Topic: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)

Offline Chunli

  • Malware Research Group
  • Comodo's Hero
  • Posts: 2584
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #15 on: March 14, 2018, 06:18:24 PM »
Hi, pio

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Best regards
Chunli.chen

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • Posts: 625
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #16 on: April 03, 2018, 11:51:25 PM »
Still unprocessed, please take a look at this!!! Thank you!!!

File is unjustifiably FULLY trusted!!!

PUA.Adware.Variant.InstallCore - Certificate "issued" by Thawte & "countersigned" by Comodo & USERTrust

https://valkyrie.comodo.com/get_info?sha1=bfa372c778d40be998f4ec2cfc77c3fc9d46a34d

https://www.virustotal.com/#/file/bc657ebd6bf63fe477a808e99b6b6feba7f678a5c2e43f1c085e5f7461c4f4fd/detection

Some suspicious/malicious Indicators: Compiler/Packer/Crypter/Scrambler Signature > Compiler: Nullsoft PiMP Stub, File has multiple binary anomalies (Embeds another file (type: Nullsoft, location: overlay), File ignores DEP, File ignores Code Integrity, CRC value set in PE header does not match actual value, Imports an anonymous function), Tries to delay the Analysis, Contains ability to open the clipboard, Found potentially Anti-VM Strings (Checks amount of System Memory, Queries the Disk Size, Checks Adapter Addresses), References Windows built-in privileges, Creates guarded memory sections, Sets the process error mode to suppress error box, Writes a PE file header to Disc, Opens a file in a system directory, Reads system information using WMIC, Reads the active computer name, Reads the cryptographic machine GUID, Reads configuration files, Spawns a lot of processes, Runs shell commands, Duplicates the process handle of another process to obtain access rights to that process, Makes a code branch decision directly after an API that is environment aware (Found API call GetVersionExA[at]KERNEL32.DLL), Opens the MountPointManager, Opens the Kernel Security Device Driver, Modifies proxy settings, Queries sensitive IE security settings, Accesses sensitive information from local browsers, Found malicious network related activity >>> HTTP request contains Base64 encoded artifacts, File GETs Data from >>> "148.251.68.18:80 (fetch.jdcdn.org)" > https://www.virustotal.com/#/ip-address/148.251.68.18 & "85.131.130.148:80" (installer.jdownloader.org) > https://www.virustotal.com/#/ip-address/85.131.130.148

Certificate Details:

Algorithm: rsaEncryption
Version: 3
Issuer: /C=US/O=Thawte, Inc./CN=Thawte Code Signing CA - G2
Serial: 754879579763311850463317485396909484
Serial (Hex): 91626fd168636edd78a174e8b75dac

Valid from: Aug 15 00:00:00 2014 GMT
Valid until: Aug 15 23:59:59 2015 GMT

C (countryName): DE
CN (commonName): Appwork GmbH
L (localityName): Fuerth
O (organizationName): Appwork GmbH
ST (stateOrProvinceName): Bayern

The File has a correct and positive detection from Valkyrie as PUA, but still NO Signature!!!

File is unjustifiably FULLY trusted!!!

PUA.Adware.Variant.OpenCandy - Certificate "issued" by VeriSign & "countersigned" by Symantec & Thawte

https://valkyrie.comodo.com/get_info?sha1=5aff1256fa475b6e24e0658b50b4e5dd571404a8

https://www.virustotal.com/#/file/9b107f25cfb5c77f13cec0b3ff3e38bf51b301044f349d39b7a079f6b845baa1/detection

