Solved Security/malware question about 2 particular websites (and the "files extracted during detonation"):


SecurityQuestion

PCHF Member
Jun 17, 2023
The 2 sites (run by the same admin) are:
<REDACTED>

The latter is a file-hoster and offers downloadable files such as this:
<REDACTED>

My Malwarebytes blocked it when I clicked on this download link posted on the forum - blocking the site itself, not the file.



So I just ran a few online tests:



Sitecheck by Sucuri says there's "no malware" - however the forum is "outdated", while the latter has its domain blacklisted by McAfee:
https://sitecheck.sucuri.net/results/mxoemu.info/forum/
https://sitecheck.sucuri.net/results/https/files.rajko.info
https://sitecheck.sucuri.net/results/https/files.rajko.info/music.pro

On reddit I was told that McAfee is unreliable and marks a lot of false positives - and Malwarebytes often overreacts as well.




VirusTotal and Metadefender also say both are clean.




However, according to Hybrid-Analysis:
message board: https://www.hybrid-analysis.com/sam...7663ba03a2605a54052d3bb6d03df207db8099f955928
file-hosting site: https://www.hybrid-analysis.com/sam...001816fdd3bc1fd353a71f21702078977515613e786e9
the former is "no specific threats detected", while the latter was also initially marked as clean, but upon a recent refresh scan is now marked as "malicious".

And independently of that, from the start it identified 3 files "extracted during detonation" as "malicious"/"suspicious" - the same 3 on both sites:
mini-wallet.html: https://www.hybrid-analysis.com/sam...6685ad4024965491e601880daf1fefa3735e769df661b
notification.html: https://www.hybrid-analysis.com/sam...152cedaeb73213cf8940cf8b689794116817d8cc300fe
notification.bundle.js: https://www.hybrid-analysis.com/sam...a673d8df2bc740e6f8f075b90c57c76052958a05baa81


According to a user on r/AskNetsec, they've got something to do with crypto-mining:
Look at whats been flagged as malicious, seems the site has a file called mini-wallet.html
Google search shows a GitHub repo for some kind of Korean Ethereum wallet. Possibly the site accepts Ethereum payments and the virus scanner doesn't like it or its some crypto miner from when Ethereum was pos.
Some of the other files mention donations, seems like a Dev has included the mini wallet to facilitate crypto donations. The mini wallet is written in solidity which I think is flagging the detection.
Stopped replying to follow-up questions after this though.


And another reply I've received says the following:
The server belongs to Rajkosto - https://github.com/rajkosto/ - and hosts some of their older projects like haxorware and sshnuke. Whether or not the server has been compromised and now hosts phishing frontends, fake tools or other malicious binaries is hard to tell. When and how did you get alerted on that? What have you been visiting/searching/playing when alarms popped up? It's hard to tell without additional context.
Probably each ad ridden niche site you visit will be flagged one way or the other - again hard to tell in advance.
From all I know, the admin is completely trustworthy, however I'm not sure whether these findings indicate the sites may have been compromised or not, and trying to understand whether they're safe to access + download files from.

The admin said he couldn't find any of those files on his servers and has no idea where Hybrid may have gotten them from.

The forum (although not the file-hoster, to my knowledge?) uses iframed Google Ads - could those files stem from there, rather than the sites/server themselves? As implied by the last quoted r/AskNetsec responder?
Probably each ad ridden niche site you visit will be flagged one way or the other


So yeah, would be cool if anyone's got further info or ideas about this.
Seems like false positives, judging by those replies, but is there a way to be a bit more sure?


Thanks in advance!
 
I'm not sure on what you are after here?
I mean, you have multiple sources telling you "there be dragons" but you seem intent on disbelieving them.
then you are using other tools that tell you all is fine.

in the end, only you have the decision to proceed or not. :)
back in the days when I used MBAM, I had complete trust in it, if it blocked me from going somewhere, I was "OK, fine" with that.
I've heard no reason to not trust MBAM since the time I last used it about 3 years ago.

at some point, you have to roll the dice and play the odds!
all protection and research are not 100% guaranteed. (y)
 
About Mbam, a(n admittedly somewhat laconic) responder on r/antivirus told me: "Likely fine, just Malwarebytes overreacting again."

And here's a thread right from Mbam's forum where an alarm gets confirmed as a false positive:
https://forums.malwarebytes.com/topic/285674-website-detected-as-trojan-false-positive/
Unfortunately I've failed to make an account there and ask about my case, since there's some kinda spam filter that blocked my registration for some reason; should probably try again at some point?


I'm not sure on what you are after here?
I mean, you have multiple sources telling you "there be dragons" but you seem intent on disbelieving them.
then you are using other tools that tell you all is fine.

Not so much "intent on disbelieving them", although sure I'd prefer the warnings to be unfounded lol?

Obviously rn trying to see if there's anything further one could learn about this - specifically these "crypto mining"(?) files that keep popping up?





Also, few days ago I just spontaneously decided to check what Hybrid Analysis had to say about a regular site like, well, Reddit, and... it also raised an alarm about it:


Result page for https://www.reddit.com:
https://www.hybrid-analysis.com/sam...1100471788e2291dbbaa950a72fe8497b07bbc16a5697

Marked as "malicious", threat score 100/100 - apparently due to the "Falcon Sandbox Reports" section,
as well as the "files extracted during detonation" - 1 of them, "widevinecdm.dll", marked as "suspicious":
https://www.hybrid-analysis.com/sam...6273f4e6c218b2c44f02b3726c3dee4d56b6428bb0ddf

As I've been told since, that file is in fact a normal file that functions as a "Windows requirement for Edge": https://community.norton.com/en/forums/widevinecdmdll-1


And then https://old.reddit.com:
https://www.hybrid-analysis.com/sam...cf22bdf50286fe40db375c3b8cee96c430c462416e4bf

Marked as "suspicious" - again due to the "Falcon Sandbox Reports",
as well as the "malicious" file "mini-wallet.html" found on it - one of the 3 already encountered in my case, next to "notification.html" and "notification.bundle.js".



So if 1 of those 3 files is found even on old.reddit.com, and Hybrid Analysis is marking both that and the regular Reddit site as "malicious", then doesn't that mean it severely overreacts as well and its flagging of those 2 other sites from my OP doesn't necessarily mean much?




PS:
In case there's nothing further that can be learned about this:

Are there like "proxy"/"buffer" sites onto which one can download files from suspected sites and have them go through an AV scan? And then if clean, proceed to download it onto one's own device?
Maybe a way to circumvent this whole issue in that way...
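One way to make the comparison in the post above systematic, as an added example that is not part of this thread: compare the flagged "files extracted during detonation" across scans of unrelated sites by hash. Anything flagged on every submission is an artifact of the sandbox browser or of third-party content it loads, not evidence about any one site; only files unique to a submission deserve a closer look. The report layout, domains and hashes below are constructed for the example, not real Hybrid Analysis output.

```python
"""Triage sandbox 'extracted during detonation' verdicts across several scans.

Assumed (constructed) report layout: each scan is a dict with the submitted
'url' and a list of 'extracted' files carrying 'name', 'sha256', 'verdict'.
"""
from collections import defaultdict

# Constructed sample reports: three unrelated sites, the same flagged trio on
# each of them, plus one flagged file that only shows up on a single site.
SAMPLE_REPORTS = [
    {"url": "https://forum.example/", "extracted": [
        {"name": "mini-wallet.html", "sha256": "a1" * 32, "verdict": "malicious"},
        {"name": "notification.html", "sha256": "b2" * 32, "verdict": "suspicious"},
        {"name": "notification.bundle.js", "sha256": "c3" * 32, "verdict": "malicious"},
        {"name": "index.html", "sha256": "d4" * 32, "verdict": "no specific threat"},
    ]},
    {"url": "https://files.example/", "extracted": [
        {"name": "mini-wallet.html", "sha256": "a1" * 32, "verdict": "malicious"},
        {"name": "notification.html", "sha256": "b2" * 32, "verdict": "suspicious"},
        {"name": "notification.bundle.js", "sha256": "c3" * 32, "verdict": "malicious"},
        {"name": "only-seen-here.bin", "sha256": "e5" * 32, "verdict": "malicious"},
    ]},
    {"url": "https://unrelated.example/", "extracted": [
        {"name": "mini-wallet.html", "sha256": "a1" * 32, "verdict": "malicious"},
        {"name": "notification.html", "sha256": "b2" * 32, "verdict": "suspicious"},
        {"name": "notification.bundle.js", "sha256": "c3" * 32, "verdict": "malicious"},
    ]},
]

FLAGGED = {"malicious", "suspicious"}


def triage(reports):
    """Return {url: {"shared": [...], "unique": [...]}} for flagged files.

    'shared' = same hash flagged on at least one other, unrelated submission
    (sandbox or third-party artifact); 'unique' = flagged only on this one.
    """
    seen_on = defaultdict(set)  # sha256 -> URLs it was extracted from
    for rep in reports:
        for f in rep["extracted"]:
            if f["verdict"] in FLAGGED:
                seen_on[f["sha256"]].add(rep["url"])
    result = {}
    for rep in reports:
        shared, unique = [], []
        for f in rep["extracted"]:
            if f["verdict"] in FLAGGED:
                (shared if len(seen_on[f["sha256"]]) > 1 else unique).append(f["name"])
        result[rep["url"]] = {"shared": sorted(shared), "unique": sorted(unique)}
    return result


if __name__ == "__main__":
    for url, buckets in triage(SAMPLE_REPORTS).items():
        print(url, "shared:", buckets["shared"], "unique:", buckets["unique"])
```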
 
as to your "download files from suspected sites and have them go through an AV scan" - maybe something like one of these;
  • Sandboxie - isolation software
  • Deep Freeze - nothing is kept, PC reverts to set state at next reboot
  • Virtual software like VMWare Workstation or Oracle VirtualBox
  • separate, non-network connected PC
it all depends on how much you want to balance security against productivity.
 
I’m gonna be honest. My win 7 laptop got liquid spilt on it. I bought a machine and no matter what I do when I reboot the machine is making connections, that I do not want.

I refuse to use a version of windows I can’t fully control. I’m not gonna have everything I do online documented.

Windows 10 is straight spyware. I’m tooling around with Linux. If I do not have absolute control over what my machine is doing I will not go online.
 
When you surf the web cookies are stored. What you do is logged especially by social media.

I suggest if you have social media accounts you have a separate browser
 
as to your "download files from suspected sites and have them go through an AV scan" - maybe something like one of these;
  • Sandboxie - isolation software
  • Deep Freeze - nothing is kept, PC reverts to set state at next reboot
  • Virtual software like VMWare Workstation or Oracle VirtualBox
  • separate, non-network connected PC
it all depends on how much you want to balance security against productivity.

Hm which of those 3 has the most security? Is Sandboxie Plus safe enough, i.e. doesn't leak any malware to the outside?
 
personally, never used Sandboxie, but used to be on another forum, and a few of the other volunteers loved it.
I've used Deep Freeze and it's excellent - whatever you do in the current session gets completely wiped back to a saved baseline the next time you boot, without any noticeable startup delay.
VMs are good, but they can 'leak' purely because you have to set up connections to your CD, USB, RAM etc. but hey, if malware can exploit those 'leaks', who knows.

the only real 100% answer is to not go online, simple as that.
anything else, and you will always run the risk of things going sideways. it's just that simple.

it is your classic Catch-22 scenario - you obviously have to go online for whatever reason, even just a quick in & out, and once you are, you will always have a chance of getting an infection or even just leaving your footprint somewhere. it's a fact of modern day life.

and as much as you protect yourself, you will get infected one day.
that is why the flip side of the security coin is having a robust backup regime. (y)
 
SecurityQuestion Yesterday at 9:37 PM
Ah, sry for the delayed response - ended up using Sandboxie to visit the file host site and download the files from it - then scanned them with Windows Defender and Mbam for good measure (although the files themselves weren't sus' to begin with, just the sites), subsequent computer scans by both of those AVs also were fine.

cont.
SecurityQuestion Yesterday at 9:38 PM
So that immediate issue looks solved now - however I'm still curious about what those "mini-wallet.html" (crypto-mining?) files are and what it means when they're found on a website like this; and whether it means a website relevant to me that's found with this stuff by Hybrid Analysis is "compromised" or not etc.;

so I suppose we'll see if it can be figured out or not at some point.
 
Oh, no new insights or incidents since then, as of now.

Guess kind of a tangential question here, how reliable are AIs like BAIchat when answering such questions (about computing, security etc.)? Have they been exposed to correct info from all kinds of computer experts, or are they just pastiching stuff (with no ability to distinguish between correct/reputable forum answers and not) and can "hallucinate" on this subject as well? Had a convo with one like a few weeks ago, but yeah not sure how reliable those answers were (they contained no further information on these files either though).
 