{"id":3527,"date":"2016-03-10T00:03:43","date_gmt":"2016-03-10T00:03:43","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=3527"},"modified":"2023-02-25T10:20:56","modified_gmt":"2023-02-25T10:20:56","slug":"beyond-good-ol-run-key-part-36","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2016\/03\/10\/beyond-good-ol-run-key-part-36\/","title":{"rendered":"Beyond good ol\u2019 Run key, Part 36"},"content":{"rendered":"<p><strong>Last Updated 2023-02-25<\/strong><\/p>\n<p>Added x32dbg from Trend Micro article.<\/p>\n<p><strong>Last Updated 2019-09-20<\/strong><\/p>\n<p>A few more updates thanks to\u00a0<a href=\"https:\/\/twitter.com\/bartblaze\">@bartblaze<\/a> !!!<\/p>\n<p><strong>Last Updated 2018-10-18<\/strong><\/p>\n<p>Updated mistake in tplcdclr.exe &#8211;&gt; wtsapi32.dll &#8211;&gt; wts.chm combo and added\u00a0VeetlePlayer.exe &#8211;&gt; libvlc.dll &#8211;&gt; mtcReport.ktc; thanks to <a href=\"https:\/\/twitter.com\/KyleHanslovan\">@KyleHanslovan<\/a> !!!<\/p>\n<p><strong>Last Updated 2017-01-26<\/strong><\/p>\n<p>At the end of the <a href=\"https:\/\/www.hexacorn.com\/blog\/2016\/03\/01\/beyond-good-ol-run-key-part-35\/\">last post<\/a> I mentioned PlugX. 
The idea used by this malware is pretty clever and relies on taking a legitimate signed .exe that depends on a DLL and swapping that DLL with a malicious replacement which &#8211; when loaded &#8211; decrypts and loads the final payload into memory.\u00a0 The trick used by PlugX is referred to as DLL Side-loading, and I thought it would be nice to try to summarize the various versions of this persistence trick described in various blogs.<\/p>\n<p>Below are triplets describing the following PlugX components:<\/p>\n<ul>\n<li>legitimate .exe [&#8216;Source&#8217; refers to the article\/blog\/WP describing it]\n<ul>\n<li>DLL Side-loaded .dll\n<ul>\n<li>Payload<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Here they are&#8230;<\/p>\n<ul>\n<li>AShld.exe <a href=\"https:\/\/www.sophos.com\/en-us\/medialibrary\/PDFs\/technical%20papers\/sophos-rotten-tomato-campaign.pdf?la=en\">[Source]<\/a>\n<ul>\n<li>AShldRes.DLL\n<ul>\n<li>AShldRes.DLL.asr<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>CamMute.exe <a href=\"http:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/new-wave-of-plugx-targets-legitimate-apps\/\">[Source]<\/a>\n<ul>\n<li>CommFunc.dll\n<ul>\n<li>CommFunc.jax<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>chrome_frame_helper.exe <a href=\"https:\/\/www.hpe.com\/h20195\/v2\/GetPDF.aspx\/4AA6-8045ENW.pdf\">[Source PDF]<\/a> Thx to <a href=\"https:\/\/twitter.com\/bartblaze\">@bartblaze<\/a>\n<ul>\n<li>chrome_frame_helper.dll\n<ul>\n<li>chrome_frame_helper.dll.rom<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>dvcemumanager.exe <a href=\"http:\/\/asec.ahnlab.com\/1006\">[Source]<\/a>\n<ul>\n<li>DESqmWrapper.dll\n<ul>\n<li>DESqmWrapper.wrapper<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>fsguidll.exe <a href=\"https:\/\/www.sophos.com\/en-us\/medialibrary\/PDFs\/technical%20papers\/plugx-goes-to-the-registry-and-india.pdf?la=en\">[Source]<\/a>\n<ul>\n<li>fslapi.dll\n<ul>\n<li>fslapi.dll.gui<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>fsstm.exe <a 
href=\"http:\/\/blog.gerhardlink.com\/wp-content\/uploads\/2015\/11\/Cyber-Brief-Nr.