Jump to content

Game downloader false positive?


Recommended Posts

ESET detects a popular official game downloader as Generik trojan for some days. The sample 768596273459d8c3e01c77ffcc0f631bf79f3b6c.zip is uploaded to ftp server.

Original file is downloaded from here

 

Also I am wondering if these two apks (in the ftp server d693ae624fa9c0ebfbbf019cb53def036a51e719d693a.zip and fc3a46a4bbbee9ca2c053b388873bfdb9bd93f57.zip) are malicious or not. ESET detects them as a variant of Android/Obfus.AY and a variant of Android/TrojanDownloader.Agent.KU. They both are relatively popular android apps downloaded from the official website. 

This game file is detected as malicious by ESET (82233f28e7badb481d7cb016b791056fc48fa71582233.zip in the ftp server), not sure if it is correct or not.

Edited by 0xDEADBEEF
Link to comment
Share on other sites

On 8/15/2018 at 8:01 AM, 0xDEADBEEF said:

The sample 768596273459d8c3e01c77ffcc0f631bf79f3b6c.zip

Is this sample indeed malicious/PUA? Though I didn't do careful analysis on this sample, judging from the source and digital sig it is likely to be benign with not-so-few users (according to LiveGrid). It is a bit unusual to see ESET holding a potential FP for such long time.

Edited by 0xDEADBEEF
Link to comment
Share on other sites

On ‎8‎/‎15‎/‎2018 at 9:01 AM, 0xDEADBEEF said:

Original file is downloaded from here

What is downloaded from the link you posted is an .exe file; not any .zip file. Also Eset detects it as malicious per the below screen shot.

What is most interesting is first, detection took a few seconds after download was completed. Perhaps indicative of a LiveGrid upload? Next note that the file was detected and deleted from IE11's cache and also my download directory. However, an entry still exists in the download directory but its file size is 0 bytes.

Eset_Malware.png.9fef2bb1229b16cfac8bef5d326f939e.png

Link to comment
Share on other sites

1 hour ago, itman said:

What is downloaded from the link you posted is an .exe file; not any .zip file

Yes I have the habit of zipping the sample sand name it using the sha1 hash before submission.

1 hour ago, itman said:

However, an entry still exists in the download directory but its file size is 0 bytes.

I have observed this for months(I was using Chrome), and I think it is a bug. Previously opera has this issue with vpn on, then this issue propagate to chrome and potentially more browsers. If you use the built in vpn in opera, you will find the quarantined sample downloaded through opera can’t even be restored to its original place

btw, nearly all FPs I’ve encountered in ESET product is such Generik detection, which makes sense

Edited by 0xDEADBEEF
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...