文章首发地址:
https://xz.aliyun.com/t/16109
文章首发作者:
T0daySeeker
概述
近日,笔者在浏览威胁情报的时候,发现了一篇介绍供应链攻击的研究报告《Cryptocurrency Enthusiasts Targeted in Multi-Vector Supply Chain Attack》,报告介绍了其研究团队发现了一款名为CryptoAITools的恶意Python包,进一步研究发现此Python包是通过Python官方的第三方仓库和Github项目进行分发的。
截止笔者关注时,此恶意Python包已经被PyPI官方源删除,被删除之前已被下载了1300多次。目前Github项目和C&C站点均还存活。
相关截图如下:
恶意Python包
由于此Python包是通过PyPI官方源和Github项目进行分发的,因此,我们可从恶意Github项目中提取恶意代码。
通过查看Meme-Token-Hunter-Bot项目,发现此项目于2024年2月4日创建,间隔至7月开始陆续更新项目文件,项目于最近3周前更新了Release版本程序,项目首页提供了项目官网地址https://coinsw.app/。
整体分析,发现其无论是Github项目还是项目官网均伪装得很像一个正常的项目,因此,若未对其进行恶意排查的话,确实很容易中招,相关截图如下:
通过下载Release版本程序,尝试模拟运行,发现其运行过程中需要联网,相关截图如下:
进一步分析,发现其是由PyInstaller库打包生成的exe程序,相关截图如下:
因此,为了能够详细梳理其攻击链,我们可直接对此Release版本程序进行反编译分析,也可以直接对项目源码进行分析。
Windows、MacOs系统恶意模块
系统版本判断
通过分析,发现此恶意Python包运行后,将首先判断系统版本,根据系统版本选择不同的适用于Windows或MacOs系统的恶意代码进行执行,相关截图如下:
Windows
通过对适用于Windows系统的恶意模块进行分析,发现此模块代码中含有大量的加密代码,相关代码截图如下:
尝试对其关键代码进行解密,发现此模块运行后将解码外联地址,外联下载多个py模块存放于”~AppDataLocaltmpcode“路径下,然后加载执行main.py模块运行,相关解密后的关键代码信息如下:
>>> encoded_base_key
'aHR0cHM6Ly9jb2luc3cuYXBwL2Jhc2Vjdw=='
解码后:https://coinsw.app/basecw
>>> encoded_licences
['bWFpbi5weQ==', 'c2VjdXJpdHkucHk=', 'dGFkLnB5', 'bG9jYWwucHk=', 'c3MucHk=', 'Y2F0LnB5', 'dXBkLnB5', 'Zmlyc3RwYWdlLnB5', 'YXJhLnB5', 'Y2YucHk=', 'Y2l6LnB5', 'Y2F0X2RhbmNlLmdpZg==', 'cHMucHk=']
解码后:
main.py
security.py
tad.py
local.py
ss.py
cat.py
upd.py
firstpage.py
ara.py
cf.py
ciz.py
cat_dance.gif
ps.py
>>> target_directory
'~\AppData\Local\tmpcode\'
>>> aibotpro_path
'~\AppData\Local\tmpcode\/main.py'
相关代码截图如下:
MacOS
通过对适用于MacOs系统的恶意模块进行分析,发现此模块运行后将解码外联地址,外联下载多个py模块存放于”~/tmpcode/“路径下,然后加载执行MHTBot.py模块运行,相关代码截图如下:
构建去混淆脚本
简单查看了一下功能模块文件,发现所有功能模块均被做了混淆处理,因此,若直接对其进行分析,则只能手工解密,必定费时费力。
为了能节约时间,笔者就琢磨想构建一个去混淆脚本以实现自动去混淆。
简单研究了一下,发现攻击者其实只是对功能模块中的字符串进行了混淆,因此,笔者直接采用的是对其混淆字符串进行动态解密去混淆的方法以实现代码去混淆,大概流程如下:
-
提取混淆后的字符串; -
使用Python.exe对其动态解密去混淆; -
将解密后的代码重写至功能模块代码中;
去混淆脚本运行效果如下:
去混淆前的代码截图如下:
去混淆后的代码截图如下:
相关去混淆脚本代码如下:
package main
import (
"bufio"
"fmt"
"io"
"io/ioutil"
"os"
"os/exec"
"path/filepath"
"regexp"
"strings"
)
func main() {
onefile := "C:\Users\admin\Desktop\main.py"
filename := filepath.Base(onefile)
xor_table := get_xor_table(onefile)
content, err := ioutil.ReadFile(onefile)
if err != nil {
fmt.Printf("Error reading file: %sn", err)
return
}
// 正则表达式,匹配双引号或单引号包围的字符串
pattern := `''.join(.*?)))])`
// 编译正则表达式
re := regexp.MustCompile(pattern)
// 查找所有匹配
matches := re.FindAllStringSubmatch(string(content), -1)
// 输出匹配结果
newfiledata := string(content)
for _, match := range matches {
//fmt.Println(match[0])
os.Remove("test.py")
WriteFile_A("test.py", xor_table)
WriteFile_A("test.py", "n")
WriteFile_A("test.py", `print(`)
WriteFile_A("test.py", match[0])
WriteFile_A("test.py", `)`)
cmd := exec.Command("D:\Python311\python.exe", "test.py")
output, err := cmd.CombinedOutput()
if err != nil {
fmt.Printf("Error: %sn", err)
return
}
fmt.Println(strings.ReplaceAll(string(output), "rn", ""))
if strings.Contains(newfiledata, match[0]) {
newfiledata = strings.ReplaceAll(newfiledata, match[0], `'`+strings.ReplaceAll(string(output), "rn", "")+`'`)