-01_2015_3322.pdf\">[Source]<\/a>\n<ul>\n<li>FSPMAPI.dll\n<ul>\n<li>FSPMAPI.dll.fsp<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Gadget.exe <a href=\"https:\/\/www.sophos.com\/en-us\/medialibrary\/pdfs\/technical%20papers\/plugx-thenextgeneration.pdf\">[Source]<\/a>\n<ul>\n<li>Sidebar.dll\n<ul>\n<li>Sidebar.dll.doc<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>hhc.exe <a href=\"http:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/new-wave-of-plugx-targets-legitimate-apps\/\">[Source]<\/a>\n<ul>\n<li>hha.dll\n<ul>\n<li>hha.dll.bak<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>hkcmd.exe <a href=\"http:\/\/labs.lastline.com\/an-analysis-of-plugx\">[Source]<\/a>\n<ul>\n<li>hccutils.dll\n<ul>\n<li>hccutils.dll.res<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>LoLTWLauncher.exe <a href=\"http:\/\/909research.com\/a-closer-look-at-plugx-from-league-of-legends-path-of-exile\/\">[Source]<\/a> Thx to <a href=\"https:\/\/twitter.com\/bartblaze\">@bartblaze<\/a>\n<ul>\n<li>NtUserEx.dll\n<ul>\n<li>NtUserEx.dat<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Mc.exe <a href=\"http:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/new-wave-of-plugx-targets-legitimate-apps\/\">[Source]<\/a>\n<ul>\n<li>McUtil.dll\n<ul>\n<li>McUtil.dll.url<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>mcf.exe <a href=\"http:\/\/pages.arbornetworks.com\/rs\/082-KNA-087\/images\/ASERT%20Threat%20Intelligence%20Brief%202015-05%20PlugX%20Threat%20Activity%20in%20Myanmar.pdf\">[Source]<\/a>\n<ul>\n<li>mcutil.dll\n<ul>\n<li>mcf.ep<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>mcupdui.exe <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/threat-encyclopedia\/malware\/bkdr_plugx.gel\">[Source]<\/a>\n<ul>\n<li>McUtil.dll\n<ul>\n<li>McUtil.dll.ping<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>mcut.exe <a 
href=\"https:\/\/totalhash.cymru.com\/analysis\/?6a42333cb4166d52638f025fe429ec5625f9022b\">[Source]<\/a>\n<ul>\n<li>McUtil.dll\n<ul>\n<li>mcutil.dll.bbc<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>MsMpEng.exe <a href=\"http:\/\/researchcenter.paloaltonetworks.com\/2015\/11\/bookworm-trojan-a-model-of-modular-architecture\/\">[Source]<\/a>\n<ul>\n<li>MpSvc.dll\n<ul>\n<li>MpSvc<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>msseces.exe <a href=\"https:\/\/www.virustotal.com\/en\/file\/da01734bacb716ac303f3018d3c4cf7fdc0784d157bb99976bd3d5a51381d34e\/analysis\/\">[Source]<\/a> Thx to <a href=\"https:\/\/twitter.com\/bartblaze\">@bartblaze<\/a>\n<ul>\n<li>mPclient.dll\n<ul>\n<li>msseces.asm<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>NvSmart.exe <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/threat-encyclopedia\/malware\/BKDR_PLUGX.BUT\">[Source]<\/a>\n<ul>\n<li>NvSmartMax.dll\n<ul>\n<li>boot.ldr<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>OInfoP11.exe <a href=\"https:\/\/www.fireeye.com\/blog\/threat-research\/2013\/05\/targeted-attack-trend-alert-plugx-the-old-dog-with-a-new-trick.html\">[Source]<\/a>\n<ul>\n<li>OInfo11.ocx\n<ul>\n<li><span class=\"is-visible-mml\">OInfo11.ISO<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>OleView.exe <a href=\"http:\/\/www.eset.tw\/html\/309\/201309\/\">[Source]<\/a>\n<ul>\n<li>ACLUI.DLL\n<ul>\n<li>ACLUI.DLL.UI<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>OleView.exe <a href=\"http:\/\/www.symantec.com\/connect\/blogs\/suckfly-revealing-secret-life-your-code-signing-certificates\">[Source]<\/a>\u00a0Thx to <a href=\"https:\/\/twitter.com\/KyleHanslovan\">@KyleHanslovan<\/a>\n<ul>\n<li>iviewers.dll\n<ul>\n<li>&lt;unknown&gt;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>POETWLauncher.exe <a href=\"http:\/\/909research.com\/a-closer-look-at-plugx-from-league-of-legends-path-of-exile\/\">[Source]<\/a> Thx to <a 
href=\"https:\/\/twitter.com\/bartblaze\">@bartblaze<\/a>\n<ul>\n<li>NtUserEx.dll\n<ul>\n<li>NtUserEx.dat<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>RasTls.exe <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/threat-encyclopedia\/malware\/TROJ_KORPLUG.CEB\">[Source]<\/a>\n<ul>\n<li>RasTls.dll\n<ul>\n<li>RasTls.dll.msc or RasTls.dll.config<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>rc.exe <a href=\"http:\/\/www.symantec.com\/connect\/blogs\/backdoorkorplug-loading-malicious-components-through-trusted-applications\">[Source]<\/a>\u00a0Thx to <a href=\"https:\/\/twitter.com\/KyleHanslovan\">@KyleHanslovan<\/a>\n<ul>\n<li>rc.dll\n<ul>\n<li