Number of samples: 9
Verified malware samples: Yes, this only contains malware
Threat analysis report
Disclaimer

This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
We encourage you to compare these results with others and take informed decisions on what security products to use.
Before buying an antivirus you should consider factors such as price, ease of use, compatibility and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

Lord Ami (MWT-Tester), post #2
Containment: VMware® Workstation Pro 15.0.2 build-10952284
Guest/OS: W8.1 X64
Product: fs protection 17.5 beta 14
Static (On-demand scan): 5/9
Dynamic (On execution): 4/4
Total: 9/9
SUD: 4
VPN: Windscribe Pro
System Status: Protected
Files encrypted: No
Cute_Cats runs and starts an installer. The installed file is blocked by DeepGuard (upon execution).

Fridy2.0 is instantly blocked

Ill just be a meme to you, OK extracts 2 files, which are removed.

Trojan.Win32.TrashCan is blocked
* Autoruns entries are safe. Same goes for NPE. I've modified some Windows settings to lower telemetry.
 

Lord Ami (MWT-Tester), post #3
Containment: VMware® Workstation Pro 15.0.2 build-10952284
Guest/OS: W10 X64 1809
Product: AVG Internet Security 19.1.3075
Static (On-demand scan): 7/9
Dynamic (On execution): 0/2
Total: 7/9
SUD: 2
VPN: Windscribe Pro
System Status: Protected*
Files encrypted: No
* After restart
Fridy2.0 runs, gets DeepScreened; when I hit OK it just terminates.

UserManager runs, nothing from AVG
After restart

harlan4096 (Moderator, MalwareTips Team, MWT-Tester), post #4
Containment: VMWare WorkStation Pro 15.0.2-10952284 (running over Windows 10 Pro x64 Build 1809-17763)
Guest/OS: Windows 10 Pro x64 Build 1809-17763
Product: KSCloud Free 2019 19.0.0.1088 / VPN: Kaspersky Secure Connection
Tweaked Settings

Static/Contextual Scan: 8 / 9 - Dynamic/On Execution Scan: 0 / 1 - Total: 8 / 9 - SUD: 1
2 by UDS (Urgent Detection System) / 5 by Heur (Trojan) / 1 by Signatures
Files Encrypted: No - Second Opinion Scanners: All Clean - System Final Status: Protected

Location: Almería (Spain) CET
Samples Pack Posted: 08/01/2019 02:46pm
Static Test Started: 08/01/2019 05:05pm
Dynamic Test Started: 08/01/2019 05:14pm
SUD: 08/01/2019 05:24pm


* (Miss) Fridy2.0.exe: triggered UAC, then a small form asking for a password; I typed some characters, got a wrong-password warning and it auto-terminated.


_____________________________________________________________________

After testing samples dynamically I ran AutoRuns and Comodo AutoRuns:


Warning: All original samples from the extracted folder were deleted manually before running the Second Opinion Scanners, except those which are still actively running on the system and/or are referenced in a registry key in the Windows AutoRuns sections.

ZAM (Full System Scan + C:\ProgramData + C:\...\<user account>\),
WiseVector (C:\ProgramData + C:\...\<user account>\ ),
HMP -> All Clean, System Protected:


Thanks to @erreale !

Kaspersky VirusDesk Final Verdict:
Hello, No malicious software was found in the attached file.

Fridy2.0.exe

Best regards,
__________


Daniel Hidalgo (MWT-Tester), post #5
Containment: VMware® Workstation Pro 14.1.1 build-7528167 & Shadow Defender 1.4.0.672
Guest/OS: Windows 10 PRO 64Bits 1809 Build 17763.195
Product: McAfee Internet Security 2019 V. 16.0 (Custom Settings)
Static (On-demand scan): 5/9
Dynamic (On execution): 0/4
Total: 5/9
SUD: YES
VPN: Avira Phantom VPN v. 2.18.1.30309
System Status: INFECTED
Files encrypted: NONE
Sample: Fridy2.0.exe MISS
Process: Fridy2.0.exe
Connections: No connections used
Requests a password; as it is not deciphered, it ends instantly.
Sample: Ill just be a meme to you, OK.exe MISS
Process: Ill just be a meme to you, OK.exe, illuminaExecutable.exe
Connections: No connections used
The sample extracts 2 files; the executable is opened, then it opens a Command Prompt ("system symbol") window, but it disappears after a minute.
The created traces were left behind.
Sample: Trojan.Win32.TrashCan.exe MISS
Process: Trojan.Win32.TrashCan.exe, cmd.exe, conhost.exe, net.exe, wscript.exe
Connections: No connections used
The sample creates multiple wscript.exe processes, which saturate the system by displaying a message multiple times.
Sample: UserManager MISS
Process: UserManager.exe
Connections: No connections used
The sample disabled Task Manager and Process Explorer.
Remove samples folder
Run CCleaner
Process Explorer: INFECTED, cannot be opened since it was infected (disabled by the last sample)
Autoruns: SAFE
INFECTED
 

