Old version of Bluestacks detected as ransomware.

PositiveProtection · July 31, 2018

I have been using an old version of Bluestacks for quite some time. This is a pre-rooted official download that I have modified using the BSTweaker tool, available at xda-developers, only now, after quite some time, the detection happened, and I believe it to be false positive, as logic leads me to assume I would have noticed by now if I have had a ransomware in my system for such a long time. Here's my log:

-Log Details-
Protection Event Date: 7/29/18
Protection Event Time: 12:47 PM
Log File: 90717434-9346-11e8-8c6b-00ac430a045a.json
Administrator: Yes

-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.391
Update Package Version: 1.0.6117
License: Premium

-System Information-
OS: Windows 8.1
CPU: x64
File System: NTFS
User: System

-Ransomware Details-
File: 4
Malware.Ransom.Agent.Generic, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\BlueStacks.lnk, Quarantined, [0], [392685],0.0.0
Malware.Ransom.Agent.Generic, C:\PROGRAMDATA\Microsoft\Windows\Start Menu\BlueStacks.lnk, Quarantined, [0], [392685],0.0.0
Malware.Ransom.Agent.Generic, C:\USERS\PUBLIC\DESKTOP\BlueStacks.lnk, Quarantined, [0], [392685],0.0.0
Malware.Ransom.Agent.Generic, C:\Program Files (x86)\Bluestacks\Bluestacks.exe, Quarantined, [0], [392685],0.0.0

(end)

