{
	"id": "36e636ff-6a43-4201-a4a0-ffa378078bfb",
	"created_at": "2026-04-06T00:13:47.053397Z",
	"updated_at": "2026-04-10T13:12:27.718319Z",
	"deleted_at": null,
	"sha1_hash": "84abfa7be35628cbb749fcbe46f6a9e9cd64f31a",
	"title": "MalwareAnalysisReports/GCleaner/GCleaner Techincal Analysis with BinaryNinja.md at main · VenzoV/MalwareAnalysisReports",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 286034,
	"plain_text": "MalwareAnalysisReports/GCleaner/GCleaner Techincal Analysis with BinaryNinja.md at main · VenzoV/MalwareAnalysisReports\r\nBy VenzoV\r\nArchived: 2026-04-05 13:22:18 UTC\r\nSample Information\r\nPacked\r\nSHA256\r\n0918a0e9939f235924a5fb65284c97efff83f871bc1851c7e61b1b9800512885\r\nUnpacked\r\nSHA256\r\n931309bc4cca2b42beae4a162c200bf76dc5a3dba9980f93d7959dc1001b9c\r\nI found the sample initially on Malware Bazaar and wanted to try out BinaryNinja and its API. Luckily I found this sample with simple stack strings, so I could practise the basic usage of some of the API, like going through code and instructions. There is probably a better way to write some of the code, but the API is very new to me.\r\nStack Strings With Binary Ninja API\r\nMost of the stack strings are built in a single initial function. Hex values are pushed into memory locations. Two functions are called which cancel each other out: one adds 5 and XORs by 0x13, and the other does the inverse. In the end, the hex values are the characters that will be concatenated to form a string. Let's call them:\r\nmw_xor_b\r\nmw_xor_string\r\nmw_xor_b is called on each single hex byte, and the result is saved to a sequential memory block. mw_xor_string is finally called on the pointer to the start of the memory block.\r\nThe two functions form a pattern which looks something like this:\r\nmw_xor_b(location) mw_xor_b(location+1) mw_xor_b(location+2) mw_xor_string(\u0026location)\r\nhttps://github.com/VenzoV/MalwareAnalysisReports/blob/main/GCleaner/GCleaner%20Techincal%20Analysis%20with%20BinaryNinja.md\r\nPage 1 of 7\n\nUsing the BinaryNinja API, the script goes through all the basic blocks of the .text section and identifies all the single hex bytes that are pushed before any call to mw_minus5xor. This is because we know that once mw_minus5xor is called, the string is complete in memory.\r\nThis gives us all the strings and the relevant locations in the code. From here things are as simple as just reading through the code.\r\nThe script is in the folder \"Scripts\".\r\nNote: the variables are called \"decrypted\" and \"encrypted\", but the strings here are not encrypted at all; as mentioned, they are just hex values. Initially I thought they were, and was too lazy to change the var names.\r\nStrings:\r\n[Default] /cpa/ping.php?substr=%s\u0026s=ab\u0026sub=%s\r\n[Default] 185.172.128.90\r\n[Default] one\r\n[Default] two\r\n[Default] three\r\n[Default] four\r\n[Default] five\r\n[Default] six\r\n[Default] seven\r\n[Default] eight\r\n[Default] nine\r\n[Default] ten\r\n[Default] SOFTWARE\\BroomCleaner\r\n[Default] Installed\r\n[Default] 1\r\n[Default] 185.172.128.65\r\n[Default] /ping.php?substr=%s\r\n[Default] 185.172.128.65\r\n[Default] /syncUpd.exe\r\n[Default] 185.172.128.144\r\n[Default] /BroomSetup.exe\r\n[Default] HTTP/1.1 200 