style=\"box-sizing: border-box; margin: 0px; padding: 0px;\">rc.hlp<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>RunHelp.exe <a href=\"http:\/\/researchcenter.paloaltonetworks.com\/2015\/05\/plugx-uses-legitimate-samsung-application-for-dll-side-loading\/\">[Source]<\/a>\n<ul>\n<li>ssMUIDLL.dll\n<ul>\n<li>ssMUIDLL.dll.conf<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>sep_NE.exe <a href=\"http:\/\/www.symantec.com\/connect\/blogs\/suckfly-revealing-secret-life-your-code-signing-certificates\">[Source]<\/a>\u00a0Thx to <a href=\"https:\/\/twitter.com\/KyleHanslovan\">@KyleHanslovan<\/a>\n<ul>\n<li>winmm.dll\n<ul>\n<li>sep_NE.slf<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Setup.exe <a href=\"http:\/\/securitybloggersnetwork.com\/author\/ned-moran\/\">[Source]<\/a>\n<ul>\n<li>msi.dll\n<ul>\n<li>msi.dll.dat<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>sx.exe <a href=\"https:\/\/www.sophos.com\/en-us\/medialibrary\/PDFs\/technical%20papers\/plugx-goes-to-the-registry-and-india.pdf\">[Source]<\/a> Thx to <a href=\"https:\/\/twitter.com\/bartblaze\">@bartblaze<\/a>\n<ul>\n<li>SXLOC.DLL\n<ul>\n<li>SXLOC.ZAP<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>tplcdclr.exe <a href=\"https:\/\/securelist.com\/plugx-malware-a-good-hacker-is-an-apologetic-hacker\/74150\/\">[Source]<\/a>\u00a0Thx to <a 
href=\"https:\/\/twitter.com\/KyleHanslovan\">@KyleHanslovan<\/a>\n<ul>\n<li>wtsapi32.dll\n<ul>\n<li>wts.chm<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Ushata.exe <a href=\"http:\/\/researchcenter.paloaltonetworks.com\/2015\/11\/bookworm-trojan-a-model-of-modular-architecture\/\">[Source]<\/a>\n<ul>\n<li>Ushata.dll\n<ul>\n<li>Ushata.fox<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>VeetlePlayer.exe <a href=\"https:\/\/www.us-cert.gov\/sites\/default\/files\/publications\/IR-ALERT-MED-17-093-01C-Intrusions_Affecting_Multiple_Victims_Across_Multiple_Sectors.pdf\">[Source; PDF warning]<\/a> Thx to <a href=\"https:\/\/twitter.com\/KyleHanslovan\">@KyleHanslovan<\/a>\n<ul>\n<li>libvlc.dll\n<ul>\n<li>mtcReport.ktc<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>x32dbg.exe [Source: Trend Micro article]\n<ul>\n<li>x32bridge.dll\n<ul>\n<li>x32bridge.dat<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>There is also a potential combo:<\/p>\n<ul>\n<li>AFLogVw.exe <a href=\"http:\/\/blog.gerhardlink.com\/wp-content\/uploads\/2015\/11\/Cyber-Brief-Nr.-01_2015_3322.pdf\">[Source]<\/a>\n<ul>\n<li>AhnI2.dll\n<ul>\n<li>&lt;unknown&gt;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Now, a request &#8211; if you know any other combo that I have not included on the list, please let me know and provide a reference\/source, and I will add it to the list. Thanks!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Last Updated 2023-02-25 Added x32dbg from Trend Micro article. Last Updated 2019-09-20 A few more updates thanks to\u00a0@bartblaze !!! Last Updated 2018-10-18 Updated mistake in tplcdclr.exe &#8211;&gt; wtsapi32.dll &#8211;&gt; wts.chm combo and added\u00a0VeetlePlayer.exe &#8211;&gt; libvlc.dll &#8211;&gt; mtcReport.ktc; thanks to @KyleHanslovan !!! 
Last &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2016\/03\/10\/beyond-good-ol-run-key-part-36\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,35,15,19,46,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3527"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=3527"}],"version-history":[{"count":21,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3527\/revisions"}],"predecessor-version":[{"id":8424,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3527\/revisions\/8424"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=3527"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=3527"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=3527"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}