Supply chain attack: a malicious Python package and GitHub project disguised as a cryptocurrency trading tool
T0daySeeker · posted from Sichuan · Featured · 1814 views · 2024-11-04 05:03

Overview

Recently, while browsing threat intelligence, I came across a research report on a supply chain attack, "Cryptocurrency Enthusiasts Targeted in Multi-Vector Supply Chain Attack". The report describes the research team's discovery of a malicious Python package named CryptoAITools; further investigation showed that the package was distributed both through the official Python third-party repository (PyPI) and through a GitHub project.

By the time I looked at it, the malicious package had already been removed from the official PyPI index; before removal it had been downloaded more than 1,300 times. The GitHub project and the C&C site were both still live.

Related screenshots are shown below:

Malicious Python package

Since this Python package is distributed through both the official PyPI index and a GitHub project, the malicious code can be pulled straight from the malicious GitHub project.

Looking at the Meme-Token-Hunter-Bot project shows that it was created on 4 February 2024, that project files started being updated in July, and that a Release build was published about three weeks ago. The project home page lists the project's official website as https://coinsw.app/

Taken as a whole, both the GitHub project and the project website are made to look very much like a legitimate project, so without a deliberate malware review it is easy to fall for. Related screenshots are shown below:

Downloading the Release build and running it in a test environment showed that it needs network access while running. Related screenshots are shown below:

Further analysis showed that it is an exe built with PyInstaller. Related screenshots are shown below:

So, to trace the attack chain in detail, we can either decompile the Release build directly or analyze the project source code directly.

Malicious modules for Windows and macOS

OS version check

Analysis shows that after this malicious Python package runs, it first checks the operating system and, depending on the result, selects and executes the malicious code for either Windows or macOS. Related screenshots are shown below:

Windows

Analyzing the Windows-specific malicious module shows that its code contains a large amount of encrypted code. A screenshot of the relevant code is shown below:

After decrypting its key code, it turns out that when this module runs it decodes the callback address, downloads multiple .py modules from it into the "~\AppData\Local\tmpcode\" directory, and then loads and executes the main.py module. The key decrypted information is as follows:

>>> encoded_base_key
'aHR0cHM6Ly9jb2luc3cuYXBwL2Jhc2Vjdw=='

Decoded: https://coinsw.app/basecw

>>> encoded_licences
['bWFpbi5weQ==', 'c2VjdXJpdHkucHk=', 'dGFkLnB5', 'bG9jYWwucHk=', 'c3MucHk=', 'Y2F0LnB5', 'dXBkLnB5', 'Zmlyc3RwYWdlLnB5', 'YXJhLnB5', 'Y2YucHk=', 'Y2l6LnB5', 'Y2F0X2RhbmNlLmdpZg==', 'cHMucHk=']

Decoded:
main.py
security.py
tad.py
local.py
ss.py
cat.py
upd.py
firstpage.py
ara.py
cf.py
ciz.py
cat_dance.gif
ps.py

>>> target_directory
'~\\AppData\\Local\\tmpcode\\'

>>> aibotpro_path
'~\\AppData\\Local\\tmpcode\\/main.py'
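As an added example (my own code, not the sample's and not from the original post), the following Python script performs the same configuration recovery statically: it parses a loader-like source snippet with the ast module, decodes every string literal that is valid base64 for printable text, and pairs each remote module with the local path the loader would write it to. The snippet is constructed from the decoded values shown above; the remote URL layout (base key + "/" + filename) is an assumption, since only the base address is visible here.

```python
import ast
import base64
import binascii
import ntpath
import re

# Constructed stand-in for the loader's decrypted configuration, built from the
# base64 values shown above. The real module wraps these in far more code.
LOADER_SNIPPET = r"""
encoded_base_key = 'aHR0cHM6Ly9jb2luc3cuYXBwL2Jhc2Vjdw=='
encoded_licences = ['bWFpbi5weQ==', 'c2VjdXJpdHkucHk=', 'dGFkLnB5', 'Y2F0X2RhbmNlLmdpZg==']
target_directory = '~\\AppData\\Local\\tmpcode\\'
"""

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def try_b64(s: str):
    """Return the decoded text if s is valid base64 for printable UTF-8, else None."""
    if len(s) < 4 or len(s) % 4 or not B64_RE.match(s):
        return None
    try:
        text = base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def extract_config(source: str) -> dict:
    """Map each simple assignment to its value, decoding base64 literals where found."""
    config = {}
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            continue
        value = ast.literal_eval(node.value)
        if isinstance(value, str):
            config[node.targets[0].id] = try_b64(value) or value
        elif isinstance(value, list):
            config[node.targets[0].id] = [try_b64(v) or v for v in value]
    return config


def download_plan(config: dict) -> list:
    """Pair each remote file with its local destination.
    Assumption: remote URL is the base key + '/' + filename (layout not on the page)."""
    base = config["encoded_base_key"].rstrip("/")
    target = config["target_directory"]
    # ntpath.join avoids the mixed '\\/' separator seen in aibotpro_path above
    return [(f"{base}/{name}", ntpath.join(target, name)) for name in config["encoded_licences"]]


if __name__ == "__main__":
    for url, path in download_plan(extract_config(LOADER_SNIPPET)):
        print(url, "->", path)
```

The base64 test deliberately requires a length that is a multiple of four, the strict alphabet and a printable result, so ordinary identifiers and paths in the source are left untouched rather than mis-decoded.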

A screenshot of the relevant code is shown below:

macOS

Analyzing the macOS-specific malicious module shows that when it runs it decodes the callback address, downloads multiple .py modules into the "~/tmpcode/" directory, and then loads and executes the MHTBot.py module. A screenshot of the relevant code is shown below:

Building a deobfuscation script

A quick look at the functional module files showed that every module had been obfuscated, so analyzing them directly would mean decrypting by hand, which would be slow and tedious.

To save time, I decided to build a deobfuscation script to automate the process.

A bit of investigation showed that the attacker had only obfuscated the string literals in the functional modules, so I took the approach of dynamically decrypting the obfuscated strings to deobfuscate the code. The rough flow is:

  • Extract the obfuscated strings;
  • Decrypt them dynamically by running them under python.exe;
  • Write the decrypted strings back into the module's code.

The deobfuscation script in action:

Code before deobfuscation (screenshot):

Code after deobfuscation (screenshot):

The deobfuscation script is as follows:

package main

import (
    "bufio"
    "fmt"
    "io"
    "os"
    "os/exec"
    "path/filepath"
    "regexp"
    "strings"
)

func main() {
    // Obfuscated module to process; the deobfuscated copy is written to a
    // file of the same name in the current directory
    onefile := "C:\\Users\\admin\\Desktop\\main.py"

    filename := filepath.Base(onefile)

    // The first line of each module defines the XOR table that every
    // obfuscated string expression depends on
    xor_table := get_xor_table(onefile)

    content, err := os.ReadFile(onefile)
    if err != nil {
        fmt.Printf("Error reading file: %s\n", err)
        return
    }
    // Regular expression matching the obfuscated string expressions, which
    // all take the form ''.join(...)
    pattern := `''\.join\(.*?\)\)\)\]\)`
    re := regexp.MustCompile(pattern)
    // Find every obfuscated expression in the module
    matches := re.FindAllString(string(content), -1)
    newfiledata := string(content)
    for _, match := range matches {
        // Build a throwaway script consisting of the XOR table followed by
        // print(<expression>), so the Python interpreter does the decryption
        os.Remove("test.py")
        WriteFile_A("test.py", xor_table)
        WriteFile_A("test.py", "\n")
        WriteFile_A("test.py", `print(`)
        WriteFile_A("test.py", match)
        WriteFile_A("test.py", `)`)

        cmd := exec.Command("D:\\Python311\\python.exe", "test.py")
        output, err := cmd.CombinedOutput()
        if err != nil {
            fmt.Printf("Error: %s\n", err)
            return
        }
        decoded := strings.ReplaceAll(string(output), "\r\n", "")
        fmt.Println(decoded)

        // Replace the obfuscated expression with the decrypted string literal
        if strings.Contains(newfiledata, match) {
            newfiledata = strings.ReplaceAll(newfiledata, match, `'`+decoded+`'`)
        }
    }
    if err := WriteFile(filename, newfiledata); err != nil {
        fmt.Printf("Error writing file: %s\n", err)
    }
}

// get_xor_table returns the first line of the module (the XOR table definition)
func get_xor_table(filename string) string {
    file, err := os.Open(filename)
    if err != nil {
        fmt.Println("Error opening file:", err)
        return ""
    }
    defer file.Close()

    reader := bufio.NewReader(file)

    firstLine, err := reader.ReadString('\n')
    if err != nil {
        fmt.Println("Error reading file:", err)
        return ""
    }
    return firstLine
}

// WriteFile creates (or truncates) filename and writes data to it
func WriteFile(filename, data string) error {
    file, err := os.Create(filename)
    if err != nil {
        return err
    }
    defer file.Close()

    _, err = io.WriteString(file, data)
    if err != nil {
        return err
    }

    return nil
}

func checkFileIsExist(filename string) bool {
    var exist = true
    if _, err := os.Stat(filename); os.IsNotExist(err) {
        exist = false
    }
    return exist
}

// WriteFile_A appends buffer to filename, creating the file if needed
func WriteFile_A(filename string, buffer string) {
    var f *os.File
    var err error

    if checkFileIsExist(filename) {
        f, err = os.OpenFile(filename, os.O_APPEND|os.O_WRONLY, os.ModeAppend)
    } else {
        f, err = os.Create(filename)
    }
    // Check the open/create error before using f, otherwise a failed open
    // leads to a nil file handle
    if err != nil {
        fmt.Println(err.Error())
        return
    }
    defer f.Close()

    if _, err = io.WriteString(f, buffer); err != nil {
        fmt.Println(err.Error())
    }
}
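As an added example (my own code, not the post's script and not the sample), the same three steps can be done in Python with the ast module instead of a regex plus a separate interpreter run: the obfuscated expressions are matched by shape (a call to ''.join), each one is evaluated on its own with only the XOR table and the handful of builtins it needs in scope (so none of the module's other code runs), and the recovered literal is written back into the tree. The obfuscation scheme, the table name _k and the sample module are constructed for this demonstration and are not the sample's actual encoding.

```python
import ast

KEY_NAME = "_k"  # constructed convention: XOR table is the module's first statement


def obfuscate(text: str, key: list) -> str:
    """Constructed encoding: XOR each character with a repeating key and emit
    the ''.join(...) expression that decodes it at run time."""
    nums = [ord(c) ^ key[i % len(key)] for i, c in enumerate(text)]
    return f"''.join([chr(b ^ {KEY_NAME}[i % len({KEY_NAME})]) for i, b in enumerate({nums})])"


def is_join_expr(node: ast.AST) -> bool:
    """Match the shape ''.join(<anything>) rather than relying on a brittle regex."""
    return (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == "join"
            and isinstance(node.func.value, ast.Constant)
            and node.func.value.value == "")


class StringRecovery(ast.NodeTransformer):
    """Replace every obfuscated string expression with the literal it evaluates to."""

    def __init__(self, xor_table: list):
        # Only the XOR table and the builtins the encoding uses are reachable
        self.scope = {"__builtins__": {"chr": chr, "len": len, "enumerate": enumerate},
                      KEY_NAME: xor_table}
        self.recovered = []

    def visit_Call(self, node):
        self.generic_visit(node)
        if not is_join_expr(node):
            return node
        code = compile(ast.Expression(body=node), "<obfuscated>", "eval")
        value = eval(code, self.scope)  # evaluates the string expression only
        self.recovered.append(value)
        return ast.copy_location(ast.Constant(value=value), node)


def deobfuscate(source: str):
    """Return (deobfuscated source, list of recovered strings)."""
    tree = ast.parse(source)
    first = tree.body[0]
    if not (isinstance(first, ast.Assign) and isinstance(first.targets[0], ast.Name)
            and first.targets[0].id == KEY_NAME):
        raise ValueError("expected the XOR table assignment as the first statement")
    recovery = StringRecovery(ast.literal_eval(first.value))
    new_tree = ast.fix_missing_locations(recovery.visit(tree))
    return ast.unparse(new_tree), recovery.recovered


# Constructed sample module in the shape described above (not the real malware)
XOR_TABLE = [19, 7, 113, 44]
SAMPLE_MODULE = "\n".join([
    f"{KEY_NAME} = {XOR_TABLE}",
    "import os",
    f"TARGET = {obfuscate('tmpcode', XOR_TABLE)}",
    "def run():",
    f"    return os.path.join(TARGET, {obfuscate('main.py', XOR_TABLE)})",
])

if __name__ == "__main__":
    cleaned, strings = deobfuscate(SAMPLE_MODULE)
    print(cleaned)
    print("recovered:", strings)
```

Because the rewrite goes through ast.Constant and ast.unparse, a recovered string that itself contains a quote is emitted with correct escaping, which a plain text substitution of the form '<decoded>' would get wrong.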

Functional module breakdown

Analysis gives the following breakdown of what each functional module does:

Module          Function
main.py         Main program module
firstpage.py    Anti-VM and anti-sandbox checks
tad.py          Packages the Telegram application's data
ps.py           Packages browser data
ciz.py          Packages data from cryptocurrency-related browser extensions
ss.py           Takes screenshots
ara.py          Scans files in the Downloads, Documents and Desktop directories and backs up those containing keywords related to cryptocurrency, passwords and financial information
upd.py          Compresses and uploads the collected data

Note: during the analysis it became clear that the Release build of the Meme-Token-Hunter-Bot project is exactly the malicious program produced by packaging the functional modules below with PyInstaller.

main.py

Analysis shows that once this module runs it calls the other modules to carry out a series of malicious functions. Related screenshots are shown below:

firstpage.py

Analysis shows that this module's main function is anti-VM and anti-sandbox checking. In detail:

  • System process check: enumerates the processes running on the system and terminates any that match the process blacklist;
  • Network check: requests ipapi.co/ip/ to obtain the public IP address, then checks whether the IP and MAC addresses are on the blacklists;
  • System information check: obtains the system's hardware ID, username and computer name and checks whether they are on the blacklists.

A screenshot of the relevant code is shown below:

The blacklists are as follows:

setattr(self,'blackListedUsers', ['WDAGUtilityAccount', 'dg', 'Frank', 'Bruno', 'Robert', 'Twig', 'John', 'tim', 'dx', 'Ac', 'ss', 'darrel', 'sujans', 'george', 'elz', 'jz', 'YES', 'wizar', 'Abby', 'hmarc', 'patex', 'RDhJ0CNFevzX', 'kEecfMwgj', '8Nl0ColNQ5bq', 'Lisa', 'PxmdUOpVyx', '8VizSM', 'w0fjuOVmCcP5A', 'lmVwjj9b', 'PqONjHVwexsS', '3u2v9m8', 'Julia', 'HEUeRzl', 'fred', 'server', 'BvJChRPnsxn', 'Harry Johnson', 'SqgFOf3G', 'Lucas', 'mike', 'h7dk1xPr', 'Louise', 'User01', 'test', 'RGzcBUyrznReg', 'BEE7370C-8C0C-4', 'DESKTOP-NAKFFMT', 'WIN-5E07COS9ALR', 'B30F0242-1C6A-4', 'DESKTOP-VRSQLAG', 'Q9IATRKPRH', 'XC64ZB', 'DESKTOP-D019GDM', 'DESKTOP-WI8CLET', 'SERVER1', 'LISA-PC', 'JOHN-PC', 'DESKTOP-B0T93D6', 'DESKTOP-1PYKP29', 'DESKTOP-1Y2433R', 'WILEYPC', 'WORK', '6C4E733F-C2D9-4', 'RALPHS-PC', 'DESKTOP-WG3MYJS', 'DESKTOP-7XC6GEZ', 'DESKTOP-5OV9S0O', 'QarZhrdBpj', 'ORELEEPC', 'ARCHIBALDPC', 'JULIA-PC', 'd1bnJkfVlH', 'NETTYPC', 'DESKTOP-BUGIO', 'DESKTOP-CBGPFEE', 'SERVER-PC', 'TIQIYLA9TW5M', 'DESKTOP-KALVINO', 'COMPNAME_4047', 'DESKTOP-19OLLTD', 'DESKTOP-DE369SE', 'EA8C2E2A-D017-4', 'AIDANPC', 'LUCAS-PC', 'MARCI-PC', 'ACEPC', 'MIKE-PC', 'DESKTOP-IAPKN1P', 'DESKTOP-NTU7VUO', 'LOUISE-PC', 'T00917', 'test42'])
setattr(self,'blackListedPCNames', ['BEE7370C-8C0C-4', 'DESKTOP-NAKFFMT', 'WIN-5E07COS9ALR', 'B30F0242-1C6A-4', 'DESKTOP-VRSQLAG', 'Q9IATRKPRH', 'XC64ZB', 'DESKTOP-D019GDM', 'DESKTOP-WI8CLET', 'SERVER1', 'LISA-PC', 'JOHN-PC', 'DESKTOP-B0T93D6', 'DESKTOP-1PYKP29', 'DESKTOP-1Y2433R', 'WILEYPC', 'WORK', '6C4E733F-C2D9-4', 'RALPHS-PC', 'DESKTOP-WG3MYJS', 'DESKTOP-7XC6GEZ', 'DESKTOP-5OV9S0O', 'QarZhrdBpj', 'ORELEEPC', 'ARCHIBALDPC', 'JULIA-PC', 'd1bnJkfVlH', 'NETTYPC', 'DESKTOP-BUGIO', 'DESKTOP-CBGPFEE', 'SERVER-PC', 'TIQIYLA9TW5M', 'DESKTOP-KALVINO', 'COMPNAME_4047', 'DESKTOP-19OLLTD', 'DESKTOP-DE369SE', 'EA8C2E2A-D017-4', 'AIDANPC', 'LUCAS-PC', 'MARCI-PC', 'ACEPC', 'MIKE-PC', 'DESKTOP-IAPKN1P', 'DESKTOP-NTU7VUO', 'LOUISE-PC', 'T00917', 'test42'])
setattr(self,'blackListedHWIDS', ['7AB5C494-39F5-4941-9163-47F54D6D5016', '03DE0294-0480-05DE-1A06-350700080009', '11111111-2222-3333-4444-555555555555', '6F3CA5EC-BEC9-4A4D-8274-11168F640058', 'ADEEEE9E-EF0A-6B84-B14B-B83A54AFC548', '4C4C4544-0050-3710-8058-CAC04F59344A', '00000000-0000-0000-0000-AC1F6BD04972', '00000000-0000-0000-0000-000000000000', '5BD24D56-789F-8468-7CDC-CAA7222CC121', '49434D53-0200-9065-2500-65902500E439', '49434D53-0200-9036-2500-36902500F022', '777D84B3-88D1-451C-93E4-D235177420A7', '49434D53-0200-9036-2500-369025000C65', 'B1112042-52E8-E25B-3655-6A4F54155DBF', '00000000-0000-0000-0000-AC1F6BD048FE', 'EB16924B-FB6D-4FA1-8666-17B91F62FB37', 'A15A930C-8251-9645-AF63-E45AD728C20C', '67E595EB-54AC-4FF0-B5E3-3DA7C7B547E3', 'C7D23342-A5D4-68A1-59AC-CF40F735B363', '63203342-0EB0-AA1A-4DF5-3FB37DBB0670', '44B94D56-65AB-DC02-86A0-98143A7423BF', '6608003F-ECE4-494E-B07E-1C4615D1D93C', 'D9142042-8F51-5EFF-D5F8-EE9AE3D1602A', '49434D53-0200-9036-2500-369025003AF0', '8B4E8278-525C-7343-B825-280AEBCD3BCB', '4D4DDC94-E06C-44F4-95FE-33A1ADA5AC27', '79AF5279-16CF-4094-9758-F88A616D81B4', 'FF577B79-782E-0A4D-8568-B35A9B7EB76B', '08C1E400-3C56-11EA-8000-3CECEF43FEDE', '6ECEAF72-3548-476C-BD8D-73134A9182C8', '49434D53-0200-9036-2500-369025003865', '119602E8-92F9-BD4B-8979-DA682276D385', '12204D56-28C0-AB03-51B7-44A8B7525250', '63FA3342-31C7-4E8E-8089-DAFF6CE5E967', '365B4000-3B25-11EA-8000-3CECEF44010C', 'D8C30328-1B06-4611-8E3C-E433F4F9794E', '00000000-0000-0000-0000-50E5493391EF', '00000000-0000-0000-0000-AC1F6BD04D98', '4CB82042-BA8F-1748-C941-363C391CA7F3', 'B6464A2B-92C7-4B95-A2D0-E5410081B812', 'BB233342-2E01-718F-D4A1-E7F69D026428', '9921DE3A-5C1A-DF11-9078-563412000026', 'CC5B3F62-2A04-4D2E-A46C-AA41B7050712', '00000000-0000-0000-0000-AC1F6BD04986', 'C249957A-AA08-4B21-933F-9271BEC63C85', 'BE784D56-81F5-2C8D-9D4B-5AB56F05D86E', 'ACA69200-3C4C-11EA-8000-3CECEF4401AA', '3F284CA4-8BDF-489B-A273-41B44D668F6D', 'BB64E044-87BA-C847-BC0A-C797D1A16A50', 
'2E6FB594-9D55-4424-8E74-CE25A25E36B0', '42A82042-3F13-512F-5E3D-6BF4FFFD8518', '38AB3342-66B0-7175-0B23-F390B3728B78', '48941AE9-D52F-11DF-BBDA-503734826431', '032E02B4-0499-05C3-0806-3C0700080009', 'DD9C3342-FB80-9A31-EB04-5794E5AE2B4C', 'E08DE9AA-C704-4261-B32D-57B2A3993518', '07E42E42-F43D-3E1C-1C6B-9C7AC120F3B9', '88DC3342-12E6-7D62-B0AE-C80E578E7B07', '5E3E7FE0-2636-4CB7-84F5-8D2650FFEC0E', '96BB3342-6335-0FA8-BA29-E1BA5D8FEFBE', '0934E336-72E4-4E6A-B3E5-383BD8E938C3', '12EE3342-87A2-32DE-A390-4C2DA4D512E9', '38813342-D7D0-DFC8-C56F-7FC9DFE5C972', '8DA62042-8B59-B4E3-D232-38B29A10964A', '3A9F3342-D1F2-DF37-68AE-C10F60BFB462', 'F5744000-3C78-11EA-8000-3CECEF43FEFE', 'FA8C2042-205D-13B0-FCB5-C5CC55577A35', 'C6B32042-4EC3-6FDF-C725-6F63914DA7C7', 'FCE23342-91F1-EAFC-BA97-5AAE4509E173', 'CF1BE00F-4AAF-455E-8DCD-B5B09B6BFA8F', '050C3342-FADD-AEDF-EF24-C6454E1A73C9', '4DC32042-E601-F329-21C1-03F27564FD6C', 'DEAEB8CE-A573-9F48-BD40-62ED6C223F20', '05790C00-3B21-11EA-8000-3CECEF4400D0', '5EBD2E42-1DB8-78A6-0EC3-031B661D5C57', '9C6D1742-046D-BC94-ED09-C36F70CC9A91', '907A2A79-7116-4CB6-9FA5-E5A58C4587CD', 'A9C83342-4800-0578-1EE8-BA26D2A678D2', 'D7382042-00A0-A6F0-1E51-FD1BBF06CD71', '1D4D3342-D6C4-710C-98A3-9CC6571234D5', 'CE352E42-9339-8484-293A-BD50CDC639A5', '60C83342-0A97-928D-7316-5F1080A78E72', '02AD9898-FA37-11EB-AC55-1D0C0A67EA8A', 'DBCC3514-FA57-477D-9D1F-1CAF4CC92D0F', 'FED63342-E0D6-C669-D53F-253D696D74DA', '2DD1B176-C043-49A4-830F-C623FFB88F3C', '4729AEB0-FC07-11E3-9673-CE39E79C8A00', '84FE3342-6C67-5FC6-5639-9B3CA3D775A1', 'DBC22E42-59F7-1329-D9F2-E78A2EE5BD0D', 'CEFC836C-8CB1-45A6-ADD7-209085EE2A57', 'A7721742-BE24-8A1C-B859-D7F8251A83D3', '3F3C58D1-B4F2-4019-B2A2-2A500E96AF2E', 'D2DC3342-396C-6737-A8F6-0C6673C1DE08', 'EADD1742-4807-00A0-F92E-CCD933E9D8C1', 'AF1B2042-4B90-0000-A4E4-632A1C8C7EB1', 'FE455D1A-BE27-4BA4-96C8-967A6D3A9661', '921E2042-70D3-F9F1-8CBD-B398A21F89C6'])

setattr(self,'blackListedIPS', ['88.132.231.71', '78.139.8.50', '20.99.160.173', '88.153.199.169', '84.147.62.12', '194.154.78.160', '92.211.109.160', '195.74.76.222', '188.105.91.116', '34.105.183.68', '92.211.55.199', '79.104.209.33', '95.25.204.90', '34.145.89.174', '109.74.154.90', '109.145.173.169', '34.141.146.114', '212.119.227.151', '195.239.51.59', '192.40.57.234', '64.124.12.162', '34.142.74.220', '188.105.91.173', '109.74.154.91', '34.105.72.241', '109.74.154.92', '213.33.142.50', '109.74.154.91', '93.216.75.209', '192.87.28.103', '88.132.226.203', '195.181.175.105', '88.132.225.100', '92.211.192.144', '34.83.46.130', '188.105.91.143', '34.85.243.241', '34.141.245.25', '178.239.165.70', '84.147.54.113', '193.128.114.45', '95.25.81.24', '92.211.52.62', '88.132.227.238', '35.199.6.13', '80.211.0.97', '34.85.253.170', '23.128.248.46', '35.229.69.227', '34.138.96.23', '192.211.110.74', '35.237.47.12', '87.166.50.213', '34.253.248.228', '212.119.227.167', '193.225.193.201', '34.145.195.58', '34.105.0.27', '195.239.51.3', '35.192.93.107'])

setattr(self,'blackListedMacs', ['00:15:5d:00:07:34', '00:e0:4c:b8:7a:58', '00:0c:29:2c:c1:21', '00:25:90:65:39:e4', 'c8:9f:1d:b6:58:e4', '00:25:90:36:65:0c', '00:15:5d:00:00:f3', '2e:b8:24:4d:f7:de', '00:15:5d:13:6d:0c', '00:50:56:a0:dd:00', '00:15:5d:13:66:ca', '56:e8:92:2e:76:0d', 'ac:1f:6b:d0:48:fe', '00:e0:4c:94:1f:20', '00:15:5d:00:05:d5', '00:e0:4c:4b:4a:40', '42:01:0a:8a:00:22', '00:1b:21:13:15:20', '00:15:5d:00:06:43', '00:15:5d:1e:01:c8', '00:50:56:b3:38:68', '60:02:92:3d:f1:69', '00:e0:4c:7b:7b:86', '00:e0:4c:46:cf:01', '42:85:07:f4:83:d0', '56:b0:6f:ca:0a:e7', '12:1b:9e:3c:a6:2c', '00:15:5d:00:1c:9a', '00:15:5d:00:1a:b9', 'b6:ed:9d:27:f4:fa', '00:15:5d:00:01:81', '4e:79:c0:d9:af:c3', '00:15:5d:b6:e0:cc', '00:15:5d:00:02:26', '00:50:56:b3:05:b4', '1c:99:57:1c:ad:e4', '08:00:27:3a:28:73', '00:15:5d:00:00:c3', '00:50:56:a0:45:03', '12:8a:5c:2a:65:d1', '00:25:90:36:f0:3b', '00:1b:21:13:21:26', '42:01:0a:8a:00:22', '00:1b:21:13:32:51', 'a6:24:aa:ae:e6:12', '08:00:27:45:13:10', '00:1b:21:13:26:44', '3c:ec:ef:43:fe:de', 'd4:81:d7:ed:25:54', '00:25:90:36:65:38', '00:03:47:63:8b:de', '00:15:5d:00:05:8d', '00:0c:29:52:52:50', '00:50:56:b3:42:33', '3c:ec:ef:44:01:0c', '06:75:91:59:3e:02', '42:01:0a:8a:00:33', 'ea:f6:f1:a2:33:76', 'ac:1f:6b:d0:4d:98', '1e:6c:34:93:68:64', '00:50:56:a0:61:aa', '42:01:0a:96:00:22', '00:50:56:b3:21:29', '00:15:5d:00:00:b3', '96:2b:e9:43:96:76', 'b4:a9:5a:b1:c6:fd', 'd4:81:d7:87:05:ab', 'ac:1f:6b:d0:49:86', '52:54:00:8b:a6:08', '00:0c:29:05:d8:6e', '00:23:cd:ff:94:f0', '00:e0:4c:d6:86:77', '3c:ec:ef:44:01:aa', '00:15:5d:23:4c:a3', '00:1b:21:13:33:55', '00:15:5d:00:00:a4', '16:ef:22:04:af:76', '00:15:5d:23:4c:ad', '1a:6c:62:60:3b:f4', '00:15:5d:00:00:1d', '00:50:56:a0:cd:a8', '00:50:56:b3:fa:23', '52:54:00:a0:41:92', '00:50:56:b3:f6:57', '00:e0:4c:56:42:97', 'ca:4d:4b:ca:18:cc', 'f6:a5:41:31:b2:78', 'd6:03:e4:ab:77:8e', '00:50:56:ae:b2:b0', '00:50:56:b3:94:cb', '42:01:0a:8e:00:22', '00:50:56:b3:4c:bf', '00:50:56:b3:09:9e', 
'00:50:56:b3:38:88', '00:50:56:a0:d0:fa', '00:50:56:b3:91:c8', '3e:c1:fd:f1:bf:71', '00:50:56:a0:6d:86', '00:50:56:a0:af:75', '00:50:56:b3:dd:03', 'c2:ee:af:fd:29:21', '00:50:56:b3:ee:e1', '00:50:56:a0:84:88', '00:1b:21:13:32:20', '3c:ec:ef:44:00:d0', '00:50:56:ae:e5:d5', '00:50:56:97:f6:c8', '52:54:00:ab:de:59', '00:50:56:b3:9e:9e', '00:50:56:a0:39:18', '32:11:4d:d0:4a:9e', '00:50:56:b3:d0:a7', '94:de:80:de:1a:35', '00:50:56:ae:5d:ea', '00:50:56:b3:14:59', 'ea:02:75:3c:90:9f', '00:e0:4c:44:76:54', 'ac:1f:6b:d0:4d:e4', '52:54:00:3b:78:24', '00:50:56:b3:50:de', '7e:05:a3:62:9c:4d', '52:54:00:b3:e4:71', '90:48:9a:9d:d5:24', '00:50:56:b3:3b:a6', '92:4c:a8:23:fc:2e', '5a:e2:a6:a4:44:db', '00:50:56:ae:6f:54', '42:01:0a:96:00:33', '00:50:56:97:a1:f8', '5e:86:e4:3d:0d:f6', '00:50:56:b3:ea:ee', '3e:53:81:b7:01:13', '00:50:56:97:ec:f2', '00:e0:4c:b3:5a:2a', '12:f8:87:ab:13:ec', '00:50:56:a0:38:06', '2e:62:e8:47:14:49', '00:0d:3a:d2:4f:1f', '60:02:92:66:10:79', '', '00:50:56:a0:d7:38', 'be:00:e5:c5:0c:e5', '00:50:56:a0:59:10', '00:50:56:a0:06:8d', '00:e0:4c:cb:62:08', '4e:81:81:8e:22:4e'])

setattr(self,'blacklistedProcesses', ['httpdebuggerui', 'wireshark', 'fiddler', 'regedit', 'vboxservice', 'df5serv', 'processhacker', 'vboxtray', 'vmtoolsd', 'vmwaretray', 'ida64', 'ollydbg', 'pestudio', 'vmwareuser', 'vgauthservice', 'vmacthlp', 'x96dbg', 'vmsrvc', 'x32dbg', 'vmusrvc', 'prl_cc', 'prl_tools', 'xenservice', 'qemu-ga', 'joeboxcontrol', 'ksdumperclient', 'ksdumper', 'joeboxserver'])

If this module detects that the program is running in a virtual machine or sandbox, it simply opens the animated GIF file named "cat_dance.gif". A screenshot of the relevant code is shown below:

A screenshot of the animated GIF is shown below:

cf.py

Analysis shows that this module's main function is creating the temporary folder. A screenshot of the relevant code is shown below:

tad.py

Analysis shows that this module's main function is packaging the Telegram application's data directory and saving it compressed as ArchiveX.zip. A screenshot of the relevant code is shown below:

ps.py

Analysis shows that this module's main function is packaging browser data, including cookies, browsing history, the downloads directory and so on. A screenshot of the relevant code is shown below:

ciz.py

Analysis shows that this module's main function is packaging data from various cryptocurrency-related browser extensions. A screenshot of the relevant code is shown below:

The relevant directories are as follows:

TARGET_FOLDERS = ['nkbihfbeogaeaoehlefnkodbefgpgknn', 'fhbohimaelbohpjbbldcngcnapndodjp', 'hnfanknocfeofbddgcijnmhnfnkdnaad', 'fnjhmkhhmkbjkkabndcnnogagogbneec', 'egjidjbpglichdcondbcbdnbeeppgdph', 'ojggmchlghnjlapmfbnjholfjkiidbch', 'opcgpfmipidbgpenhmajoajpbobppdil', 'efbglgofoippbgcjepnhiblaibcnclgk', 'ibnejdfjmmkpcnlpebklmnkoeoihofec', 'ejjladinnckdgjemekebdpeokbikhfci', 'phkbamefinggmakgklpkljjmgibohnba', 'ebfidpplhabeedpnhjnobghokpiioolj', 'afbcbjpbpfadlkmhmclhkeeodmamcflc', 'aeachknmefphepccionboohckonoeemg', 'bhghoamapcdpbohphigoooaddinpkbai', 'aholpfdialjgjfhomihkjbmgjidlcdno', 'bfnaelmomeimhlpmgjnjophhpkkoljpa', 'agoakfejjabomempkjlepdflaleeobhb', 'mfgccjchihfkkindfppnaooecgfneiii', 'lgmpcpglpngdoalbgeoldeajfclnhafa', 'bhhhlbepdkbapadjdnnojkbgioiodbic', 'jblndlipeogpafnldhgmapagcccfchpi', 'kncchdigobghenbbaddojjnnaogfppfj', 'ffnbelfdoeiohenkjibnmadjiehjhajb', 'hpglfhgfnhbgpjdenjgmdgoeiappafln', 'cjelfplplebdjjenllpjcblmjkfcffne', 'amkmjjmmflddogmhpjloimipbofnfjih', 'fhilaheimglignddkjgofkcbgekhenbh', 'nlbmnnijcnlegkjjpcfjclmcfggfefdm', 'nanjmdknhkinifnkgdcggcfnhdaammmj', 'nkddgncdjgjfcddamfgcmfnlhccnimig', 'aiifbnbfobpmeekipheeijimdpnlpgpp', 'fnnegphlobjdpkhecapkijjdkgcjhkib', 'cgeeodpfagjceefieflmdfphplkenlfk', 'pdadjkfkgcafgbceimcpbkalnfnepbnk', 'mgffkfbidihfpoaomajlbgchddlicgpn', 'aodkkagnadcbobfpggfnjeongemjbjca', 'kpfopkelmapcoipemfendmdcghnegimn', 'hmeobnfnfcmdkdcmlblgagmfpfboieaf', 'lpfcbjknijpeeillifnkikgncikgfhdo', 'dngmlblcodfobpdpecaadgfbcggfjfnm', 'ookjlbkiijinhpmnjffcofjonbfbgaoc', 'eigblbgjknlfbajkfhopmcojidlgcehm', 'ejbalbakoplchlghecdalmeeeajnimhm', 'mgffkfbidihjpoaomajlbgchddlicgpn', 'chphlpgkkbolifaimnlloiipkdnihall', 'fhmfendgdocmcbmfikdcogofphimnkno', 'bkhddocelccimeajgeiilmklhiffdffb', 'hdcckdpafdegjaghlanajoplobnjdenj', 'aobdiaigjablhjlkaieedpjnmneeacen', 'ccelpjofonmkhegehhokcboeckdmnmpm', 'flpiciilemghbmfalicajoolhkkenfel', 'jpdbagkgkjmpilmggkmjilnlnmldfhia', 'ihbgcodcpmgfiehpclfhbjlcpiemnmfn', 'aaomjnnllhcnbamffjganpbnjdlhlhhk', 
'okadibdjfmakhflnelkbmnnenjaihfej', 'pljpcfojbfoklcclggonheaiieeojaoc', 'blnieiiffboillknjnepogjhkgnoapac', 'kgaiejdhnghlnbhlhmjbnfobepkcidfg', 'akjbpncbahndhpfnrhedgofbeoglhdfh', 'mggfdkoabdbikjklgnfcpphjdijlhthb', 'mllgbkfpmgkomafkcjmcpmnmlbinpdnb', 'onnhjdhmgcapdaepbhghpjanigciekjn', 'ceejooplpdlmjkceghjbhphjechbpmki', 'jclmmbaobpmfccoebpgoackamjjkcglj', 'jdldjholijjeegpfjonnpfhjfajccged', 'hdmkndblkojggbobhnhbfngpkfkdnokj', 'oofcbjbkmnmgmpmagbcjdmollbfoemoj', 'belekhmglikpbdeimcomlenfflfggfjj', 'ahbjhhbkbhfnmgeedjgbemdkocmkbede', 'llhiacnklmokacacnpnjceiipehjklgf', 'pgdjlholnghtgnnjobkphlppabiccbmm', 'nfpejmanjgnadnkojflgimfelhnpoibd', 'mnhcfoildemjfoicpeckvhhndknnkldd', 'cjpffackkaacjpjcakmbaklmohjbihni', 'aobojaljokphflhmhbbepnmddedhndld', 'bhodjdzfpdkgbpaleonbmmdboodagmjg', 'kdanhphhcpgkaekhpolmfcpldmccojgm', 'bgnknjcnclbclkfllbcjcoofdffgfgjh', 'jbdaocneiiinmjbjlgalhcelgbejmnid', 'fihkakfobkmkjojpchpfgcmhfjnmnfpi', 'cphhlgmgameodnhkjdmkpanlelnlohao', 'nhnkbkgjikgcigadomkphalanndcapjk', 'dmkamcknogkgcdfhhbddcghachkejeap', 'cnmamaachppnkjgnildpdmkaakejnhae', 'jojhfeoedkpkglbfimdfabpdfjaoolaf', 'nknhiehlklippafakaeklbeglecifhad', 'hcflpincpppdclinealmandijcmnkbgn', 'mnfifefkajgofkcjkemidiaecocnkjeh', 'lodccjjbdhfakaekdiahmedfbieldgik', 'Ijmpgkjfkbfhoebgogflfebnmejmfbml', 'lkcjlnjfpbikmcmbachjpdbijejflpcm', 'bcopgchhojmggmffilplmbdicgaihlkp', 'klnaejjgbibmhlephnhpmaofohgkpgkd', 'dkdedlpgdmmkkfjabffeganieamfklkm', 'nlgbhdfgdhgbiamfdfmbikcdghidoadd', 'onofpnbbkehpmmoabgpcpmigafmmnjhl', 'cihmoadaighcejopammfbmddcmdekcje', 'acmacodkjbdgmoleebolmdjonilkdbch', 'opfgelmcmbiajamepnmloijbpoleiama', 'ppbibelpcjmhbdihakflkdcoccbgbkpo', 'bocpokimicclpaiekenaeelehdjllofo', 'aabpklopgjbipiamfjbklncohbfcaklj', 'khpkpbbcccdmmclmpigdgddabeilkdpd', 'fcckkdbjnoikooededlapcalpionmalo', 'aapbdbdomjkkjkaonfhkkikfgjllcleb', 'mkpegjkblkkefacfnmkajcjmabijhclg', 'fnmihdojmnkclgjpcoonokmkhjpjechg', 'mpiodijhokgodhhofbcjdecpffjipkle', 'aigkgngdpghaibcgbjnceofelpaeebii', 
'aliiefgcdelfmngphnnhmcdpalfdccbl', 'dldjpboieedgcmpkchcjcbijingjcgok', 'pnlccmojcmeohlpggmfnbbiapkmbliob', 'jnhgnonknehpejjnehehllkliplmbmhn', 'omaabbefbmiijedngplfjmnooppbclkk', 'pocmplpaccanhmnllbbkpgfliimjljgo', 'ghbmnnjooekpmoecnnnilnnbdlolhkhi']

browser_paths = {'7star': os.getenv('LOCALAPPDATA') + '\7Star\7Star\User Data', 'amigo': os.getenv('LOCALAPPDATA') + '\Amigo\User Data', 'brave': os.getenv('LOCALAPPDATA') + '\BraveSoftware\Brave-Browser\User Data', 'centbrowser': os.getenv('LOCALAPPDATA') + '\CentBrowser\User Data', 'chedot': os.getenv('LOCALAPPDATA') + '\Chedot\User Data', 'chrome_beta': os.getenv('LOCALAPPDATA') + '\Google\Chrome Beta\User Data', 'chrome_canary': os.getenv('LOCALAPPDATA') + '\Google\Chrome SxS\User Data', 'chromium': os.getenv('LOCALAPPDATA') + '\Chromium\User Data', 'chromium edge': os.getenv('LOCALAPPDATA') + '\Microsoft\Edge\User Data', 'coccoc': os.getenv('LOCALAPPDATA') + '\CocCoc\Browser\User Data', 'comodo_dragon': os.getenv('LOCALAPPDATA') + '\Comodo\Dragon\User Data', 'elements': os.getenv('LOCALAPPDATA') + '\Elements Browser\User Data', 'DCBrowser': os.getenv('LOCALAPPDATA') + '\DCBrowser\User Data', 'epic_privacy': os.getenv('LOCALAPPDATA') + '\Epic Privacy Browser\User Data', 'chrome': os.getenv('LOCALAPPDATA') + '\Google\Chrome\User Data', 'kometa': os.getenv('LOCALAPPDATA') + '\Kometa\User Data', 'opera': os.getenv('APPDATA') + '\Opera Software\Opera Stable', 'opera gx': os.getenv('APPDATA') + '\Opera Software\Opera GX Stable', 'orbitum': os.getenv('LOCALAPPDATA') + '\Orbitum\User Data', 'qqbrowser': os.getenv('LOCALAPPDATA') + '\Tencent\QQBrowser\User Data', 'sogouExplorer': os.getenv('APPDATA') + '\SogouExplorer\Webkit\User Data', 'sputnik': os.getenv('LOCALAPPDATA') + '\Sputnik\Sputnik\User Data', 'torch': os.getenv('LOCALAPPDATA') + '\Torch\User Data', 'uran': os.getenv('LOCALAPPDATA') + '\uCozMedia\Uran\User Data', 'vivaldi': os.getenv('LOCALAPPDATA') + '\Vivaldi\User Data', 'yandexBrowser': os.getenv('LOCALAPPDATA') + '\Yandex\YandexBrowser\User Data'}

local.py

Analysis shows that this module's main function is packaging cryptocurrency wallet data from various cryptocurrency applications. A screenshot of the relevant code is shown below:

The wallet directories are as follows:

wallets = {'Bitcoin': 'C:\Users\%USERNAME%\AppData\Roaming\Bitcoin\wallets\', 'Electrum': 'C:\Users\%USERNAME%\AppData\Roaming\Electrum\wallets\', 'Coinomi': 'C:\Users\%USERNAME%\AppData\Local\Coinomi\wallets\', 'Exodus': 'C:\Users\%USERNAME%\AppData\Roaming\Exodus\exodus.wallet\', 'Atomic': 'C:\Users\%USERNAME%\AppData\Roaming\atomic\Local Storage\leveldb\', 'Ethereum': 'C:\Users\%USERNAME%\AppData\Roaming\Ethereum\keystore\', 'X-Electrum': 'C:\Users\%USERNAME%\AppData\Roaming\electrum\wallets\', 'Litecoin': 'C:\Users\%USERNAME%\AppData\Roaming\Litecoin\wallets\', 'Dogecoin': 'C:\Users\%USERNAME%\AppData\Roaming\Dogecoin\wallets\', 'Dash': 'C:\Users\%USERNAME%\AppData\Roaming\DashCore\wallets\', 'Monero': 'C:\Users\%USERNAME%\AppData\Roaming\monero\wallets\', 'Zcash': 'C:\Users\%USERNAME%\AppData\Roaming\Zcash\wallets\', 'Ripple (XRP)': 'C:\Users\%USERNAME%\AppData\Roaming\Ripple\wallets\', 'Binance Chain Wallet': 'C:\Users\%USERNAME%\AppData\Roaming\Binance\Wallets\', 'Trust Wallet': 'C:\Users\%USERNAME%\AppData\Roaming\Trust\keystore\', 'Trezor Suite': 'C:\Users\%USERNAME%\AppData\Roaming\TrezorSuite\', 'Wasabi Wallet': 'C:\Users\%USERNAME%\AppData\Roaming\WasabiWallet\Client\Wallets\', 'Armory': 'C:\Users\%USERNAME%\AppData\Roaming\Armory\wallets\', 'BRD': 'C:\Users\%USERNAME%\AppData\Roaming\BRD\wallets\', 'Jaxx Liberty': 'C:\Users\%USERNAME%\AppData\Roaming\Jaxx\wallets\', 'Guarda': 'C:\Users\%USERNAME%\AppData\Roaming\Guarda\wallets\', 'Edge Wallet': 'C:\Users\%USERNAME%\AppData\Roaming\Edge\wallets\', 'Ledger Live': 'C:\Users\%USERNAME%\AppData\Roaming\Ledger Live\accounts\'}

ss.py

Analysis shows that this module's main function is taking screenshots. A screenshot of the relevant code is shown below:

ara.py

Analysis shows that this module's main function is scanning files in the Downloads, Documents and Desktop directories and backing up those that contain keywords related to cryptocurrency, passwords and financial information. A screenshot of the relevant code is shown below:

The keywords are as follows:

trade_keywords = ['passw', 'mdp', 'motdepasse', 'mot_de_passe', 'login', 'solana', 'phantom', 'solflare', 'keystore', 'secret', 'bot', 'atomic', 'account', 'acount', 'paypal', 'banque', 'bot', 'metamask', 'wallet', 'crypto', 'exodus', 'discord', '2fa', 'code', 'memo', 'compte', 'token', 'backup', 'yedek', 'secret', 'seed', 'mnemonic', 'memoric', 'private', 'key', 'passphrase', 'pass', 'phrase', 'steal', 'bank', 'info', 'casino', 'prv', 'privé', 'prive', 'telegram', 'identifiant', 'personnel', 'trading', 'bitcoin', 'sauvegarde', 'funds', 'récupé', 'recup', 'note', 'stake', 'defi', 'mm']

trade_profile = os.getenv('USERPROFILE')

trade_directories = [os.path.join(trade_profile, 'Desktop'), os.path.join(trade_profile, 'Documents'), os.path.join(trade_profile, 'Downloads')]

detected_files = []

important_files = ['.env', 'config.json', 'config.php', 'config.py', '.env.example']

ignored_files = ['README.md', 'package.json']

valid_extensions = ['txt', 'csv', 'json', 'xls', 'xlsx', 'doc', 'docx']

upd.py

Analysis shows that this module's main function is compressing and uploading the collected data; the upload address is "https://www.tinyvago.com/pip/x/requirements.php". A screenshot of the relevant code is shown below:

The structure of the request data sent during communication is as follows:
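As an added example (my own code, not from the post or the sample), the following detector turns the observable indicators from this analysis into host-level findings: Python launched from the tmpcode staging directory with the main.py or MHTBot.py entry module, the ArchiveX.zip archive being written, and connections to coinsw.app (module download) or www.tinyvago.com (upload). The telemetry lines, their JSON layout, the host names and the file locations are constructed for the example; only the indicators themselves come from the analysis above.

```python
import json
import re
from dataclasses import dataclass

# Indicators taken from the analysis above
NETWORK_IOCS = {
    "coinsw.app": "module download (basecw)",
    "www.tinyvago.com": "data upload (/pip/x/requirements.php)",
}
# Windows staging dir ~\AppData\Local\tmpcode\ and macOS ~/tmpcode/
STAGING_DIR_RE = re.compile(r"(?i)(\\AppData\\Local\\tmpcode\\|/tmpcode/)")
ENTRY_MODULES = ("main.py", "mhtbot.py")
ARCHIVE_NAME = "archivex.zip"

# Constructed sample telemetry, one JSON object per line (not real logs).
# ws01 shows the full chain; ws02 shows benign look-alikes that must not fire.
SAMPLE_EVENTS = r"""
{"type": "process", "host": "ws01", "image": "C:\\Python311\\python.exe", "cmdline": "python.exe C:\\Users\\alice\\AppData\\Local\\tmpcode\\main.py"}
{"type": "network", "host": "ws01", "image": "C:\\Python311\\python.exe", "dest_host": "coinsw.app", "url": "https://coinsw.app/basecw"}
{"type": "file", "host": "ws01", "image": "C:\\Python311\\python.exe", "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\ArchiveX.zip"}
{"type": "network", "host": "ws01", "image": "C:\\Python311\\python.exe", "dest_host": "www.tinyvago.com", "url": "https://www.tinyvago.com/pip/x/requirements.php"}
{"type": "process", "host": "ws02", "image": "C:\\Python311\\python.exe", "cmdline": "python.exe C:\\dev\\app\\main.py"}
{"type": "network", "host": "ws02", "image": "C:\\Program Files\\Firefox\\firefox.exe", "dest_host": "ipapi.co", "url": "https://ipapi.co/ip/"}
"""


@dataclass
class Finding:
    host: str
    rule: str
    evidence: str


def check_event(ev: dict) -> list:
    """Apply the indicator rules to one telemetry event."""
    findings = []
    kind = ev.get("type")
    if kind == "process":
        cmd = ev.get("cmdline", "")
        # Require both the staging directory and a known entry module, so a
        # developer running their own main.py does not trigger the rule
        if STAGING_DIR_RE.search(cmd) and cmd.lower().endswith(ENTRY_MODULES):
            findings.append(Finding(ev["host"], "python_from_tmpcode", cmd))
    elif kind == "network":
        dest = ev.get("dest_host", "").lower()
        # ipapi.co is deliberately not listed: the malware uses it, but so do
        # many legitimate programs, so on its own it is too noisy
        if dest in NETWORK_IOCS:
            findings.append(Finding(ev["host"], "c2_contact", f"{dest}: {NETWORK_IOCS[dest]}"))
    elif kind == "file":
        path = ev.get("path", "")
        if path.lower().endswith(ARCHIVE_NAME):
            findings.append(Finding(ev["host"], "staged_archive", path))
    return findings


def scan(lines: str) -> dict:
    """Group findings per host; a host hitting several stages of the chain ranks highest."""
    per_host = {}
    for line in lines.strip().splitlines():
        for finding in check_event(json.loads(line)):
            per_host.setdefault(finding.host, []).append(finding)
    return per_host


if __name__ == "__main__":
    for host, findings in scan(SAMPLE_EVENTS).items():
        print(f"{host}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f.rule}] {f.evidence}")
```

Grouping by host matters because any single indicator (a zip file name, one DNS lookup) is weak on its own; the sequence download, staging, archive, upload on one host is what characterises this particular chain.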
