{ "Event": { "analysis": "2", "date": "2016-08-17", "extends_uuid": "", "info": "OSINT - Generic YARA rule by Jay DiMartino detecting the PlugX trojan loader string-decode byte pattern, plus the 22 SHA1 sample hashes the rule references", "publish_timestamp": "1474835789", "published": true, "threat_level_id": "2", "timestamp": "1471443370", "uuid": "57b47152-b938-42f7-aa36-4bf1950d210f", "Orgc": { "name": "CthulhuSPRL.be", "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "OSINT", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1471443310", "to_ids": false, "type": "link", "uuid": "57b4716e-624c-431e-af53-40c2950d210f", "value": "https://github.com/Neo23x0/signature-base/blob/master/yara/apt_plugx.yar" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1471443327", "to_ids": true, "type": "yara", "uuid": "57b4717f-cc50-4b81-9fd1-4f64950d210f", "value": "rule APTGroupX_PlugXTrojanLoader_StringDecode {\r\n meta:\r\n author = \"Jay DiMartino\"\r\n \tdescription = \"Rule to detect PlugX Malware\"\r\n\t\tscore = 80\r\n \treference = \"https://t.co/4xQ8G2mNap\"\r\n hash1 = \"0535e8c300204e257f0fa57630f386e9fcc8e779\"\r\n hash2 = \"088ebf9ccde958f32d11f4e7eb14f5332332f97d\"\r\n hash3 = \"0c999d0bffa007e9e6b6fe593933b52f40c75b3d\"\r\n hash4 = \"2f644e7131ec0a4f12ce04ba1e54d23856dbbfbf\"\r\n hash5 = \"3be9148ad132ca342d5fbabea1119a175ef1df7c\"\r\n hash6 = \"4c1ee94ec0e15491fc4f6b4095f67eee6309e62a\"\r\n hash7 = \"587af7ce05e61d4c312d6bae12ea380116b08d7e\"\r\n hash8 = \"5990efd83b5646a7ba419541d3a2c19260224ca3\"\r\n hash9 = \"67970367c250c44a5feb263843cf45fd91336df5\"\r\n hash10 = \"68f53f7188910a4cf67843aedd38c1523f1f2e7c\"\r\n hash11 = \"962dc7e0ad37286df012f623423ac4182fe791ca\"\r\n hash12 = \"aa0976906807af2e1b127608040aa3ef6e118a13\"\r\n hash13 = 
\"b170d015e32b39fa4ac15f94d58e45e65cd16d6c\"\r\n hash14 = \"c9b3d2cef3b34c7ee18fc2f60ff022965959613d\"\r\n hash15 = \"cd425ce7f3e4a823d9027780e1b439759c4dc665\"\r\n hash16 = \"d5e82513c6472d3826a22d9a15c05af8c0d33b58\"\r\n hash17 = \"d9b32084f27ef13001060e1dcee8a1a9e95d89a6\"\r\n hash18 = \"daa2d1cb9148b7ba5a86fa9ab593678e77c92672\"\r\n hash19 = \"e2c098a95d1c1f0e29f207af9c5ffc5bd69a92ee\"\r\n hash20 = \"ef8cf68dc3c80e9cb5a3fa0f92b544eab583812e\"\r\n hash21 = \"f0fc0a4e4e0748464caa6a202d0083cd33458677\"\r\n hash22 = \"fe1abe55529c1d6aa6b2a2f02d7e41ea58040feb\"\r\n strings:\r\n $byte1 = { 8A [2-4] 8A [2-4] FF 05 00 30 00 10 [0-5] 2A [1-6] 80 [2-7] 02 [1-6] 88 0? }\r\n $byte2 = { 8B [2-4] 8A [2-4] FF 05 00 30 00 10 [0-5] 2A [1-6] 80 [2-7] 02 [1-6] 88 0? }\r\n condition:\r\n any of them\r\n}" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1471443365", "to_ids": true, "type": "sha1", "uuid": "57b471a5-25b0-4f2d-9181-489a950d210f", "value": "0535e8c300204e257f0fa57630f386e9fcc8e779" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1471443365", "to_ids": true, "type": "sha1", "uuid": "57b471a5-9708-4b32-885d-4249950d210f", "value": "088ebf9ccde958f32d11f4e7eb14f5332332f97d" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1471443366", "to_ids": true, "type": "sha1", "uuid": "57b471a6-5574-48ae-84e9-4d11950d210f", "value": "0c999d0bffa007e9e6b6fe593933b52f40c75b3d" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1471443366", "to_ids": true, "type": "sha1", "uuid": "57b471a6-137c-4dd7-9756-46db950d210f", "value": "2f644e7131ec0a4f12ce04ba1e54d23856dbbfbf" }, { 
