Python Ransomware
<blockquote data-quote="Andy Ful" data-source="post: 762337" data-attributes="member: 32260"><p>I tested this sample. It uses the legal InnoSetup installer as a wrapper, and drops malicious installation files to the temp folder. There is a lockyfud.exe malware file + some legal DLLs and some Python files. The malware lockyfud.exe is detected by Kaspersky, Cylance, and Trend Micro.</p><p>Kaspersky, Cylance, and Trend Micro do not detect the wrapper installer, because it does not do anything malicious. Anyway, they block the unwrapped malware installation.</p><p><strong>The lesson: sometimes the AV can protect against the malware, even if it is not detected by that AV version on VT.</strong></p><p></p><p><strong>Edit</strong></p><p>The above situation may happen for a few reasons. It can be done intentionally or it can follow from dynamic detection. Anyway, proper signature detection should also include the wrapped installer.</p></blockquote>
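The mechanism behind the post's lesson, as an added example that is not part of Andy Ful's post and contains none of the sample's files: an installer stores its payload compressed, so a byte signature that hits the dropped executable finds nothing in the wrapper file, and the wrapper's hash (the one VT would show) is unrelated to the payload's hash. Detection only becomes possible once the installer inflates the payload into the temp folder. The payload, the signature and the "installer stub" below are all constructed stand-ins (the stub is not a real Inno Setup file); `looks_like_inno_setup` is a heuristic string check, not a parser.

```python
"""Why a signature on the dropped payload can miss the wrapper installer.
All data here is constructed; nothing is taken from the analysed sample."""
import hashlib
import zlib

# Constructed stand-in for the dropped malicious executable (NOT lockyfud.exe).
PAYLOAD = b"MZ" + b"\x00" * 62 + b"FAKE-RANSOM-ROUTINE encrypt_files()" + b"\x00" * 32

# Hypothetical static signature an AV engine might match on the payload.
SIGNATURE = b"FAKE-RANSOM-ROUTINE"

STUB_HEADER = b"CONSTRUCTED-INSTALLER-STUB\n"  # assumption: toy wrapper format


def wrap_payload(payload: bytes) -> bytes:
    """Build a constructed installer-like blob: stub + compressed payload.
    Real installers (Inno Setup included) keep the files compressed, so the
    payload bytes are not present verbatim in the installer on disk."""
    return STUB_HEADER + zlib.compress(payload, 9)


def unwrap_payload(wrapper: bytes) -> bytes:
    """What happens at run time: the installer inflates the payload to disk."""
    if not wrapper.startswith(STUB_HEADER):
        raise ValueError("not a constructed installer stub")
    return zlib.decompress(wrapper[len(STUB_HEADER):])


def static_scan(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """Naive static signature check: does the pattern occur in the file?"""
    return signature in blob


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def looks_like_inno_setup(blob: bytes) -> bool:
    """Heuristic: Inno Setup installers carry a 'Inno Setup Setup Data (x.y.z)'
    version string in their setup data block. Our constructed stub lacks it."""
    return b"Inno Setup Setup Data" in blob


def triage(wrapper: bytes) -> dict:
    """Scan the wrapper as received, then unwrap it and scan what gets dropped.
    Hash both so the VT lookup on the wrapper can be compared with the payload."""
    dropped = unwrap_payload(wrapper)
    return {
        "wrapper_sha256": sha256(wrapper),
        "wrapper_flagged": static_scan(wrapper),
        "dropped_sha256": sha256(dropped),
        "dropped_flagged": static_scan(dropped),
        "wrapper_is_inno": looks_like_inno_setup(wrapper),
    }


if __name__ == "__main__":
    for key, value in triage(wrap_payload(PAYLOAD)).items():
        print(f"{key}: {value}")
```

Running it shows `wrapper_flagged: False` and `dropped_flagged: True` with two different hashes, which is the post's situation in miniature: the VT verdict on the wrapper's hash says nothing about whether the engine will catch the payload once it lands in the temp folder. Unwrapping the real sample for the same comparison is what tools such as innoextract are for.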