Additionally, it drops a of itself to:
Below is a technical white paper drafted regarding this utility. gx downloader boot v1 032
rule GX_Downloader_Boot_V1032 strings: $x1 = 32 00 00 00 47 58 5F 42 6F 6F 74 // "GX_Boot" $x2 = "/gx/32/boot" ascii $x3 = 8B 45 ?? 35 32 00 00 00 // XOR 0x32 operation condition: uint16(0) == 0x5A4D and all of ($x*) Additionally, it drops a of itself to: Below
| Endpoint type | Example | |---------------|---------| | Primary C2 | https://gx-update[.]cloud/boot | | Backup C2 | 185.xxx.xxx.32:8443 (XOR key 0x32) | | Telemetry | POST /stats – sends system info + installed AV | "os": "Windows 10 22H2"
"uid": "S-1-5-21-...", "ver": "v1.032", "os": "Windows 10 22H2", "arch": "x86", "av": "Windows Defender", "bootid": "32"