{"id":8427,"date":"2023-02-25T23:55:35","date_gmt":"2023-02-25T23:55:35","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=8427"},"modified":"2023-03-05T18:21:51","modified_gmt":"2023-03-05T18:21:51","slug":"beyond-good-ol-run-key-part-141","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2023\/02\/25\/beyond-good-ol-run-key-part-141\/","title":{"rendered":"Beyond good ol\u2019 Run key, Part 141"},"content":{"rendered":"\n<p>In my recent post on <a href=\"https:\/\/infosec.exchange\/@hexacorn\/109916851629026779\">Mastodon<\/a> I asked if there is any repo of Shadowpad side-loading combos. I asked because a long time ago I created one for <a href=\"https:\/\/www.hexacorn.com\/blog\/2016\/03\/10\/beyond-good-ol-run-key-part-36\">PlugX<\/a>, and was hoping that maybe there is one for Shadowpad that I am not aware of.<\/p>\n\n\n\n<p>I was aware of two existing combos at the time of posting, but <a href=\"https:\/\/blog.polyswarm.io\/wicked-pandas-shadowpad-rat\">googling around<\/a> I found <a href=\"https:\/\/www.secureworks.com\/research\/shadowpad-malware-analysis\">some more<\/a>.<\/p>\n\n\n\n<p>Here they are:<\/p>\n\n\n\n<ul><li>AppLaunch.exe (Microsoft) <a href=\"https:\/\/www.secureworks.com\/research\/shadowpad-malware-analysis\">[source]<\/a><ul><li>mscoree.dll<\/li><\/ul><\/li><li>hpqhvind.exe (Hewlett Packard) <a href=\"https:\/\/www.welivesecurity.com\/2020\/01\/31\/winnti-group-targeting-universities-hong-kong\/\">[source]<\/a><ul><li>hpqhvsei.dll<\/li><\/ul><\/li><li>consent.exe (Microsoft) <a href=\"https:\/\/www.secureworks.com\/research\/shadowpad-malware-analysis\">[source]<\/a><ul><li>secur32.dll<ul><li>secur32.dll.dat<\/li><\/ul><\/li><\/ul><\/li><li>TosBtKbd.exe (Toshiba) <a href=\"https:\/\/www.secureworks.com\/research\/shadowpad-malware-analysis\">[source]<\/a><ul><li>tosbtkbd.dll<\/li><\/ul><\/li><li>BDReinit.exe (BitDefender) <a href=\"https:\/\/www.secureworks.com\/research\/shadowpad-malware-analysis\">[source]<\/a><ul><li>log.dll<ul><li>log.dll.dat<\/li><\/ul><\/li><\/ul><\/li><li>Oleview.exe (Microsoft) <a href=\"https:\/\/www.secureworks.com\/research\/shadowpad-malware-analysis\">[source]<\/a><ul><li>iviewers.dll<ul><li>iviewers.dll.dat<\/li><\/ul><\/li><\/ul><\/li><li>RasTls.exe <a href=\"https:\/\/st.drweb.com\/static\/new-www\/news\/2020\/october\/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf\">[source]<\/a><ul><li>RasTls.dll (thx <a href=\"https:\/\/twitter.com\/fe7ch\">@fe7ch<\/a>)<ul><li>RasTls.dat<\/li><\/ul><\/li><\/ul><\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>In my recent post on Mastodon I asked if there is any repo of Shadowpad side-loading combos. I asked because a long time ago I created one for PlugX, and was hoping that maybe there is one for Shadowpad that &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2023\/02\/25\/beyond-good-ol-run-key-part-141\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[35],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/8427"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=8427"}],"version-history":[{"count":3,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/8427\/revisions"}],"predecessor-version":[{"id":8433,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/8427\/revisions\/8433"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=8427"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=8427"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=8427"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}