
Launcher & Gunz.exe projects why are they malicious?

Skilled Illusionist
Joined
Oct 29, 2012
Messages
312
Reaction score
26
Hi,

My question is something that may have already been discussed at some other time, but I would like to talk about it again: why are basically 99% of launcher AutoUpdates considered malicious files? Would it be because of the procedure when moving the files, or some code execution that is considered malicious by some anti-virus (especially the powerful Windows Defender)?
In some cases we also have this same problem with the game's own executable; why does this happen? Usually you just compile the project, and if you need to run it, in some cases/source codes/published projects the file is accused of being malicious/a virus.

If anyone can clarify these points for me, and if possible suggest some launcher source code that works well for the general need and doesn't trigger virus accusations, I would be very grateful. Thank you!

Note: I refer almost entirely to launcher projects with malicious actions, because I have already tested about 10 projects and they all always get accused of malicious actions or an infected file on some computers. With the Gunz.exe project itself, not all have this type of problem; however, it is not difficult to find one that is accused of being an infected file even if it has just been compiled.
Note 2: if the question was a little difficult to understand, forgive me, because I made this post in a hurry using Google Translate.
 
I'm retired, I'm already
Banned
Joined
Oct 3, 2011
Messages
832
Reaction score
155
It may be that something inside the source code becomes malicious, or try to compile your sources from a clean PC with a good anti-virus and scan the file before you execute it.
If it works, let me know please, because I have not had time to do something like this.
 
Upvote 0
Skilled Illusionist
Joined
Oct 29, 2012
Messages
312
Reaction score
26
It may be that something inside the source code becomes malicious, or try to compile your sources from a clean PC with a good anti-virus and scan the file before you execute it.
If it works, let me know please, because I have not had time to do something like this.

Yes, I've done this from a newly formatted computer with Kaspersky installed. On this occasion it did not report a virus, but on others it has, especially those that use Windows Defender as their main means of protection.
 
Upvote 0
The beer?? Its here !!!
Loyal Member
Joined
Jan 9, 2007
Messages
1,621
Reaction score
104
A lot of anti-virus programs scan for certain parts of code, statements, variable names, function names etc.
If you ask which virus the AV shows,
then you can always look it up on Google to see which parts trigger that virus detection.
 
Upvote 0
I'm retired, I'm already
Banned
Joined
Oct 3, 2011
Messages
832
Reaction score
155
Yes, I've done this from a newly formatted computer with Kaspersky installed. On this occasion it did not report a virus, but on others it has, especially those that use Windows Defender as their main means of protection.

I think it's because Gunz is not licensed software, and any licensed or legal application is going to detect it as something malicious.
Piracy...
 
Upvote 0
Newbie Spellweaver
Joined
Mar 25, 2022
Messages
20
Reaction score
7
I recommend you recreate your launcher/self-update. I built two launchers, one in Python and another in Node.js, without virus detections. But I'm blocked from posting on RageZone :/ I will get a friend to post for me.
 
Upvote 0
Skilled Illusionist
Joined
Oct 29, 2012
Messages
312
Reaction score
26
I think it's because Gunz is not licensed software, and any licensed or legal application is going to detect it as something malicious.
Piracy...
It's definitely an option to consider. However, there are many others that are also not licensed and do not get accused of 'virus/malicious actions' when running, such as programmers or companies that serve the world of games (development). Would you like an example? There is a wide choice of Mu Online game launcher source codes where we don't have this type of problem, but with our dear Gunz it's a routine problem that bothers a lot, in addition to losing a lot of points with the audience that plays.

A lot of anti-virus programs scan for certain parts of code, statements, variable names, function names etc.
If you ask which virus the AV shows,
then you can always look it up on Google to see which parts trigger that virus detection.
I understand... but what still generates a certain doubt and discomfort is that in the GunzLauncher project itself we don't have anything 'dubious' in the names of variables and functions, nor does it seem to have malicious code. Talking specifically about this project, have you seen it in depth, or were you able to solve this problem?

I recommend you recreate your launcher/self-update. I built two launchers, one in Python and another in Node.js, without virus detections. But I'm blocked from posting on RageZone :/ I will get a friend to post for me.
Yes, the way to solve this kind of problem would be to go ahead with a development from scratch of a new auto-update launcher. However, the idea would be to solve this issue and apply it to the game's launcher project. Your solution developed in Node.js seems interesting; once I get familiar with it and develop it for the web area... when you can share, please do it :)
 
Upvote 0
Junior Spellweaver
Joined
Feb 2, 2012
Messages
162
Reaction score
56
Code isn't digitally signed, so C++ is like that. Rewrite it in C# and it'll work fine. At some point I read someone used the updater.exe to implant malicious code in clients; that will red flag the stub in Windows Defender.
 
Upvote 0
I'm retired, I'm already
Banned
Joined
Oct 3, 2011
Messages
832
Reaction score
155
Code isn't digitally signed, so C++ is like that. Rewrite it in C# and it'll work fine. At some point I read someone used the updater.exe to implant malicious code in clients; that will red flag the stub in Windows Defender.

Exactly, this is what I was referring to.
 
Upvote 0
Experienced Elementalist
Joined
May 12, 2014
Messages
260
Reaction score
61
Re: Launcher & Gunz.exe projects why are they malicious?

You took the words from me: in general with update.exe, when an exe tries to run an exe that contains another exe, it is a bit... "virus", or that is how it gets detected. When analyzing launcher.exe and its resources it sees that it has another file inside that is possibly detected as a hack. Also the signature: you can sign with a generic signature, but you must pass the visual tests (micro-certified).



I say that the fault lies with update.exe, because I use other launchers in C++ and this does not happen, as in the case of the refined launcher, which is an unfinished wonder, with sync and more <3
 
Upvote 0

VOC

Initiate Mage
Joined
Jun 22, 2022
Messages
3
Reaction score
3
Well, not to be lame, but you guys are wrong and right, lemme explain. Yes, Gunz is old, client-sided, a portable executable etc., but the actual problem is the fact that UGG has been spreading malware for a long time. All Gunz servers are getting flagged to avoid obfuscation techniques; A/V solutions have to do so. UGG malware is not metamorphic/polymorphic, but some threats always rewrite their own code/adapt it for their needs. UGG does attack your EFI and numerous other Windows services. They even replace outlook.exe lel and use numerous LOLBAS ways. LOLBAS/LOLBins mostly exploit signed Microsoft services like at.exe, explorer.exe etc. in order to persist on / post-escalate a system. What I'm posting is only the tip of the ice-GunZberg. It is much worse and more pathetic than this. Well, I'm not sure what is pathetic: his C2 or the fact he's killing Gunz. If you guys want to know more about it, feel free to come by this dead Discord server

[three screenshot attachments]
 

Upvote 0
I'm retired, I'm already
Banned
Joined
Oct 3, 2011
Messages
832
Reaction score
155
Well, not to be lame, but you guys are wrong and right, lemme explain. Yes, Gunz is old, client-sided, a portable executable etc., but the actual problem is the fact that UGG has been spreading malware for a long time. All Gunz servers are getting flagged to avoid obfuscation techniques; A/V solutions have to do so. UGG malware is not metamorphic/polymorphic, but some threats always rewrite their own code/adapt it for their needs. UGG does attack your EFI and numerous other Windows services. They even replace outlook.exe lel and use numerous LOLBAS ways. LOLBAS/LOLBins mostly exploit signed Microsoft services like at.exe, explorer.exe etc. in order to persist on / post-escalate a system. What I'm posting is only the tip of the ice-GunZberg. It is much worse and more pathetic than this. Well, I'm not sure what is pathetic: his C2 or the fact he's killing Gunz. If you guys want to know more about it, feel free to come by this dead Discord server

[three screenshot attachments]


It was more or less what they came to say, but it is the theory to apply.
 

Upvote 0
The beer?? Its here !!!
Loyal Member
Joined
Jan 9, 2007
Messages
1,621
Reaction score
104
Well, not to be lame, but you guys are wrong and right, lemme explain. Yes, Gunz is old, client-sided, a portable executable etc., but the actual problem is the fact that UGG has been spreading malware for a long time. All Gunz servers are getting flagged to avoid obfuscation techniques; A/V solutions have to do so. UGG malware is not metamorphic/polymorphic, but some threats always rewrite their own code/adapt it for their needs. UGG does attack your EFI and numerous other Windows services. They even replace outlook.exe lel and use numerous LOLBAS ways. LOLBAS/LOLBins mostly exploit signed Microsoft services like at.exe, explorer.exe etc. in order to persist on / post-escalate a system. What I'm posting is only the tip of the ice-GunZberg. It is much worse and more pathetic than this. Well, I'm not sure what is pathetic: his C2 or the fact he's killing Gunz. If you guys want to know more about it, feel free to come by this dead Discord server

[three screenshot attachments]


The Ntdll function DisableUserModeCallbackFilter does not even exist anymore in Windows 10 and up. I don't know if Windows 8 still had it.

But that function is kind of harmless in most situations.
The red highlights in your screenshots are warnings that the function or file isn't found on the checking machines, since it's an old, no longer existing one.

The red flag "drops executable file immediately after launch" can be harmful, but is also explainable since it's a launcher for a game.
Some launchers download the latest executable every time and launch it, to prevent modding.

I haven't checked the UGG launcher myself, but your screenshots don't show anything useful to me.

PS: rundll32.exe is just used to execute a DLL file. DLLs are mostly libraries, but some can be executed standalone as well.
 

Upvote 0

VOC

Initiate Mage
Joined
Jun 22, 2022
Messages
3
Reaction score
3
All the previous pictures are from public scans which can be found on Google; those are from Hybrid Analysis and Any.run. You can simply google the name of the file with the site, or the hashes.

"UGGLauncherRE.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\OUTLOOK.EXE")
Would you say the outlook.exe is legit since it is used by an email software?

The rundll32 hashes were important, not the rundll32 functions you are used to seeing. You cannot base it on your previous experience and what you know from the uses of a specific DLL; those can be hooked, replaced etc. Malware uses what we call LOLBINS/LOLBAS, which target stuff like explorer.exe and very common Microsoft stuff. This is just part of the Any.run and Hybrid Analysis; most of the work was done on FlareVM. The weirdest poop I've seen is them replacing the outlook.exe, but since you joined the Discord just let me know if you want me to go over my findings. I can stream the reversing process again and explain every red flag. So here we can notice some residential IPs which he probably got from infecting his own players, as shown above.

I doubt that you would need to obfuscate strings and hide stuff like this in typical patches; we ain't doing it on FXP, never seen this on fgunz etc.


  1. Potential IP "32.32.32.11" found in string "5165176276276254143032/32.32.21-21-0/+/.*/.*0/,32.32.32.11-/.*0/+/.*/.*/.*-,(-,(+*&*)%)($)($)($('#*)%+*&)($('#2"
  2. Potential IP "32.21.32.21" found in string "~}|zwvtqqnppmssprronmkihfpolsrpoolnmkkjhkjhihfaa^]]ZZYVVURWVS`_]dc`cc`YXUTSPPOLHGDHGDNMJOOKNMJJIEGGCFEA??;FEADC@A@=?>:A@=>=:;:6995985;:798476254043043/32.21.32.21-0/,10,//+.-*/.*/.*.-*.-).-).-)-,(,+',+'+*&+*&*)%*)%)($)($('#('#('#"
  3. Potential IP "32.32.21.10" found in string "0/+.-)/.*10-43/32.10-10,21-32.32.21.10-21.33/32.43/54032.21-540762762884873;:6985551985984984;:6;:6=<8>=:>=9=;7<96<96>;7<:6;:7<;7;:6:95873984873984995873873984984873862863862852851951841951851961851850751751751640641640540540540540541651652540HGD"
  4. source



[screenshot attachment]
 

Upvote 0
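The three "Potential IP ... found in string" lines quoted above are the kind of sandbox output that needs a second look before it is treated as a C2 indicator: the surrounding strings are byte ramps and punctuation runs, not text. The block below is an added example (not from the thread, nor from Hybrid Analysis or Any.run) that re-creates that heuristic and adds the context check an analyst applies by hand: a dotted quad is rated "high" only when both of its neighbouring characters are something that plausibly sits next to an address in real program text (a string terminator, whitespace, a quote, a port or path separator). Strings 1 to 3 are copied from the report as quoted on this page; string 4 is constructed and uses the documentation range 203.0.113.0/24. The `TEXT_NEIGHBOURS` set is an assumption of this example, not a vendor rule.

```python
"""Triage "potential IP in string" hits from a strings scan.
Added example: heuristic and neighbour set are this example's own choices."""
import ipaddress
import re

# Four dotted decimal groups that are not glued to further digits or dots.
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Characters that plausibly surround an address in real program text
# (terminators, whitespace, quotes, port and path separators). Assumed set.
TEXT_NEIGHBOURS = set(" \t\r\n\x00\"'<>()[]{}:/=,;")

# Strings 1-3 as quoted from the sandbox report in the post above;
# string 4 is constructed (documentation address, TEST-NET-3).
SAMPLES = [
    "5165176276276254143032/32.32.21-21-0/+/.*/.*0/,32.32.32.11-/.*0/+/.*/.*/.*-,(-,(+*&*)%)($)($)($('#*)%+*&)($('#2",
    "~}|zwvtqqnppmssprronmkihfpolsrpoolnmkkjhkjhihfaa^]]ZZYVVURWVS`_]dc`cc`YXUTSPPOLHGDHGDNMJOOKNMJJIEGGCFEA??;FEADC@A@=?>:A@=>=:;:6995985;:798476254043043/32.21.32.21-0/,10,//+.-*/.*/.*.-*.-).-).-)-,(,+',+'+*&+*&*)%*)%)($)($('#('#('#",
    "0/+.-)/.*10-43/32.10-10,21-32.32.21.10-21.33/32.43/54032.21-540762762884873;:6985551985984984;:6;:6=<8>=:>=9=;7<96<96>;7<:6;:7<;7;:6:95873984873984995873873984984873862863862852851951841951851961851850751751751640641640540540540540541651652540HGD",
    "Connecting to 203.0.113.5:7000\x00",
]


def find_ip_candidates(s):
    """Yield (ip, prev_char, next_char) for every valid dotted quad in s."""
    for m in IP_RE.finditer(s):
        try:
            ipaddress.IPv4Address(m.group(1))  # rejects octets above 255
        except ValueError:
            continue
        prev_ch = s[m.start() - 1] if m.start() > 0 else "\x00"
        next_ch = s[m.end()] if m.end() < len(s) else "\x00"
        yield m.group(1), prev_ch, next_ch


def confidence(prev_ch, next_ch):
    """'high' only when both neighbours look like text delimiters."""
    both_text = prev_ch in TEXT_NEIGHBOURS and next_ch in TEXT_NEIGHBOURS
    return "high" if both_text else "low"


def triage(strings):
    """Return [(ip, confidence, is_global)] for all candidates in strings."""
    rows = []
    for s in strings:
        for ip, prev_ch, next_ch in find_ip_candidates(s):
            rows.append((ip, confidence(prev_ch, next_ch),
                         ipaddress.ip_address(ip).is_global))
    return rows


if __name__ == "__main__":
    for ip, conf, is_global in triage(SAMPLES):
        print(f"{ip:16} confidence={conf:4} global={is_global}")
```

Run against the four samples, the three report hits come out "low" (each is followed by a `-` inside a non-text blob) and only the constructed connection string is "high". That is the distinction the reply above draws between what a scanner prints and what actually explains an alert; a "low" hit is not evidence of anything until the bytes around it are understood, and a "high" hit still needs corroboration from network behaviour.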
The beer?? Its here !!!
Loyal Member
Joined
Jan 9, 2007
Messages
1,621
Reaction score
104
I didn't have time to do some research on it yet. I will dive into it this weekend.
The lack of time is killing me; running a construction company and working on starting a game development company takes a lot of time.

Edit: seeing the last screens does make me suspicious about it.
 
Upvote 0