
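// Matches PlugX builds by the build-tree / PDB / source-file paths that the
// referenced reports recovered from samples (CodeView debug records and
// leftover source references). Any single path is enough to fire.
rule PlugX_PDB_Paths
{
    meta:
        Author = "@X0RC1SM"
        // Fixed: the rule looks for debug/build paths, not certificates.
        Description = "Detects PlugX builds by the PDB and source-file paths documented in the referenced reports"
        Reference1 = "http://blog.cassidiancybersecurity.com/post/2014/01/plugx-some-uncovered-points.html"
        Reference2 = "https://www.circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf"
        Reference3 = "https://www.alienvault.com/blogs/labs-research/the-connection-between-the-plugx-chinese-gang-and-the-latest-internet-explo"
        Reference4 = "https://www.alienvault.com/blogs/labs-research/tracking-down-the-author-of-the-plugx-rat"
        Date = "2017-10-28"

    strings:
        // The reports list most paths lower-cased, while a compiler-emitted PDB
        // path keeps the case of the build directory (compare the "plug3.0(gf)udp"
        // form in $PDB9 with "Plug3.0(Gf)UDP" in $PDB48). YARA strings are
        // case-sensitive by default, so every path is matched with `nocase`
        // to avoid missing the mixed-case form actually present in binaries.
        //
        // Runs of dots inside parentheses, e.g. "(......)", are reproduced from
        // the reports verbatim; they presumably stand for non-ASCII characters
        // that were stripped there -- TODO confirm against samples, since a
        // literal run of dots is unlikely to occur in a real path.
        //
        // Exact duplicates from the original list were dropped (the former
        // $PDB51, $PDB52, $PDB54, $PDB57, $PDB63 and $PDB64 repeated $PDB46,
        // $PDB48, $PDB47, $PDB55, $PDB49 and $PDB53 respectively); the remaining
        // identifiers keep their original numbering.

        // "shellcode" project build trees, versions 2.0 through 8.0
        $PDB1  = "i:\\work\\plug2.0(......)\\shellcode\\shellcode\\" nocase
        $PDB2  = "i:\\work\\plug2.0\\shellcode\\shellcode\\" nocase
        $PDB3  = "d:\\work\\plug2.0\\shellcode\\shellcode\\" nocase
        $PDB4  = "d:\\work\\plug2.5\\shellcode\\shellcode\\" nocase
        $PDB5  = "c:\\users\\whg\\desktop\\plug2.5(nzqk)\\shellcode\\shellcode\\" nocase
        $PDB6  = "c:\\users\\whg\\desktop\\plug2.5(rose)\\shellcode\\shellcode\\" nocase
        $PDB7  = "c:\\users\\whg\\desktop\\plug3.0\\shellcode\\shellcode\\" nocase
        $PDB8  = "d:\\work\\plug3.0(gf)\\shellcode\\shellcode\\" nocase
        $PDB9  = "d:\\work\\plug3.0(gf)udp\\shellcode\\shellcode\\" nocase
        $PDB10 = "d:\\work\\plug3.0(lyt)\\shellcode\\shellcode\\" nocase
        $PDB11 = "d:\\work\\plug3.0\\shellcode\\shellcode\\" nocase
        $PDB12 = "d:\\work\\plug3.1(icesword)\\shellcode\\shellcode\\" nocase
        $PDB13 = "d:\\work\\plug4.0(....)(......)\\shellcode\\shellcode\\" nocase
        $PDB14 = "d:\\work\\plug4.0(cammute)\\shellcode\\shellcode\\" nocase
        $PDB15 = "d:\\work\\plug4.0(msidb)(lyt)\\shellcode\\shellcode\\" nocase
        $PDB16 = "d:\\work\\plug4.0(nvsmart)(....)(7.0)\\shellcode\\shellcode\\" nocase
        $PDB17 = "d:\\work\\plug4.0(nvsmart)(hrb)\\shellcode\\shellcode\\" nocase
        $PDB18 = "d:\\work\\plug4.0(nvsmart)(mrxy)(675960)\\shellcode\\shellcode\\" nocase
        $PDB19 = "d:\\work\\plug4.0(nvsmart)(sxl)\\shellcode\\shellcode\\" nocase
        $PDB20 = "d:\\work\\plug4.0(nvsmart)\\shellcode\\shellcode\\" nocase
        $PDB21 = "d:\\work\\plug4.0(shellcode)(....)\\shellcode\\shellcode\\" nocase
        $PDB22 = "d:\\work\\plug4.0(shellcode)(hrb)(gf)\\shellcode\\shellcode\\" nocase
        $PDB23 = "d:\\work\\plug4.0(shellcode)(hrb)\\shellcode\\shellcode\\" nocase
        $PDB24 = "d:\\work\\plug4.0\\shellcode\\shellcode\\" nocase
        $PDB25 = "d:\\work\\plug5.0(3f)(zxf)(360)(9022863)(scldr3.0)\\shellcode\\shellcode\\" nocase
        $PDB26 = "d:\\work\\plug5.0(hrb)\\shellcode\\shellcode\\" nocase
        $PDB27 = "d:\\work\\plug5.0\\shellcode\\shellcode\\" nocase
        $PDB28 = "d:\\work\\plug6.0(360)(gadget)(....)\\shellcode\\shellcode\\" nocase
        $PDB29 = "d:\\work\\plug6.0(360)(gadget)(........)(....)\\shellcode\\shellcode\\" nocase
        $PDB30 = "d:\\work\\plug6.0(360)(hkcmd)(xts)(scldr3.0)\\shellcode\\shellcode\\" nocase
        $PDB31 = "d:\\work\\plug6.0(360)(hkcmd)(xts)\\shellcode\\shellcode\\" nocase
        $PDB32 = "d:\\work\\plug6.0(360)(mcinsupd)(....)\\shellcode\\shellcode\\" nocase
        $PDB33 = "d:\\work\\plug6.0(360)(mcinsupd)(48846669)\\shellcode\\shellcode\\" nocase
        $PDB34 = "d:\\work\\plug6.0(360)(mcoemcpy)(hhhtwy)(scldr3.0)\\shellcode\\shellcode\\" nocase
        $PDB35 = "d:\\work\\plug6.0(360)(minidownloader)\\shellcode\\shellcode\\" nocase
        $PDB36 = "d:\\work\\plug6.0\\plug6.0(minidownloader)\\shellcode\\shellcode\\" nocase
        $PDB37 = "d:\\work\\plug6.0\\plug6.0(rstray)\\shellcode\\shellcode\\" nocase
        $PDB38 = "d:\\work\\plug7.0(....)(3..)\\plug7.0(oleview)(....3)(........)\\shellcode\\shellcode\\" nocase
        $PDB39 = "d:\\work\\plug7.0(arotutorial)(ykcai)(2)\\shellcode\\shellcode\\" nocase
        $PDB40 = "d:\\work\\plug7.0(bdreinit)(....)(360)\\shellcode\\shellcode\\" nocase
        $PDB41 = "d:\\work\\plug7.0(mcappcfg)(gf)(....)\\shellcode\\shellcode\\" nocase
        $PDB42 = "d:\\work\\plug7.0(mcvsmap)(fking)(....)\\shellcode\\shellcode\\" nocase
        $PDB43 = "d:\\work\\plug8.0(hkcmd)(....)\\plug6.0(360)(mcoemcpy)(hhhtwy)(scldr3.0)\\shellcode\\shellcode\\" nocase
        $PDB44 = "d:\\work\\plug8.0(mcoemcpy)(lyt)\\shellcode\\shellcode\\" nocase
        // Shorter prefix of $PDB42; kept because it also covers paths that do
        // not continue with the shellcode sub-tree.
        $PDB45 = "d:\\work\\plug7.0(mcvsmap)(fking)" nocase

        // Full PDB / header / source-file paths
        $PDB46 = "d:\\work\\plug4.0(nvsmart)(sxl)\\shellcode\\shellcode\\XPlug.h" nocase
        $PDB47 = "d:\\work\\plug3.1(icesword)\\shellcode\\shellcode\\XPlug.h" nocase
        $PDB48 = "d:\\work\\Plug3.0(Gf)UDP\\Shell6\\Release\\Shell6.pdb" nocase
        $PDB49 = "i:\\work\\plug2.0()\\shellcode\\shellcode\\XPlug.h" nocase
        $PDB50 = "d:\\work\\plug4.0(nvsmart)(sxl)\\shellcode\\shellcode\\XSetting.h" nocase
        $PDB53 = "d:\\work\\plug4.0(nvsmart)\\shellcode\\shellcode\\XPlug.h" nocase
        $PDB55 = "C:\\Users\\whg\\Desktop\\Plug\\FastGui(LYT)\\Shell\\Release\\Shell.pdb" nocase
        // $PDB56 and $PDB60 contain a doubled backslash ("whg\\\\...") exactly as
        // listed in the reports; whether that is a transcription artefact or the
        // real path is not established here -- TODO confirm against samples.
        $PDB56 = "C:\\Documents and Settings\\whg\\\\Plug\\FastGui(LYT)\\Shell\\Release\\Shell.pdb" nocase

        // Other projects from the same developer environment (SockMon, vtcp,
        // FamHook) referenced by the reports
        $PDB58 = "C:\\Users\\whg\\Desktop\\SockMon2011\\SockMon\\UnitCache.pas" nocase
        $PDB59 = "c:\\Documents and Settings\\whg\\SockMon2010\\RunProtect\\Release\\RunProtect.pdb" nocase
        $PDB60 = "c:\\Documents and Settings\\whg\\\\SockMon2010\\SmComm\\Release\\SmComm.pdb" nocase
        $PDB61 = "C:\\Users\\whg\\Desktop\\vtcp11.0lib\\vtcpT0\\UnitMain.pas" nocase
        $PDB62 = "c:\\Documents and Settings\\whg\\Pnw(all)\\Pc()\\FamHook\\Release\\FamHook.pdb" nocase

    condition:
        // A single build path is considered sufficient evidence.
        any of them
}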