Article summary: the post analyzes a Golang malware sample named SecretPictures with MD5 fd46d178474f32f596641ff0f7bb337e. The sample copies itself into a Systemlogs folder and modifies the registry for persistence, calls GetDriveType to check drive types, uses NewTicker to connect periodically to malware.invalid.com and send a POST request containing the fields name and version, and decodes the server's responses with base64. Overall score: 90. Article categories: malware, reverse engineering, CTF, binary security
SecretPictures
Original
漫路修行
微痕鉴远
25 December 2025, 14:23, Guangdong
The university’s IT team began receiving reports of strange activity on library computers. Students noticed hidden files appearing on their USB drives and disappearing moments later. An investigation revealed a single suspicious file named “SecretPictures.” When opened, it vanished instantly without leaving a trace, and no antivirus tool could identify it. The IT team isolated the file and provided it for your analysis. As a cybersecurity analyst, your task is to determine what this malware does, how it spreads, and how to stop it before it affects more systems.
What is the MD5 hash of the malware?
fd46d178474f32f596641ff0f7bb337e
What programming language is used to write the malware?
golang
What is the name of the folder the malware copies itself to after the initial run?
Systemlogs
What registry key does the malware modify to achieve persistence?
What FQDN does the malware attempt to connect to?
malware.invalid.com
Which Windows API function does the malware call to check drive types?
GetDriveType
Which Go standard library function does the malware use to schedule periodic execution?
NewTicker
What encoding does the malware use to decode server responses?
base64
The malware communicates with a backend server via a POST request. What are the names of the fields in the request body, separated by commas and listed alphabetically?
Filtering the extracted strings for "&" turns up the request-body template and its field names:
name,version
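The answers above all come from static triage of the binary: hashing it, recognizing the Go build markers, and pivoting through its strings for a host name, Win32 imports, Go runtime symbols and the `&`-separated form-body template. The program below is an added example of that workflow written for this page; it is not code from the original writeup and not the sample itself. It runs over a constructed byte blob (`sampleBinary`) that only imitates the kinds of strings a Go-built Windows PE carries, so its MD5 will not match the real sample, and the indicator lists (`winAPIPrefixes`, `goSymbols`) and the FQDN heuristic are assumptions chosen for the illustration, not something the writeup states.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// sampleBinary is a constructed stand-in for the file under analysis: filler
// bytes around the kinds of strings a Go-built Windows PE carries. It is not
// the real SecretPictures sample, so its MD5 will not match the writeup.
var sampleBinary = []byte("MZ\x90\x00\x03\x00\x00\x00" +
	"Go build ID: \"hypothetical-build-id\"\x00" +
	"runtime.main\x00runtime.gopanic\x00" +
	"time.NewTicker\x00encoding/base64.(*Encoding).DecodeString\x00" +
	"net/http.(*Client).Post\x00" +
	"kernel32.dll\x00GetDriveTypeW\x00advapi32.dll\x00RegSetValueExW\x00" +
	"https://malware.invalid.com/api/beacon\x00" +
	"name=%s&version=%s\x00Systemlogs\x00" +
	"\x01\x02\x03\x04\xff")

// Triage collects the static indicators the writeup's questions ask for.
type Triage struct {
	MD5        string   // hash used to identify the sample
	IsGo       bool     // Go build-ID / runtime markers present
	FQDNs      []string // host names found in strings (C2 candidates), sorted
	WinAPIs    []string // Win32 imports of interest, in order of appearance
	GoFuncs    []string // Go standard-library symbols of interest
	PostFields []string // field names from a form-body template, sorted
}

// extractStrings mimics `strings -n minLen`: runs of printable ASCII.
func extractStrings(data []byte, minLen int) []string {
	var out []string
	var cur strings.Builder
	flush := func() {
		if cur.Len() >= minLen {
			out = append(out, cur.String())
		}
		cur.Reset()
	}
	for _, b := range data {
		if b >= 0x20 && b <= 0x7e {
			cur.WriteByte(b)
		} else {
			flush()
		}
	}
	flush()
	return out
}

func md5Hex(data []byte) string {
	sum := md5.Sum(data)
	return hex.EncodeToString(sum[:])
}

// fqdnRe requires at least two dots and an alphabetic last label so that Go
// symbols (runtime.main), DLL names (kernel32.dll) and version numbers (1.2.3)
// are not reported as hosts. A real tool would check against a TLD list.
var fqdnRe = regexp.MustCompile(`[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\.[A-Za-z]{2,}`)

// formBodyRe matches a URL-encoded body template such as "name=%s&version=%s";
// the "&" separator is the same pivot the writeup used to find the fields.
var formBodyRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*=[^&]*(?:&[A-Za-z_][A-Za-z0-9_]*=[^&]*)+$`)

// Assumed indicator lists: Win32 imports and Go symbols worth flagging.
var winAPIPrefixes = []string{"GetDriveType", "RegSetValueEx", "RegCreateKeyEx", "CopyFile"}
var goSymbols = []string{"time.NewTicker", "encoding/base64", "net/http.(*Client).Post", "os/exec"}

// TriageSample runs the string-based checks over a raw file image.
func TriageSample(data []byte) Triage {
	strs := extractStrings(data, 4)
	t := Triage{MD5: md5Hex(data)}
	fqdns := map[string]bool{}
	for _, s := range strs {
		if strings.HasPrefix(s, "Go build ID:") || s == "runtime.main" {
			t.IsGo = true
		}
		for _, h := range fqdnRe.FindAllString(s, -1) {
			fqdns[h] = true
		}
		for _, p := range winAPIPrefixes {
			if strings.HasPrefix(s, p) {
				t.WinAPIs = append(t.WinAPIs, s)
			}
		}
		for _, g := range goSymbols {
			if strings.Contains(s, g) {
				t.GoFuncs = append(t.GoFuncs, s)
			}
		}
		if formBodyRe.MatchString(s) {
			for _, kv := range strings.Split(s, "&") {
				t.PostFields = append(t.PostFields, strings.SplitN(kv, "=", 2)[0])
			}
		}
	}
	for h := range fqdns {
		t.FQDNs = append(t.FQDNs, h)
	}
	sort.Strings(t.FQDNs)
	sort.Strings(t.PostFields)
	return t
}

func main() {
	t := TriageSample(sampleBinary)
	fmt.Printf("MD5: %s\nGo: %v\nFQDNs: %v\nWin32: %v\nGo funcs: %v\nPOST fields: %s\n",
		t.MD5, t.IsGo, t.FQDNs, t.WinAPIs, t.GoFuncs, strings.Join(t.PostFields, ","))
}
```

To use it on a real file, replace `sampleBinary` with the bytes read from disk; the Go build-ID marker and `runtime.*` symbols survive stripping, which is why they are a more reliable language fingerprint than the import table alone. The registry key named in the persistence question would be recovered the same way, by pivoting from the `RegSetValueEx` import to the key-path string that is passed to it.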
Disclaimer:
The programs and techniques in this article are intended solely for lawful security research and teaching, with the aim of improving network security defenses; they are of a clearly technical, research nature.
Any organization or individual that uses this content without authorization for attacks, sabotage or other illegal purposes bears sole responsibility for all resulting legal liability, civil damages and joint liability; this site accepts no joint liability.
Everything on this site is published for technical exchange and knowledge sharing. If you believe there is a copyright infringement or have any other objection, please contact us by e-mail; the contact details are under "Contact me" at the top of the page.
This article is reposted from: 微痕鉴远 漫路修行, "SecretPictures"
Copyright notice
This site only keeps a backup copy, for research and teaching reference only.
Readers who use this information for any other purpose bear all legal and joint liability themselves; this site accepts no responsibility.