False positive?


This topic contains 2 replies, has 2 voices, and was last updated by datboi 2 months, 1 week ago.

    #3550

    datboi
    Participant

    Hi, I’m just asking if MOSS is actually safe.
    Anti-Virus detection:
    https://www.virustotal.com/#/file/4fb0f76b62c208660e6b1b8a47d23332d627b9d264c54df5cfbdf80f5874e8ae/detection

    Moss VM behaviour:
    https://www.virustotal.com/#/file/4fb0f76b62c208660e6b1b8a47d23332d627b9d264c54df5cfbdf80f5874e8ae/behavior
    MOSS is mostly detected as Dropper Snojan, which means that the AVs are detecting it as a PUP and a downloader, which is to be expected as the x86 version of MOSS is presumably running on an x64 VM. This is evident as it contacts these websites:

    [EDITED BY ADMIN]

    However, the unexplained detections (not including generic, PUP, and downloader detections), such as Artemis!1A23AFD455F6 (a trojan that disables Task Manager, Folder Options, the Registry and the command prompt by adding values to the registry key)

    Thanks!

    BTW: Here’s a Log of the VM:
    SHA256: 4fb0f76b62c208660e6b1b8a47d23332d627b9d264c54df5cfbdf80f5874e8ae
    File type: EXE
    Copyright: N0hope
    Version: 4.6.6.0—4,6,6,0
    Shell or compiler: COMPILER:Microsoft Visual Studio .NET 2005 — 2008 -> Microsoft Corporation *
    Sub-file information:
    C:\Documents and Settings\Administrator\Local Settings\Temp\EB93A6\996E.exe.dump\2001dumpFile / d0944f9f1db8d36f9940aedaef93b832 / DLL

    Key behaviour
    Behaviour: Set special directory property
    Detail info:
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
    C:\Documents and Settings\Administrator\Local Settings\History
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
    C:\Documents and Settings\Administrator\Cookies
    C:\Documents and Settings\Administrator\Local Settings\History\History.IE5

    File
    Behaviour: Create file
    Detail info:
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\2865[1]
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ga[1].php

    Behaviour: Set special directory property
    Detail info:
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
    C:\Documents and Settings\Administrator\Local Settings\History
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
    C:\Documents and Settings\Administrator\Cookies
    C:\Documents and Settings\Administrator\Local Settings\History\History.IE5

    Behaviour: File remove
    Detail info:
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ga[1].php
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\2865[1]

    Behaviour: Find file
    Detail info:
    FileName = C:\Documents and Settings
    FileName = C:\Documents and Settings\Administrator
    FileName = C:\Documents and Settings\Administrator\Local Settings
    FileName = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
    FileName = C:\WINDOWS\system32\Ras\*.pbk
    FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk

    Network
    Behaviour: Open Url
    Detail info:
    [EDITED BY ADMIN]
    [EDITED BY ADMIN]
    0x00cc0008, Flags = 0x80000d10

    Behaviour: Connect to host
    Detail info:
    InternetConnectA: ServerName = no****eu, PORT = 80, UserName = , Password = , hSession = 0x00cc0008, hConnect = 0x00cc0014, Flags = 0x80000d10
    InternetConnectA: ServerName = no****eu, PORT = 80, UserName = , Password = , hSession = 0x00cc0008, hConnect = 0x00cc001c, Flags = 0x80000d10

    Behaviour: Open Http connection
    Detail info:
    InternetOpenA: UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36, hSession = 0x00cc0004
    InternetOpenA: UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36, hSession = 0x00cc0008
    InternetOpenA: UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36, hSession = 0x00cc000c
    InternetOpenA: UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36, hSession = 0x00cc0010

    Behaviour: Connect to host
    Detail info:
    URL: no****eu, IP: **.133.40.**:80, SOCKET = 0x000001a8
    URL: no****eu, IP: **.133.40.**:80, SOCKET = 0x000001b4

    Behaviour: Read internet file
    Detail info:
    hFile = 0x00cc0018, BytesToRead =100000, BytesRead = 100000.
    hFile = 0x00cc0020, BytesToRead =100000, BytesRead = 100000.

    Behaviour: Send Http request
    Detail info:
    [EDITED BY ADMIN]

    Behaviour: Get host address by name
    Detail info:
    GetAddrInfoW: no****eu

    Registry
    Behaviour: Modify registry
    Detail info:
    \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

    Behaviour: Delete registry item
    Detail info:
    \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
    \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
    \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL

    Other
    Behaviour: Detect debug environment
    Detail info:
    IsDebuggerPresent

    Behaviour: Create mutex
    Detail info:
    ZonesCounterMutex
    ZonesCacheCounterMutex
    ZonesLockedCacheCounterMutex
    oleacc-msaa-loaded
    RasPbFile
    CTF.LBES.MutexDefaultS-*
    CTF.Compart.MutexDefaultS-*
    CTF.Asm.MutexDefaultS-*
    CTF.Layouts.MutexDefaultS-*
    CTF.TMD.MutexDefaultS-*
    CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
    MSCTF.Shared.MUTEX.EBH

    Behaviour: Create event
    Detail info:
    EventName = DINPUTWINMM
    EventName = Global\crypt32LogoffEvent
    EventName = Global\userenv: User Profile setup event

    Behaviour: Find specific window
    Detail info:
    NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]

    Behaviour: Window information
    Detail info:
    Pid = 2432, Hwnd=0x10318, Text = 确定, ClassName = Button.
    Pid = 2432, Hwnd=0x1031a, Text = Cant Update! error 1, ClassName = Static.
    Pid = 2432, Hwnd=0x40314, Text = MOSS, ClassName = #32770.

    Behaviour: Open event
    Detail info:
    HookSwitchHookEnabledEvent
    Global\crypt32LogoffEvent
    \SECURITY\LSA_AUTHENTICATION_INITIALIZED
    Global\SvcctrlStartEvent_A3752DX
    \INSTALLATION_SECURITY_HOLD
    CTF.ThreadMIConnectionEvent.00000714.00000000.00000012
    CTF.ThreadMarshalInterfaceEvent.00000714.00000000.00000012
    MSCTF.SendReceiveConection.Event.EBH.IC
    MSCTF.SendReceive.Event.EBH.IC

    Behaviour: Open mutex
    Detail info:
    _!MSFTHISTORY!_
    c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
    c:!documents and settings!administrator!cookies!
    c:!documents and settings!administrator!local settings!history!history.ie5!
    WininetStartupMutex
    WininetConnectionMutex
    WininetProxyRegistryMutex
    RasPbFile
    ShimCacheMutex

    • This topic was modified 2 months, 1 week ago by datboi.
    • This topic was modified 2 months, 1 week ago by nohope.
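As an added example (not code from the post, from datboi, or from Moss), a small Python triage helper for a behaviour log in the layout pasted above: it groups the log into behaviour categories, lists the hosts contacted (masked as in the log), and counts the behaviours a reviewer would check first against what the vendor says the program does. The section names and the SAMPLE_LOG excerpt are assumptions constructed from the log's own format.

```python
"""Triage a Behaviour/Detail-info sandbox log like the one pasted above.
Added example (not from the post or Moss); SAMPLE_LOG is a constructed excerpt."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Network
Behaviour: Connect to host
Detail info:
InternetConnectA: ServerName = no****eu, PORT = 80, UserName = , hSession = 0x00cc0008

URL: no****eu, IP: **.133.40.**:80, SOCKET = 0x000001a8
Registry
Behaviour: Delete registry item
Detail info:
\\REGISTRY\\USER\\S-*\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer
Other
Behaviour: Detect debug environment
Detail info:
IsDebuggerPresent
"""
# Section names as they appear in the log (assumed fixed) and the
# behaviours a reviewer checks first; everything else is treated as noise.
SECTIONS = {"Key behaviour", "File", "Network", "Registry", "Other"}
FLAGGED = {"Detect debug environment": "anti-analysis", "Modify registry": "registry write",
           "Delete registry item": "registry delete", "Connect to host": "outbound connection",
           "Get host address by name": "dns lookup"}

def parse_log(text):
    """Return {behaviour: [detail lines]}; blanks, headers and section names are skipped."""
    entries, current = defaultdict(list), None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line == "Detail info:" or line in SECTIONS:
            continue
        if line.startswith("Behaviour:"):
            current = line[len("Behaviour:"):].strip()
            entries.setdefault(current, [])  # keep behaviours that have no detail lines
        elif current:
            entries[current].append(line)
    return dict(entries)

def hosts_contacted(entries):
    """Distinct server names from connect and DNS-lookup lines (masked as in the log)."""
    lines = entries.get("Connect to host", []) + entries.get("Get host address by name", [])
    hits = (re.search(r"(?:ServerName = |URL: |GetAddrInfoW: )([^,]+)", l) for l in lines)
    return sorted({m.group(1).strip() for m in hits if m})

def triage(entries):
    """Flagged behaviour label -> number of detail lines, for a quick read of the log."""
    return {FLAGGED[b]: len(d) for b, d in entries.items() if b in FLAGGED}
```

Run parse_log on the full log from the post and compare hosts_contacted and triage against the four network functions the author lists in the reply; anything outside them is what to ask about.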
    #3556

    nohope
    Keymaster

    Well, first, you are not allowed to attempt to reverse engineer Moss, and even less to publish the content and URL; I removed the information from your post.
    Then yes, Moss accesses the Internet to:
    – auto update
    – give me Google Analytics anonymous stats
    – give a server date (not a PC one)
    – get the player's public IP, traced in the log on C class

    Nothing more, nothing less.

    So no, definitively it’s not a virus, trojan, adware or whatever.
    It’s only based on the Windows API and a trusted ZIP lib; the rest is my C code.

    #3557

    datboi
    Participant

    OK, thanks so much! Sorry for the inconvenience; I was not trying to reverse engineer MOSS. The URLs and IPs were in the log and I didn’t realise that they were there, so sorry for the confusion and sorry for the hassle. Thank you so much for clearing up the confusion! BTW, delete the post if you want to, cos the VirusTotal scan and VM URLs are still there; there might be some sensitive stuff, so you might wanna delete that. I’m really sorry about that.

    • This reply was modified 2 months, 1 week ago by datboi.