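// Flags files that embed one of the developer-side PDB / source paths which the
// referenced PlugX reports recovered from the builds (the "plugN.0(...)" project
// tree and the "whg" user profile). The rule is purely string-based: a hit means
// a known build path is present, it says nothing about what the sample does.
rule PlugX_PDB_Paths
{
    meta:
        Author = "@X0RC1SM"
        // The original description ("certificates found in report") did not match
        // the rule body, which contains PDB and source paths only.
        Description = "PDB and source file paths embedded in PlugX builds, as recovered in the referenced reports"
        Reference1 = "http://blog.cassidiancybersecurity.com/post/2014/01/plugx-some-uncovered-points.html"
        Reference2 = "https://www.circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf"
        Reference3 = "https://www.alienvault.com/blogs/labs-research/the-connection-between-the-plugx-chinese-gang-and-the-latest-internet-explo"
        Reference4 = "https://www.alienvault.com/blogs/labs-research/tracking-down-the-author-of-the-plugx-rat"
        Date = "2017-10-28"

    strings:
        // NOTE(review): the runs of dots such as "(......)" or "(....)" in $PDB1,
        // $PDB13, $PDB16, $PDB21, $PDB28, $PDB29, $PDB32, $PDB38 and $PDB40-$PDB43
        // look like non-ASCII characters that were replaced when the paths were
        // copied out of the reports; as written they only match the literal dots
        // and are unlikely to fire. The same probably applies to the empty "()" in
        // $PDB49 and $PDB62 and to the doubled backslash in $PDB56 and $PDB60.
        // Confirm these against the original samples before relying on them.
        //
        // Strings are case-sensitive (no `nocase`): $PDB48 keeps the mixed case the
        // report gave, the other "plug" paths are lower-case.
        //
        // Exact duplicates were dropped: $PDB51, $PDB52, $PDB54, $PDB57, $PDB63 and
        // $PDB64 were byte-identical to $PDB46, $PDB48, $PDB47, $PDB55, $PDB49 and
        // $PDB53. The remaining identifiers are unchanged so matches stay comparable
        // with the original rule. Some file-level strings ($PDB46, $PDB47, $PDB50,
        // $PDB53) and $PDB42 are subsumed by shorter directory prefixes already in
        // the list; they are kept only because they label the match more precisely.
        $PDB1 = "i:\\work\\plug2.0(......)\\shellcode\\shellcode\\"
        $PDB2 = "i:\\work\\plug2.0\\shellcode\\shellcode\\"
        $PDB3 = "d:\\work\\plug2.0\\shellcode\\shellcode\\"
        $PDB4 = "d:\\work\\plug2.5\\shellcode\\shellcode\\"
        $PDB5 = "c:\\users\\whg\\desktop\\plug2.5(nzqk)\\shellcode\\shellcode\\"
        $PDB6 = "c:\\users\\whg\\desktop\\plug2.5(rose)\\shellcode\\shellcode\\"
        $PDB7 = "c:\\users\\whg\\desktop\\plug3.0\\shellcode\\shellcode\\"
        $PDB8 = "d:\\work\\plug3.0(gf)\\shellcode\\shellcode\\"
        $PDB9 = "d:\\work\\plug3.0(gf)udp\\shellcode\\shellcode\\"
        $PDB10 = "d:\\work\\plug3.0(lyt)\\shellcode\\shellcode\\"
        $PDB11 = "d:\\work\\plug3.0\\shellcode\\shellcode\\"
        $PDB12 = "d:\\work\\plug3.1(icesword)\\shellcode\\shellcode\\"
        $PDB13 = "d:\\work\\plug4.0(....)(......)\\shellcode\\shellcode\\"
        $PDB14 = "d:\\work\\plug4.0(cammute)\\shellcode\\shellcode\\"
        $PDB15 = "d:\\work\\plug4.0(msidb)(lyt)\\shellcode\\shellcode\\"
        $PDB16 = "d:\\work\\plug4.0(nvsmart)(....)(7.0)\\shellcode\\shellcode\\"
        $PDB17 = "d:\\work\\plug4.0(nvsmart)(hrb)\\shellcode\\shellcode\\"
        $PDB18 = "d:\\work\\plug4.0(nvsmart)(mrxy)(675960)\\shellcode\\shellcode\\"
        $PDB19 = "d:\\work\\plug4.0(nvsmart)(sxl)\\shellcode\\shellcode\\"
        $PDB20 = "d:\\work\\plug4.0(nvsmart)\\shellcode\\shellcode\\"
        $PDB21 = "d:\\work\\plug4.0(shellcode)(....)\\shellcode\\shellcode\\"
        $PDB22 = "d:\\work\\plug4.0(shellcode)(hrb)(gf)\\shellcode\\shellcode\\"
        $PDB23 = "d:\\work\\plug4.0(shellcode)(hrb)\\shellcode\\shellcode\\"
        $PDB24 = "d:\\work\\plug4.0\\shellcode\\shellcode\\"
        $PDB25 = "d:\\work\\plug5.0(3f)(zxf)(360)(9022863)(scldr3.0)\\shellcode\\shellcode\\"
        $PDB26 = "d:\\work\\plug5.0(hrb)\\shellcode\\shellcode\\"
        $PDB27 = "d:\\work\\plug5.0\\shellcode\\shellcode\\"
        $PDB28 = "d:\\work\\plug6.0(360)(gadget)(....)\\shellcode\\shellcode\\"
        $PDB29 = "d:\\work\\plug6.0(360)(gadget)(........)(....)\\shellcode\\shellcode\\"
        $PDB30 = "d:\\work\\plug6.0(360)(hkcmd)(xts)(scldr3.0)\\shellcode\\shellcode\\"
        $PDB31 = "d:\\work\\plug6.0(360)(hkcmd)(xts)\\shellcode\\shellcode\\"
        $PDB32 = "d:\\work\\plug6.0(360)(mcinsupd)(....)\\shellcode\\shellcode\\"
        $PDB33 = "d:\\work\\plug6.0(360)(mcinsupd)(48846669)\\shellcode\\shellcode\\"
        $PDB34 = "d:\\work\\plug6.0(360)(mcoemcpy)(hhhtwy)(scldr3.0)\\shellcode\\shellcode\\"
        $PDB35 = "d:\\work\\plug6.0(360)(minidownloader)\\shellcode\\shellcode\\"
        $PDB36 = "d:\\work\\plug6.0\\plug6.0(minidownloader)\\shellcode\\shellcode\\"
        $PDB37 = "d:\\work\\plug6.0\\plug6.0(rstray)\\shellcode\\shellcode\\"
        $PDB38 = "d:\\work\\plug7.0(....)(3..)\\plug7.0(oleview)(....3)(........)\\shellcode\\shellcode\\"
        $PDB39 = "d:\\work\\plug7.0(arotutorial)(ykcai)(2)\\shellcode\\shellcode\\"
        $PDB40 = "d:\\work\\plug7.0(bdreinit)(....)(360)\\shellcode\\shellcode\\"
        $PDB41 = "d:\\work\\plug7.0(mcappcfg)(gf)(....)\\shellcode\\shellcode\\"
        $PDB42 = "d:\\work\\plug7.0(mcvsmap)(fking)(....)\\shellcode\\shellcode\\"
        $PDB43 = "d:\\work\\plug8.0(hkcmd)(....)\\plug6.0(360)(mcoemcpy)(hhhtwy)(scldr3.0)\\shellcode\\shellcode\\"
        $PDB44 = "d:\\work\\plug8.0(mcoemcpy)(lyt)\\shellcode\\shellcode\\"
        $PDB45 = "d:\\work\\plug7.0(mcvsmap)(fking)"
        $PDB46 = "d:\\work\\plug4.0(nvsmart)(sxl)\\shellcode\\shellcode\\XPlug.h"
        $PDB47 = "d:\\work\\plug3.1(icesword)\\shellcode\\shellcode\\XPlug.h"
        $PDB48 = "d:\\work\\Plug3.0(Gf)UDP\\Shell6\\Release\\Shell6.pdb"
        $PDB49 = "i:\\work\\plug2.0()\\shellcode\\shellcode\\XPlug.h"
        $PDB50 = "d:\\work\\plug4.0(nvsmart)(sxl)\\shellcode\\shellcode\\XSetting.h"
        $PDB53 = "d:\\work\\plug4.0(nvsmart)\\shellcode\\shellcode\\XPlug.h"
        $PDB55 = "C:\\Users\\whg\\Desktop\\Plug\\FastGui(LYT)\\Shell\\Release\\Shell.pdb"
        $PDB56 = "C:\\Documents and Settings\\whg\\\\Plug\\FastGui(LYT)\\Shell\\Release\\Shell.pdb"
        $PDB58 = "C:\\Users\\whg\\Desktop\\SockMon2011\\SockMon\\UnitCache.pas"
        $PDB59 = "c:\\Documents and Settings\\whg\\SockMon2010\\RunProtect\\Release\\RunProtect.pdb"
        $PDB60 = "c:\\Documents and Settings\\whg\\\\SockMon2010\\SmComm\\Release\\SmComm.pdb"
        $PDB61 = "C:\\Users\\whg\\Desktop\\vtcp11.0lib\\vtcpT0\\UnitMain.pas"
        $PDB62 = "c:\\Documents and Settings\\whg\\Pnw(all)\\Pc()\\FamHook\\Release\\FamHook.pdb"

    condition:
        // One embedded build path is enough; every string is a unique PlugX path.
        any of them
}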