}
}
WriteFile(filename, newfiledata)
}
func get_xor_table(filename string) string {
file, err := os.Open(filename)
if err != nil {
fmt.Println("Error opening file:", err)
return ""
}
defer file.Close()
reader := bufio.NewReader(file)
firstLine, err := reader.ReadString('n')
if err != nil {
fmt.Println("Error reading file:", err)
return ""
}
return firstLine
}
func WriteFile(filename, data string) error {
file, err := os.Create(filename)
if err != nil {
return err
}
defer file.Close()
_, err = io.WriteString(file, data)
if err != nil {
return err
}
return nil
}
func checkFileIsExist(filename string) bool {
var exist = true
if _, err := os.Stat(filename); os.IsNotExist(err) {
exist = false
}
return exist
}
func WriteFile_A(filename string, buffer string) {
var f *os.File
var err error
if checkFileIsExist(filename) {
f, err = os.OpenFile(filename, os.O_APPEND|os.O_WRONLY, os.ModeAppend)
} else {
f, err = os.Create(filename)
}
_, err = io.WriteString(f, buffer)
if err != nil {
fmt.Println(err.Error())
return
}
f.Close()
}
功能模块剖析
通过分析,梳理各功能模块功能如下:
| 功能模块 | 功能 |
|---|---|
| main.py | 主程序模块 |
| firstpage.py | 反虚拟机和反沙箱 |
| tad.py | 打包telegram程序的应用数据 |
| ps.py | 打包浏览器信息 |
| ciz.py | 打包与加密货币相关的各种浏览器扩展的数据 |
| ss.py | 屏幕截屏 |
| ara.py | 扫描Downloads、Documents、Desktop目录下的文件,备份包含与加密货币、密码和财务信息相关关键字的文件 |
| upd.py | 压缩上传数据 |
「备注:在分析过程中,发现Meme-Token-Hunter-Bot项目的Release版本程序即为以下功能模块PyInstaller库打包生成的恶意程序文件。」
main.py
通过分析,发现此模块运行后,即会调用其他模块开展一系列的恶意功能,相关截图如下:
firstpage.py
通过分析,发现此模块主要功能为反虚拟机和反沙箱,详细功能如下:
-
系统进程检查:枚举系统中正在运行的进程,终止那些与进程黑名单中匹配的进程; -
网络检查:外联 “https://ipapi.co/ip/”地址获取 IP 地址,排查IP、MAC信息是否在黑名单中; -
系统信息检查:获取系统的硬件 ID、用户名和计算机名称是否在黑名单中;
相关代码截图如下:
相关黑名单信息如下:
𝘴𝗲𝘁𝗮𝙩𝙩𝘳(𝙨𝙚𝗹𝘧, 'blackListedUsers', ['WDAGUtilityAccount', 'dg', 'Frank', 'Bruno', 'Robert', 'Twig', 'John', 'tim', 'dx', 'Ac', 'ss', 'darrel', 'sujans', 'george', 'elz', 'jz', 'YES', 'wizar', 'Abby', 'hmarc', 'patex', 'RDhJ0CNFevzX', 'kEecfMwgj', '8Nl0ColNQ5bq', 'Lisa', 'PxmdUOpVyx', '8VizSM', 'w0fjuOVmCcP5A', 'lmVwjj9b', 'PqONjHVwexsS', '3u2v9m8', 'Julia', 'HEUeRzl', 'fred', 'server', 'BvJChRPnsxn', 'Harry Johnson', 'SqgFOf3G', 'Lucas', 'mike', 'h7dk1xPr', 'Louise', 'User01', 'test', 'RGzcBUyrznReg', 'BEE7370C-8C0C-4', 'DESKTOP-NAKFFMT', 'WIN-5E07COS9ALR', 'B30F0242-1C6A-4', 'DESKTOP-VRSQLAG', 'Q9IATRKPRH', 'XC64ZB', 'DESKTOP-D019GDM', 'DESKTOP-WI8CLET', 'SERVER1', 'LISA-PC', 'JOHN-PC', 'DESKTOP-B0T93D6', 'DESKTOP-1PYKP29', 'DESKTOP-1Y2433R', 'WILEYPC', 'WORK', '6C4E733F-C2D9-4', 'RALPHS-PC', 'DESKTOP-WG3MYJS', 'DESKTOP-7XC6GEZ', 'DESKTOP-5OV9S0O', 'QarZhrdBpj', 'ORELEEPC', 'ARCHIBALDPC', 'JULIA-PC', 'd1bnJkfVlH', 'NETTYPC', 'DESKTOP-BUGIO', 'DESKTOP-CBGPFEE', 'SERVER-PC', 'TIQIYLA9TW5M', 'DESKTOP-KALVINO', 'COMPNAME_4047', 'DESKTOP-19OLLTD', 'DESKTOP-DE369SE', 'EA8C2E2A-D017-4', 'AIDANPC', 'LUCAS-PC', 'MARCI-PC', 'ACEPC', 'MIKE-PC', 'DESKTOP-IAPKN1P', 'DESKTOP-NTU7VUO', 'LOUISE-PC', 'T00917', 'test42'])
