24-94f6-d6b3841d0ca0" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-16T09:01:18.000Z" ,
"modified" : "2022-09-16T09:01:18.000Z" ,
"pattern" : "[domain-name:value = '101.55.29.17' AND domain-name:x_misp_port = '80']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2022-09-16T09:01:18Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"domain-ip\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--2c3d4d34-115e-4565-a9d3-1c13c7cb240d" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-16T09:14:39.000Z" ,
"modified" : "2022-09-16T09:14:39.000Z" ,
"name" : "win_x86_backdoor_plug_x_shellcode_loader_dll" ,
"pattern" : "rule win_x86_backdoor_plug_x_shellcode_loader_dll {\r\nmeta:\r\nauthor = \\\\\"Felipe Duarte, Security Joes\\\\\"\r\ndescription = \\\\\"Detects the PlugX Shellcode Loader DLL for 32 bits systems\\\\\"\r\nsha256_reference = \\\\\"5304d00250196a8cd5e9a81e053a886d1a291e4615484e49ff537bebecc13976\\\\\"\r\nstrings:\r\n// Code to set memory protections and launch shellcode\r\n$opcode1 = { 8d ?? ?? 5? 6a 20 68 00 00 10 00 5? ff 15 ?? ?? ?? ?? 85 ?? 75 ?? 6a 43 e8 ?? ?? ?? ?? 83 c? ?? ff d? 3d ?? ?? ?? ?? 7d ?? 85 ?? 74 ?? 6a 4a e8 ?? ?? ?? ?? 83 c? ?? }\r\n// Strings required to resolve depencies to load and execute the shellcode\r\n$str1 = \\\\\"kernel32\\\\\" nocase\r\n$str2 = \\\\\"GetModuleFileNameW\\\\\"\r\n$str3 = \\\\\"CreateFileW\\\\\"\r\n$str4 = \\\\\"VirtualAlloc\\\\\"\r\n$str5 = \\\\\"ReadFile\\\\\"\r\n$str6 = \\\\\"VirtualProtect\\\\\"\r\ncondition:\r\nall of them\r\n}" ,
"pattern_type" : "yara" ,
2023-12-14 14:30:15 +00:00
"pattern_version" : "2.1" ,
2023-04-21 14:44:17 +00:00
"valid_from" : "2022-09-16T09:14:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"labels" : [
"misp:name=\"yara\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"True\""
] ,
"x_misp_reference" : "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--ede7431e-a02b-475e-9141-68e2834659bd" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-16T09:18:02.000Z" ,
"modified" : "2022-09-16T09:18:02.000Z" ,
"name" : "win_x64_backdoor_plug_x_shellcode_loader_dll" ,
"pattern" : "rule win_x64_backdoor_plug_x_shellcode_loader_dll {\r\nmeta:\r\nauthor = \\\\\"Felipe Duarte, Security Joes\\\\\"\r\ndescription = \\\\\"Detects the PlugX Shellcode Loader DLL for 64 bits systems\\\\\"\r\nsha256_reference = \\\\\"6b8ae6f01ab31243a5176c9fd14c156e9d5c139d170115acb87e1bc65400d54f\\\\\"\r\nstrings:\r\n// Code to get file name of the current module and replaces the extension to .dat\r\n$opcode1 = { 4? 8d 1d ?? ?? ?? ?? 41 b8 00 20 00 00 33 c9 4? 8b d3 ff d0 4? 8b cb 89 44 ?? ?? ff 15 ?? ?? ?? ?? b9 64 00 00 00 8d 50 fd 33 f6 66 89 0c ?? 8d 50 fe b9 61 00 00 00 66 89 0c ?? 8d 50 ff 8b c0 66 89 34 ?? 4? 8b 05 ?? ?? ?? ?? b9 74 00 00 00 66 89 0c ?? 4? 85 c0 75 ?? 4? 8b 05 ?? ?? ?? ?? 4? 85 c0 75 ?? 4? 8d 0d ?? ?? ?? ?? ff 15 ?? ?? ?? ?? 4? 89 05 ?? ?? ?? ?? }\r\n// Code to set memory protections and launch shellcode\r\n$opcode2 = { 4? 8d 4c ?? ?? ba 00 00 10 00 41 b8 40 00 00 00 4? 8b cb ff d0 85 c0 74 ?? ff d3 83 c9 ff ff 15 ?? ?? ?? ?? }\r\n// Strings required to resolve depencies to load and execute the shellcode\r\n$str1 = \\\\\"kernel32\\\\\" nocase\r\n$str2 = \\\\\"GetModuleFileNameW\\\\\"\r\n$str3 = \\\\\"CreateFileW\\\\\"\r\n$str4 = \\\\\"VirtualAlloc\\\\\"\r\n$str5 = \\\\\"ReadFile\\\\\"\r\n$str6 = \\\\\"VirtualProtect\\\\\"\r\ncondition:\r\nall of them\r\n}" ,
