Is this file malicious or not

[0xDEADBEEF 43]

SHA1:19eee9336a4527eb76cd2ac69321727f159ad057

I submitted this to eset yesterday but it is not added to the detection so far. Meanwhile the detection on VT is increasing. It is exhibiting some suspicious behavior but I feel it is a bit strange. Is this file malicious?

[Daedalus 16]

I think it is safe to say that the file is not clean:
https://www.virustotal.com/en/file/67a241d4845bd929b6345059c030f9392477d2179bde86d2109bd5371ad1f004/analysis/

Looks like ESET is running a bit behind on this one.

If you got the file you can also upload it on the following site to see what is does:
https://www.hybrid-analysis.com/ (P.S. website does not work in Chrome)

Edited November 10, 2017 by Daedalus

[0xDEADBEEF 43]

14 hours ago, Daedalus said:

I think it is safe to say that the file is not clean:
https://www.virustotal.com/en/file/67a241d4845bd929b6345059c030f9392477d2179bde86d2109bd5371ad1f004/analysis/

Looks like ESET is running a bit behind on this one.

If you got the file you can also upload it on the following site to see what is does:
https://www.hybrid-analysis.com/ (P.S. website does not work in Chrome)

This originally comes from a potentially phishing mail (so social engineering wise, it is already suspicious enough)

It is exhibiting some very suspicious behavior, like vbs drop, add autostart, query security products and UUID, and write files to sensitive paths... But I am not sure about if these are enough to be categorized as "malicious". Most detections of this file on VT are either machine learning/heur and generated by auto pipeline, no concrete signature detections so far though.

On VT, the first detection is by Kaspersky, Bitdefender and Cyren, and then followed by avast and avira. I was waiting ESET's verdict for two days and we will see.

Edited November 11, 2017 by 0xDEADBEEF

[Daedalus 16]

37 minutes ago, 0xDEADBEEF said:

This originally comes from a potentially phishing mail (so social engineering wise, it is already suspicious enough)

It is exhibiting some very suspicious behavior, like vbs drop, add autostart, query security products and UUID, and write files to sensitive paths... But I am not sure about if these are enough to be verdicted as "malicious". Most detections of this file on VT are either machine learning/heur and generated by auto pipeline, no concrete signature detections so far though.

On VT, the first detection is by Kaspersky, Bitdefender and Cyren, and then followed by avast and avira. I was waiting ESET's verdict for two days and we will see.

Thanks for the clarification!

[itman 1,659]

It's Java malware; QUOTATIONS.jar . So unless you have Java installed, you are save.

[0xDEADBEEF 43]

1 hour ago, itman said:

It's Java malware; QUOTATIONS.jar . So unless you have Java installed, you are save.

Hmm... If it is indeed malware, I'd be surprised that ESET still doesn't add detection days after the sample submission.

[BALTAGY 32]

13 minutes ago, 0xDEADBEEF said:

Hmm... If it is indeed malware, I'd be surprised that ESET still doesn't add detection days after the sample submission.

It's added https://www.virustotal.com/#/file/67a241d4845bd929b6345059c030f9392477d2179bde86d2109bd5371ad1f004/detection

[0xDEADBEEF 43]

Just now, BALTAGY said:

It's added https://www.virustotal.com/#/file/67a241d4845bd929b6345059c030f9392477d2179bde86d2109bd5371ad1f004/detection

ah, generik detection, after two days of my submission  

[novice 20]

This seems to be the new normal for ESET: add the definitions days after all other major players...

[itman 1,659]

Well, McAfee, Microsoft, Sophos, Symantec, Vipre, and Webroot to name a few are still not detecting it. Add none of the Next Gen/AI solutions since they don't scan .jar files.

[persian-boy 22]

What about the dynamic detection?

Edited November 11, 2017 by persian-boy

[illumination 5]

2 hours ago, persian-boy said:

What about the dynamic detection?

Your on the right track, there is more to Eset then just signatures. 

Edited November 11, 2017 by illumination

[0xDEADBEEF 43]

3 hours ago, persian-boy said:

What about the dynamic detection?