𝙨𝗲𝘁𝗮𝙩𝘵𝙧(𝘀𝗲𝗹𝙛, 'blackListedPCNames', ['BEE7370C-8C0C-4', 'DESKTOP-NAKFFMT', 'WIN-5E07COS9ALR', 'B30F0242-1C6A-4', 'DESKTOP-VRSQLAG', 'Q9IATRKPRH', 'XC64ZB', 'DESKTOP-D019GDM', 'DESKTOP-WI8CLET', 'SERVER1', 'LISA-PC', 'JOHN-PC', 'DESKTOP-B0T93D6', 'DESKTOP-1PYKP29', 'DESKTOP-1Y2433R', 'WILEYPC', 'WORK', '6C4E733F-C2D9-4', 'RALPHS-PC', 'DESKTOP-WG3MYJS', 'DESKTOP-7XC6GEZ', 'DESKTOP-5OV9S0O', 'QarZhrdBpj', 'ORELEEPC', 'ARCHIBALDPC', 'JULIA-PC', 'd1bnJkfVlH', 'NETTYPC', 'DESKTOP-BUGIO', 'DESKTOP-CBGPFEE', 'SERVER-PC', 'TIQIYLA9TW5M', 'DESKTOP-KALVINO', 'COMPNAME_4047', 'DESKTOP-19OLLTD', 'DESKTOP-DE369SE', 'EA8C2E2A-D017-4', 'AIDANPC', 'LUCAS-PC', 'MARCI-PC', 'ACEPC', 'MIKE-PC', 'DESKTOP-IAPKN1P', 'DESKTOP-NTU7VUO', 'LOUISE-PC', 'T00917', 'test42'])
𝙨𝘦𝘁𝙖𝙩𝙩𝙧(𝙨𝘦𝗹𝘧, 'blackListedHWIDS', ['7AB5C494-39F5-4941-9163-47F54D6D5016', '03DE0294-0480-05DE-1A06-350700080009', '11111111-2222-3333-4444-555555555555', '6F3CA5EC-BEC9-4A4D-8274-11168F640058', 'ADEEEE9E-EF0A-6B84-B14B-B83A54AFC548', '4C4C4544-0050-3710-8058-CAC04F59344A', '00000000-0000-0000-0000-AC1F6BD04972', '00000000-0000-0000-0000-000000000000', '5BD24D56-789F-8468-7CDC-CAA7222CC121', '49434D53-0200-9065-2500-65902500E439', '49434D53-0200-9036-2500-36902500F022', '777D84B3-88D1-451C-93E4-D235177420A7', '49434D53-0200-9036-2500-369025000C65', 'B1112042-52E8-E25B-3655-6A4F54155DBF', '00000000-0000-0000-0000-AC1F6BD048FE', 'EB16924B-FB6D-4FA1-8666-17B91F62FB37', 'A15A930C-8251-9645-AF63-E45AD728C20C', '67E595EB-54AC-4FF0-B5E3-3DA7C7B547E3', 'C7D23342-A5D4-68A1-59AC-CF40F735B363', '63203342-0EB0-AA1A-4DF5-3FB37DBB0670', '44B94D56-65AB-DC02-86A0-98143A7423BF', '6608003F-ECE4-494E-B07E-1C4615D1D93C', 'D9142042-8F51-5EFF-D5F8-EE9AE3D1602A', '49434D53-0200-9036-2500-369025003AF0', '8B4E8278-525C-7343-B825-280AEBCD3BCB', '4D4DDC94-E06C-44F4-95FE-33A1ADA5AC27', '79AF5279-16CF-4094-9758-F88A616D81B4', 'FF577B79-782E-0A4D-8568-B35A9B7EB76B', '08C1E400-3C56-11EA-8000-3CECEF43FEDE', '6ECEAF72-3548-476C-BD8D-73134A9182C8', '49434D53-0200-9036-2500-369025003865', '119602E8-92F9-BD4B-8979-DA682276D385', '12204D56-28C0-AB03-51B7-44A8B7525250', '63FA3342-31C7-4E8E-8089-DAFF6CE5E967', '365B4000-3B25-11EA-8000-3CECEF44010C', 'D8C30328-1B06-4611-8E3C-E433F4F9794E', '00000000-0000-0000-0000-50E5493391EF', '00000000-0000-0000-0000-AC1F6BD04D98', '4CB82042-BA8F-1748-C941-363C391CA7F3', 'B6464A2B-92C7-4B95-A2D0-E5410081B812', 'BB233342-2E01-718F-D4A1-E7F69D026428', '9921DE3A-5C1A-DF11-9078-563412000026', 'CC5B3F62-2A04-4D2E-A46C-AA41B7050712', '00000000-0000-0000-0000-AC1F6BD04986', 'C249957A-AA08-4B21-933F-9271BEC63C85', 'BE784D56-81F5-2C8D-9D4B-5AB56F05D86E', 'ACA69200-3C4C-11EA-8000-3CECEF4401AA', '3F284CA4-8BDF-489B-A273-41B44D668F6D', 'BB64E044-87BA-C847-BC0A-C797D1A16A50', '2E6FB594-9D55-4424-8E74-CE25A25E36B0', '42A82042-3F13-512F-5E3D-6BF4FFFD8518', '38AB3342-66B0-7175-0B23-F390B3728B78', '48941AE9-D52F-11DF-BBDA-503734826431', '032E02B4-0499-05C3-0806-3C0700080009', 'DD9C3342-FB80-9A31-EB04-5794E5AE2B4C', 