0xDEADBEEF

About 0xDEADBEEF

  1. Interesting Samples

    Ransom SHA256: b3901e5a23ea0ce6d0b05533959ecd5446178680ab969edb4e3085a9f1c00683. Seems it is doing some anti-debug tricks (like parent process detection?). Anyway, ESET missed the sample. Again, "next-gen" vendors (regardless of their potentially higher FP rate and smaller user base) catch this kind of sample first. Some "traditional" vendors block it with a behavior-blocking layer.
  2. Interesting Samples

    Yep, LiveGrid has now blacklisted it.
  3. Interesting Samples

    SHA256: 276c2887b3a9fd5265792be6a6d933b849d2d9707e1ce581dd84c1d283ed7169. Another ransom bypassing both scan and AMS, with already 20 vendors on VT detecting it.
  4. ESET blocks onedrive?

    I started to get frequent prompts of this today: it seems the connection is initiated by Microsoft's OneDrive.exe. Is it an FP?
  5. Is ESET discovering Malware ?

    From my perspective, it is really, really hard to distinguish ransomware from normal software (without proper use of a reputation system). Misused archive software can easily act much like ransomware; imagine a user zipping a batch of photos in a document folder with a password and deleting the original files. Ironically, some big vendors' ransom protection is tuned to be sooo sensitive that even these legitimate software and actions will also be blocked and quarantined automatically. Currently I just use custom HIPS file access rules to serve as the last defense against these attacks. But it is annoying. Users hate to be asked frequently, and sometimes even if the antivirus asks the question, users might still give the wrong answer. The default settings are merely a balance between security and usability for normal users.
  6. Interesting Samples

    No, I used Win7 x64. Will add the SmartScreen test once I get a proper Win10 license. Hmm, is VoodooShield a sort of anti-exec protection software?
  7. Interesting Samples

    Actually, I am more curious about ESET's attitude towards the detection of FlyStudio PUA.
  8. Interesting Samples

    Yes, I was a bit surprised when I saw ESET didn't even block this in LiveGrid in a timely manner. My sandbox scored this sample malicious in the first run. This is pretty unusual, as the malicious behaviors are very "explicit" and yet LiveGrid didn't respond as quickly as for those Feodo samples mentioned below (still no detection until hours later). And interestingly, I have resubmitted the sample several times later, and every time it is scored the same (as very malicious, and captures the injection behavior). I indeed saw some anti-sandbox features in this sample, though. I have several other Feodo botnet samples that ESET failed to detect, but after about 10~20 minutes LiveGrid started to block these samples (perhaps because the botnet protection detected the connection and triggered LiveGrid to block the sample).
  9. Interesting Samples

    SHA256: a06af1ebeff4795126cbe2765954bbe177b7a34ba11e84631b347e79ef23f6f0
  10. Interesting Samples

    SHA256: 67589ebe860dee5fcd8927d62c7085a23ddaca517657e6bc9e76225df2097544 and SHA256: ef9d512a9fb0c93bfda9d6427690c0880f500968798411f85b825c085df1de3b. It is detected as potentially unwanted on VT. However, it seems the Chinese version of ESET doesn't flag the FlyStudio Packed detection even with PUA on. Since FlyStudio Packed-type malware is very popular in China, this is considered a miss. I've seen many Chinese-born FlyStudio malware samples. I am not sure if ESET will add a secondary detection on that malware even with this PUA detection. If ESET doesn't, then the Chinese version of ESET might miss many samples.
  11. Interesting Samples

    Yep, continuing to improve my auto-exec and submission system while tightening the controls. I also added some YARA rules to scan the samples as a reference. Recently I didn't find any missed samples. Good job, ESET.
  12. 10.1.219.1 Memory Issue

    We tried again but it still doesn't help. I've sent you the download link of the dump through private message.
  13. The result from SE Labs is a bit counter-intuitive. E.g. Norton generally generates many FPs in real-life use (not only for me, but also according to the feedback of many other people). This makes me wonder what their sampling method and sample size are. This also reminds me of AVC's malware protection test. Their test shows that ESET's score is identical before/after execution (so no dynamic detection, unless they also count AMS as "scan"). This strongly implies that their testing samples are too old to reflect the real-world situation.
  14. Interesting Samples

    I've been offline for a while to debug that sample in my testing env, because my Cuckoo failed to capture its behaviors. Later I realized it is crashing most of the processes (including Cuckoo's agent) when doing a manual check; indeed an interesting one. Looking forward to seeing Cuckoo gradually move from R3 hooks to more reliable ones.
  15. Interesting Samples

    The test machine for that screenshot is a bit special (UAC disabled and admin granted, similar to a typical Cuckoo machine setup). Will check on another machine. Usually when I see ESET popping up tens of messages, I know it has failed to stop a ransomware (those messages are usually for some ransom notes). This one is, however, a bit more interesting. But I haven't got time to do any behavioral analysis on it yet.