Official eMule-Board: Virustotal Says Emule 0.60c Is Ransomware - Official eMule-Board

Jump to content


Page 1 of 1

Virustotal Says Emule 0.60c Is Ransomware

#1 User is offline   fragbark 

  • Newbie
  • Pip
  • Group: Members
  • Posts: 14
  • Joined: 14-October 07

Posted 19 June 2021 - 07:57 PM

This is for the community version, not the official version, but it's important enough that I'm posting it here.
For emule0.60c downloaded from emule-project.net on 6/16/2021 at 2:20 PM EST:

MD5 = DFC5AA9FA35F09CE858EAE9DDDCF4DE8
SHA3_256 = F42FADFF190F1E5108A5A7FF3652168B79CA5EC69E0462B6EB264C0781E3EFBC

Virustotal.com gives a very strong indication that this is ransomware.
Note that you must be logged into virustotal.com to get ransomware rule matches.

The emule forum won't allow me to insert a hyperlink--the tool lets me try, but any time I add a hyperlink to the above text, the entire post gets reverted to the prior version after I click "Save Changes".

Crowdsourced Sigma Rule flags:
CRITICAL 53
HIGH 264
MEDIUM 8
LOW 50

1 match for rule TAIDOOR - Chinese RAT by Ariel Millahuel from SOC Prime Threat Detection Marketplace
This RAT was discovered by CISA. Taidoor is installed on a target’s system as a service dynamic link library (DLL) and is comprised of two files. The first file is a loader, which is started as a service. The loader decrypts the second file, and executes it in memory, which is the main Remote Access Trojan (RAT).


52 matches for rule Nibiru detection (Registry event and CommandLine parameters) by Ariel Millahuel from SOC Prime Threat Detection Marketplace
The NIBIRU ransomware encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back. It's seems to be that a new variant family of NIBIRU ransomware [NIBIRU.RSM] is actively spreading in the wild.


2 matches for rule Disable of ETW Trace by @neu5ron, Florian Roth, Jonhnathan Ribeiro, oscd.community from Sigma Integrated Rule Set (GitHub)
Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.


262 matches for rule Suspicious Eventlog Clear or Configuration Using Wevtutil by Ecco, Daniil Yugoslavskiy, oscd.community from Sigma Integrated Rule Set (GitHub)
Detects clearing or configuration of eventlogs uwing wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others)


1 match for rule Root Certificate Installed by oscd.community, @redcanary, Zach Stanford @svch0st from Sigma Integrated Rule Set (GitHub)
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.


2 matches for rule Netsh Port or Application Allowed by Markus Neis, Sander Wiebing from Sigma Integrated Rule Set (GitHub)
Allow Incoming Connections by Port or Application on Windows Firewall


1 match for rule Always Install Elevated Windows Installer by Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community from Sigma Integrated Rule Set (GitHub)
This rule will looks for Windows Installer service (msiexec.exe) when it tries to install MSI packages with SYSTEM privilege


2 matches for rule Non Interactive PowerShell by Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) from Sigma Integrated Rule Set (GitHub)
Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent.


2 matches for rule Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community from Sigma Integrated Rule Set (GitHub)
Detects modification of autostart extensibility point (ASEP) in registry.


2 matches for rule Discovery of a System Time by E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community from Sigma Integrated Rule Set (GitHub)
Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.


20 matches for rule Net.exe Execution by Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements) from Sigma Integrated Rule Set (GitHub)
Detects execution of Net.exe, whether suspicious or benign.


20 matches for rule Stop Windows Service by Jakob Weinzettl, oscd.community from Sigma Integrated Rule Set (GitHub)
Detects a windows service to be stopped


8 matches for rule Service Execution by Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community from Sigma Integrated Rule Set (GitHub)
Detects manual service execution (start) via system utilities

This post has been edited by fragbark: 19 June 2021 - 08:11 PM

0

#2 User is offline   Some Support 

  • Last eMule
  • PipPipPipPipPipPipPip
  • Group: Yes
  • Posts: 3656
  • Joined: 27-June 03

Posted 19 June 2021 - 10:10 PM

I'd guess the heuristic is detecting the installer, because installing software requires much of the same actions and access as ransomeware needs. The file linked on emule-project.net is the same as published by fox on github (meaning it hasn't been changed/modified). Have you tried analizing older eMule versions of the installer to see if it comes up with the same result?
I did a test install before publishing and the file has been out for over a months without any reports of trouble. Both is not a sure sign that it's clean, but an indicator at least together with the explanation why the heuristic might misidentify it.
And of course I do trust fox who is creating those versions (but then again, a supply chain attack is always possible, so no reason not to look into it).

#3 User is offline   fox88 

  • Golden eMule
  • PipPipPipPipPipPipPip
  • Group: Members
  • Posts: 4840
  • Joined: 13-May 07

Posted 19 June 2021 - 11:22 PM

View Postfragbark, on 19 June 2021 - 10:57 PM, said:

This is for the community version, not the official version, but it's important enough that I'm posting it here.
For emule0.60c downloaded from emule-project.net on 6/16/2021 at 2:20 PM EST:

MD5 = DFC5AA9FA35F09CE858EAE9DDDCF4DE8
SHA3_256 = F42FADFF190F1E5108A5A7FF3652168B79CA5EC69E0462B6EB264C0781E3EFBC

There were five files uploaded to github releases; and MD5 checksums should be:
dfc5aa9fa35f09ce858eae9dddcf4de8 eMule0.60c-Installer.exe
7c219fedd86127140077687002401de9 eMule0.60c-Installer64.exe
efab711fafec2daa937aa92cc7c512d8 eMule0.60c-Sources.zip
e82562e84ad55ce2566c6471095c05ff eMule0.60c.zip
4d96b2e2731e01aaba6772fce0df7c42 eMule0.60c_x64.zip


I checked in virustotal.com download link to eMule0.60c.zip and extracted 32-bit eMule.exe - all was clean. The same for the link to eMule0.60c-Installer.exe (with the matching MD5).

How you checked it?

PS. It seems those heuristic rules enumerated every action that networking application could ever possibly do. Which makes the check paranoid and barely useful.

This post has been edited by fox88: 20 June 2021 - 12:56 PM

0

#4 User is offline   fragbark 

  • Newbie
  • Pip
  • Group: Members
  • Posts: 14
  • Joined: 14-October 07

Posted 18 July 2021 - 03:01 PM

I've since found that those detection rules fire for a LOT of installers written in 2021, including many open-source projects. Probably that means they're all false positives. (On the other hand, I caught what was probably a ransomware virus--tens of thousands of non-OS but otherwise random files and directories on my C drive disappeared within hours--just a few weeks ago, which almost certainly came from software I paid $160 for and downloaded directly from Nuance. So perhaps we're all swimming in latent ransomware.)
0

  • Member Options

Page 1 of 1

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users