"pattern_type" : "yara" ,
2023-12-14 14:30:15 +00:00
"pattern_version" : "2.1" ,
2023-04-21 14:44:17 +00:00
"valid_from" : "2022-09-16T09:18:02Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"labels" : [
"misp:name=\"yara\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"True\""
] ,
"x_misp_reference" : "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--499a5e1e-3338-4d68-8e26-627ca59696d1" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-16T11:59:39.000Z" ,
"modified" : "2022-09-16T11:59:39.000Z" ,
"name" : "win_x86_backdoor_plug_x_shellcode" ,
"pattern" : "rule win_x86_backdoor_plug_x_shellcode {\r\nmeta:\r\nauthor = \\\\\"Felipe Duarte, Security Joes\\\\\"\r\ndescription = \\\\\"Detects the PlugX Shellcode for 32 bits systems\\\\\"\r\nsha256_reference = \\\\\"07ed636049be7bc31fb404da9cf12cff6af01d920ec245b4e087049bd9b5488d\\\\\"\r\nstrings:\r\n// Code of the decryption rutine\r\n$opcode1 = { 8b ?? c1 e? 03 8d ?? ?? ?? ?? ?? ?? 8b ?? c1 e? 05 8d ?? ?? ?? ?? ?? ?? 8b ?? ?? c1 e? 07 b? 33 33 33 33 2b ?? 01 ?? ?? 8b ?? ?? c1 e? 09 b? 44 44 44 44 2b ?? 01 ?? ?? 8b ?? ?? 8d ?? ?? 02 ?? ?? 02 ?? ?? 32 ?? ?? 88 ?? 4? 4? 75 ?? }\r\n// Stack strings for VirtualAlloc\r\n$opcode2 = { c7 8? ?? ?? ?? ?? 56 69 72 74 c7 8? ?? ?? ?? ?? 75 61 6c 41 c7 8? ?? ?? ?? ?? 6c 6c 6f 63 88 ?? ?? ?? ?? ?? ff d? }\r\ncondition:\r\nall of them\r\n}" ,
"pattern_type" : "yara" ,
2023-12-14 14:30:15 +00:00
"pattern_version" : "2.1" ,
2023-04-21 14:44:17 +00:00
"valid_from" : "2022-09-16T11:59:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"labels" : [
"misp:name=\"yara\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"True\""
] ,
"x_misp_reference" : "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--c70e2d31-eabf-44c0-8c1a-82bc325f4e33" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-16T12:00:05.000Z" ,
"modified" : "2022-09-16T12:00:05.000Z" ,
"name" : "win_x64_backdoor_plug_x_shellcode" ,
"pattern" : "rule win_x64_backdoor_plug_x_shellcode {\r\nmeta:\r\nauthor = \\\\\"Felipe Duarte, Security Joes\\\\\"\r\ndescription = \\\\\"Detects the PlugX Shellcode for 64 bits systems\\\\\"\r\nsha256_reference = \\\\\"07ed636049be7bc31fb404da9cf12cff6af01d920ec245b4e087049bd9b5488d\\\\\"\r\nstrings:\r\n// Code of the decryption rutine\r\n$opcode1 = { 41 8b ?? 41 8b ?? c1 e? 03 c1 e? 07 45 8d ?? ?? ?? ?? ?? ?? 41 8b ?? c1 e? 05 45 8d ?? ?? ?? ?? ?? ?? b? 33 33 33 33 2b ?? 41 8b ?? 44 03 ?? c1 e? 09 b? 44 44 44 44 2b ?? 44 03 ?? 43 8d ?? ?? 41 02 ?? 41 02 ?? 32 ?? ?? 88 ?? 4? ff c? 4? ff c? }\r\n// Stack strings for VirtualAlloc\r\n$opcode2 = { c6 4? ?? 56 c6 4? ?? 69 c6 4? ?? 72 c6 4? ?? 74 c6 4? ?? 75 c6 4? ?? 61 c6 4? ?? 6c c6 4? ?? 41 c6 4? ?? 6c c6 4? ?? 6c c6 4? ?? 6f c6 4? ?? 63 }\r\ncondition:\r\nall of them\r\n}" ,
