Q&A: Is F-Secure sleeping again?


marcopaone

Level 5
Verified
Jul 15, 2016
204
Hi!

On VirusTotal, Avira detects the ransomware as JAVA/SMSSend.zgxoh. But why not F-Secure?
EDIT:
I tried to open it, and F-Secure does not block it anyway.
Result: system is infected and files are encrypted.
[Screenshots attached to the original post]

upnorth

Moderator
Verified
Staff member
Malware Hunter
Jul 27, 2015
4,164
Good question. I mean it! Maybe, because many AVs/tools have problems with script files, as can be seen here:


That's the exact same sample btw and would be interesting to know with a dynamic test/scan. It's also a possible POC sample so that can very well be a reason. Maybe it needs to be submitted?
 

marcopaone

Level 5
Verified
Jul 15, 2016
204
> Good question. I mean it! Maybe, because many AVs/tools have problems with script files, as can be seen here:
>
> That's the exact same sample btw and would be interesting to know with a dynamic test/scan. It's also a possible POC sample so that can very well be a reason. Maybe it needs to be submitted?

Also, I tried to open it, and F-Secure does not block it anyway.
System is infected and files are encrypted.
 

McMcbrad

Level 23
Oct 16, 2020
1,253
First test:
AVG Internet Security 20.9 + Shadow Defender on Windows 10 20H2

Static Scan doesn't detect anything.
Upon execution, the behavioural blocker also seems not to detect anything, but ransomware protection, set to "Normal Mode" (not "Strict"), blocks the encryption.
The process javaw.exe is terminated shortly after. I inspected both protected and unprotected folders and nothing seems to be encrypted.

[Screenshots: protected folder, unprotected folder, and the AVG ransomware protection alert]


Thanks to @upnorth and @marcopaone who both sent me the sample.
Now Windows Defender test.
 

Nightwalker

Level 22
Verified
Trusted
Content Creator
May 26, 2014
1,108
The F-Secure Capricorn engine (Avira) may have a small delay in updates compared to Avira's proprietary solutions, but it isn't anything significant; just today 15 updates were released for it, so we can assume that the detection was included in a database update after you tested.

Anyway, F-Secure DeepGuard should protect the machine in those situations, but unfortunately it didn't happen.

F-Secure Latest Database Updates for F-Secure Capricorn (f-secure.com)
 

McMcbrad

Level 23
Oct 16, 2020
1,253
Windows Defender with Latest Updates + Shadow Defender Latest + Windows 10 20H2
[Screenshot: test setup]


Windows Defender doesn't do anything and system is encrypted. The javaw.exe process terminates seconds after launching the *.jar file.
The following file is dropped on the Desktop and auto-opened:
[Screenshot: dropped file]

My pictures are also gone:
[Screenshot: Pictures folder after encryption]

Not all files seem to be encrypted; only common user directories are affected.

Once again, thanks to @upnorth and @marcopaone, who both sent me the Pegasus sample.
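Two things in this thread are worth checking on any Windows test box before concluding a product "did nothing": Nightwalker's point that a miss may simply be stale definitions, and McMcbrad's observation that the sample only touched common user directories, which is exactly the scope that Microsoft Defender's Controlled Folder Access covers (the counterpart of the AVG "ransomware protection" that blocked the writes in the first test). The following PowerShell is an added example written for this page, not code from the thread or from any vendor; it assumes Windows 10 with Microsoft Defender Antivirus and an elevated session, and the lab folder path it creates is a constructed placeholder.

```powershell
# Added example (not from the thread): defender-side checks to run around a test like McMcbrad's.
# Assumes Windows 10, Microsoft Defender Antivirus, elevated PowerShell. All cmdlets are built in.

# 1. Definition freshness (Nightwalker's point): record which signature set was active during the run.
$status = Get-MpComputerStatus
"Signature version : {0}" -f $status.AntivirusSignatureVersion
"Last updated      : {0}" -f $status.AntivirusSignatureLastUpdated
"Real-time enabled : {0}" -f $status.RealTimeProtectionEnabled

# 2. Controlled Folder Access state. 0 = Disabled, 1 = Enabled (block), 2 = Audit mode.
$pref = Get-MpPreference
"Controlled Folder Access : {0}" -f $pref.EnableControlledFolderAccess
"Extra protected folders  : {0}" -f ($pref.ControlledFolderAccessProtectedFolders -join ', ')

# 3. Enable blocking and add a lab folder so the effect is observable. The default protected set
#    already covers the signed-in user's Documents, Pictures, etc. (the directories the sample hit).
Set-MpPreference -EnableControlledFolderAccess Enabled
$labFolder = Join-Path $env:USERPROFILE 'Desktop\cfa-test'   # constructed lab path, not from the thread
New-Item -ItemType Directory -Path $labFolder -Force | Out-Null
Add-MpPreference -ControlledFolderAccessProtectedFolders $labFolder

# 4. After the run, pull what Defender logged. Event ID 1123 = CFA blocked a write,
#    1124 = audit-mode "would have blocked". The offending process (e.g. javaw.exe) is named in the message.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Run steps 1 and 2 before detonating the sample and step 4 afterwards; if step 4 returns nothing while files were still encrypted, the writes came from a path or process outside what Controlled Folder Access covers, which is a different finding from "the signatures were old".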
 