Unfortunately no. I have tested the sample with ESET before submitting it, but it doesn't block anything during the whole execution. After submission I repeatedly scan the sample about every 8 hours but it is only after this afternoon does it start to detect this sample.

[0xDEADBEEF 43]

4 hours ago, itman said:

Well, McAfee, Microsoft, Sophos, Symantec, Vipre, and Webroot to name a few are still not detecting it. Add none of the Next Gen/AI solutions since they don't scan .jar files.

Well at the same time BD and KIS reacted very rapidly after the initial exposure. ESET should be compared with top tier products. I would understand the slow response if there are some nuances in this sample though. Otherwise, two days after receiving the phishing mail is not very responsive anyway. It is even after the source of the malicious file, Mediafire, withdrawing the file from sharing due to malicious content.

Edited November 11, 2017 by 0xDEADBEEF

[itman 1,659]

I would cut Eset a bit "of slack" on this one. Per PayloadSecurity, below is what is contained in the Java archive. Definitely not your "run of the mill' malware that employs a single malware executable:

Quote

WIN_FuzzPlus3_101.exe.bin  threatscore:54/100
document.xml.doc.bin  threatscore:50/100
webSettings.xml.doc.bin  threatscore:85/100
1dbeb317fa9da54da26cef80ae707f6e71599b571cf82b5d914964358923fce0.exe.bin  threatscore:81/100
e266f51d845ef9a25d06c8849229dbff1b1de88489a49b54f1757167bee1e98b.exe.bin  threatscore:85/100
956ffbb8816835273b28c0a9eef97c8761e2d7c74ed42c93b57cba1a2625ead5.exe.bin  threatscore:100/100
b0a15aeac2d98d92ed8e284cfd4ce6497f705c378989214991ce06eb398f419b.exe.bin  threatscore:65/100
130143b2cf718be47ec358cf395f69ba9f3e604916f5e70b4916c5791c3876f0.exe.bin  threatscore:100/100
a510272016be5f51216e6cb794270f2316efc293bb0eee4056e7f1b6faaded71.exe.bin  threatscore:72/100
79548ccbfcb1a6fc48c3c2deffeeee90b523efa93a4bcb7f101222fa320b1876.exe.bin  threatscore:30/100 

 

[novice 20]

I followed (recently) most of the posts of 0xDEADBEEF (thank you for your contribution)

It seems like, in spite of its sophistication, ESET is always behind in detecting new malwares, at least 2-3 days, compared with other major players.

This one, for example:

Reported, and yet detected as "a variant of Generik.ZFIODR". My understanding about "generic" detection is that this kind of detection is generated by a non signatures mechanism (HIPS, behavior blocker) and hence should be somehow instantaneous (not after 3 days)

In fact, after 3 days should be a signature already.

But, of course I may be wrong in my assumptions.

 

 

 

[0xDEADBEEF 43]

47 minutes ago, John Alex said:

ESET is always behind in detecting new malwares, at least 2-3 days, compared with other major players

There is a sampling bias here: the thing I have posted here is sort of uncommon case for ESET (<5% of the fresh new samples I collected personally)

My personal experience is that, the more popular the threat is, the less likely it will slip through ESET's defense (assuming no glitches on their cloud backend ). Perhaps the LiveGrid and human analysis prioritize more popular threats first. For the sample in this thread, the reputation in LiveGrid is still unknown when I first got the sample, so I assume the exposure is still low to other endpoints. But of course, the reaction speed of this sample is way too slow from my personal view. 

In ordinary cases, the fresh samples I have encountered are usually at least blocked by LiveGrid. I have also seen cases that after ~20mins of my running of certain samples that bypassed the ESET, the LiveGrid started to blacklist the sample, which cannot be reflected on virustotal.

But as you can see, no security solution is perfect. A false sense of being 100% secured will be disastrous when one encounter brand new samples which can quickly replicate to other machines (e.g. wannacry), unpopular samples (e.g. threats targeting countries where ESET has few endpoints deployed), custom made samples for specific targets (which are nearly impossible to exhibit malicious behavior in auto analysis pipeline), and other special cases which nearly no one can avoid (e.g. CCleaner incident)

Since sometimes it is hard to know whether you are on the majority or minority side, the general guideline is to always be cautious when treating unknown files, mails, and websites, even with top tier antivirus products installed.