90717434-9346-11e8-8c6b-00ac430a045a.json

82083EF1EC1ABDBBE16DF3535CA207A1BAA3C52195781B8AEB4EFDBF2C759DE0
{
   "applicationVersion" : "3.5.1.2522",
   "clientID" : "",
   "clientType" : "other",
   "componentsUpdatePackageVersion" : "1.0.391",
   "cpu" : "x64",
   "dbSDKUpdatePackageVersion" : "1.0.6117",
   "detectionDateTime" : "2018-07-29T15:47:04Z",
   "fileSystem" : "NTFS",
   "id" : "90717434-9346-11e8-8c6b-00ac430a045a",
   "isUserAdmin" : true,
   "licenseState" : "licensed",
   "linkagePhaseComplete" : true,
   "loggedOnUserName" : "System",
   "machineID" : "",
   "os" : "Windows 8.1",
   "schemaVersion" : 10,
   "sourceDetails" : {
      "type" : "arw"
   },
   "threats" : [
      {
         "linkedTraces" : [
            {
               "cleanAction" : "quarantine",
               "cleanResult" : "successful",
               "cleanResultErrorCode" : 0,
               "cleanTime" : "2018-07-29T15:47:20Z",
               "generatedByPostCleanupAction" : false,
               "id" : "acb5e8d2-9346-11e8-baff-00ac430a045a",
               "linkType" : "linkedTrace",
               "objectMD5" : "F2A48C82BD63457B59BC232CD8B96294",
               "objectPath" : "C:\\DOCUMENTS AND SETTINGS\\PUBLIC\\Desktop\\BlueStacks.lnk",
               "objectSha256" : "EAF39E302DC78E97B949253764DE9C9D22F71AC98BBBEF09039D400FE0ED6F9B",
               "objectType" : "file",
               "suggestedAction" : {
                  "chromeExtensionOther" : false,
                  "chromeExtensionPreferences" : false,
                  "chromeExtensionSecurePreferences" : false,
                  "chromeExtensionSyncData" : false,
                  "chromeUrlOther" : false,
                  "chromeUrlSecurePreferences" : false,
                  "chromeUrlSyncData" : false,
                  "chromeUrlWebData" : false,
                  "fileDelete" : true,
                  "fileReplace" : false,
                  "fileTxtReplace" : false,
                  "folderDelete" : false,
                  "isChromeObject" : false,
                  "isExternalDetection" : false,
                  "isWMIEventConsumer" : false,
                  "killProcess" : false,
                  "minimalWhiteListing" : false,
                  "moduleUnload" : false,
                  "noLinking" : false,
                  "physicalSectorReplace" : false,
                  "priorityHigh" : false,
                  "priorityNormal" : false,
                  "priorityUrgent" : false,
                  "processUnload" : false,
                  "regKeyDelete" : false,
                  "regValueDelete" : false,
                  "regValueReplace" : false,
                  "shortcutReplace" : false,
                  "treatAsRootkit" : false,
                  "useDDA" : false
               }
            },
            {
               "cleanAction" : "quarantine",
               "cleanResult" : "successful",
               "cleanResultErrorCode" : 0,
               "cleanTime" : "2018-07-29T15:47:20Z",
               "generatedByPostCleanupAction" : false,
               "id" : "ad105d94-9346-11e8-bd2a-00ac430a045a",
               "linkType" : "linkedTrace",
               "objectMD5" : "F2A48C82BD63457B59BC232CD8B96294",
               "objectPath" : "C:\\PROGRAMDATA\\Microsoft\\Windows\\Start Menu\\BlueStacks.lnk",
               "objectSha256" : "EAF39E302DC78E97B949253764DE9C9D22F71AC98BBBEF09039D400FE0ED6F9B",
               "objectType" : "file",
               "suggestedAction" : {
                  "chromeExtensionOther" : false,
                  "chromeExtensionPreferences" : false,
                  "chromeExtensionSecurePreferences" : false,
                  "chromeExtensionSyncData" : false,
                  "chromeUrlOther" : false,
                  "chromeUrlSecurePreferences" : false,
                  "chromeUrlSyncData" : false,
                  "chromeUrlWebData" : false,
                  "fileDelete" : true,
                  "fileReplace" : false,
                  "fileTxtReplace" : false,
                  "folderDelete" : false,
                  "isChromeObject" : false,
                  "isExternalDetection" : false,
                  "isWMIEventConsumer" : false,
                  "killProcess" : false,
                  "minimalWhiteListing" : false,
                  "moduleUnload" : false,
                  "noLinking" : false,
                  "physicalSectorReplace" : false,
                  "priorityHigh" : false,
                  "priorityNormal" : false,
                  "priorityUrgent" : false,
                  "processUnload" : false,
                  "regKeyDelete" : false,
                  "regValueDelete" : false,
                  "regValueReplace" : false,
                  "shortcutReplace" : false,
                  "treatAsRootkit" : false,
                  "useDDA" : false
               }
            },
            {
               "cleanAction" : "quarantine",
               "cleanResult" : "successful",
               "cleanResultErrorCode" : 2,
               "cleanTime" : "2018-07-29T15:47:20Z",
               "generatedByPostCleanupAction" : false,
               "id" : "ad3b229a-9346-11e8-8dfb-00ac430a045a",
               "linkType" : "linkedTrace",
               "objectMD5" : "F2A48C82BD63457B59BC232CD8B96294",
               "objectPath" : "C:\\USERS\\PUBLIC\\DESKTOP\\BlueStacks.lnk",
               "objectSha256" : "EAF39E302DC78E97B949253764DE9C9D22F71AC98BBBEF09039D400FE0ED6F9B",
               "objectType" : "file",
               "suggestedAction" : {
                  "chromeExtensionOther" : false,
                  "chromeExtensionPreferences" : false,
                  "chromeExtensionSecurePreferences" : false,
                  "chromeExtensionSyncData" : false,
                  "chromeUrlOther" : false,
                  "chromeUrlSecurePreferences" : false,
                  "chromeUrlSyncData" : false,
                  "chromeUrlWebData" : false,
                  "fileDelete" : true,
                  "fileReplace" : false,
                  "fileTxtReplace" : false,
                  "folderDelete" : false,
                  "isChromeObject" : false,
                  "isExternalDetection" : false,
                  "isWMIEventConsumer" : false,
                  "killProcess" : false,
                  "minimalWhiteListing" : false,
                  "moduleUnload" : false,
                  "noLinking" : false,
                  "physicalSectorReplace" : false,
                  "priorityHigh" : false,
                  "priorityNormal" : false,
                  "priorityUrgent" : false,
                  "processUnload" : false,
                  "regKeyDelete" : false,
                  "regValueDelete" : false,
                  "regValueReplace" : false,
                  "shortcutReplace" : false,
                  "treatAsRootkit" : false,
                  "useDDA" : false
               }
            }
         ],
         "mainTrace" : {
            "cleanAction" : "quarantine",
            "cleanResult" : "successful",
            "cleanResultErrorCode" : 0,
            "cleanTime" : "2018-07-29T15:47:19Z",
            "generatedByPostCleanupAction" : false,
            "id" : "a446c842-9346-11e8-b5a5-00ac430a045a",
            "linkType" : "none",
            "objectMD5" : "ed774be458dbc9a7022e51849483713c",
            "objectPath" : "C:\\Program Files (x86)\\Bluestacks\\Bluestacks.exe",
            "objectSha256" : "1bb4b1eb8a126efd77656295d8c930bec0ffc40c1b3c1e50729d616eb78a71f8",
            "objectType" : "file",
            "suggestedAction" : {
               "chromeExtensionOther" : false,
               "chromeExtensionPreferences" : false,
               "chromeExtensionSecurePreferences" : false,
               "chromeExtensionSyncData" : false,
               "chromeUrlOther" : false,
               "chromeUrlSecurePreferences" : false,
               "chromeUrlSyncData" : false,
               "chromeUrlWebData" : false,
               "fileDelete" : true,
               "fileReplace" : false,
               "fileTxtReplace" : false,
               "folderDelete" : false,
               "isChromeObject" : false,
               "isExternalDetection" : false,
               "isWMIEventConsumer" : false,
               "killProcess" : false,
               "minimalWhiteListing" : false,
               "moduleUnload" : false,
               "noLinking" : false,
               "physicalSectorReplace" : false,
               "priorityHigh" : false,
               "priorityNormal" : false,
               "priorityUrgent" : false,
               "processUnload" : false,
               "regKeyDelete" : false,
               "regValueDelete" : false,
               "regValueReplace" : false,
               "shortcutReplace" : false,
               "treatAsRootkit" : false,
               "useDDA" : false
            }
         },
         "ruleID" : 392685,
         "rulesVersion" : "0.0.0",
         "threatID" : 0,
         "threatName" : "Malware.Ransom.Agent.Generic"
      }
   ],
   "threatsDetected" : 1
}

miekiemoes · July 31, 2018

Hi,

Thanks for reporting. This has been fixed and should no longer be detected.

PositiveProtection · July 31, 2018

Thanks. Out of curiosity, what caused it to be detected as ransomware?

miekiemoes · July 31, 2018

Unsure what exactly, but the Antiransomware detection is based on behavior detection, so something triggered this when running Bluestacks. Maybe because it was enumerating/injecting/modifying quite a bit of files (which I believe is the case when using the BSTweaker tool)?

Sign In

Old version of Bluestacks detected as ransomware.

Recommended Posts

PositiveProtection

Link to post

Share on other sites

miekiemoes

Link to post

Share on other sites

PositiveProtection

Link to post

Share on other sites

miekiemoes

Link to post

Share on other sites

Create an account or sign in to comment

Create an account

Sign in

Recently Browsing 0 members

Browse

Activity

Personal

Business

Business Modules

Partners

Learn

Start here

Type of malware/attacks

How does it get on my computer?

Scams and grifts

Support

Important Information