Some suspicious/malicious Indicators: Compiler/Packer/Crypter/Scrambler Signature > Packer/Scrambler: UPX Compressor 3.0, File has multiple binary anomalies (File ignores Code Integrity, PE file has unusual entropy sections, PE file is packed with UPX, CRC value set in PE header does not match actual value, Entrypoint in PE header is within an uncommon section, Contains zero-size sections, The file has "2" writable and executable sections), Spawns a file that was identified as malicious at VT (33/73 Antivirus vendors marked dropped file "uttC133.tmp" as "Adware.OpenCandy"), Uses Windows APIs to generate a cryptographic key, Found a dropped file containing the Windows username, Uses a User Agent typical for browsers, although no browser was ever launched (Found user agents: Mozilla/4.0), Found potentially Anti-VM Strings (Queries the Disk Size, Checks adapter Addresses, Detects the presence of Wine emulator via Registry), Reads the active computer name, Reads the cryptographic machine GUID, Reads configuration files, Reads Windows Trust Settings, Scanning for window names, Reads the registry for installed applications, Queries volume information of an entire hard drive, Writes data to another process ("rundll32.exe"), Creates or modifies windows services, Opens the Kernel Security Device Driver, Modifies Software Policy Settings, Modifies proxy settings, Queries sensitive IE security settings, Accesses and Modifies System Certificates Settings, Found malicious network related activity, Sends UDP traffic to various IPs, POSTs files to a webserver, HTTP request contains Base64 encoded artifacts, Contacts 32 domains and 143 hosts

Certificate Details:

Algorithm: rsaEncryption
Version: 3
Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/CN=VeriSign Class 3 Code Signing 2010 CA
Serial: 115906371898387214641412410377105632520
Serial (Hex): 5732c1574e6af828e1b4f93abb34ed08

Valid from: Jun 5 00:00:00 2013 GMT
Valid until: Sep 3 23:59:59 2016 GMT

C (countryName): US [5553]
CN (commonName): BitTorrent Inc
L (localityName): San Francisco
O (organizationName): BitTorrent Inc
OU (organizationalUnitName): Digital ID Class 3 - Microsoft Software Validation v2
ST (stateOrProvinceName): California
« Last Edit: April 03, 2018, 11:59:16 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline Chunli

  • Malware Research Group
  • Comodo's Hero
  • Posts: 2584
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #17 on: April 04, 2018, 01:15:52 AM »
Hi, pio

Thank you for your submission.
We'll check these.

Best regards
Chunli.chen

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • Posts: 625
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #18 on: April 08, 2018, 07:14:18 PM »
Thank you for reviewing the Files!!! Unfortunately, not everything is right after 5 days.

VT: Correctly detected by Comodo as ApplicUnwnt.Win32.InstallCore.~
Valkyrie: NOT detected
CIS: Still NO Signature Detection

PUA.Adware.Variant.InstallCore - Certificate "issued" by Thawte & "countersigned" by Comodo & USERTrust

https://valkyrie.comodo.com/get_info?sha1=bfa372c778d40be998f4ec2cfc77c3fc9d46a34d

https://www.virustotal.com/#/file/bc657ebd6bf63fe477a808e99b6b6feba7f678a5c2e43f1c085e5f7461c4f4fd/detection

VT: Correctly detected by Comodo as ApplicUnwnt.Win32.Adware.OpenCandy.
Valkyrie: Detected correctly as PUAApplicUnwnt.Win32.Adware.OpenCandy.
CIS: Still NO Signature Detection

PUA.Adware.Variant.OpenCandy - Certificate "issued" by VeriSign & "countersigned" by Symantec & Thawte

https://valkyrie.comodo.com/get_info?sha1=5aff1256fa475b6e24e0658b50b4e5dd571404a8

https://www.virustotal.com/#/file/9b107f25cfb5c77f13cec0b3ff3e38bf51b301044f349d39b7a079f6b845baa1/detection
« Last Edit: April 08, 2018, 07:16:03 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline Qiuhui.Wang

  • Comodo Staff
  • Comodo's Hero
  • Posts: 2103
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #19 on: April 08, 2018, 08:01:49 PM »
Hi pio,

Thank you for your submission.
We'll recheck them and, if found to be malware, detection will be added.

Best regards
Qiuhui.Wang


Offline andrei.savin

  • Comodo Staff
  • Comodo Loves me
  • Posts: 197
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #21 on: April 10, 2018, 12:28:35 PM »
Hi Felipe,
Thanks for the submission, we'll check the file and take appropriate measures.

Best regards,
Andrei Savin
If possible please post your malware submissions as SHA1 lists (created with HashMyFiles or any other software). Always make sure first you have submitted the samples through CIS.

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • Posts: 625
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #22 on: April 14, 2018, 04:48:30 PM »
File is unjustifiably FULLY trusted!!!