'E08DE9AA-C704-4261-B32D-57B2A3993518', '07E42E42-F43D-3E1C-1C6B-9C7AC120F3B9', '88DC3342-12E6-7D62-B0AE-C80E578E7B07', '5E3E7FE0-2636-4CB7-84F5-8D2650FFEC0E', '96BB3342-6335-0FA8-BA29-E1BA5D8FEFBE', '0934E336-72E4-4E6A-B3E5-383BD8E938C3', '12EE3342-87A2-32DE-A390-4C2DA4D512E9', '38813342-D7D0-DFC8-C56F-7FC9DFE5C972', '8DA62042-8B59-B4E3-D232-38B29A10964A', '3A9F3342-D1F2-DF37-68AE-C10F60BFB462', 'F5744000-3C78-11EA-8000-3CECEF43FEFE', 'FA8C2042-205D-13B0-FCB5-C5CC55577A35', 'C6B32042-4EC3-6FDF-C725-6F63914DA7C7', 'FCE23342-91F1-EAFC-BA97-5AAE4509E173', 'CF1BE00F-4AAF-455E-8DCD-B5B09B6BFA8F', '050C3342-FADD-AEDF-EF24-C6454E1A73C9', '4DC32042-E601-F329-21C1-03F27564FD6C', 'DEAEB8CE-A573-9F48-BD40-62ED6C223F20', '05790C00-3B21-11EA-8000-3CECEF4400D0', '5EBD2E42-1DB8-78A6-0EC3-031B661D5C57', '9C6D1742-046D-BC94-ED09-C36F70CC9A91', '907A2A79-7116-4CB6-9FA5-E5A58C4587CD', 'A9C83342-4800-0578-1EE8-BA26D2A678D2', 'D7382042-00A0-A6F0-1E51-FD1BBF06CD71', '1D4D3342-D6C4-710C-98A3-9CC6571234D5', 'CE352E42-9339-8484-293A-BD50CDC639A5', '60C83342-0A97-928D-7316-5F1080A78E72', '02AD9898-FA37-11EB-AC55-1D0C0A67EA8A', 'DBCC3514-FA57-477D-9D1F-1CAF4CC92D0F', 'FED63342-E0D6-C669-D53F-253D696D74DA', '2DD1B176-C043-49A4-830F-C623FFB88F3C', '4729AEB0-FC07-11E3-9673-CE39E79C8A00', '84FE3342-6C67-5FC6-5639-9B3CA3D775A1', 'DBC22E42-59F7-1329-D9F2-E78A2EE5BD0D', 'CEFC836C-8CB1-45A6-ADD7-209085EE2A57', 'A7721742-BE24-8A1C-B859-D7F8251A83D3', '3F3C58D1-B4F2-4019-B2A2-2A500E96AF2E', 'D2DC3342-396C-6737-A8F6-0C6673C1DE08', 'EADD1742-4807-00A0-F92E-CCD933E9D8C1', 'AF1B2042-4B90-0000-A4E4-632A1C8C7EB1', 'FE455D1A-BE27-4BA4-96C8-967A6D3A9661', '921E2042-70D3-F9F1-8CBD-B398A21F89C6'])
𝘴𝙚𝘁𝘢𝘁𝙩𝘳(𝘴𝘦𝗹𝗳, 'blackListedIPS', ['88.132.231.71', '78.139.8.50', '20.99.160.173', '88.153.199.169', '84.147.62.12', '194.154.78.160', '92.211.109.160', '195.74.76.222', '188.105.91.116', '34.105.183.68', '92.211.55.199', '79.104.209.33', '95.25.204.90', '34.145.89.174', '109.74.154.90', '109.145.173.169', '34.141.146.114', '212.119.227.151', '195.239.51.59', '192.40.57.234', '64.124.12.162', '34.142.74.220', '188.105.91.173', '109.74.154.91', '34.105.72.241', '109.74.154.92', '213.33.142.50', '109.74.154.91', '93.216.75.209', '192.87.28.103', '88.132.226.203', '195.181.175.105', '88.132.225.100', '92.211.192.144', '34.83.46.130', '188.105.91.143', '34.85.243.241', '34.141.245.25', '178.239.165.70', '84.147.54.113', '193.128.114.45', '95.25.81.24', '92.211.52.62', '88.132.227.238', '35.199.6.13', '80.211.0.97', '34.85.253.170', '23.128.248.46', '35.229.69.227', '34.138.96.23', '192.211.110.74', '35.237.47.12', '87.166.50.213', '34.253.248.228', '212.119.227.167', '193.225.193.201', '34.145.195.58', '34.105.0.27', '195.239.51.3', '35.192.93.107'])
𝙨𝙚𝙩𝙖𝘵𝘁𝙧(𝙨𝗲𝘭𝗳, 'blackListedMacs', ['00:15:5d:00:07:34', '00:e0:4c:b8:7a:58', '00:0c:29:2c:c1:21', '00:25:90:65:39:e4', 'c8:9f:1d:b6:58:e4', '00:25:90:36:65:0c', '00:15:5d:00:00:f3', '2e:b8:24:4d:f7:de', '00:15:5d:13:6d:0c', '00:50:56:a0:dd:00', '00:15:5d:13:66:ca', '56:e8:92:2e:76:0d', 'ac:1f:6b:d0:48:fe', '00:e0:4c:94:1f:20', '00:15:5d:00:05:d5', '00:e0:4c:4b:4a:40', '42:01:0a:8a:00:22', '00:1b:21:13:15:20', '00:15:5d:00:06:43', '00:15:5d:1e:01:c8', '00:50:56:b3:38:68', '60:02:92:3d:f1:69', '00:e0:4c:7b:7b:86', '00:e0:4c:46:cf:01', '42:85:07:f4:83:d0', '56:b0:6f:ca:0a:e7', '12:1b:9e:3c:a6:2c', '00:15:5d:00:1c:9a', '00:15:5d:00:1a:b9', 