False positive?
This topic has 2 replies, 2 voices, and was last updated 2 years, 4 months ago by datboi.
September 9, 2018 at 3:21 am #3550
datboi (Participant)
Hi, I’m just asking if MOSS is actually safe.
Anti-Virus detection:
https://www.virustotal.com/#/file/4fb0f76b62c208660e6b1b8a47d23332d627b9d264c54df5cfbdf80f5874e8ae/detection
Moss VM behaviour:
https://www.virustotal.com/#/file/4fb0f76b62c208660e6b1b8a47d23332d627b9d264c54df5cfbdf80f5874e8ae/behavior
MOSS is mostly detected as Dropper Snojan, which means that the AVs are detecting it as a PUP and a downloader, which is to be expected as the x86 version of MOSS is presumably running on an x64 VM. This is evident as it contacts these websites: [EDITED BY ADMIN]
However, the unexplained detections (not including generic, PUP, and downloader detections), such as Artemis!1A23AFD455F6 (a trojan that disables Task Manager, Folder Options, the Registry and the command prompt by adding values to the registry key)
Thanks!
BTW: Here’s a log of the VM:
SHA256: 4fb0f76b62c208660e6b1b8a47d23332d627b9d264c54df5cfbdf80f5874e8ae
File type: EXE
Copyright: N0hope
Version: 4.6.6.0—4,6,6,0
Shell or compiler: COMPILER:Microsoft Visual Studio .NET 2005 — 2008 -> Microsoft Corporation *
Sub-file information:
C:\Documents and Settings\Administrator\Local Settings\Temp\EB93A6\996E.exe.dump\2001dumpFile / d0944f9f1db8d36f9940aedaef93b832 / DLL
Key behaviour
Behaviour: Set special directory property
Detail info:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
File
Behaviour: Create file
Detail info:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\2865[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ga[1].php
Behaviour: Set special directory property
Detail info:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
Behaviour: File remove
Detail info:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ga[1].php
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\2865[1]
Behaviour: Find file
Detail info:
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\WINDOWS\system32\Ras\*.pbk
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Network
Behaviour: Open Url
Detail info:
[EDITED BY ADMIN][EDITED BY ADMIN]
0x00cc0008, Flags = 0x80000d10
Behaviour: Connect to host
Detail info:
InternetConnectA: ServerName = no****eu, PORT = 80, UserName = , Password = , hSession = 0x00cc0008, hConnect = 0x00cc0014, Flags = 0x80000d10
InternetConnectA: ServerName = no****eu, PORT = 80, UserName = , Password = , hSession = 0x00cc0008, hConnect = 0x00cc001c, Flags = 0x80000d10
Behaviour: Open Http connection
Detail info:
InternetOpenA: UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36, hSession = 0x00cc0004
InternetOpenA: UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36, hSession = 0x00cc0008
InternetOpenA: UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36, hSession = 0x00cc000c
InternetOpenA: UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36, hSession = 0x00cc0010
Behaviour: Connect to host
Detail info:
URL: no****eu, IP: **.133.40.**:80, SOCKET = 0x000001a8
URL: no****eu, IP: **.133.40.**:80, SOCKET = 0x000001b4
Behaviour: Read internet file
Detail info:
hFile = 0x00cc0018, BytesToRead =100000, BytesRead = 100000.
hFile = 0x00cc0020, BytesToRead =100000, BytesRead = 100000.
Behaviour: Send Http request
Detail info:[EDITED BY ADMIN]
Behaviour: Get host address by name
Detail info:
GetAddrInfoW: no****eu
Registry
Behaviour: Modify registry
Detail info:
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Behaviour: Delete registry item
Detail info:
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Other
Behaviour: Detect debug environment
Detail info:
IsDebuggerPresent
Behaviour: Create mutex
Detail info:
ZonesCounterMutex
ZonesCacheCounterMutex
ZonesLockedCacheCounterMutex
oleacc-msaa-loaded
RasPbFile
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.EBH
Behaviour: Create event
Detail info:
EventName = DINPUTWINMM
EventName = Global\crypt32LogoffEvent
EventName = Global\userenv: User Profile setup event
Behaviour: Find specific window
Detail info:
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
Behaviour: Window information
Detail info:
Pid = 2432, Hwnd=0x10318, Text = 确定, ClassName = Button.
Pid = 2432, Hwnd=0x1031a, Text = Cant Update! error 1, ClassName = Static.
Pid = 2432, Hwnd=0x40314, Text = MOSS, ClassName = #32770.
Behaviour: Open event
Detail info:
HookSwitchHookEnabledEvent
Global\crypt32LogoffEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\SvcctrlStartEvent_A3752DX
\INSTALLATION_SECURITY_HOLD
CTF.ThreadMIConnectionEvent.00000714.00000000.00000012
CTF.ThreadMarshalInterfaceEvent.00000714.00000000.00000012
MSCTF.SendReceiveConection.Event.EBH.IC
MSCTF.SendReceive.Event.EBH.IC
Behaviour: Open mutex
Detail info:
_!MSFTHISTORY!_
c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
c:!documents and settings!administrator!cookies!
c:!documents and settings!administrator!local settings!history!history.ie5!
WininetStartupMutex
WininetConnectionMutex
WininetProxyRegistryMutex
RasPbFile
ShimCacheMutex
This topic was modified 2 years, 4 months ago by datboi.
This topic was modified 2 years, 4 months ago by ADM_nohope.
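A log like the one above is what a practitioner ends up triaging by hand, so here is an added example (not code from this thread, from Moss, or from the sandbox vendor) of a small Python parser for that "Behaviour: / Detail info:" layout. It sorts entries into library side effects (WinInet cache directories and mutexes, Text Services Framework objects, RAS phonebook lookups) versus items worth a closer look (outbound HTTP, proxy registry changes, debugger checks), and pulls the host and IP indicators out of the Network section for an allow/block review. The sample log, the host name redacted.example and the IP 198.51.100.7 are constructed placeholders, and the allow-list patterns are my own heuristics, not a verdict on Moss.

```python
import re

# Section headers used by the posted sandbox log (assumption: the set is fixed).
SECTION_HEADERS = {"Key behaviour", "File", "Network", "Registry", "Other"}

# Constructed excerpt in the same layout as the posted log; host/IP are placeholders.
SAMPLE_LOG = r"""
Key behaviour
Behaviour: Set special directory property
Detail info:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
File
Behaviour: Create file
Detail info:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ga[1].php
Behaviour: Find file
Detail info:
FileName = C:\WINDOWS\system32\Ras\*.pbk
Network
Behaviour: Connect to host
Detail info:
InternetConnectA: ServerName = redacted.example, PORT = 80, UserName = , Password = , hSession = 0x00cc0008, hConnect = 0x00cc0014, Flags = 0x80000d10
URL: redacted.example, IP: 198.51.100.7:80, SOCKET = 0x000001a8
Behaviour: Get host address by name
Detail info:
GetAddrInfoW: redacted.example
Registry
Behaviour: Delete registry item
Detail info:
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
Other
Behaviour: Detect debug environment
Detail info:
IsDebuggerPresent
Behaviour: Create mutex
Detail info:
WininetStartupMutex
CTF.LBES.MutexDefaultS-*
SomeUnknownMutexName
"""


def parse_log(text):
    """Return a list of (section, behaviour, detail) tuples from the report text."""
    section, behaviour, entries = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section, behaviour = line, None
        elif line.startswith("Behaviour:"):
            behaviour = line.split(":", 1)[1].strip()
        elif line == "Detail info:":
            continue
        elif behaviour is not None:
            entries.append((section, behaviour, line))
    return entries


# Side effects commonly produced by the Windows libraries a WinInet-based program loads
# (heuristic allow-list, an assumption of this example).
LIBRARY_NOISE = [
    (re.compile(r"\\Temporary Internet Files|\\Cookies$|\\History(\\History\.IE5)?$", re.I), "WinInet cache/history directory"),
    (re.compile(r"^Wininet\w+Mutex$|^_!MSFTHISTORY!_$|^c:!documents and settings!", re.I), "WinInet cache mutex"),
    (re.compile(r"^(CTF|MSCTF)\."), "Text Services Framework (msctf) object"),
    (re.compile(r"^Zones\w*CounterMutex$"), "Internet zone counter (urlmon)"),
    (re.compile(r"^RasPbFile$|\\\*\.pbk$"), "RAS phonebook lookup (WinInet autodial)"),
]

# Entries a defender should look at rather than wave through.
REVIEW = [
    (re.compile(r"^IsDebuggerPresent$"), "debugger check (packers, but also runtime libraries)"),
    (re.compile(r"^(InternetConnectA|InternetOpenA|GetAddrInfoW|URL):|^hFile = "), "outbound HTTP activity"),
    (re.compile(r"Internet Settings\\(ProxyServer|ProxyOverride|AutoConfigURL|Connections\\SavedLegacySettings)$"), "browser proxy settings modified or removed"),
]


def triage(text):
    """Bucket every entry: known library noise first, then review rules, else unclassified."""
    buckets = {"library_noise": [], "review": [], "unclassified": []}
    for _section, behaviour, detail in parse_log(text):
        for rules, bucket in ((LIBRARY_NOISE, "library_noise"), (REVIEW, "review")):
            reason = next((r for rx, r in rules if rx.search(detail)), None)
            if reason:
                buckets[bucket].append((behaviour, detail, reason))
                break
        else:
            buckets["unclassified"].append((behaviour, detail, "no rule matched; inspect manually"))
    return buckets


def network_indicators(text):
    """Collect host names and IP:port pairs from the Network section (sorted lists)."""
    hosts, ips = set(), set()
    rx = re.compile(r"ServerName = ([^,]+)|GetAddrInfoW: (\S+)|URL: ([^,]+), IP: ([^,]+)")
    for section, _behaviour, detail in parse_log(text):
        if section != "Network":
            continue
        for m in rx.finditer(detail):
            host = m.group(1) or m.group(2) or m.group(3)
            if host:
                hosts.add(host.strip())
            if m.group(4):
                ips.add(m.group(4).strip())
    return sorted(hosts), sorted(ips)


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(f"== {bucket} ({len(items)})")
        for behaviour, detail, reason in items:
            print(f"  [{behaviour}] {detail}\n      -> {reason}")
    print("hosts/ips:", network_indicators(SAMPLE_LOG))
```

The point of the two-tier matching is that the allow-list is consulted first: a cache file under Temporary Internet Files is filed as WinInet noise even though it is a "Create file" event, while anything that no rule recognises lands in the unclassified bucket instead of being silently accepted. On a real report the host and IP lists are what you compare against the vendor's documented update and analytics endpoints.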
September 9, 2018 at 9:47 am #3556
ADM_nohope (Keymaster)
Well, first you are not allowed to attempt to reverse engineer Moss and even less to publish the content and URL; I removed the information from your post.
Then yes, Moss accesses the Internet to:
– auto update
– give me Google Analytics anonymous stats
– give a server date (not a PC one)
– get the player public IP, traced in log on C class
Nothing more, nothing less.
So no, definitively it’s not a virus, trojan, adware or whatever.
It’s only based on Windows API and a trusted ZIP lib; the rest is my C code.
September 9, 2018 at 11:11 am #3557
datboi (Participant)
OK, thanks so much! Sorry for the inconvenience. I was not trying to reverse engineer MOSS; the URLs and IPs were in the log and I didn’t realise that they were there, so sorry for the confusion and sorry for the hassle. Thank you so much for clearing up the confusion! BTW, delete the post if you want to, cos the VirusTotal scan and VM URLs are still there; there might be some sensitive stuff so you might wanna delete that. I’m really sorry about that.
This reply was modified 2 years, 4 months ago by datboi.