
Windows Defender detects Wacatac.B!ml trojan

Open dreycos opened this issue 3 years ago • 10 comments

The SpaceMonkeyTP.msi installation file (latest download link on this Git site) has Windows Defender detecting the Wacatac.B!ml trojan.

dreycos, Aug 28 '22 04:08

Hey, thanks for the report. I started seeing Backdoor:Win32/Bladabindi!ml after you reported it in the other bug, but no mention of Wacatac.B!ml.

This project uses a bunch of sensitive APIs that allow reading and writing of memory; perhaps that's the issue.

Can you please tell me which file it thinks contains the trojan?

I have also uploaded a new installer that no longer reports Backdoor:Win32/Bladabindi!ml.

PHARTGAMES, Aug 28 '22 11:08

It detects / reports the .msi installer as well as the exe.

Once the program is running it reports other strange looking temporary files.

dreycos, Aug 29 '22 13:08

The new .zip download still reports the Wacatac.B!ml trojan.

dreycos, Aug 29 '22 14:08

[screenshot: wacatac trojan details]

dreycos, Aug 29 '22 14:08

It is detected by the same .dll.

dreycos, Aug 29 '22 14:08

That is the screenshot from yesterday. I just downloaded the new .zip package from git and scanned it, and Defender detected Wacatac about 30 minutes ago as well.

dreycos, Aug 29 '22 14:08

For now, I have reverted back to using SRS joystick mode =)

Really appreciate the work you've done with SpaceMonkey. Amazing solution.

dreycos, Aug 29 '22 14:08

Yeah, don't know what to tell you. I don't get that here; I didn't get Bladabindi back in May either, and the file hadn't changed until I rebuilt it yesterday. Suuuper weird.

I think these are false positives.

If you upload the .msi to virustotal.com it detects some other things as well, but I think that's just because of certain APIs that are used. It's probably also related to SharpMonoInjector.dll: since SharpMonoInjector.dll is a hacking tool that's freely available, you will probably find that it's used in a whole bunch of nasty trojans.

The code that's in SharpMonoInjector.dll, however, is really simple stuff; there's no socket code in there. The only socket code in SpaceMonkey reads UDP from games and sends UDP to other apps like SimCommander, SimFeedback, etc.

Here's the VirusTotal listing: https://www.virustotal.com/gui/file/f4559c7004224b3a0fb754b645e1e4bbe2689d903f740deedc23919ff41a0e03

PHARTGAMES, Aug 30 '22 07:08
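Two checks a practitioner would run before trusting either side of this exchange, as an added PowerShell example (not code from SpaceMonkey or from anyone in this thread): first, ask Defender itself which files each detection applied to, which answers the maintainer's question in the comment above without relying on a screenshot; second, compute the local download's SHA-256 and compare it with the hash in the VirusTotal URL the maintainer posted, since only a byte-identical file is covered by that existing report. The local path is a hypothetical assumption; the expected hash is the one from the URL above. Note that the `!ml` suffix on both Defender names marks a detection made by Microsoft's machine-learning classifiers rather than an exact signature, so a rebuilt binary can be flagged (or stop being flagged) without any code change, which is why comparing hashes per build matters.

```powershell
# Added example, not part of SpaceMonkey or this issue thread.
# Assumptions: the downloaded installer sits at $Download (hypothetical path);
# $ExpectedSha256 is the hash from the VirusTotal URL quoted in the thread.
# Requires the built-in Defender module; Get-MpThreatDetection needs an
# elevated prompt on most systems.

$Download       = 'C:\Users\me\Downloads\SpaceMonkeyTP.msi'   # hypothetical
$ExpectedSha256 = 'f4559c7004224b3a0fb754b645e1e4bbe2689d903f740deedc23919ff41a0e03'

# 1. Which detections has Defender raised, and against which files?
#    Each detection event carries a Resources list whose entries look like
#    "file:_C:\path\to\file"; the threat name lives on the matching Get-MpThreat
#    record, joined on ThreatID.
function Get-DefenderDetectionSummary {
    Get-MpThreatDetection |
        Sort-Object InitialDetectionTime -Descending |
        ForEach-Object {
            $threat = Get-MpThreat -ThreatID $_.ThreatID
            [pscustomobject]@{
                When   = $_.InitialDetectionTime
                Threat = $threat.ThreatName
                Files  = (($_.Resources | ForEach-Object { $_ -replace '^file:_', '' }) -join '; ')
            }
        }
}

Get-DefenderDetectionSummary | Format-Table -AutoSize -Wrap

# 2. Is the local file byte-for-byte the one already listed on VirusTotal?
#    If the hash matches, the existing report applies and nothing needs to be
#    uploaded; if it differs, this is a different build and the old verdict
#    says nothing about it.
#    Get-FileHash will fail if Defender has already quarantined the file, in
#    which case step 1 is the only evidence left on the machine.
$actual = (Get-FileHash -Path $Download -Algorithm SHA256).Hash.ToLowerInvariant()
if ($actual -eq $ExpectedSha256) {
    "SHA-256 matches the VirusTotal listing: https://www.virustotal.com/gui/file/$actual"
} else {
    "SHA-256 differs ($actual); different build, the linked report does not apply."
}
```

The detection summary is the right thing to paste into a bug report like this one: it names the exact file and threat without a screenshot, and it shows whether the hit was on the installer, the .exe or a DLL it dropped. Resolving a false positive by adding an exclusion path only hides the warning; the durable fix is submitting the file to Microsoft's sample-analysis portal, which the maintainer (as the publisher) is best placed to do.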

https://cuckoo.cert.ee/analysis/3363702/summary/

Main files where sus hash and other code detected:

- spacemonkeysfx.msi
- smtp dcs export plugin.msi
- smtp gta plugin.msi
- spacemonkey beamng.drive pluging.msi
- gametelemetryextractor.dll
- sharpmonoinjector.dll

dreycos, Aug 30 '22 13:08

I believe it is a false positive, and the combination of the DLL and how the telemetry extraction works mimics some trojan methods.

Unfortunately it is blocked by my enterprise, so I cannot test on that laptop. I will use it on my personal one instead.

Thanks for your help.

dreycos, Aug 30 '22 13:08