'b6:ed:9d:27:f4:fa', '00:15:5d:00:01:81', '4e:79:c0:d9:af:c3', '00:15:5d:b6:e0:cc', '00:15:5d:00:02:26', '00:50:56:b3:05:b4', '1c:99:57:1c:ad:e4', '08:00:27:3a:28:73', '00:15:5d:00:00:c3', '00:50:56:a0:45:03', '12:8a:5c:2a:65:d1', '00:25:90:36:f0:3b', '00:1b:21:13:21:26', '42:01:0a:8a:00:22', '00:1b:21:13:32:51', 'a6:24:aa:ae:e6:12', '08:00:27:45:13:10', '00:1b:21:13:26:44', '3c:ec:ef:43:fe:de', 'd4:81:d7:ed:25:54', '00:25:90:36:65:38', '00:03:47:63:8b:de', '00:15:5d:00:05:8d', '00:0c:29:52:52:50', '00:50:56:b3:42:33', '3c:ec:ef:44:01:0c', '06:75:91:59:3e:02', '42:01:0a:8a:00:33', 'ea:f6:f1:a2:33:76', 'ac:1f:6b:d0:4d:98', '1e:6c:34:93:68:64', '00:50:56:a0:61:aa', '42:01:0a:96:00:22', '00:50:56:b3:21:29', '00:15:5d:00:00:b3', '96:2b:e9:43:96:76', 'b4:a9:5a:b1:c6:fd', 'd4:81:d7:87:05:ab', 'ac:1f:6b:d0:49:86', '52:54:00:8b:a6:08', '00:0c:29:05:d8:6e', '00:23:cd:ff:94:f0', '00:e0:4c:d6:86:77', '3c:ec:ef:44:01:aa', '00:15:5d:23:4c:a3', '00:1b:21:13:33:55', '00:15:5d:00:00:a4', '16:ef:22:04:af:76', '00:15:5d:23:4c:ad', '1a:6c:62:60:3b:f4', '00:15:5d:00:00:1d', '00:50:56:a0:cd:a8', '00:50:56:b3:fa:23', '52:54:00:a0:41:92', '00:50:56:b3:f6:57', '00:e0:4c:56:42:97', 'ca:4d:4b:ca:18:cc', 'f6:a5:41:31:b2:78', 'd6:03:e4:ab:77:8e', '00:50:56:ae:b2:b0', '00:50:56:b3:94:cb', '42:01:0a:8e:00:22', '00:50:56:b3:4c:bf', '00:50:56:b3:09:9e', '00:50:56:b3:38:88', '00:50:56:a0:d0:fa', '00:50:56:b3:91:c8', '3e:c1:fd:f1:bf:71', '00:50:56:a0:6d:86', '00:50:56:a0:af:75', '00:50:56:b3:dd:03', 'c2:ee:af:fd:29:21', '00:50:56:b3:ee:e1', '00:50:56:a0:84:88', '00:1b:21:13:32:20', '3c:ec:ef:44:00:d0', '00:50:56:ae:e5:d5', '00:50:56:97:f6:c8', '52:54:00:ab:de:59', '00:50:56:b3:9e:9e', '00:50:56:a0:39:18', '32:11:4d:d0:4a:9e', '00:50:56:b3:d0:a7', '94:de:80:de:1a:35', '00:50:56:ae:5d:ea', '00:50:56:b3:14:59', 'ea:02:75:3c:90:9f', '00:e0:4c:44:76:54', 'ac:1f:6b:d0:4d:e4', '52:54:00:3b:78:24', '00:50:56:b3:50:de', '7e:05:a3:62:9c:4d', '52:54:00:b3:e4:71', '90:48:9a:9d:d5:24', '00:50:56:b3:3b:a6', '92:4c:a8:23:fc:2e', '5a:e2:a6:a4:44:db', '00:50:56:ae:6f:54', '42:01:0a:96:00:33', '00:50:56:97:a1:f8', '5e:86:e4:3d:0d:f6', '00:50:56:b3:ea:ee', '3e:53:81:b7:01:13', '00:50:56:97:ec:f2', '00:e0:4c:b3:5a:2a', '12:f8:87:ab:13:ec', '00:50:56:a0:38:06', '2e:62:e8:47:14:49', '00:0d:3a:d2:4f:1f', '60:02:92:66:10:79', '', '00:50:56:a0:d7:38', 'be:00:e5:c5:0c:e5', '00:50:56:a0:59:10', '00:50:56:a0:06:8d', '00:e0:4c:cb:62:08', '4e:81:81:8e:22:4e'])
𝘀𝙚𝙩𝗮𝘁𝘁𝙧(𝘀𝘦𝙡𝙛, 'blacklistedProcesses', ['httpdebuggerui', 'wireshark', 'fiddler', 'regedit', 'vboxservice', 'df5serv', 'processhacker', 'vboxtray', 'vmtoolsd', 'vmwaretray', 'ida64', 'ollydbg', 'pestudio', 'vmwareuser', 'vgauthservice', 'vmacthlp', 'x96dbg', 'vmsrvc', 'x32dbg', 'vmusrvc', 'prl_cc', 'prl_tools', 'xenservice', 'qemu-ga', 'joeboxcontrol', 'ksdumperclient', 'ksdumper', 'joeboxserver'])
