Author Topic: malwr.com Trustworthy?  (Read 3002 times)


Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
malwr.com Trustworthy?
« on: May 27, 2015, 01:26:48 AM »
Yeah, so. A few of the experts here will know this site. It will be unfamiliar to a lot of you guys though!

https://malwr.com/analysis/YjkwZTRhNGI4NjViNGExODk5Nzg5M2YwNDhjYmI0MDQ/. Conclusion: it's ransomware (Malwr's analysis!). I edited the tags to be a little more accurate.

The actual conclusion, though, revealed by personal testing and screenshots: it's a fake Anti-Virus.

Can we conclude that we should be able to trust malwr.com for accurate and precise reports regarding uploaded samples?

According to that report, I think not.

Looking at the FRST report and malwr.com's report, the two are very dissimilar!
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline Michael (alan1998)
Re: malwr.com Trustworthy?
« Reply #1 on: May 27, 2015, 01:28:25 AM »
And yes, Windows is fake. Downloaded an ISO file for a demo purpose for class tomorrow.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: malwr.com Trustworthy?
« Reply #2 on: May 27, 2015, 04:19:37 PM »
Fake AV not ransom

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37547
  • Not a avast user
Re: malwr.com Trustworthy?
« Reply #3 on: May 27, 2015, 04:26:26 PM »
Fake AV not ransom
yea, but you have to pay to get the full fake protection    ;D

Offline Michael (alan1998)
Re: malwr.com Trustworthy?
« Reply #4 on: May 27, 2015, 04:55:33 PM »
Fake AV not ransom
yea, but you have to pay to get the full fake protection    ;D

Technically, it can be classed as Ransom because of that, and it's extremely difficult to use the system under "Normal" terms. However, bear in mind the Tag: Urausy.

http://www.bleepingcomputer.com/virus-removal/remove-urausy-fbi-ransomware

That is not Urausy!!

I'm curious, how did malwr.com mess this up? Made for an interesting removal case (wasn't expecting that, although the process is the same... Safe Mode w/ CMD > Open explorer > run FRST > Create a Fixlist > Run and reboot!), but that is obviously not Urausy.

Edit:

=============================================================

Fixlist looked like this:

Code:
CloseProcesses:

HKU\S-1-5-21-953904158-1915589922-4174002194-1000\...\RunOnce: [18AFB925B8834DCF000018AFA07A5209] => C:\ProgramData\18AFB925B8834DCF000018AFA07A5209\18AFB925B8834DCF000018AFA07A5209.exe [399360 2015-05-26] ()
2015-05-26 18:08 - 2015-05-26 18:08 - 00399360 _____ () C:\Users\John\Desktop\5902daf659559dd976f9e662f782d877dd4da4b90ca1ac44aa26a224919da779.exe
2015-05-26 18:07 - 2015-05-26 18:23 - 00001184 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-05-26 18:07 - 2015-05-26 18:23 - 00001184 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-05-26 18:21 - 2015-05-26 18:21 - 00002048 _____ () C:\Users\John\Desktop\System Care Antivirus.lnk
2015-05-26 18:21 - 2015-05-26 18:21 - 00000000 ____D () C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Care Antivirus
2015-05-26 18:13 - 2015-05-26 18:21 - 00000000 ____D () C:\ProgramData\18AFB925B8834DCF000018AFA07A5209

Due to the fact that this was run in Safe Mode, CreateRestorePoint: was not included because it can't be done while in Safe Mode w/ CMD.

Also, EmptyTemp: was excluded because it's a new system, although I would normally include it anyways.

Edit 2: In case anyone is curious why the user is named John, I copied the Windows example for a user name :-). Wouldn't put anything that might reveal personal info in there.
« Last Edit: May 27, 2015, 05:11:29 PM by Michael (alan1998) »
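An added example (not code from the thread, from FRST, or from malwr.com) of the triage an analyst would do on the posted fixlist before writing up a verdict: it parses the Run/RunOnce line and the file-listing lines in the format FRST uses above, then pulls out the indicators that make the fake-AV finding defensible: the RunOnce value launching a random 32-hex-named executable from a same-named ProgramData folder, the hidden files dropped in system32, the Start Menu entry advertising "System Care Antivirus", and a timeline of everything created around the sample. The line formats are inferred from the lines in the post; the attribute-flag meanings (H hidden, D directory), the 30-minute window and the heuristics are this example's own assumptions, and the fixlist text is embedded as constructed input copied from the post.

```python
"""Parse FRST fixlist lines and extract the indicators for a report.

Added example, not FRST's or the thread's code.  Line formats are inferred
from the fixlist posted above; flag meanings and heuristics are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed input: the fixlist exactly as posted in the thread.
FIXLIST = r"""CloseProcesses:

HKU\S-1-5-21-953904158-1915589922-4174002194-1000\...\RunOnce: [18AFB925B8834DCF000018AFA07A5209] => C:\ProgramData\18AFB925B8834DCF000018AFA07A5209\18AFB925B8834DCF000018AFA07A5209.exe [399360 2015-05-26] ()
2015-05-26 18:08 - 2015-05-26 18:08 - 00399360 _____ () C:\Users\John\Desktop\5902daf659559dd976f9e662f782d877dd4da4b90ca1ac44aa26a224919da779.exe
2015-05-26 18:07 - 2015-05-26 18:23 - 00001184 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-05-26 18:07 - 2015-05-26 18:23 - 00001184 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-05-26 18:21 - 2015-05-26 18:21 - 00002048 _____ () C:\Users\John\Desktop\System Care Antivirus.lnk
2015-05-26 18:21 - 2015-05-26 18:21 - 00000000 ____D () C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Care Antivirus
2015-05-26 18:13 - 2015-05-26 18:21 - 00000000 ____D () C:\ProgramData\18AFB925B8834DCF000018AFA07A5209
"""

# Run/RunOnce value as FRST prints it: hive\key\...\RunOnce: [name] => target [size date] (company)
RUNKEY_RE = re.compile(
    r"^(?P<hive>HK\w+)\\(?P<key>\S+?)\\\.\.\.\\(?P<value_type>Run\w*): "
    r"\[(?P<name>[^\]]+)\] => (?P<target>.+?) "
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<company>[^)]*)\)$")
# File/dir listing: created - modified - size attrs (company) path
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) \((?P<company>[^)]*)\) (?P<path>.+)$")
HEX32_RE = re.compile(r"^[0-9A-Fa-f]{32}$")   # random GUID-like dropper name
HEX64_RE = re.compile(r"^[0-9A-Fa-f]{64}$")   # sample named by its hash (repository download)


@dataclass
class RunEntry:
    hive: str
    key: str
    value_type: str
    name: str
    target: str
    size: int
    company: str


@dataclass
class FileEntry:
    created: datetime
    modified: datetime
    size: int
    attrs: str
    company: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def stem(self) -> str:
        return self.name.rsplit(".", 1)[0] if "." in self.name else self.name

    @property
    def hidden(self) -> bool:   # assumption: 'H' in the flag field means hidden
        return "H" in self.attrs

    @property
    def is_dir(self) -> bool:   # assumption: 'D' in the flag field means directory
        return "D" in self.attrs


def parse_fixlist(text: str) -> Tuple[List[str], List[RunEntry], List[FileEntry]]:
    """Split a fixlist into directives (e.g. CloseProcesses), registry values and file entries.
    Lines that match neither format are skipped, never rewritten."""
    directives, runs, files = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RUNKEY_RE.match(line)
        if m:
            runs.append(RunEntry(m["hive"], m["key"], m["value_type"], m["name"],
                                 m["target"], int(m["size"]), m["company"]))
            continue
        m = FILE_RE.match(line)
        if m:
            files.append(FileEntry(datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
                                   datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
                                   int(m["size"]), m["attrs"], m["company"], m["path"]))
            continue
        if line.endswith(":"):
            directives.append(line[:-1])
    return directives, runs, files


def persistence_findings(runs: List[RunEntry]) -> List[str]:
    """Flag Run/RunOnce values whose target is a 32-hex-named exe inside a same-named
    ProgramData folder, with the value name matching too (the layout seen in the post)."""
    out = []
    for r in runs:
        parts = r.target.split("\\")
        folder, exe = parts[-2], parts[-1]
        stem = exe.rsplit(".", 1)[0]
        if (r.target.lower().startswith("c:\\programdata\\") and HEX32_RE.match(stem)
                and folder == stem and r.name == stem):
            out.append(f"{r.value_type} '{r.name}' in {r.hive}\\{r.key} -> {r.target} "
                       f"({r.size} bytes, company: {r.company or 'none'})")
    return out


def hidden_system_artefacts(files: List[FileEntry]) -> List[FileEntry]:
    """Hidden non-directory files under \\Windows\\system32 (unusual for a clean install)."""
    return [f for f in files if f.hidden and not f.is_dir
            and "\\windows\\system32\\" in f.path.lower()]


def advertised_product_names(files: List[FileEntry]) -> List[str]:
    """Product names the malware advertises to the user via Start Menu folders and .lnk files."""
    names = set()
    for f in files:
        if f.is_dir and "\\start menu\\programs\\" in f.path.lower():
            names.add(f.name)
        elif f.name.lower().endswith(".lnk"):
            names.add(f.stem)
    return sorted(names)


def infection_window(files: List[FileEntry], minutes: int = 30
                     ) -> Tuple[Optional[datetime], List[FileEntry]]:
    """Use the hash-named sample as t0 and return every entry created within +/- `minutes`,
    oldest first.  The window is symmetric because system32 drops here predate the
    desktop copy by a minute."""
    samples = [f for f in files if HEX64_RE.match(f.stem)]
    if not samples:
        return None, []
    t0 = min(s.created for s in samples)
    window = [f for f in files if abs(f.created - t0) <= timedelta(minutes=minutes)]
    return t0, sorted(window, key=lambda f: f.created)


if __name__ == "__main__":
    directives, runs, files = parse_fixlist(FIXLIST)
    print("directives:", directives)
    for line in persistence_findings(runs):
        print("persistence:", line)
    for f in hidden_system_artefacts(files):
        print("hidden system32 file:", f.name)
    print("advertised as:", advertised_product_names(files))
    t0, window = infection_window(files)
    print("timeline around", t0)
    for f in window:
        print(f"  {f.created:%H:%M} {'dir ' if f.is_dir else 'file'} {f.path}")
```

Run it as a script and it prints the persistence entry, the two hidden system32 files, the advertised product name and a timeline; point `parse_fixlist` at any other FRST fixlist and unrecognised lines are simply skipped, so it is safe to run over a fixlist before you hand it to FRST. The hash-length file name is only a naming convention for downloaded samples, not proof of the file's actual hash; compute that separately before quoting it in a report.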