Beyond good ol’ Run key, Part 36

Last Updated 2023-02-25

Added xdbg32 from Trend Micro article.

Last Updated 2019-09-20

A few more updates thanks to @bartblaze !!!

Last Updated 2018-10-18

Updated mistake in tplcdclr.exe –> wtsapi32.dll –> wts.chm combo and added VeetlePlayer.exe –> libvlc.dll –> mtcReport.ktc; thanks to @KyleHanslovan !!!

Last Updated 2017-01-26

At the end of the last post I mentioned PlugX. The idea used by this malware is pretty clever: take a legitimate, signed .exe that imports a DLL by name, and drop a malicious DLL with that name (and the exports the .exe expects) next to it. Because Windows resolves an imported DLL that is not on the KnownDLLs list from the application's own directory before System32, the signed .exe loads the attacker's DLL, which then decrypts a third file (the payload) and loads it into memory. The .exe keeps its valid signature, so the only things on disk that look wrong are the DLL and the encrypted blob. The trick used by PlugX is referred to as DLL Side-loading, and I thought it would be nice to try summarizing the various versions of this persistence trick described by various blogs.

Each entry below is a triplet of the following PlugX components:

  • legitimate .exe [‘Source’ refers to the article/blog/WP describing it]
    • DLL Side-loaded .dll
      • Payload

Here they are…

There is also a potential combo:

  • AFLogVw.exe [Source]
    • AhnI2.dll
      • <unknown>
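As an added example (it is not from the original post, nor from any vendor tool), here is a small Python hunting script that walks a directory tree and flags folders where one of the exe/DLL combos named in the update notes above sits together, and separately flags a System32-only DLL name placed beside any executable, which is the same search-order abuse without a known combo. The triplet table, the SYSTEM_DLL_NAMES starter set, the Hit/Triplet names and the constructed sample tree are assumptions for demonstration; the files it creates are empty placeholders, not real PE files or malware.

```python
"""Hunt for PlugX-style DLL side-loading triplets on disk (added example)."""
import os
import shutil
import tempfile
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Triplet:
    exe: str                # legitimate, signed executable
    dll: str                # DLL it imports by name, swapped for the loader
    payload: Optional[str]  # encrypted payload file; None when the name is unknown


# Combos named in this post's update notes (assumption: a starter table,
# extend it from the full list in the post body).
KNOWN_TRIPLETS: List[Triplet] = [
    Triplet("tplcdclr.exe", "wtsapi32.dll", "wts.chm"),
    Triplet("VeetlePlayer.exe", "libvlc.dll", "mtcReport.ktc"),
    Triplet("AFLogVw.exe", "AhnI2.dll", None),
]

# DLL names that normally live only in %SystemRoot%\System32. One of these
# sitting beside an executable in a user-writable directory is suspicious even
# when the executable is not in the table above. (Assumption: starter set.)
SYSTEM_DLL_NAMES = {"wtsapi32.dll"}


@dataclass(frozen=True)
class Hit:
    directory: str
    exe: str
    dll: str
    payload_found: bool
    reason: str


def scan_directory(path: str, triplets: List[Triplet] = KNOWN_TRIPLETS) -> List[Hit]:
    """Walk `path` and report directories where a known exe/DLL pair co-exist,
    or where a System32-only DLL name sits beside any executable."""
    known_pairs = {(t.exe.lower(), t.dll.lower()) for t in triplets}
    hits: List[Hit] = []
    for root, _dirs, files in os.walk(path):
        # NTFS names are case-insensitive, so match on lower-cased names but
        # report the name as it appears on disk.
        by_lower = {f.lower(): f for f in files}
        for t in triplets:
            if t.exe.lower() in by_lower and t.dll.lower() in by_lower:
                payload_found = t.payload is not None and t.payload.lower() in by_lower
                hits.append(Hit(root, by_lower[t.exe.lower()], by_lower[t.dll.lower()],
                                payload_found, "known side-loading combo"))
        exes = [f for f in files if f.lower().endswith(".exe")]
        for dll in SYSTEM_DLL_NAMES:
            if dll not in by_lower:
                continue
            for exe in exes:
                if (exe.lower(), dll) not in known_pairs:   # already reported above
                    hits.append(Hit(root, exe, by_lower[dll], False,
                                    "System32 DLL name beside an executable"))
    return hits


def build_sample_tree() -> str:
    """Create a constructed directory tree for demonstration (placeholder files)."""
    base = tempfile.mkdtemp(prefix="sideload_demo_")
    layout = {
        "ProgramData/Update": ["tplcdclr.exe", "WTSAPI32.DLL", "wts.chm"],  # full triplet, odd casing
        "Users/Public/Player": ["VeetlePlayer.exe", "libvlc.dll"],          # payload file missing
        "Temp/Tools": ["backup.exe", "wtsapi32.dll"],                        # heuristic hit only
        "Program Files/AhnLab": ["AFLogVw.exe"],                             # exe alone: no hit
    }
    for rel, names in layout.items():
        d = os.path.join(base, *rel.split("/"))
        os.makedirs(d)
        for n in names:
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"placeholder")  # not a real PE, just a name on disk
    return base


if __name__ == "__main__":
    sample = build_sample_tree()
    try:
        for h in scan_directory(sample):
            print(f"{h.reason}: {h.exe} + {h.dll} in {h.directory} "
                  f"(payload present: {h.payload_found})")
    finally:
        shutil.rmtree(sample)
```

A hit is a lead, not a verdict: VLC legitimately ships libvlc.dll next to its player, and AhnLab ships its own DLLs next to its tools, so confirm by checking the DLL's Authenticode signature and hash against the vendor's copy, look for the third file (the encrypted payload), and check what Run key, service or scheduled task points at the .exe.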

Now, a request: if you know any other combo that I have not included on the list, please let me know and provide a reference/source, and I will add it to the list. Thanks!