若此模块发现程序运行于虚拟机或沙箱环境中,则将直接打开名为“cat_dance.gif”的动画GIF文件,相关代码截图如下:
相关动画GIF文件截图如下:
cf.py
通过分析,发现此模块主要功能为创建临时文件夹,相关代码截图如下:
tad.py
通过分析,发现此模块主要功能为打包telegram程序的应用数据目录,将其压缩保存为ArchiveX.zip文件,相关代码截图如下:
ps.py
通过分析,发现此模块主要功能为打包浏览器信息,包括cookies信息、网页记录、下载目录等,相关代码截图如下:
ciz.py
通过分析,发现此模块主要功能为打包与加密货币相关的各种浏览器扩展的数据,相关代码截图如下:
相关目录信息如下:
𝗧𝘈𝙍𝘎𝙀𝘛_𝗙𝙊𝘓𝘿𝘌𝘙𝘚 = ['nkbihfbeogaeaoehlefnkodbefgpgknn', 'fhbohimaelbohpjbbldcngcnapndodjp', 'hnfanknocfeofbddgcijnmhnfnkdnaad', 'fnjhmkhhmkbjkkabndcnnogagogbneec', 'egjidjbpglichdcondbcbdnbeeppgdph', 'ojggmchlghnjlapmfbnjholfjkiidbch', 'opcgpfmipidbgpenhmajoajpbobppdil', 'efbglgofoippbgcjepnhiblaibcnclgk', 'ibnejdfjmmkpcnlpebklmnkoeoihofec', 'ejjladinnckdgjemekebdpeokbikhfci', 'phkbamefinggmakgklpkljjmgibohnba', 'ebfidpplhabeedpnhjnobghokpiioolj', 'afbcbjpbpfadlkmhmclhkeeodmamcflc', 'aeachknmefphepccionboohckonoeemg', 'bhghoamapcdpbohphigoooaddinpkbai', 'aholpfdialjgjfhomihkjbmgjidlcdno', 'bfnaelmomeimhlpmgjnjophhpkkoljpa', 'agoakfejjabomempkjlepdflaleeobhb', 'mfgccjchihfkkindfppnaooecgfneiii', 'lgmpcpglpngdoalbgeoldeajfclnhafa', 'bhhhlbepdkbapadjdnnojkbgioiodbic', 'jblndlipeogpafnldhgmapagcccfchpi', 'kncchdigobghenbbaddojjnnaogfppfj', 'ffnbelfdoeiohenkjibnmadjiehjhajb', 'hpglfhgfnhbgpjdenjgmdgoeiappafln', 'cjelfplplebdjjenllpjcblmjkfcffne', 'amkmjjmmflddogmhpjloimipbofnfjih', 'fhilaheimglignddkjgofkcbgekhenbh', 'nlbmnnijcnlegkjjpcfjclmcfggfefdm', 'nanjmdknhkinifnkgdcggcfnhdaammmj', 'nkddgncdjgjfcddamfgcmfnlhccnimig', 'aiifbnbfobpmeekipheeijimdpnlpgpp', 'fnnegphlobjdpkhecapkijjdkgcjhkib', 'cgeeodpfagjceefieflmdfphplkenlfk', 'pdadjkfkgcafgbceimcpbkalnfnepbnk', 'mgffkfbidihfpoaomajlbgchddlicgpn', 'aodkkagnadcbobfpggfnjeongemjbjca', 'kpfopkelmapcoipemfendmdcghnegimn', 'hmeobnfnfcmdkdcmlblgagmfpfboieaf', 'lpfcbjknijpeeillifnkikgncikgfhdo', 'dngmlblcodfobpdpecaadgfbcggfjfnm', 'ookjlbkiijinhpmnjffcofjonbfbgaoc', 'eigblbgjknlfbajkfhopmcojidlgcehm', 'ejbalbakoplchlghecdalmeeeajnimhm', 'mgffkfbidihjpoaomajlbgchddlicgpn', 'chphlpgkkbolifaimnlloiipkdnihall', 'fhmfendgdocmcbmfikdcogofphimnkno', 'bkhddocelccimeajgeiilmklhiffdffb', 'hdcckdpafdegjaghlanajoplobnjdenj', 'aobdiaigjablhjlkaieedpjnmneeacen', 'ccelpjofonmkhegehhokcboeckdmnmpm', 'flpiciilemghbmfalicajoolhkkenfel', 'jpdbagkgkjmpilmggkmjilnlnmldfhia', 'ihbgcodcpmgfiehpclfhbjlcpiemnmfn', 'aaomjnnllhcnbamffjganpbnjdlhlhhk', 'okadibdjfmakhflnelkbmnnenjaihfej', 'pljpcfojbfoklcclggonheaiieeojaoc', 'blnieiiffboillknjnepogjhkgnoapac', 'kgaiejdhnghlnbhlhmjbnfobepkcidfg', 'akjbpncbahndhpfnrhedgofbeoglhdfh', 'mggfdkoabdbikjklgnfcpphjdijlhthb', 'mllgbkfpmgkomafkcjmcpmnmlbinpdnb', 'onnhjdhmgcapdaepbhghpjanigciekjn', 'ceejooplpdlmjkceghjbhphjechbpmki', 'jclmmbaobpmfccoebpgoackamjjkcglj', 'jdldjholijjeegpfjonnpfhjfajccged', 'hdmkndblkojggbobhnhbfngpkfkdnokj', 'oofcbjbkmnmgmpmagbcjdmollbfoemoj', 'belekhmglikpbdeimcomlenfflfggfjj', 'ahbjhhbkbhfnmgeedjgbemdkocmkbede', 'llhiacnklmokacacnpnjceiipehjklgf', 'pgdjlholnghtgnnjobkphlppabiccbmm', 'nfpejmanjgnadnkojflgimfelhnpoibd', 'mnhcfoildemjfoicpeckvhhndknnkldd', 'cjpffackkaacjpjcakmbaklmohjbihni', 'aobojaljokphflhmhbbepnmddedhndld', 