"pattern_type" : "yara" ,
2023-12-14 14:30:15 +00:00
"pattern_version" : "2.1" ,
2023-04-21 14:44:17 +00:00
"valid_from" : "2022-09-16T12:00:05Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"labels" : [
"misp:name=\"yara\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"True\""
] ,
"x_misp_reference" : "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--d407664d-4edc-4a0f-a6a5-3b69cd898fda" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-16T12:00:30.000Z" ,
"modified" : "2022-09-16T12:00:30.000Z" ,
"name" : "win_x86_backdoor_plug_x_uac_bypass" ,
"pattern" : "rule win_x86_backdoor_plug_x_uac_bypass {\r\nmeta:\r\nauthor = \\\\\"Felipe Duarte, Security Joes\\\\\"\r\ndescription = \\\\\"Detects the PlugX UAC Bypass DLL for 32 bits systems\\\\\"\r\nsha256_reference = \\\\\"9d51427f4f5b9f34050a502df3fbcea77f87d4e8f0cef29b05b543db03276e06\\\\\"\r\nstrings:\r\n// Main loop\r\n$opcode1 = { 0f b7 ?? ?? ?? ?? ?? ?? 4? 66 85 ?? 75 ?? 8d ?? ?? ?? ?? ?? ?? 66 83 3? 00 74 ?? 5? e8 ?? ?? ?? ?? 5? c3 }\r\n$str1 = \\\\\"kernel32\\\\\" nocase\r\n$str2 = \\\\\"GetCommandLineW\\\\\"\r\n$str3 = \\\\\"CreateProcessW\\\\\"\r\n$str4 = \\\\\"GetCurrentProcess\\\\\"\r\n$str5 = \\\\\"TerminateProcess\\\\\"\r\ncondition:\r\nall of them\r\n}" ,
"pattern_type" : "yara" ,
2023-12-14 14:30:15 +00:00
"pattern_version" : "2.1" ,
2023-04-21 14:44:17 +00:00
"valid_from" : "2022-09-16T12:00:30Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"labels" : [
"misp:name=\"yara\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"True\""
] ,
"x_misp_reference" : "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--7576bd3a-8305-4743-8fba-459fe5f29bd4" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-16T13:39:33.000Z" ,
"modified" : "2022-09-16T13:39:33.000Z" ,
"name" : "win_x86_backdoor_plug_x_core" ,
"pattern" : "rule win_x86_backdoor_plug_x_core {\r\nmeta:\r\nauthor = \\\\\"Felipe Duarte, Security Joes\\\\\"\r\ndescription = \\\\\"Detects the PlugX Core DLL for 32 bits systems\\\\\"\r\nsha256_reference = \\\\\"fde1a930c6b12d7b00b6e95d52ce1b6536646a903713b1d3d37dc1936da2df88\\\\\"\r\nstrings:\r\n// Decryption routine\r\n$opcode1 = { 8b ?? ?? 8b ?? c1 e? 03 8d ?? ?? ?? ?? ?? ?? 8b ?? c1 e? 05 8d ?? ?? ?? ?? ?? ?? 8b ?? c1 e? 07 b? 33 33 33 33 2b ?? 8b ?? ?? 03 ?? c1 e? 09 b? 44 44 44 44 2b ?? 01 ?? ?? 8d ?? ?? 02 ?? 02 ?? ?? 89 ?? ?? 8b 5? ?? 32 ?? 32 4? ff 4? ?? 88 ?? ?? 75 ?? 5? }\r\n$str1 = \\\\\"Mozilla/4.0 (compatible; MSIE \\\\\" wide ascii\r\n$str2 = \\\\\"X-Session\\\\\" ascii\r\n$str3 = \\\\\"Software\\\\\\\\CLASSES\\\\\\\\FAST\\\\\" wide ascii\r\n$str4 = \\\\\"KLProc\\\\\"\r\n$str5 = \\\\\"OlProcManager\\\\\"\r\n$str6 = \\\\\"JoProcBroadcastRecv\\\\\"\r\ncondition:\r\nall of them\r\n}" ,
"pattern_type" : "yara" ,
2023-12-14 14:30:15 +00:00
"pattern_version" : "2.1" ,
2023-04-21 14:44:17 +00:00
"valid_from" : "2022-09-16T13:39:33Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"labels" : [
"misp:name=\"yara\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"True\""
] ,