OK\r\n[Default] Content-Length\r\n[Default] Transfer-Encoding\r\n[Default] chunked\r\n[Default] :\r\n[Default]\r\n[Default] POST\r\n[Default] GET\r\n[Default] HTTP/1.1\r\n[Default] Host:\r\n[Default] User-Agent:\r\n[Default] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\r\n[Default] (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36\r\n[Default] Content-Length:\r\n[Default] LoadLibraryA\r\n[Default] Kernel32.dll\r\n[Default] GetProcAddress\r\n[Default] ExitProcess\r\n[Default] GetLastError\r\n[Default] CreateFileA\r\n[Default] WriteFile\r\n[Default] User32.dll\r\n[Default] GetModuleFileName\r\n[Default] MoveFileA\r\n[Default] Sleep\r\n[Default] CloseHandle\r\n[Default] CreateDirectoryA\r\n[Default] WaitForSingleObject\r\n[Default] msvcrt.dll\r\n[Default] memcpy\r\n[Default] Shell32.dll\r\n[Default] ShellExecuteEx\r\n[Default] SHGetFolderPathA\r\n[Default] ws2_32.dll\r\n[Default] WSAStartup\r\n[Default] socket\r\n[Default] gethostbyname\r\n[Default] htons\r\n[Default] connect\r\n[Default] send\r\n[Default] recv\r\n[Default] closesocket\r\n[Default] WSACleanup\r\nC2 communication\r\nThere is one specific function which deals with interaction with the C2 server. The function is called 4 times. Each time, before the call, some memory allocations take place for the parameters that need to be sent to the C2. The code makes use of the API seen in the strings from the DLL ws2_32.dll:\r\nWSAStartup\r\nsocket\r\ngethostbyname\r\nhtons\r\nconnect\r\nsend\r\nrecv\r\nclosesocket\r\nWSACleanup\r\nThe first time, the malware reaches out to the C2 (185.172.128.90) with URI:\r\n/cpa/ping.php?substr=%s\u0026s=ab\u0026sub=%s\r\nThe second time it reaches out to the C2 (185.172.128.65) with URI:\r\nping.php?substr=%s\r\nand also sends out the following information:\r\n\"SOFTWARE\\BroomCleaner Installed 1\"\r\nThe third time it calls the C2 (185.172.128.65) for a binary:\r\nsyncUpd.exe\r\nThe last time it calls the C2 (185.172.128.144) for another binary:\r\nBroomSetup.exe\r\nFile execution\r\nThe files are executed with ShellExecuteEx after some initial setup of the structures necessary to use the API call. The file is written to the temp folder with a temporary name; this is achieved with the built-in function _tmpnam_s.\r\nDownloaded Binaries\r\nAt the time of analysis the binaries were still up. According to the unpac.me category, these seem to be StealC binaries. Below are the links for both VT and unpac.me.\r\nsyncUpd.exe\r\nSHA256\r\n4ddb70f6593a3b8989c814b1cf9bc6607ee72c316685f904bf1e7014f87e85a2\r\nhttps://www.virustotal.com/gui/file/4ddb70f6593a3b8989c814b1cf9bc6607ee72c316685f904bf1e7014f87e85a2\r\nhttps://www.unpac.me/results/a5fcd9fc-dd3e-48e1-af52-79e836e2320d\r\nBroomSetup.exe\r\nSHA256\r\n4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7\r\nhttps://www.virustotal.com/gui/file/4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7\r\nhttps://www.unpac.me/results/6300fa43-b28f-4b89-adb8-dedb6d52c4f0\r\nReferences\r\nhttps://www.unpac.me/results/077f0c59-26e8-4bff-8032-a7a9db10bb81?hash=0918a0e9939f235924a5fb65284c97efff83f871bc1851c7e61b1b9800512885#/\r\nhttps://www.virustotal.com/gui/file/4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7\r\nhttps://www.virustotal.com/gui/file/4ddb70f6593a3b8989c814b1cf9bc6607ee72c316685f904bf1e7014f87e85a2\r\nhttps://research.openanalysis.net/gcleaner/loader/debugging/encryption/opendir/2024/03/17/new-gcleaner.html\r\nhttps://www.unpac.me/results/a5fcd9fc-dd3e-48e1-af52-79e836e2320d\r\nhttps://www.unpac.me/results/6300fa43-b28f-4b89-adb8-dedb6d52c4f0\r\nSource: https://github.com/VenzoV/MalwareAnalysisReports/blob/main/GCleaner/GCleaner%20Techincal%20Analysis%20with%20BinaryNinja.md",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/VenzoV/MalwareAnalysisReports/blob/main/GCleaner/GCleaner%20Techincal%20Analysis%20with%20BinaryNinja.md"
	],
	"report_names": [
		"GCleaner%20Techincal%20Analysis%20with%20BinaryNinja.md"
	],
	"threat_actors": [],
	"ts_created_at": 1775434427,
	"ts_updated_at": 1775826747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/84abfa7be35628cbb749fcbe46f6a9e9cd64f31a.pdf",
		"text": "https://archive.orkl.eu/84abfa7be35628cbb749fcbe46f6a9e9cd64f31a.txt",
		"img": "https://archive.orkl.eu/84abfa7be35628cbb749fcbe46f6a9e9cd64f31a.jpg"
	}
}