'bhodjdzfpdkgbpaleonbmmdboodagmjg', 'kdanhphhcpgkaekhpolmfcpldmccojgm', 'bgnknjcnclbclkfllbcjcoofdffgfgjh', 'jbdaocneiiinmjbjlgalhcelgbejmnid', 'fihkakfobkmkjojpchpfgcmhfjnmnfpi', 'cphhlgmgameodnhkjdmkpanlelnlohao', 'nhnkbkgjikgcigadomkphalanndcapjk', 'dmkamcknogkgcdfhhbddcghachkejeap', 'cnmamaachppnkjgnildpdmkaakejnhae', 'jojhfeoedkpkglbfimdfabpdfjaoolaf', 'nknhiehlklippafakaeklbeglecifhad', 'hcflpincpppdclinealmandijcmnkbgn', 'mnfifefkajgofkcjkemidiaecocnkjeh', 'lodccjjbdhfakaekdiahmedfbieldgik', 'Ijmpgkjfkbfhoebgogflfebnmejmfbml', 'lkcjlnjfpbikmcmbachjpdbijejflpcm', 'bcopgchhojmggmffilplmbdicgaihlkp', 'klnaejjgbibmhlephnhpmaofohgkpgkd', 'dkdedlpgdmmkkfjabffeganieamfklkm', 'nlgbhdfgdhgbiamfdfmbikcdghidoadd', 'onofpnbbkehpmmoabgpcpmigafmmnjhl', 'cihmoadaighcejopammfbmddcmdekcje', 'acmacodkjbdgmoleebolmdjonilkdbch', 'opfgelmcmbiajamepnmloijbpoleiama', 'ppbibelpcjmhbdihakflkdcoccbgbkpo', 'bocpokimicclpaiekenaeelehdjllofo', 'aabpklopgjbipiamfjbklncohbfcaklj', 'khpkpbbcccdmmclmpigdgddabeilkdpd', 'fcckkdbjnoikooededlapcalpionmalo', 'aapbdbdomjkkjkaonfhkkikfgjllcleb', 'mkpegjkblkkefacfnmkajcjmabijhclg', 'fnmihdojmnkclgjpcoonokmkhjpjechg', 'mpiodijhokgodhhofbcjdecpffjipkle', 'aigkgngdpghaibcgbjnceofelpaeebii', 'aliiefgcdelfmngphnnhmcdpalfdccbl', 'dldjpboieedgcmpkchcjcbijingjcgok', 'pnlccmojcmeohlpggmfnbbiapkmbliob', 'jnhgnonknehpejjnehehllkliplmbmhn', 'omaabbefbmiijedngplfjmnooppbclkk', 'pocmplpaccanhmnllbbkpgfliimjljgo', 'ghbmnnjooekpmoecnnnilnnbdlolhkhi']
𝗯𝗿𝙤𝘸𝘴𝙚𝙧_𝘱𝘢𝘵𝘩𝙨 = {'7star': 𝙤𝘴.getenv('LOCALAPPDATA') + '7Star7StarUser Data', 'amigo': 𝘰𝘴.getenv('LOCALAPPDATA') + 'AmigoUser Data', 'brave': 𝙤𝘀.getenv('LOCALAPPDATA') + 'BraveSoftwareBrave-BrowserUser Data', 'centbrowser': 𝘰𝘴.getenv('LOCALAPPDATA') + 'CentBrowserUser Data', 'chedot': 𝘰𝘴.getenv('LOCALAPPDATA') + 'ChedotUser Data', 'chrome_beta': 𝗼𝘴.getenv('LOCALAPPDATA') + 'GoogleChrome BetaUser Data', 'chrome_canary': 𝙤𝘴.getenv('LOCALAPPDATA') + 'GoogleChrome SxSUser Data', 'chromium': 𝙤𝘴.getenv('LOCALAPPDATA') + 'ChromiumUser Data', 'chromium edge': 𝙤𝘀.getenv('LOCALAPPDATA') + 'MicrosoftEdgeUser Data', 'coccoc': 𝘰𝘀.getenv('LOCALAPPDATA') + 'CocCocBrowserUser Data', 'comodo_dragon': 𝘰𝘀.getenv('LOCALAPPDATA') + 'ComodoDragonUser Data', 'elements': 𝗼𝙨.getenv('LOCALAPPDATA') + 'Elements BrowserUser Data', 'DCBrowser': 𝙤𝘴.getenv('LOCALAPPDATA') + 'DCBrowserUser Data', 'epic_privacy': 𝘰𝘀.getenv('LOCALAPPDATA') + 'Epic Privacy BrowserUser Data', 'chrome': 𝙤𝘀.getenv('LOCALAPPDATA') + 'GoogleChromeUser Data', 'kometa': 𝘰𝙨.getenv('LOCALAPPDATA') + 'KometaUser Data', 'opera': 𝗼𝘀.getenv('APPDATA') + 'Opera SoftwareOpera Stable', 'opera gx': 𝗼𝙨.getenv('APPDATA') + 'Opera SoftwareOpera GX Stable', 'orbitum': 𝘰𝘀.getenv('LOCALAPPDATA') + 'OrbitumUser Data', 'qqbrowser': 𝘰𝘴.getenv('LOCALAPPDATA') + 'TencentQQBrowserUser Data', 'sogouExplorer': 𝙤𝙨.getenv('APPDATA') + 'SogouExplorerWebkitUser Data', 'sputnik': 𝘰𝘴.getenv('LOCALAPPDATA') + 'SputnikSputnikUser Data', 'torch': 𝗼𝘴.getenv('LOCALAPPDATA') + 'TorchUser Data', 'uran': 𝗼𝘴.getenv('LOCALAPPDATA') + 'uCozMediaUranUser Data', 'vivaldi': 𝗼𝙨.getenv('LOCALAPPDATA') + 'VivaldiUser Data', 'yandexBrowser': 𝘰𝘴.getenv('LOCALAPPDATA') + 'YandexYandexBrowserUser Data'}