PUA.Variant.InstallCore - Certificate "issued" by VeriSign & Symantec & "countersigned" by Symantec & Thawte
 
https://valkyrie.comodo.com/get_info?sha1=2ce717a97b57367f0e1cc8ce74d3297cd08b7717

https://www.virustotal.com/de/file/28ee7a7ad139235c094a30414db98e23274ad27da66e30576f4dc9508d7ff2a3/analysis/1523737203/

Some suspicious/malicious Indicators: Compiler/Packer signature > Compiler: Borland Delphi 4.0, Packer: Inno Setup Installer, File has multiple binary anomalies (Embeds another file (type: Inno Setup, location: overlay), File ignores DEP, File ignores Code Integrity, CRC value set in PE header does not match actual value, PE file contains zero-size sections, The size (18328 bytes) of the certificate is suspicious, The file has "3" shared sections, Contains unknown resources), Checks for an ADS, Creates guarded memory sections, Reads the active computer name, Reads the cryptographic machine GUID, Reads the system/video BIOS version, Reads the windows product ID, Scanning for window names, Reads the registry for installed applications, Duplicates the process handle of another process to obtain access rights to that process, Writes bytes to another process ("%WINDIR%\SysWOW64\regsvr32.exe"), Opens the MountPointManager, Uses a User Agent typical for browsers, although no browser was ever launched (Found user agent: Mozilla/5.0), Modifies proxy settings, Queries sensitive IE security settings, Found malicious network related activity, POSTs data to a webserver ("POST / HTTP/1.1Accept: */*Host : 4.tanefedgan.com , IP : 54.72.212.121 , User-Agent: Mozilla/5.0

Certificate Details:

Algorithm: rsaEncryption
Version: 3
Issuer: /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA
Serial: 37764354959338783732895431177534749187
Serial (Hex): 1c692673d01fd2db5c97c2cc2114ba03

Valid from: Jul 13 00:00:00 2017 GMT
Valid until: Jul 13 23:59:59 2018 GMT

C (countryName): US [5553]
CN (commonName): Andy OS Inc [416E6479204F5320496E63]
L (localityName): San Francisco [53616E204672616E636973636F]
O (organizationName): Andy OS Inc [416E6479204F5320496E63]
ST (stateOrProvinceName): California [43616C69666F726E6961]

« Last Edit: April 14, 2018, 04:58:49 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline Aravindhraj J

  • Comodo Staff
  • Comodo Family Member
  • Posts: 77
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #23 on: April 15, 2018, 02:14:37 AM »
Hi pio,

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Regards,
Aravindhraj J

Offline Felipe Oliveira

  • Malware Research Group
  • Comodo's Hero
  • Posts: 485
  • Brazilian / Medicine Student / Love Technology
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #24 on: April 24, 2018, 03:10:36 PM »
Submitted 11 days ago, until yesterday it was "unknown".

Today it is "reliable". OMG

https://www.virustotal.com/#/file/5395a2d77e0ab7442e74e9a9411849f5792b31086683286fd71908266805fb7b/detection
SHA1: 7471490fb90d87a4ede290287d12c6b71b4c20f5

Offline Chunli

  • Malware Research Group
  • Comodo's Hero
  • Posts: 2584
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #25 on: April 25, 2018, 01:24:47 AM »
Hi, Felipe Oliveira

Thank you for your submission.
We'll check it.

Best regards
Chunli.chen


Offline andrei.savin

  • Comodo Staff
  • Comodo Loves me
  • Posts: 197
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #27 on: April 26, 2018, 02:57:58 PM »
Hi Felipe,
Thanks for your submission. We'll check the files and add detection where necessary.

Best regards,
Andrei Savin
If possible please post your malware submissions as SHA1 lists (created with HashMyFiles or any other software). Always make sure first you have submitted the samples through CIS.


Offline Chunli

  • Malware Research Group
  • Comodo's Hero
  • Posts: 2584
Re: Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)
« Reply #29 on: May 03, 2018, 02:11:02 AM »
Hi, Felipe Oliveira

Thank you for your submission.
We'll check it.

Best regards
Chunli.chen
