Manuel Statik Analiz (LLM Okumali) — HWID Spoofer / Game Cheat Loader | Tehdit: YUKSEK
Dikkat: Fake String Aldatmacasi
Binary icerisinde thisprogramdoesnothavearealratthesearefakestrings!!!!! satirini icermektedir. Bu, AV/sandbox heuristigini yanlitlamak icin tasarlanmis tipik bir aldatmaca teknigidir. Gercek zararli islevler ayni binary icerisinde bulunmaktadir.

Fichier Kimligi

SHA2568d7252df516b2151c36b96ac37f601eba1a9ef71e5e89cd96c23c2413ea2f21c
Orijinal AdAAServicesTemp.exe
Taille17.579.008 byte (~16.7 MB)

C2 Altyapisi

Discord Davethttps://discord.gg/49AXJtCEfu
IP Lookuphttps://api.ipify.org/
TipDiscord C2 + API entegrasyon

Teknik Analiz

Fake String Aldatmacasi

Programin binary'si icerisindeki thisprogramdoesnothavearealratthesearefakestrings!!!! satiri, AV motorlarini ve sandbox sistemlerini yaniltmak amaclidir. Bu teknik genellikle AV heuristiginin string-based tespitini atlamamak icin kullanilir.

HWID Spoofer (Kernel Driver)

write.spoof.driver.sys   <-- Kernel driver
Status Undetected        <-- Oyun anti-cheat bypass durumu
[+] successfully loaded driver.

Anti-Analiz Teknikleri

Asagidaki analiz araci isimleri null byte ile bozulmus sekilde gizlenmistir:

The Wireshark0 Network0 Analyzer   (Wireshark0 = "Wireshark" + null byte)
Progress Telerik0 Folder Web Debugger  (Fiddler)
Process Hack0er 2  (Process Hacker)

Discord Entegrasyonu

start https://discord.gg/49AXJtCEfu

Program UI'si Discord sunucusunu acarak kullanicilara "destek" saglar. Ayni zamanda Discord API'si C2 kanal olarak kullanilabilir.

Stealer Yetenekleri

  • Harici IP tespiti: https://api.ipify.org/
  • MAC adresi toplama (regex: (.{2})(.{2})(.{2})(.{2})(.{2})(.{2}))
  • AV urun tespiti (root\SecurityCenter, root\SecurityCenter2)
  • FileZilla kimlik bilgileri cekme (XML regex parseri)
  • GPU ve sistem bilgisi toplama (WMI: Win32_OperatingSystem, VideoProcessor)

Loader Islevleri

  • Login/Register sistemi — lisans kontrolu
  • Oyun hack yukleyici: "Launching Cheat, stay tuned."
  • HWID spoofing: "Spoofing in progress, please wait..."
  • Temizlik modulu: "Cleaning in progress, please wait..."

IOC

SHA2568d7252df516b2151c36b96ac37f601eba1a9ef71e5e89cd96c23c2413ea2f21c
Discord C2https://discord.gg/49AXJtCEfu
IP Lookuphttps://api.ipify.org/
Kernel Driverwrite.spoof.driver.sys
AldatmacaFake string: "thisprogramdoesnothavearealratthesearefakestrings"

Nasil Kaldirilir?

  1. Tum oyun hile yazilimlarini kaldirilsin
  2. write.spoof.driver.sys surucusu temizlensin
  3. Guncel AV taramasi yapilsin
  4. Oyun hesaplari ve diger hesap sifrelerini degistirilsin

Liste IOC (1 indicateurs)

IOC — GameCheatLoader
# SHA256 8d7252df516b2151c36b96ac37f601eba1a9ef71e5e89cd96c23c2413ea2f21c
TypeValeurNote
sha256 8d7252df516b2151c36b96ac37f601eba1a9ef71e5e89cd96c23c2413ea2f21c

Serveurs C2 (2 serveurs enregistrés pour cette famille)

Adresse Type Port Protocole Statut Pays
api.ipify.org domain 443 HTTPS active &mdash;
discord.gg/49AXJtCEfu domain 443 &mdash; inactive &mdash;

Les adresses C2 proviennent uniquement d'échantillons de malwares vérifiés manuellement par l'équipe KEYDAL. Toute utilisation commerciale est interdite.

Tags
hwid-spoofergame-cheatdiscord-c2stealeranti-analysisfake-stringskernel-driveroyun-hileleri