YARA rules for PLAINTEE
2 rules · scoped to tool · back to PLAINTEE
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts.
rule APT_RANCOR_PLAINTEE_Variant {
meta:
description = "Detects PLAINTEE malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/"
date = "2018-06-26"
hash1 = "6aad1408a72e7adc88c2e60631a6eee3d77f18a70e4eee868623588612efdd31"
hash2 = "bcd37f1d625772c162350e5383903fe8dbed341ebf0dc38035be5078624c039e"
id = "f5b68079-0517-504d-a45f-f6ced532db82"
strings:
$s1 = "payload.dat" fullword ascii
$s3 = "temp_microsoft_test.txt" fullword ascii
$s4 = "reg add %s /v %s /t REG_SZ /d \"%s\"" fullword ascii
$s6 = "%s %s,helloworld2" fullword ascii
$s9 = "%s \\\"%s\\\",helloworld" fullword ascii
$s16 = "recv plugin type %s size:%d" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 100KB and 3 of them
}
rule APT_RANCOR_PLAINTEE_Malware_Exports {
meta:
description = "Detects PLAINTEE malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/"
date = "2018-06-26"
hash1 = "c35609822e6239934606a99cb3dbc925f4768f0b0654d6a2adc35eca473c505d"
id = "fa1e678d-8357-522b-9167-31321ab7753f"
condition:
uint16(0) == 0x5a4d and pe.exports("Add") and pe.exports("Sub") and pe.exports("DllEntryPoint") and pe.number_of_exports == 3
}