False positive?

[datboi]

Hi, I’m just asking if MOSS is actually safe.
Anti-Virus detection:
https://www.virustotal.com/#/file/4fb0f76b62c208660e6b1b8a47d23332d627b9d264c54df5cfbdf80f5874e8ae/detection

Moss VM behaviour:
https://www.virustotal.com/#/file/4fb0f76b62c208660e6b1b8a47d23332d627b9d264c54df5cfbdf80f5874e8ae/behavior
MOSS is mostly detected as Dropper Snojan, of which means that the AVs are detecting it as a PUP and a downloader, which is to be expected as the x86 version of MOSS is presumably running on an x64 VM. This is evident as it contacts these websites:

[EDITED BY ADMIN]

However the unexplained detections (not including generic, PUP, and downloader detections), such as Artemis!1A23AFD455F6 (A trojan that disables Task Manager, Folder Option, Registry and the command prompt by adding values to the registry key)

Thanks!

BTW: Here’s a Log of the VM:
SHA256: 4fb0f76b62c208660e6b1b8a47d23332d627b9d264c54df5cfbdf80f5874e8ae
File type: EXE
Copyright: N0hope
Version: 4.6.6.0—4,6,6,0
Shell or compiler: COMPILER:Microsoft Visual Studio .NET 2005 — 2008 -> Microsoft Corporation *
Sub-file information:
C:\Documents and Settings\Administrator\Local Settings\Temp\EB93A6\996E.exe.dump\2001dumpFile / d0944f9f1db8d36f9940aedaef93b832 / DLL
Key behaviour
Behaviour: Set special directory property
Detail info:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files

C:\Documents and Settings\Administrator\Local Settings\History

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5

C:\Documents and Settings\Administrator\Cookies

C:\Documents and Settings\Administrator\Local Settings\History\History.IE5

File
Behaviour: Create file
Detail info:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\2865[1]

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ga[1].php

Behaviour: Set special directory property
Detail info:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files

C:\Documents and Settings\Administrator\Local Settings\History

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5

C:\Documents and Settings\Administrator\Cookies

C:\Documents and Settings\Administrator\Local Settings\History\History.IE5

Behaviour: File remove
Detail info:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ga[1].php

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\2865[1]

Behaviour: Find file
Detail info:
FileName = C:\Documents and Settings

FileName = C:\Documents and Settings\Administrator

FileName = C:\Documents and Settings\Administrator\Local Settings

FileName = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk

FileName = C:\WINDOWS\system32\Ras\*.pbk

FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk

Network
Behaviour: Open Url
Detail info:
[EDITED BY ADMIN]

[EDITED BY ADMIN]

0x00cc0008, Flags = 0x80000d10

Behaviour: Connect to host
Detail info:
InternetConnectA: ServerName = no****eu, PORT = 80, UserName = , Password = , hSession = 0x00cc0008, hConnect = 0x00cc0014, Flags = 0x80000d10

InternetConnectA: ServerName = no****eu, PORT = 80, UserName = , Password = , hSession = 0x00cc0008, hConnect = 0x00cc001c, Flags = 0x80000d10

Behaviour: Open Http connection
Detail info:
InternetOpenA: UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36, hSession = 0x00cc0004

InternetOpenA: UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36, hSession = 0x00cc0008

InternetOpenA: UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36, hSession = 0x00cc000c

InternetOpenA: UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36, hSession = 0x00cc0010

Behaviour: Connect to host
Detail info:
URL: no****eu, IP: **.133.40.**:80, SOCKET = 0x000001a8

URL: no****eu, IP: **.133.40.**:80, SOCKET = 0x000001b4

Behaviour: Read internet file
Detail info:
hFile = 0x00cc0018, BytesToRead =100000, BytesRead = 100000.

hFile = 0x00cc0020, BytesToRead =100000, BytesRead = 100000.

Behaviour: Send Http request
Detail info:

[EDITED BY ADMIN]

Behaviour: Get host address by name
Detail info:
GetAddrInfoW: no****eu

Registry
Behaviour: Modify registry
Detail info:
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Behaviour: Delete registry item
Detail info:
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer

\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride

\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL

Other
Behaviour: Detect debug environment
Detail info:
IsDebuggerPresent

Behaviour: Create mutex
Detail info:
ZonesCounterMutex

ZonesCacheCounterMutex

ZonesLockedCacheCounterMutex

oleacc-msaa-loaded

RasPbFile

CTF.LBES.MutexDefaultS-*

CTF.Compart.MutexDefaultS-*

CTF.Asm.MutexDefaultS-*

CTF.Layouts.MutexDefaultS-*

CTF.TMD.MutexDefaultS-*

CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*

MSCTF.Shared.MUTEX.EBH

Behaviour: Create event
Detail info:
EventName = DINPUTWINMM

EventName = Global\crypt32LogoffEvent

EventName = Global\userenv: User Profile setup event

Behaviour: Find specific window
Detail info:
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]

Behaviour: Window information
Detail info:
Pid = 2432, Hwnd=0x10318, Text = 确定, ClassName = Button.

Pid = 2432, Hwnd=0x1031a, Text = Cant Update! error 1, ClassName = Static.

Pid = 2432, Hwnd=0x40314, Text = MOSS, ClassName = #32770.

Behaviour: Open event
Detail info:
HookSwitchHookEnabledEvent

Global\crypt32LogoffEvent

\SECURITY\LSA_AUTHENTICATION_INITIALIZED

Global\SvcctrlStartEvent_A3752DX

\INSTALLATION_SECURITY_HOLD

CTF.ThreadMIConnectionEvent.00000714.00000000.00000012

CTF.ThreadMarshalInterfaceEvent.00000714.00000000.00000012

MSCTF.SendReceiveConection.Event.EBH.IC

MSCTF.SendReceive.Event.EBH.IC

Behaviour: Open mutex
Detail info:
_!MSFTHISTORY!_

c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

c:!documents and settings!administrator!cookies!

c:!documents and settings!administrator!local settings!history!history.ie5!

WininetStartupMutex

WininetConnectionMutex

WininetProxyRegistryMutex

RasPbFile

ShimCacheMutex

• This topic was modified 3 years, 1 month ago by datboi.
• This topic was modified 3 years, 1 month ago by datboi.
• This topic was modified 3 years, 1 month ago by ADM_nohope.
• This topic was modified 3 years, 1 month ago by ADM_nohope.

[ADM_nohope]

well, first you are not allowed to attempt to reverse engineer Moss and even less to publish the content and URL, I removed the information from your post
then yes Moss acces to Internet to :
– auto update
– give me Google analytics anonimous stats
– give a server Date ( not a pc one)
– get the player public IP , traced in log on C class

nothing more , nothing less.

so no definitively it’s not a virus , trojan , adware or whatever.
it’s only based on windows API and a trusted ZIP lib, rest is my C code

[datboi]

OK, Thanks so much! Sorry for the inconvenience, I was not trying to reverse engineer MOSS, the URLs and IPs were in the log and I didn’t realise that they were there, so sorry for the confusion and sorry for the hassle. Thank you so much for clearing up the confusion! BTW, delete the post if you want to, cos the Virustotal and scan and VM URL is still there, there might be some sensitive stuff so you might wanna delete that. I’m really sorry about that.

• This reply was modified 3 years, 1 month ago by datboi.

[Author]

Posts