Plugx simple analyse&payload extraction

Submitted by rootmaster on Sun, 06/17/2018 - 00:12

Installation File/木马安装程序是exe文件:

installation fileswinrar self-extracting exe file with few parameter to make it less noticeable.


winrar silent installation

Installation path/我的这个安装路径:


use attrib command to remove the system and hide property.

3个文件本身有系统隐藏属性 用文件夹选项的显示隐藏文件是选项是不能被查看到的



OleView.exe is a win exe with complete valid digital certificate. anti-virus program won't check it loading resource like dll when exe have a good digital certificate signature.


digital cert

ACLUI.DLL is hard encode inside the OleView.exe. When OleView.exe run it will load ACLUI.DLL which is modified by hackers.



ACLUI.DLL will load ACLUI.DLL.UI after itself been loaded. and ACLUI.DLL.UI is a so called payload object file which is an encrypted hacker codes. Because it an encrypted hacker code object file. The file itself won't be reported by any anti-virus program. When loading  the payload.the program raise anther  2 process svchost and msiexec and release/inject the virus code into svchost and msiexec. Run a antivirus program to check the memory will report svchost and msiexec have problem, but it's only when they are in memory. static files are fine file.


OleView.exe 加载ACLUI.DLLACLUI.DLL加载ACLUI.DLL.UI。并在这个过程中释放工作代码,开启svchostmsiexec。把木马工作代码注入到svchost msiexecOleview自己结束自己的进程。Svchostmsiexec驻留系统内存。硬盘上的svchost msiexec是正常文件。只有系统内存中被注入木马代码的这两个文件才会被杀毒软件报毒。


some NvSmart.hlp file are key-recorder files.

相同文件夹下会出现NvSmart.hlp文件这个文件用文本编辑器打开是 记录了 服务器使用者打开的程序和网站饼记录进行的 键盘操作。


according to refer ,build a decryption tool.


decryption tool

run the tool we got .data file. use winhex to check it


de domain

hacker's server used to send command to backdoor program, used to collect information.

黑客服务器域名用于控制操作木马收集肉鸡 信息。


installation path/安装路径

de password

password may used to connect to hacker server./可能是用于认证登陆连接黑客服务器的密码。