LOLBINed — CyberGhost VPN (PeLauncher.exe/Dashboard.exe)


Introduction

PeLauncher

Source PeLauncher
Cyberghost Dashboard
  • Take any binary of your choosing and rename it “Dashboard.exe”.
  • Create two nested folders “A” and “B” and copy “PeLauncher.exe” inside.
  • Copy the fake “Dashboard.exe” two levels from where “PeLauncher” is located.
  • Execute the following command (the argument is necessary to bypass the check seen in the source):
PeLauncher.exe [ARG]
  • Your binary will be executed as a child of “PeLauncher”. (Note: your binary must know how to handle “!!launch” and the argument you provide, as they are hardcoded.)
Signed PeLauncher

Dashboard.exe

Dashboard.exe !!launch [PathToBinary]
Launching “calc.exe” via “Dashboard.exe”
Signed Dashboard
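
For detection, both behaviours above leave a recognisable parent/child pattern in process-creation telemetry. The following triage sketch is an added example, not code from the original article or from CyberGhost. It assumes events shaped like Sysmon Event ID 1 fields (Image, ParentImage, ParentCommandLine), and INSTALL_DIR with its sub-folders is a placeholder for wherever the client is legitimately installed in your environment.

```python
import ntpath

# Assumption: placeholder for the legitimate install directory; set it for your fleet.
INSTALL_DIR = r"C:\Program Files\VendorInstallDir"
WATCHED = {"pelauncher.exe", "dashboard.exe"}

def _name(path):
    return ntpath.basename(path).lower()

def _inside_install_dir(path):
    # Compare normalised, case-folded directories so "C:/PROGRAM FILES/.." still matches.
    folder = ntpath.normcase(ntpath.normpath(ntpath.dirname(path)))
    root = ntpath.normcase(ntpath.normpath(INSTALL_DIR))
    return folder == root or folder.startswith(root + "\\")

def triage(event):
    """Return the reasons a process-creation event deserves review (empty = none)."""
    reasons = []
    image, parent = event["Image"], event["ParentImage"]
    # A copied PeLauncher.exe or a renamed "Dashboard.exe" runs from a foreign folder.
    if _name(image) in WATCHED and not _inside_install_dir(image):
        reasons.append("watched binary name running outside install dir")
    # PeLauncher.exe should only ever start the vendor's own Dashboard.exe.
    if _name(parent) == "pelauncher.exe" and not _inside_install_dir(image):
        reasons.append("PeLauncher.exe child outside install dir")
    # Dashboard.exe started with "!!launch" and spawning a non-vendor binary.
    if (_name(parent) == "dashboard.exe"
            and "!!launch" in event["ParentCommandLine"].lower()
            and not _inside_install_dir(image)):
        reasons.append("Dashboard.exe !!launch child outside install dir")
    return reasons

# Constructed sample events (paths and arguments are illustrative, not captured data).
SAMPLE_EVENTS = [
    {"Image": INSTALL_DIR + r"\Dashboard.exe",
     "ParentImage": INSTALL_DIR + r"\sub1\sub2\PeLauncher.exe",
     "ParentCommandLine": "PeLauncher.exe arg"},
    {"Image": r"C:\Users\u\Dashboard.exe",
     "ParentImage": r"C:\Users\u\A\B\PeLauncher.exe",
     "ParentCommandLine": "PeLauncher.exe arg"},
    {"Image": r"C:\Windows\System32\calc.exe",
     "ParentImage": INSTALL_DIR + r"\Dashboard.exe",
     "ParentCommandLine": r"Dashboard.exe !!launch C:\Windows\System32\calc.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["Image"], "->", triage(ev) or "ok")
```

Because both binaries are signed, signature checks alone will not separate these cases; the path and parent/child relationship carry the signal.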

Conclusion

Nasreddine Bencherchali

I write about #ThreatHunting #WindowsInternals #Malware #DFIR and occasionally #Python.