Open dreycos opened 1 year ago
Hey thanks for the report, I started seeing Backdoor:Win32/Bladabindi!ml after you reported it in the other bug, but no mention of Wacatac.B!ml.
This project uses a bunch of sensitive APIs that allow reading and writing of memory; perhaps that's the issue.
Can you please tell me which file it thinks contains the trojan?
I have also uploaded a new installer that no longer reports Backdoor:Win32/Bladabindi!ml.
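To answer "which file does it think contains the trojan?" without relying on screenshots, the reporter can pull the detection records straight from Defender. The following is an added triage script, not code from the SpaceMonkey project or from either participant; it assumes an elevated PowerShell session on the machine that raised the alert, a hypothetical download folder $ReleaseDir, and uses the SHA-256 from the VirusTotal link posted later in the thread to confirm the local .msi is the same sample that was analysed there.

```powershell
# Added example (not part of the SpaceMonkey project): show what Defender flagged,
# in which file and process, and check whether the downloaded installer is the
# same sample as the VirusTotal listing from the thread.
# Assumptions: elevated PowerShell with the Defender module available;
# $ReleaseDir is a hypothetical path to the downloaded release artifacts.
$ReleaseDir = 'C:\Downloads\SpaceMonkey'
# SHA-256 taken from the VirusTotal URL quoted in the thread.
$VtSha256 = 'f4559c7004224b3a0fb754b645e1e4bbe2689d903f740deedc23919ff41a0e03'

# 1. Map ThreatID -> ThreatName so the detection records are readable
#    (e.g. Trojan:Win32/Wacatac.B!ml, Backdoor:Win32/Bladabindi!ml).
$names = @{}
Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }

# 2. Detections from the last week. Resources is an array of strings such as
#    "file:_C:\path\SharpMonoInjector.dll"; strip the prefix for readability.
Get-MpThreatDetection |
    Where-Object { $_.InitialDetectionTime -gt (Get-Date).AddDays(-7) } |
    ForEach-Object {
        [pscustomobject]@{
            When    = $_.InitialDetectionTime
            Threat  = $names[$_.ThreatID]
            Process = $_.ProcessName
            Files   = ($_.Resources -replace '^file:_', '') -join '; '
        }
    } |
    Sort-Object When -Descending |
    Format-Table -AutoSize

# 3. Hash the downloaded artifacts and mark the one VirusTotal already analysed,
#    so a new build (different hash) is not confused with the old listing.
Get-ChildItem -Path $ReleaseDir -Recurse -Include *.msi, *.exe, *.dll |
    Get-FileHash -Algorithm SHA256 |
    ForEach-Object {
        [pscustomobject]@{
            File   = $_.Path
            SHA256 = $_.Hash
            OnVT   = ($_.Hash -ieq $VtSha256)
        }
    } |
    Format-Table -AutoSize
```

The "!ml" suffix on both threat names marks a verdict from Defender's machine-learning models rather than a fixed signature, which is why a rebuild of the same source can flip the result. Once the offending file is identified, the maintainer can submit it to Microsoft's file submission portal (https://www.microsoft.com/en-us/wdsi/filesubmission) as a suspected false positive; an unsigned build that embeds a memory-injection helper will otherwise keep tripping the same heuristic.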
It detects / reports the .msi installer as well as the exe.
Once the program is running it reports other strange looking temporary files.
The new .zip download still reports the Wacatac.B!ml trojan.
It is detected by the same .dll.
That is the screenshot from yesterday. I just downloaded the new .zip package from git and scanned it, and Defender detected Wacatac about 30 minutes ago as well.
For now, I have reverted back to using SRS joystick mode =)
Really appreciate the work you've done with space monkey - amazing solution.
Yeah, don't know what to tell you. I don't get that here; I didn't get Bladabindi back in May either, and the file hadn't changed until I rebuilt it yesterday. Suuuper weird.
I think these are false positives.
If you upload the .msi to virustotal.com it detects some other things as well, but I think that's just because of certain APIs that are used, probably also related to SharpMonoInjector.dll, and since SharpMonoInjector.dll is a hacking tool that's freely available you will probably find that it's used in a whole bunch of nasty trojans.
The code that's in SharpMonoInjector.dll, however, is really simple stuff; there's no socket code in there. The only socket code in SpaceMonkey reads UDP from games and sends UDP to other apps like SimCommander, Simfeedback, etc.
Here's the VirusTotal listing: https://www.virustotal.com/gui/file/f4559c7004224b3a0fb754b645e1e4bbe2689d903f740deedc23919ff41a0e03
https://cuckoo.cert.ee/analysis/3363702/summary/
Main files where a suspicious hash and other code were detected:
spacemonkeysfx.msi
smtp dcs export plugin.msi
smtp gta plugin.msi
spacemonkey beamng.drive pluging.msi
gametelemetryextractor.dll
sharpmonoinjector.dll
I believe it is a false positive and the combination of the dll and how the telemetry extraction works mimics some trojan methods.
Unfortunately it is blocked by my enterprise, so I cannot test on that laptop; I will use my personal one instead.
Thanks for your help.
The SpaceMonkeyTP.msi installation file (latest download link on this Git site) has Windows Defender detecting the Wacatac.B!ml trojan.