local.py
通过分析,发现此模块主要功能为打包各种加密货币应用程序的加密货币钱包数据,相关代码截图如下:
相关加密钱包目录如下:
𝙬𝗮𝗹𝗹𝘦𝘵𝙨 = {'Bitcoin': 'C:Users%USERNAME%AppDataRoamingBitcoinwallets', 'Electrum': 'C:Users%USERNAME%AppDataRoamingElectrumwallets', 'Coinomi': 'C:Users%USERNAME%AppDataLocalCoinomiwallets', 'Exodus': 'C:Users%USERNAME%AppDataRoamingExodusexodus.wallet', 'Atomic': 'C:Users%USERNAME%AppDataRoamingatomicLocal Storageleveldb', 'Ethereum': 'C:Users%USERNAME%AppDataRoamingEthereumkeystore', 'X-Electrum': 'C:Users%USERNAME%AppDataRoamingelectrumwallets', 'Litecoin': 'C:Users%USERNAME%AppDataRoamingLitecoinwallets', 'Dogecoin': 'C:Users%USERNAME%AppDataRoamingDogecoinwallets', 'Dash': 'C:Users%USERNAME%AppDataRoamingDashCorewallets', 'Monero': 'C:Users%USERNAME%AppDataRoamingmonerowallets', 'Zcash': 'C:Users%USERNAME%AppDataRoamingZcashwallets', 'Ripple (XRP)': 'C:Users%USERNAME%AppDataRoamingRipplewallets', 'Binance Chain Wallet': 'C:Users%USERNAME%AppDataRoamingBinanceWallets', 'Trust Wallet': 'C:Users%USERNAME%AppDataRoamingTrustkeystore', 'Trezor Suite': 'C:Users%USERNAME%AppDataRoamingTrezorSuite', 'Wasabi Wallet': 'C:Users%USERNAME%AppDataRoamingWasabiWalletClientWallets', 'Armory': 'C:Users%USERNAME%AppDataRoamingArmorywallets', 'BRD': 'C:Users%USERNAME%AppDataRoamingBRDwallets', 'Jaxx Liberty': 'C:Users%USERNAME%AppDataRoamingJaxxwallets', 'Guarda': 'C:Users%USERNAME%AppDataRoamingGuardawallets', 'Edge Wallet': 'C:Users%USERNAME%AppDataRoamingEdgewallets', 'Ledger Live': 'C:Users%USERNAME%AppDataRoamingLedger Liveaccounts'}
ss.py
通过分析,发现此模块主要功能为屏幕截屏,相关代码截图如下:
ara.py
通过分析,发现此模块主要功能为扫描Downloads、Documents、Desktop目录下的文件,备份包含与加密货币、密码和财务信息相关关键字的文件,相关代码截图如下:
相关关键字信息如下:
𝙩𝙧𝗮𝘥𝗲_𝗸𝘦𝘆𝙬𝗼𝘳𝗱𝘴 = ['passw', 'mdp', 'motdepasse', 'mot_de_passe', 'login', 'solana', 'phantom', 'solflare', 'keystore', 'secret', 'bot', 'atomic', 'account', 'acount', 'paypal', 'banque', 'bot', 'metamask', 'wallet', 'crypto', 'exodus', 'discord', '2fa', 'code', 'memo', 'compte', 'token', 'backup', 'yedek', 'secret', 'seed', 'mnemonic', 'memoric', 'private', 'key', 'passphrase', 'pass', 'phrase', 'steal', 'bank', 'info', 'casino', 'prv', 'priv¨¦', 'prive', 'telegram', 'identifiant', 'personnel', 'trading', 'bitcoin', 'sauvegarde', 'funds', 'r¨¦cup¨¦', 'recup', 'note', 'stake', 'defi', 'mm']
𝘁𝗿𝗮𝙙𝗲_𝘱𝘳𝙤𝙛𝘪𝘭𝗲 = 𝙤𝙨.getenv('USERPROFILE')
𝙩𝗿𝙖𝘥𝗲_𝘥𝘪𝙧𝙚𝙘𝙩𝙤𝗿𝗶𝙚𝘴 = [𝘰𝘴.path.join(𝘁𝗿𝗮𝙙𝘦_𝙥𝗿𝘰𝘧𝗶𝘭𝗲, 'Desktop'), 𝘰𝙨.path.join(𝘁𝘳𝗮𝙙𝘦_𝙥𝙧𝗼𝗳𝙞𝘭𝙚, 'Documents'), 𝙤𝘴.path.join(𝘁𝗿𝘢𝘥𝗲_𝙥𝗿𝙤𝙛𝘪𝘭𝙚, 'Downloads')]
𝘥𝘦𝘵𝙚𝗰𝘁𝗲𝗱_𝗳𝗶𝗹𝙚𝘀 = []
𝙞𝘮𝙥𝗼𝙧𝘵𝙖𝘯𝘁_𝗳𝘪𝘭𝗲𝘀 = ['.env', 'config.json', 'config.php', 'config.py', '.env.example']
𝘪𝗴𝗻𝘰𝙧𝙚𝙙_𝗳𝘪𝘭𝗲𝘀 = ['README.md', 'package.json']
𝘃𝗮𝘭𝗶𝗱_𝙚𝘹𝘵𝘦𝗻𝙨𝘪𝘰𝗻𝙨 = ['txt', 'csv', 'json', 'xls', 'xlsx', 'doc', 'docx']
upd.py
通过分析,发现此模块主要功能为压缩上传数据,上传地址为“https://www.tinyvago.com/pip/x/requirements.php”,相关代码截图如下:
通信请求数据结构如下:
原文始发于微信公众号(T0daySeeker):供应链攻击!伪装成加密货币交易工具的恶意Python包和Github项目
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论