"x_misp_reference" : "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--8dbdca17-8051-4e32-b345-f5653f52c92c" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-16T13:39:23.000Z" ,
"modified" : "2022-09-16T13:39:23.000Z" ,
"name" : "win_x64_backdoor_plug_x_uac_bypass" ,
"pattern" : "rule win_x64_backdoor_plug_x_uac_bypass {\r\nmeta:\r\nauthor = \\\\\"Felipe Duarte, Security Joes\\\\\"\r\ndescription = \\\\\"Detects the PlugX UAC Bypass DLL for 64 bits systems\\\\\"\r\nsha256_reference = \\\\\"547b605673a2659fe2c8111c8f0c3005c532cab6b3ba638e2cdcd52fb62296d3\\\\\"\r\nstrings:\r\n// 360tray.exe stack strings\r\n$opcode1 = { 4? 83 e? 48 b? 33 00 00 00 4? 8d ?? ?? ?? c7 44 ?? ?? 2e 00 65 00 66 89 ?? ?? ?? b? 36 00 00 00 c7 44 ?? ?? 78 00 65 00 66 89 ?? ?? ?? b? 30 00 00 00 66 89 ?? ?? ?? b? 74 00 00 00 66 89 ?? ?? ?? b? 72 00 00 00 66 89 ?? ?? ?? b? 61 00 00 00 66 89 ?? ?? ?? b? 79 00 00 00 66 89 ?? ?? ?? 33 ?? 66 89 ?? ?? ?? e8 ?? ?? ?? ?? }\r\n$str1 = \\\\\"Elevation:Administrator!new:\\\\%s\\\\\" wide ascii\r\n$str2 = \\\\\"{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\\\\\" wide ascii\r\n$str3 = \\\\\"{6EDD6D74-C007-4E75-B76A-E5740995E24C}\\\\\" wide ascii\r\n$str4 = \\\\\"CLSIDFromString\\\\\"\r\n$str5 = \\\\\"CoGetObject\\\\\"\r\ncondition:\r\nall of them\r\n}" ,
"pattern_type" : "yara" ,
2023-12-14 14:30:15 +00:00
"pattern_version" : "2.1" ,
2023-04-21 14:44:17 +00:00
"valid_from" : "2022-09-16T13:39:23Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"labels" : [
"misp:name=\"yara\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"True\""
] ,
"x_misp_reference" : "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--a7da47b6-95d0-4027-b63b-fef3d59265ef" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2022-09-16T13:39:45.000Z" ,
"modified" : "2022-09-16T13:39:45.000Z" ,
"name" : "win_x64_backdoor_plug_x_core" ,
"pattern" : "rule win_x64_backdoor_plug_x_core {\r\nmeta:\r\nauthor = \\\\\"Felipe Duarte, Security Joes\\\\\"\r\ndescription = \\\\\"Detects the PlugX Core DLL for 64 bits systems\\\\\"\r\nsha256_reference = \\\\\"af9cb318c4c28d7030f62a62f561ff612a9efb839c6934ead0eb496d49f73e03\\\\\"\r\nstrings:\r\n// Decryption routine\r\n$opcode1 = { 41 8b ?? 8b ?? 4? ff c? c1 e? 03 c1 e? 07 45 8d ?? ?? ?? ?? ?? ?? 41 8b ?? c1 e? 05 45 8d ?? ?? ?? ?? ?? ?? b? 33 33 33 33 2b ?? 8b ?? 03 ?? c1 e? 09 b? 44 44 44 44 2b ?? 03 ?? 43 8d ?? ?? 02 ?? 40 02 ?? 43 32 ?? ?? ?? 4? ff c? 41 88 ?? ?? 75 ?? }\r\n$str1 = \\\\\"Mozilla/4.0 (compatible; MSIE \\\\\" wide ascii\r\n$str2 = \\\\\"X-Session\\\\\" wide ascii\r\n$str3 = \\\\\"Software\\\\\\\\CLASSES\\\\\\\\FAST\\\\\" wide ascii\r\n$str4 = \\\\\"KLProc\\\\\"\r\n$str5 = \\\\\"OlProcManager\\\\\"\r\n$str6 = \\\\\"JoProcBroadcastRecv\\\\\"\r\ncondition:\r\nall of them\r\n}" ,
"pattern_type" : "yara" ,
2023-12-14 14:30:15 +00:00
"pattern_version" : "2.1" ,
2023-04-21 14:44:17 +00:00
"valid_from" : "2022-09-16T13:39:45Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"labels" : [
"misp:name=\"yara\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"True\""
] ,
"x_misp_reference" : "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}
