Game downloader false positive?

ESET has been detecting a popular official game downloader as a Generik trojan for some days. The sample 768596273459d8c3e01c77ffcc0f631bf79f3b6c.zip has been uploaded to the FTP server.

Original file is downloaded from here

Also I am wondering if these two APKs (on the FTP server, d693ae624fa9c0ebfbbf019cb53def036a51e719d693a.zip and fc3a46a4bbbee9ca2c053b388873bfdb9bd93f57.zip) are malicious or not. ESET detects them as a variant of Android/Obfus.AY and a variant of Android/TrojanDownloader.Agent.KU. They are both relatively popular Android apps downloaded from the official website.

This game file is also detected as malicious by ESET (82233f28e7badb481d7cb016b791056fc48fa71582233.zip on the FTP server); not sure if that is correct or not.

Edited by 0xDEADBEEF

On 8/15/2018 at 8:01 AM, 0xDEADBEEF said:

The sample 768596273459d8c3e01c77ffcc0f631bf79f3b6c.zip

Is this sample indeed malicious/PUA? Though I didn't do a careful analysis of this sample, judging from the source and digital signature it is likely to be benign, with not-so-few users (according to LiveGrid). It is a bit unusual to see ESET holding a potential FP for such a long time.

Edited by 0xDEADBEEF

On 8/15/2018 at 9:01 AM, 0xDEADBEEF said:

Original file is downloaded from here

What is downloaded from the link you posted is an .exe file, not a .zip file. Also, ESET detects it as malicious, per the screenshot below.

What is most interesting is, first, that detection took a few seconds after the download was completed. Perhaps indicative of a LiveGrid upload? Next, note that the file was detected and deleted from IE11's cache and also from my download directory. However, an entry still exists in the download directory, but its file size is 0 bytes.

[Screenshot: Eset_Malware.png]


1 hour ago, itman said:

What is downloaded from the link you posted is an .exe file; not any .zip file

Yes, I have the habit of zipping the samples and naming them using the SHA-1 hash before submission.

1 hour ago, itman said:

However, an entry still exists in the download directory but its file size is 0 bytes.

I have observed this for months (I was using Chrome), and I think it is a bug. Previously Opera had this issue with the VPN on, then the issue propagated to Chrome and potentially more browsers. If you use the built-in VPN in Opera, you will find that a quarantined sample downloaded through Opera can't even be restored to its original place.

BTW, nearly all FPs I've encountered in ESET products are such Generik detections, which makes sense.

Edited by 0xDEADBEEF
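The submission habit described in the reply above (zip the sample, name the archive by its SHA-1) and the 0-byte leftover entry observed earlier in the thread can both be handled in one small script. The following is an added example, not code from the thread participants or from ESET; the `package_sample` and `demo` names and the constructed sample bytes are assumptions for illustration. The script hashes a file in chunks, writes it into `<sha1>.zip` under its original name, re-hashes the archived member to confirm nothing was truncated, and refuses a zero-byte file so that a stale quarantine placeholder is never submitted as if it were the sample.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path


def sha1_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-1 so large installers do not need to fit in RAM."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def package_sample(sample: Path, out_dir: Path) -> dict:
    """Zip `sample` into out_dir/<sha1>.zip for submission and verify the archive.

    Raises ValueError for a zero-byte file: after a detection the browser may leave
    a 0-byte entry in the download directory, and that is not the sample.
    """
    sample = Path(sample)
    out_dir = Path(out_dir)
    if sample.stat().st_size == 0:
        raise ValueError(f"{sample.name} is 0 bytes; likely a leftover placeholder, not the sample")
    out_dir.mkdir(parents=True, exist_ok=True)

    digest = sha1_of_file(sample)
    zip_path = out_dir / f"{digest}.zip"
    with zipfile.ZipFile(zip_path, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.write(sample, arcname=sample.name)  # keep the original file name inside

    # Read the member back and re-hash it so a truncated or corrupted archive is caught
    with zipfile.ZipFile(zip_path) as zf:
        archived = zf.read(sample.name)
    if hashlib.sha1(archived).hexdigest() != digest:
        raise RuntimeError("archived content does not match the original SHA-1")

    return {"sha1": digest, "zip": zip_path.name, "size": len(archived)}


def demo() -> dict:
    """Run the packaging flow on constructed inputs (not a real binary) and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        sample = tmp / "GameDownloader.exe"          # constructed, hypothetical file name
        sample.write_bytes(b"hello")                  # constructed sample content
        result = package_sample(sample, tmp / "submit")

        leftover = tmp / "GameDownloader_leftover.exe"
        leftover.write_bytes(b"")                     # mimics the 0-byte entry from the thread
        try:
            package_sample(leftover, tmp / "submit")
            result["empty_rejected"] = False
        except ValueError:
            result["empty_rejected"] = True
        return result


if __name__ == "__main__":
    print(demo())
```

Run it directly to see the archive name, verified size and whether the zero-byte case was rejected; the SHA-1 check after writing is cheap and is the step that would have caught a 0-byte placeholder had the size check not already done so.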
