Live Stream VOD: GCleaner (Patreon)
Content
In this stream we take a look at a new version of GCleaner with a particularly weak string encryption algorithm. Instead of attacking the algorithm statically, we use some of the advanced breakpoint features in x64dbg to let the sample decrypt the strings for us and then read them out of memory.
Hint -- this approach will work for all encrypted strings that are decrypted in the CRT setup functions (the initializers that run before main), since by the time execution reaches main the plaintext is already sitting in memory.
Once we extract the strings we poke around an open directory for one of the C2s and discover how the backend payload delivery works.
Samples
Packed: 1fda9e004442de3c7a7ace86aeb2f35b982b3680a7ff0052d7992d216c60ce7c (UnpacMe)
Unpacked: 110c64b4a03a6ed6c8ffd2baba0a5831fd8bd59ca6b23d6e885a8f34e13461fc (UnpacMe)