Last Updated 2023-02-25
Added x32dbg from Trend Micro article.
Last Updated 2019-09-20
A few more updates thanks to @bartblaze !!!
Last Updated 2018-10-18
Fixed a mistake in the tplcdclr.exe -> wtsapi32.dll -> wts.chm combo and added VeetlePlayer.exe -> libvlc.dll -> mtcReport.ktc; thanks to @KyleHanslovan !!!
Last Updated 2017-01-26
At the end of my last post I mentioned PlugX. The idea used by this malware is pretty clever: take a legitimate, signed .exe that depends on a DLL and swap that DLL for a malicious replacement which, when loaded, decrypts the final payload and loads it into memory. The trick used by PlugX is referred to as DLL side-loading, and I thought it would be nice to try summarizing the various versions of this persistence trick described by various blogs.
Each entry below is a triplet, written in exe -> DLL -> payload order, describing the following PlugX components:
- the legitimate, signed .exe ['Source' refers to the article/blog/whitepaper describing it]
- the side-loaded .dll that replaces the one the .exe expects
- the payload file that the side-loaded .dll decrypts and loads into memory
Here they are…
- AShld.exe [Source] -> AShldRes.DLL -> AShldRes.DLL.asr
- CamMute.exe [Source] -> CommFunc.dll -> CommFunc.jax
- chrome_frame_helper.exe [Source PDF] -> chrome_frame_helper.dll -> chrome_frame_helper.dll.rom (Thx to @bartblaze)
- dvcemumanager.exe [Source] -> DESqmWrapper.dll -> DESqmWrapper.wrapper
- fsguidll.exe [Source] -> fslapi.dll -> fslapi.dll.gui
- fsstm.exe [Source] -> FSPMAPI.dll -> FSPMAPI.dll.fsp
- Gadget.exe [Source] -> Sidebar.dll -> Sidebar.dll.doc
- hhc.exe [Source] -> hha.dll -> hha.dll.bak
- hkcmd.exe [Source] -> hccutils.dll -> hccutils.dll.res
- LoLTWLauncher.exe [Source] -> NtUserEx.dll -> NtUserEx.dat (Thx to @bartblaze)
- Mc.exe [Source] -> McUtil.dll -> McUtil.dll.url
- mcf.exe [Source] -> mcutil.dll -> mcf.ep
- mcupdui.exe [Source] -> McUtil.dll -> McUtil.dll.ping
- mcut.exe [Source] -> McUtil.dll -> mcutil.dll.bbc
- MsMpEng.exe [Source] -> MpSvc.dll -> MpSvc
- msseces.exe [Source] -> mPclient.dll -> msseces.asm (Thx to @bartblaze)
- NvSmart.exe [Source] -> NvSmartMax.dll -> boot.ldr
- OInfoP11.exe [Source] -> OInfo11.ocx -> OInfo11.ISO
- OleView.exe [Source] -> ACLUI.DLL -> ACLUI.DLL.UI
- OleView.exe [Source] -> iviewers.dll -> <unknown> (Thx to @KyleHanslovan)
- POETWLauncher.exe [Source] -> NtUserEx.dll -> NtUserEx.dat (Thx to @bartblaze)
- RasTls.exe [Source] -> RasTls.dll -> RasTls.dll.msc or RasTls.dll.config
- rc.exe [Source] -> rc.dll -> rc.hlp (Thx to @KyleHanslovan)
- RunHelp.exe [Source] -> ssMUIDLL.dll -> ssMUIDLL.dll.conf
- sep_NE.exe [Source] -> winmm.dll -> sep_NE.slf (Thx to @KyleHanslovan)
- Setup.exe [Source] -> msi.dll -> msi.dll.dat
- sx.exe [Source] -> SXLOC.DLL -> SXLOC.ZAP (Thx to @bartblaze)
- tplcdclr.exe [Source] -> wtsapi32.dll -> wts.chm (Thx to @KyleHanslovan)
- Ushata.exe [Source] -> Ushata.dll -> Ushata.fox
- VeetlePlayer.exe [Source; PDF warning] -> libvlc.dll -> mtcReport.ktc (Thx to @KyleHanslovan)
- x32dbg.exe [Source] -> x32bridge.dll -> x32bridge.dat
There is also a potential combo:
- AFLogVw.exe [Source] -> AhnI2.dll -> <unknown>
Now, a request: if you know of any other combo that I have not included on the list, please let me know and provide a reference/source, and I will add it to the list. Thanks!
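As an added example (not code from the original post), here is a small Python check that turns the list above into a hunting rule: given records shaped like Sysmon Event ID 7 (Image Loaded) fields, it flags a listed exe loading its paired DLL from the exe's own directory rather than from a Windows system directory. The field names Image/ImageLoaded/Signed are Sysmon's; the triplet subset, the system-directory prefixes and the sample paths are assumptions I constructed for the demo.

```python
"""Flag candidate DLL side-loads in Sysmon Event ID 7 (Image Loaded) records."""
import ntpath
# Subset of the exe -> side-loaded DLL -> payload triplets listed above,
# lower-cased for matching (extend with the rest of the list as needed).
KNOWN_TRIPLETS = {
    "rastls.exe": ("rastls.dll", "rastls.dll.msc"),
    "sep_ne.exe": ("winmm.dll", "sep_ne.slf"),
    "tplcdclr.exe": ("wtsapi32.dll", "wts.chm"),
    "x32dbg.exe": ("x32bridge.dll", "x32bridge.dat"),
}
# Where Windows itself keeps DLLs such as winmm.dll or wtsapi32.dll (assumed
# prefixes); a copy sitting next to the host exe instead is the signal.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def is_side_load(event):
    """Return a reason string when the loading exe and loaded DLL form a known
    pair and the DLL came from the exe's own directory; otherwise None."""
    exe = event["Image"].lower()
    dll = event["ImageLoaded"].lower()
    pair = KNOWN_TRIPLETS.get(ntpath.basename(exe))
    if pair is None or ntpath.basename(dll) != pair[0]:
        return None
    if dll.startswith(SYSTEM_DIRS):
        return None  # the genuine OS copy, not a side-load
    if ntpath.dirname(dll) != ntpath.dirname(exe):
        return None  # loaded from elsewhere; not the pattern on this page
    signed = str(event.get("Signed", "false")).lower() == "true"
    return (f"{ntpath.basename(exe)} loaded {pair[0]} from its own directory "
            f"(signed={signed}); look for payload {pair[1]} beside it")

def scan(events):
    hits = []
    for event in events:
        reason = is_side_load(event)
        if reason:
            hits.append((event["Image"], reason))
    return hits

# Constructed sample records shaped like Sysmon Event ID 7 fields, not real logs.
SAMPLE_EVENTS = [
    {"Image": r"C:\ProgramData\Update\tplcdclr.exe",
     "ImageLoaded": r"C:\ProgramData\Update\wtsapi32.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Lenovo\tplcdclr.exe",
     "ImageLoaded": r"C:\Windows\System32\wtsapi32.dll", "Signed": "true"},
    {"Image": r"C:\Tools\x64dbg\x32\x32dbg.exe",
     "ImageLoaded": r"C:\Tools\x64dbg\x32\x32bridge.dll", "Signed": "false"},
]
```

A hit is a lead, not a verdict: tools such as x32dbg legitimately keep x32bridge.dll beside the exe, so confirm by checking the DLL's signature or hash and by looking for the payload file named in the triplet.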