
JJSPLOIT et al. False-positive?


DR_M


Is this a false-positive detection? 

Malware.AI.4165278293, C:\USERS\MAXXY\APPDATA\LOCAL\PROGRAMS\JJSPLOIT\INDICIUM SUPRA.DLL, No Action By User, 1000000, -129689003, 1.0.65833, AD234CD8EBC05C4EF8451A55, dds, 02173581, 42CD8AC756011A21FBAE0FE95DE11D0E, DFF16A67DE18B2D9F8437796FAE6BC6CEFF9E7C953249089ACED406924A55190

Also, I don't remember seeing this before:

Trojan.Agent, C:\USERS\MAXXY\APPDATA\ROAMING\WINDOWS\TELEMETRY\SIHOST64.EXE, No Action By User, 472, 988375, 1.0.65833, A61F6631BDA1F0A476F0E28D, dds, 02173581, 85BB1E5D26DB9E800D6F66803876F4B6, 9E154B4D2A6BBCBF0F97A5141A769B9B306D6FC46A3DC52074A41E97F5897A51

Thank you. :)


  • Staff

Hello,

Looking at the jjsploit file. Don't know yet if it is a false positive.


The second file you listed indeed looks like malware. It may have a brother in the same folder: UpdateService.exe (what else is in there? I don't even have a directory by that name)
https://www.virustotal.com/gui/file/9e154b4d2a6bbcbf0f97a5141a769b9b306d6fc46a3dc52074a41e97f5897a51/detection

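Added example (my own, not from the thread or from Malwarebytes): a PowerShell snippet that parses detection lines in the format quoted in this thread, pulls out the path and the hashes, builds the VirusTotal link the way the reply above does, and, for any file that is still on disk, checks that its current SHA-256 matches the one in the log before you rely on the verdict. The two sample lines are copied from the first post; the field layout (detection, path, action, ..., MD5, SHA-256 last) is inferred from them, and the function name and the "user-writable location" heuristic are my assumptions.

```powershell
# Added example (not from the thread): parse Malwarebytes detection lines, derive VirusTotal links,
# and re-hash any file still on disk. The two sample lines are copied from the first post.
$Lines = @(
    'Malware.AI.4165278293, C:\USERS\MAXXY\APPDATA\LOCAL\PROGRAMS\JJSPLOIT\INDICIUM SUPRA.DLL, No Action By User, 1000000, -129689003, 1.0.65833, AD234CD8EBC05C4EF8451A55, dds, 02173581, 42CD8AC756011A21FBAE0FE95DE11D0E, DFF16A67DE18B2D9F8437796FAE6BC6CEFF9E7C953249089ACED406924A55190',
    'Trojan.Agent, C:\USERS\MAXXY\APPDATA\ROAMING\WINDOWS\TELEMETRY\SIHOST64.EXE, No Action By User, 472, 988375, 1.0.65833, A61F6631BDA1F0A476F0E28D, dds, 02173581, 85BB1E5D26DB9E800D6F66803876F4B6, 9E154B4D2A6BBCBF0F97A5141A769B9B306D6FC46A3DC52074A41E97F5897A51'
)

function ConvertFrom-MbamDetection {
    # Assumed layout, inferred from the samples: detection, path, action, ..., MD5, SHA-256.
    # Splitting on ", " breaks if a path itself contains a comma; the hash checks catch that case.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        $f = $Line -split ',\s*'
        if ($f.Count -lt 5 -or $f[-2] -notmatch '^[0-9A-F]{32}$' -or $f[-1] -notmatch '^[0-9A-F]{64}$') {
            Write-Warning "Skipping line with unexpected layout: $Line"
            return
        }
        $sha256 = $f[-1].ToLower()
        [pscustomobject]@{
            Detection    = $f[0]
            Path         = $f[1]
            Action       = $f[2]
            MD5          = $f[-2]
            SHA256       = $sha256
            # Executables and drivers under a user profile rather than %SystemRoot% or Program Files
            # deserve a closer look whatever the detection name says (heuristic, my assumption).
            UserWritable = $f[1] -match '^[A-Z]:\\Users\\[^\\]+\\AppData\\'
            OnDisk       = Test-Path -LiteralPath $f[1]
            VirusTotal   = "https://www.virustotal.com/gui/file/$sha256/detection"
        }
    }
}

$Detections = $Lines | ConvertFrom-MbamDetection
$Detections | Format-List

# Before trusting a VirusTotal verdict for a file that is still present, make sure the file on disk
# is the one the scanner hashed; a dropper that updates itself will show a different SHA-256.
foreach ($d in $Detections | Where-Object OnDisk) {
    $now = (Get-FileHash -LiteralPath $d.Path -Algorithm SHA256).Hash.ToLower()
    if ($now -ne $d.SHA256) { Write-Warning "$($d.Path) changed since the scan: now $now" }
}
```

Paste the lines from the Malwarebytes scan report into `$Lines` and run it on the affected machine. Both sample paths sit under `C:\Users\...\AppData`, which is why `UserWritable` comes back true for them; the second one also carries a name that mimics a Windows component (the real sihost.exe, the Shell Infrastructure Host, lives in %SystemRoot%\System32), which is a common masquerade and worth noticing on its own.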

  • Staff

That driver can be used in both legit and non legit applications. Makes it kinda vulnerable.
I've seen it in gaming, coin mining, infostealing, hardware monitoring software (fans, vid cards, etc.) and so on.

https://github.com/GermanAizek/WinRing0 gives you an idea what it is about.


Given its location in this case, it was probably part of whatever malware that user had.
I imagine you had them do some FRST logs and such. Was there a registry driver entry associated with this?


Yes, in this case I believe it is part of malware.

From here:

This Coinminer adds the following folders:

%Application Data%\Microsoft\Libs


It drops the following files:

    %Application Data%\Microsoft\Libs\sihost64.exe
    %Application Data%\Microsoft\Libs\WR64.sys
    %User Temp%\Services.exe

 

It's not exactly the same folder names but, as you said, the location places it in the same category.

C:\USERS\MAXXY\APPDATA\ROAMING\WINDOWS\TELEMETRY\SIHOST64.EXE

C:\USERS\MAXXY\APPDATA\ROAMING\WINDOWS\Libs\WR64.sys

 

I asked fresh FRST logs to remove any item left behind. The topic is here.

 

Edited by DR_M
Corrected the last path
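Added example (mine, not from the thread): the two host-side checks the replies above call for. `Get-UserProfileServices` answers the "registry driver entry" question by listing entries under HKLM\SYSTEM\CurrentControlSet\Services whose ImagePath points into a user profile, which is where a WR64.sys dropped in AppData would have to be registered in order to load. `Test-DropPaths` checks the drop locations quoted from the coinminer write-up plus the two variant paths seen in this case, expanded for the current user. The path list comes from the thread; the function names, the mapping of `%Application Data%` to `$env:APPDATA` and `%User Temp%` to `$env:TEMP`, the Type code table and the path heuristics are my assumptions.

```powershell
# Added example (not from the thread): host-side checks for the WR64.sys / sihost64.exe case.
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$TypeNames   = @{ 1 = 'KernelDriver'; 2 = 'FileSystemDriver'; 16 = 'Win32OwnProcess'; 32 = 'Win32ShareProcess' }

function Get-UserProfileServices {
    # Lists services and drivers whose binary is registered under C:\Users\<name>\AppData or ...\Temp.
    # A legitimate driver is installed under %SystemRoot%\System32\drivers; one loading from a
    # user profile is what the "registry driver entry" question above is about.
    Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if (-not $p -or -not $p.ImagePath) { return }
        # ImagePath may be quoted, prefixed with \??\, use %SystemRoot%, and carry arguments.
        $img = [Environment]::ExpandEnvironmentVariables((($p.ImagePath -replace '^\\\?\?\\', '').Trim('"')))
        if ($img -notmatch '\\Users\\[^\\]+\\(AppData|Temp)\\') { return }
        $bin = if ($img -match '^(.+?\.(?:sys|exe|dll))(\s|$)') { $Matches[1] } else { $img }
        $typeName = $TypeNames[[int]$p.Type]
        if (-not $typeName) { $typeName = $p.Type }
        [pscustomobject]@{
            Service   = $_.PSChildName
            Type      = $typeName
            Start     = $p.Start          # 0-2 load at boot/system/auto start, 3 = manual, 4 = disabled
            ImagePath = $p.ImagePath
            OnDisk    = Test-Path -LiteralPath $bin
        }
    }
}

# Drop locations quoted from the coinminer write-up, plus the two variant paths seen in this thread,
# expanded for the current user (assumed: %Application Data% = $env:APPDATA, %User Temp% = $env:TEMP).
$DropPaths = @(
    "$env:APPDATA\Microsoft\Libs\sihost64.exe",
    "$env:APPDATA\Microsoft\Libs\WR64.sys",
    "$env:TEMP\Services.exe",
    "$env:APPDATA\Windows\Telemetry\sihost64.exe",
    "$env:APPDATA\Windows\Libs\WR64.sys"
)

function Test-DropPaths {
    param([string[]]$Paths = $DropPaths)
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $h = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        [pscustomobject]@{
            Path       = $path
            SHA256     = $h
            VirusTotal = "https://www.virustotal.com/gui/file/$h/detection"
        }
    }
}

Get-UserProfileServices | Format-Table -AutoSize
Test-DropPaths | Format-List
```

Run it in an elevated PowerShell on the affected machine, and once per user profile if more than one exists (substitute the other profile's AppData and Temp for `$env:APPDATA` and `$env:TEMP`). Where the files have already been removed, as in this case, `Test-DropPaths` returns nothing, but a service entry whose `OnDisk` is false is still a leftover worth cleaning up, since the key will try to load the driver again if the file comes back.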

I thank you, blender. I really appreciate you took time to check this.

Talking about false-positives, the same MBAM scan detected these:

Malware.AI.2563702741, C:\USERS\MAXXY\APPDATA\ROAMING\KRNL\KRNLUI.EXE, No Action By User, 1000000, -1731264555, 1.0.65833, A8A98DB71490F14698CEFFD5, dds, 02173581, 39ED86952A1E7926924A18802C0B75E4, B84CEB86E9A8EBA4D168F2CC6C9010C93779641E595F900AAFE8CFEF6165C126
 
Malware.AI.4290638100, C:\USERS\MAXXY\APPDATA\ROAMING\KRNL\KRNL.DLL, No Action By User, 1000000, -4329196, 1.0.65833, 53C1C875A695C8F7FFBDF114, dds, 02173581, DD2CEAD4E9DDED0E029457061C4DCFD5, BB8125901CA3CAF7DD5F726085F21D08B2E3736F4109E0530DA118E3DC54CB1B
 
Although I deleted those files, it seems that they are part of Roblox. It seems that most game related software includes ... weird things, let's say...
 

  • Staff

I sort of looked at those, but since you removed them, I thought nothing further of it.

First glance, it looks like a lot of the AV at VT detects them as well.

UI - https://www.virustotal.com/gui/file/b84ceb86e9a8eba4d168f2cc6c9010c93779641e595f900aafe8cfef6165c126/detection
dll - https://www.virustotal.com/gui/file/bb8125901ca3caf7dd5f726085f21d08b2e3736f4109e0530da118e3dc54cb1b/detection

Indeed AI on most AV/Antimalware including MBAM would hit on those due to the very nature of how it works. I mean, the dll is injected into the game and it can then run scripts. (normally just to enhance gameplay but can also be used to run/download malware, steal data, etc.)

Many "game enhancement" programs created to help users in game that are not from the game creators themselves can be risky. One needs to trust the source.

I'm going to check with some of my colleagues before I whitelist these files. In the meantime though, if he plans to use it again and trusts the download source, he can exclude that directory from scanning.
If one can create scripts with it, I would think one can use scripts others created as well?
If he gets scripts shared from discord or something for it, they would need to make sure they trust whoever created said script. 

More about krnl here: https://krnl.place/faq.html

 

