PHARTGAMES / SpaceMonkey

MIT License

Windows Defender detects Wacatac.B!ml trojan #28

Open dreycos opened 1 year ago

dreycos commented 1 year ago

The SpaceMonkeyTP.msi installation file (latest download link on this Git site) has Windows defender detecting the Wacatac.B!ml trojan.

PHARTGAMES commented 1 year ago

Hey thanks for the report, I started seeing Backdoor:Win32/Bladabindi!ml after you reported it in the other bug, but no mention of Wacatac.B!ml.

This project uses a bunch of sensitive APIs that allow reading and writing of memory, perhaps that's the issue.

Can you please tell me which file it thinks contains the trojan?

I have also uploaded a new installer that no longer reports Backdoor:Win32/Bladabindi!ml.

dreycos commented 1 year ago

It detects / reports the .msi installer as well as the exe.

Once the program is running it reports other strange looking temporary files.

dreycos commented 1 year ago

The new .zip download still reports the Wacatac.B!ml trojan.

dreycos commented 1 year ago

(screenshot: wacatac trojan details)

dreycos commented 1 year ago

It is detected by the same .dll

dreycos commented 1 year ago

That is the screenshot from yesterday. I just downloaded the new .zip package from git and scanned it, and Defender detected Wacatac about 30 minutes ago as well.

dreycos commented 1 year ago

For now, I have reverted back to using SRS joystick mode =)

Really appreciate the work you've done with space monkey - amazing solution.

PHARTGAMES commented 1 year ago

Yeah, don't know what to tell you, I don't get that here, I didn't get Bladabindi back in May either and the file hadn't changed until I rebuilt it yesterday... Suuuper weird.

I think these are false positives.

If you upload the .msi to virustotal.com it detects some other things as well, but I think that's just because of certain APIs that are used, probably also related to SharpMonoInjector.dll, and since SharpMonoInjector.dll is a hacking tool that's freely available you will probably find that it's used in a whole bunch of nasty trojans.

The code that's in SharpMonoInjector.dll however is really simple stuff, there's no socket code in there; the only socket code in SpaceMonkey reads UDP from games and sends UDP to other apps like SimCommander, SimFeedback etc.

Here's the virustotal listing https://www.virustotal.com/gui/file/f4559c7004224b3a0fb754b645e1e4bbe2689d903f740deedc23919ff41a0e03
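To answer the "which file does Defender think contains the trojan" question from the reporter's side, here is an added PowerShell example (not part of the SpaceMonkey project) that lists Defender's own detection records by threat name and the file paths they were raised on, then hashes the locally downloaded installer and compares it with the SHA-256 from the VirusTotal link above. It assumes that hash is the .msi's and uses a placeholder download path you must adjust.

```powershell
# Added example, not SpaceMonkey code. Uses the built-in Defender module
# (Get-MpThreat, Get-MpThreatDetection) and Get-FileHash; run in an elevated shell.
$KnownInstallerSha256 = 'f4559c7004224b3a0fb754b645e1e4bbe2689d903f740deedc23919ff41a0e03'  # from the VirusTotal listing in this thread
$Installer = 'C:\Users\<you>\Downloads\SpaceMonkeyTP.msi'  # PLACEHOLDER: where you saved the .msi/.zip

# Map ThreatID -> readable name (Get-MpThreatDetection only carries the numeric ID)
$names = @{}
foreach ($t in Get-MpThreat) { $names[$t.ThreatID] = $t.ThreatName }

# Each detection record lists the resources (file paths) Defender flagged,
# so expand them to one row per file and keep only the names discussed here
Get-MpThreatDetection |
    ForEach-Object {
        $d = $_
        foreach ($res in $d.Resources) {
            [pscustomobject]@{
                Detected = $d.InitialDetectionTime
                Threat   = $names[$d.ThreatID]
                Process  = $d.ProcessName
                Resource = $res   # e.g. file:_C:\...\SharpMonoInjector.dll
            }
        }
    } |
    Where-Object { $_.Threat -like '*Wacatac*' -or $_.Threat -like '*Bladabindi*' } |
    Sort-Object Detected -Descending |
    Format-Table -AutoSize

# Confirm the local download is the same artifact that was submitted to VirusTotal,
# so the comparison with the public scan results is about the same bytes
if (Test-Path $Installer) {
    $hash = (Get-FileHash -Path $Installer -Algorithm SHA256).Hash.ToLower()
    if ($hash -eq $KnownInstallerSha256) {
        "Local installer matches the VirusTotal sample ($hash)"
    } else {
        "Local installer differs from the VirusTotal sample: $hash"
    }
} else {
    "Installer not found at $Installer (adjust the placeholder path)"
}
```

The Resource column gives the exact file each verdict was attached to, which is what the maintainer asked for, and the hash check tells you whether a differing verdict is due to a different build rather than a different scanner.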

dreycos commented 1 year ago

https://cuckoo.cert.ee/analysis/3363702/summary/

Main files where sus hash and other code detected:

- spacemonkeysfx.msi
- smtp dcs export plugin.msi
- smtp gta plugin.msi
- spacemonkey beamng.drive pluging.msi
- gametelemetryextractor.dll
- sharpmonoinjector.dll

dreycos commented 1 year ago

I believe it is a false positive and the combination of the dll and how the telemetry extraction works mimics some trojan methods.

Unfortunately it is blocked by my enterprise so I cannot test on that laptop - will use it on my personal one instead.

Thanks for your help.