Beyond good ol’ Run key, Part 36

March 10, 2016 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Incident Response, Malware Analysis

Last Updated 2017-01-26

At the end of the last post I mentioned PlugX. The idea used by this malware is pretty clever: it takes a legitimate signed .exe that depends on a DLL and swaps that DLL for a malicious replacement which, when loaded, decrypts/loads the final payload into memory. The trick used by PlugX is referred to as DLL Side-loading, and I thought it would be nice to try summarizing the various versions of this persistence trick described by various blogs.

Below are triplets describing the following PlugX components:

  • legitimate .exe [‘Source’ refers to the article/blog/WP describing it]
    • DLL Side-loaded .dll
      • Payload

Here they are…

There is also a potential combo:

  • AFLogVw.exe [Source]
    • AhnI2.dll
      • <unknown>
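To show what a defender can do with triplets like the one above, here is an added triage example (mine, not code from the original post): it runs the side-loading heuristic described earlier over a constructed file inventory rather than a live filesystem. A signed .exe with an unsigned (or differently signed) DLL sitting next to it in a user-writable directory is the pattern to hunt for; the only known pair seeded in the script is AFLogVw.exe / AhnI2.dll from this post, and the sample paths, signer names and the `payload.bin` sibling file are all constructed placeholders.

```python
# Added example, not part of the original post: triage heuristic for the
# DLL side-loading pattern (signed .exe + swapped sibling DLL + payload).
# Runs over a constructed inventory so it works offline; on a real host the
# FileRecord list would come from a directory walk plus signature checks.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
import ntpath


@dataclass
class FileRecord:
    path: str              # full Windows path (constructed for this example)
    signed: bool           # whether the Authenticode signature verified
    signer: Optional[str]  # signer subject name when signed, else None


# Known exe/DLL pairs. Only AFLogVw.exe / AhnI2.dll appears on this page;
# extend the set as further pairs are reported.
KNOWN_PAIRS: Set[Tuple[str, str]] = {("aflogvw.exe", "ahni2.dll")}

# Directory fragments that make the pattern more suspicious (user-writable
# drop locations). This list is an assumption of the example.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def _group_by_dir(records: List[FileRecord]) -> Dict[str, List[FileRecord]]:
    groups: Dict[str, List[FileRecord]] = {}
    for r in records:
        groups.setdefault(ntpath.dirname(r.path).lower(), []).append(r)
    return groups


def find_sideload_candidates(records: List[FileRecord],
                             known_pairs: Set[Tuple[str, str]] = KNOWN_PAIRS) -> List[dict]:
    """Return findings for every signed .exe with a suspicious sibling DLL."""
    findings: List[dict] = []
    for directory, files in _group_by_dir(records).items():
        exes = [f for f in files if f.path.lower().endswith(".exe") and f.signed]
        dlls = [f for f in files if f.path.lower().endswith(".dll")]
        # Other files in the same directory may be the encrypted payload.
        siblings = [ntpath.basename(f.path) for f in files
                    if not f.path.lower().endswith((".exe", ".dll"))]
        for exe in exes:
            for dll in dlls:
                # A DLL signed by the same publisher as the .exe is the normal case.
                if dll.signed and dll.signer == exe.signer:
                    continue
                exe_name = ntpath.basename(exe.path).lower()
                dll_name = ntpath.basename(dll.path).lower()
                reasons = ["unsigned DLL beside signed EXE" if not dll.signed
                           else "DLL signer differs from EXE signer"]
                score = 1
                if (exe_name, dll_name) in known_pairs:
                    reasons.append("matches known side-loading pair")
                    score += 2
                if any(h in directory + "\\" for h in USER_WRITABLE_HINTS):
                    reasons.append("user-writable location")
                    score += 1
                severity = "high" if score >= 3 else "medium" if score == 2 else "low"
                findings.append({"directory": directory, "exe": exe_name, "dll": dll_name,
                                 "reasons": reasons, "score": score,
                                 "severity": severity, "siblings": siblings})
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


# Constructed inventory: one PlugX-style triplet in a roaming profile, one
# fully signed vendor install (benign) and one unsigned plugin (low signal).
SAMPLE_INVENTORY = [
    FileRecord(r"C:\Users\alice\AppData\Roaming\Update\AFLogVw.exe", True, "Vendor Co. (constructed)"),
    FileRecord(r"C:\Users\alice\AppData\Roaming\Update\AhnI2.dll", False, None),
    FileRecord(r"C:\Users\alice\AppData\Roaming\Update\payload.bin", False, None),
    FileRecord(r"C:\Program Files\Vendor\app.exe", True, "Vendor Co. (constructed)"),
    FileRecord(r"C:\Program Files\Vendor\helper.dll", True, "Vendor Co. (constructed)"),
    FileRecord(r"C:\Program Files\Other\tool.exe", True, "Other Co. (constructed)"),
    FileRecord(r"C:\Program Files\Other\plugin.dll", False, None),
]


if __name__ == "__main__":
    for f in find_sideload_candidates(SAMPLE_INVENTORY):
        print(f"[{f['severity']}] {f['directory']}: {f['exe']} -> {f['dll']} "
              f"({'; '.join(f['reasons'])}); siblings={f['siblings']}")
```

On the sample inventory the AFLogVw.exe/AhnI2.dll directory is reported as high (unsigned sibling DLL, known pair, user-writable path, with payload.bin listed as a possible payload), the signed vendor install produces nothing, and the unsigned plugin under Program Files comes out as low. Signer equality is deliberately the only whitelist: a DLL signed by someone other than the .exe's publisher is still worth a look, because that is exactly what the swap produces.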

Now, a request: if you know any other combo that I have not included on the list, please let me know and provide a reference/source, and I will add it to the list. Thanks!