 

And, my personal suggestion to ESET is that, I would like to see at least some feedback for the sample submission. I have never got feedback for my submission and sometimes felt frustrated. For the samples that are not flagged by ESET days after my submission, I was sometimes not sure if it is indeed clean, or simply didn't catch enough attention like the one in this thread.

Edited November 11, 2017 by 0xDEADBEEF

[itman 1,659]

18 hours ago, 0xDEADBEEF said:

My personal experience is that, the more popular the threat is, the less likely it will slip through ESET's defense (assuming no glitches on their cloud backend

Which I believe pretty much sums up this malware instance. It appears to me to be targeted malware since many folks don't have Java installed.

Common sense also needs to be applied. In a widespread malware instance, you definitely want your security solution to respond ASAP to it. A large number of samples submitted to date in this forum have not been in this category. This again points to another issue with VirusTotal detection; no way to evaluate the actual likelihood you will ever encounter the malware.

Again, Eset arbores false positives. Unless there is some high level internal policy change, that fact is not going to change. As such, Eset is not going to block something suspicious by default until it has been thoroughly analyzed. The user however can use the HIPS to configure execution activity as restrictive as desired. Also Marcos has hinted at an upcoming "application control" feature which I assume is an anti-exec of some sort. 

[Marcos 5,074]

I've checked samples that we have received and the jar file in question was not submitted to samples[at]eset.com. I submitted it on 10. 11. 2017, 12:37 and a detection engineer replied 20 minutes later that the detection would be added in the next update.

[0xDEADBEEF 43]

27 minutes ago, Marcos said:

I've checked samples that we have received and the jar file in question was not submitted to samples[at]eset.com. I submitted it on 10. 11. 2017, 12:37 and a detection engineer replied 20 minutes later that the detection would be added in the next update.

Does it mean the right click submission will not work???? I submitted the sample through right click menu with my email and description around Nov 8 11:00pm CST and it said the sample was submitted to eset.

[Marcos 5,074]

Instructions for proper submission of samples are available at https://support.eset.com/kb141/. Only samples (not jar files) submitted this way are replicated and blocked automatically if malware is matched / detected.

Although it's possible to submit samples via gui, the most of such samples are junk, multimedia files, other clean files, etc.  They are not processed with as high priority as samples submitted to samples[at]eset.com.

[0xDEADBEEF 43]

25 minutes ago, Marcos said:

Instructions for proper submission of samples are available at https://support.eset.com/kb141/. Only samples (not jar files) submitted this way are replicated and blocked automatically if malware is matched / detected.

Although it's possible to submit samples via gui, the most of such samples are junk, multimedia files, other clean files, etc.  They are not processed with as high priority as samples submitted to samples[at]eset.com.

Alright, now I know how low the priority of GUI submission is. Thanks for the clarification.

If the submitted sample through email is clean, will I get a feedback? How about very large samples that cannot be sent through email?

Edited November 12, 2017 by 0xDEADBEEF

[Marcos 5,074]

4 minutes ago, 0xDEADBEEF said:

If the submitted sample through email is clean, will I get a feedback?

We don't guarantee providing a feedback but we usually let the user know the verdict. For instance, no feedback would likely be provided if somebody sent a clean file without any further description.

As for large files, I reckon that even 10-15 MB files should go through alright. Submit only sample in an email unless more samples are related to each other.

[0xDEADBEEF 43]

3 hours ago, itman said:

Also Marcos has hinted at an upcoming "application control" feature which I assume is an anti-exec of some sort. 

Sounds interesting

[0xDEADBEEF 43]

7 minutes ago, Marcos said:

We don't guarantee providing a feedback but we usually let the user know the verdict. For instance, no feedback would likely be provided if somebody sent a clean file without any further description.

As for large files, I reckon that even 10-15 MB files should go through alright. Submit only sample in an email unless more samples are related to each other.

cool.

Two unrelated questions:

1) why currently ESET puts coinminer scripts in potentially unsafe application category that is by default to be off?

2) is there a way to enable PUA flystudio.packed detection on a zh-cn language endpoint client?