SYMBOLCOMMON_NAMEaka. SYNONYMS
win.pcshare (Back to overview)

PcShare

Actor(s): Pirate Panda


PcShare is a open-source backdoor which has been seen modified and used by Chinese threat actors, mainly attacking countries in South East Asia.

References
2021-06-16Recorded FutureInsikt Group®
@techreport{group:20210616:threat:d585785, author = {Insikt Group®}, title = {{Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries}}, date = {2021-06-16}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf}, language = {English}, urldate = {2022-07-29} } Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries
Icefog PcShare PlugX Poison Ivy QuickHeal
2019-09-25CylanceCylance Research and Intelligence Team
@online{team:20190925:pcshare:ac2d45a, author = {Cylance Research and Intelligence Team}, title = {{PcShare Backdoor Attacks Targeting Windows Users with FakeNarrator Malware}}, date = {2019-09-25}, organization = {Cylance}, url = {https://web.archive.org/web/20191115210757/https://threatvector.cylance.com/en_us/home/pcshare-backdoor-attacks-targeting-windows-users-with-fakenarrator-malware.html}, language = {English}, urldate = {2021-10-24} } PcShare Backdoor Attacks Targeting Windows Users with FakeNarrator Malware
PcShare
Yara Rules
[TLP:WHITE] win_pcshare_auto (20220808 | Detects win.pcshare.)
rule win_pcshare_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.pcshare."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pcshare"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8bd6 8bce c1fa10 81e1ffff0000 8b0490 c1e105 }
            // n = 6, score = 100
            //   8bd6                 | mov                 edx, esi
            //   8bce                 | mov                 ecx, esi
            //   c1fa10               | sar                 edx, 0x10
            //   81e1ffff0000         | and                 ecx, 0xffff
            //   8b0490               | mov                 eax, dword ptr [eax + edx*4]
            //   c1e105               | shl                 ecx, 5

        $sequence_1 = { 0f84b6010000 8b4508 8bc8 83e01f c1f905 8d34c0 8b048da0720610 }
            // n = 7, score = 100
            //   0f84b6010000         | je                  0x1bc
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8bc8                 | mov                 ecx, eax
            //   83e01f               | and                 eax, 0x1f
            //   c1f905               | sar                 ecx, 5
            //   8d34c0               | lea                 esi, [eax + eax*8]
            //   8b048da0720610       | mov                 eax, dword ptr [ecx*4 + 0x100672a0]

        $sequence_2 = { 7523 8b542410 8d0432 50 e8???????? }
            // n = 5, score = 100
            //   7523                 | jne                 0x25
            //   8b542410             | mov                 edx, dword ptr [esp + 0x10]
            //   8d0432               | lea                 eax, [edx + esi]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_3 = { ff15???????? 85c0 890437 7456 8b4e04 83c604 85c9 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   890437               | mov                 dword ptr [edi + esi], eax
            //   7456                 | je                  0x58
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   83c604               | add                 esi, 4
            //   85c9                 | test                ecx, ecx

        $sequence_4 = { f6450802 7421 8d45cc 897dcc 50 c745f0a0580110 c745e810000000 }
            // n = 7, score = 100
            //   f6450802             | test                byte ptr [ebp + 8], 2
            //   7421                 | je                  0x23
            //   8d45cc               | lea                 eax, [ebp - 0x34]
            //   897dcc               | mov                 dword ptr [ebp - 0x34], edi
            //   50                   | push                eax
            //   c745f0a0580110       | mov                 dword ptr [ebp - 0x10], 0x100158a0
            //   c745e810000000       | mov                 dword ptr [ebp - 0x18], 0x10

        $sequence_5 = { 83c404 3bc6 7406 8b542418 8910 }
            // n = 5, score = 100
            //   83c404               | add                 esp, 4
            //   3bc6                 | cmp                 eax, esi
            //   7406                 | je                  8
            //   8b542418             | mov                 edx, dword ptr [esp + 0x18]
            //   8910                 | mov                 dword ptr [eax], edx

        $sequence_6 = { 8b540a08 895004 e9???????? 8b7c2414 }
            // n = 4, score = 100
            //   8b540a08             | mov                 edx, dword ptr [edx + ecx + 8]
            //   895004               | mov                 dword ptr [eax + 4], edx
            //   e9????????           |                     
            //   8b7c2414             | mov                 edi, dword ptr [esp + 0x14]

        $sequence_7 = { 68???????? 50 c745c44c680110 e8???????? 5e b8???????? }
            // n = 6, score = 100
            //   68????????           |                     
            //   50                   | push                eax
            //   c745c44c680110       | mov                 dword ptr [ebp - 0x3c], 0x1001684c
            //   e8????????           |                     
            //   5e                   | pop                 esi
            //   b8????????           |                     

        $sequence_8 = { 68???????? e8???????? 83c408 85c0 750d 8b442410 3500010000 }
            // n = 7, score = 100
            //   68????????           |                     
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   750d                 | jne                 0xf
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   3500010000           | xor                 eax, 0x100

        $sequence_9 = { 7609 83fb5b 0f824c010000 83fb5f 0f8443010000 }
            // n = 5, score = 100
            //   7609                 | jbe                 0xb
            //   83fb5b               | cmp                 ebx, 0x5b
            //   0f824c010000         | jb                  0x152
            //   83fb5f               | cmp                 ebx, 0x5f
            //   0f8443010000         | je                  0x149

    condition:
        7 of them and filesize < 893708
}
Download all Yara Rules