"category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1471443366", "to_ids": true, "type": "sha1", "uuid": "57b471a6-4dc4-4f35-a8f4-4d2d950d210f", "value": "3be9148ad132ca342d5fbabea1119a175ef1df7c" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1471443366", "to_ids": true, "type": "sha1", "uuid": "57b471a6-c6e0-49f9-8e12-440b950d210f", "value": "4c1ee94ec0e15491fc4f6b4095f67eee6309e62a" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1471443366", "to_ids": true, "type": "sha1", "uuid": "57b471a6-7f80-4c6d-8825-4e11950d210f", "value": "587af7ce05e61d4c312d6bae12ea380116b08d7e" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1471443367", "to_ids": true, "type": "sha1", "uuid": "57b471a7-58e0-40fe-9ce5-400c950d210f", "value": "5990efd83b5646a7ba419541d3a2c19260224ca3" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1471443367", "to_ids": true, "type": "sha1", "uuid": "57b471a7-43b0-44ef-80f9-4b20950d210f", "value": "67970367c250c44a5feb263843cf45fd91336df5" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1471443367", "to_ids": true, "type": "sha1", "uuid": "57b471a7-a564-48fd-8a5e-4c05950d210f", "value": "68f53f7188910a4cf67843aedd38c1523f1f2e7c" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1471443367", "to_ids": true, "type": "sha1", "uuid": 
"57b471a7-9994-4528-be80-45fe950d210f", "value": "962dc7e0ad37286df012f623423ac4182fe791ca" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1471443367", "to_ids": true, "type": "sha1", "uuid": "57b471a8-357c-4f03-aff5-4230950d210f", "value": "aa0976906807af2e1b127608040aa3ef6e118a13" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1471443368", "to_ids": true, "type": "sha1", "uuid": "57b471a8-c8a8-4844-8897-46b1950d210f", "value": "b170d015e32b39fa4ac15f94d58e45e65cd16d6c" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1471443368", "to_ids": true, "type": "sha1", "uuid": "57b471a8-fb7c-4dd7-b366-495f950d210f", "value": "c9b3d2cef3b34c7ee18fc2f60ff022965959613d" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1471443368", "to_ids": true, "type": "sha1", "uuid": "57b471a8-fb24-4246-8f8e-4093950d210f", "value": "cd425ce7f3e4a823d9027780e1b439759c4dc665" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1471443368", "to_ids": true, "type": "sha1", "uuid": "57b471a8-c074-49c5-a84a-4c2b950d210f", "value": "d5e82513c6472d3826a22d9a15c05af8c0d33b58" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1471443369", "to_ids": true, "type": "sha1", "uuid": "57b471a9-29f0-4524-9743-4ffb950d210f", "value": "d9b32084f27ef13001060e1dcee8a1a9e95d89a6" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": 
false, "timestamp": "1471443369", "to_ids": true, "type": "sha1", "uuid": "57b471a9-4a44-46d5-94ad-400c950d210f", "value": "daa2d1cb9148b7ba5a86fa9ab593678e77c92672" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1471443369", "to_ids": true, "type": "sha1", "uuid": "57b471a9-0f70-4473-9189-41f6950d210f", "value": "e2c098a95d1c1f0e29f207af9c5ffc5bd69a92ee" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1471443369", "to_ids": true, "type": "sha1", "uuid": "57b471a9-2588-4b70-8997-4f2f950d210f", "value": "ef8cf68dc3c80e9cb5a3fa0f92b544eab583812e" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1471443369", "to_ids": true, "type": "sha1", "uuid": "57b471a9-83b8-4570-81c2-45f8950d210f", "value": "f0fc0a4e4e0748464caa6a202d0083cd33458677" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1471443370", "to_ids": true, "type": "sha1", "uuid": "57b471aa-ef54-405c-a475-4d95950d210f", "value": "fe1abe55529c1d6aa6b2a2f02d7e41ea58040feb" } ] } }