Solarquest (Moderator, MalwareTips Team, MWT-Tester), post #6
Containment: VirtualBox-6.0.0.127566
Host Windows 10 pro 64 bit v1809
Guest/OS: Windows 10, Home v1809 + Java
VPN: Windscribe 1.83
Product: Emsisoft 12 AM 2018.12.1.9144, default settings + Emsisoft Browser security
Static (On-demand scan): 4*/9 (*5 detected in 4 files)
Dynamic (On execution): 0 /5
Total: 4*/9
SUD: 4 (bomber too large to be uploaded)
2nd opinion detection of new files or in memory: Zemana: 0 HMP:0 autoruns:0 PE: 0 NPE:0
File encrypted: no but deleted
Final status: System infected

Additional notes: Thank you @Erreale for the samples!
(I decided to keep the missed/not deleted samples in the malware folder to see if 2nd opinion scanners detect them.)

B17 bomber.exe- UAC, starts, error message-> in memory.

cute cats.exe- UAC, then it alerts that it is a virus... I proceed anyway with the setup since we are testing... conhost-cmd-> files are deleted... system is shut down... on reboot, only a few links, HMP and PE survived on the desktop; most of the files in the download folder were deleted too... missed.

refreshed VM

fridy 2.0 .exe- UAC, then it asks for a password. Clicking "OK" or trying something pops up a wrong password window and it terminates.

phoenix.exe- starts, a Net error is displayed, after "continue" is chosen, a moving window with an alert of the phoenix virus is created.
The desktop is black; it can be killed with Task Manager but desktop access is lost. Missed.
Rebooted with Task Manager, desktop and normal access are back. No apparent changes in desktop, downloads, docs and pics.




user manager.exe- UAC, in memory with icon "form 1" on taskbar, nothing from Emsi.



Files in MW folder: 5

2nd opinion scanners:
Then the system froze.
 

askalan (MWT-Tester), post #7
Product: Windows SmartScreen (activated by Hard_Configurator with recommended SRP and restrictions)

Disclaimer: Experimental setup for testing the effectiveness of Windows SmartScreen and script restrictions against 0-day malware samples. This test is suitable for users with more knowledge about Windows built-in security features.

Code:
1. Containment: VirtualBox 5.1.38
2. Windows: 10 LTSB
3. VPN: CyberGhost
4. Office: LibreOffice (standard settings)

Samples that have harmed the system/changed system configuration: 0/9

The presented system configuration has successfully blocked all malware. No files were encrypted.
Before the second opinion scan the samples were deleted.



Thanks for the samples @erreale
@Andy Ful

 

Daniel Hidalgo (MWT-Tester), post #8
Containment: VMware® Workstation Pro 14.1.1 build-7528167 & Shadow Defender 1.4.0.672
Guest/OS: Windows 8.1 HOME build 9600 x64 bits
Product: ESET Internet Security 2019 V. 12.0.31.0 (Custom Settings)
Static (On-demand scan): 4/9
Dynamic (On execution): 0/5
Total: 4/9
SUD: YES
VPN: Avira Phantom VPN v. 2.18.1.30309
System Status: INFECTED
Files encrypted: NONE
Sample: B17 bomber.exe MISS
Process: B17 bomber.exe, cmd.exe, conhost.exe, cscript.exe, PING.EXE, explorer.exe, taskill.exe
Connections: No connections used
The sample causes Windows Explorer to restart; the system works slowly due to the number of processes it creates at the same time, which remain active.
The system collapses and restarts on its own.

Sample: cute cats.exe MISS
Process: cute cats.exe, cmd.exe, conhost.exe
Connections: No connections used
The sample uses an installer which warns that it is a virus, then deletes personal files and shuts down the system.
The system was again infected and collapsed.

Sample: Fridy2.0.exe MISS
Process: Fridy2.0.exe
Connections: No connections used
Requests a password; as it is not deciphered, it ends instantly.
Sample: phoenix.exe MISS
Process: phoenix.exe, cmd.exe, conhost.exe, taskill.exe
Connections: No connections used
Shows an execution error, restarts Windows Explorer, and shows a window that constantly moves.
The process is manually closed to continue the test.

Sample: UserManager MISS
Process: UserManager.exe
Connections: No connections used
The sample disabled Task Manager and Process Explorer.

The system was infected multiple times; it had to be restarted several times to be able to conclude the test.
Run CCleaner
Process Explorer: INFECTED, cannot be opened since it was infected (disabled by the last sample)
Autoruns: SAFE
INFECTED