Neo23x0/Loki

loki itself detected loki and spark core files as Malware with score 450:(

cuckoo-linux opened this issue · 3 comments

[ALERT]
FILE: /home/test/Loki-0.28.1/test/yara/JFolder.jsp SCORE: 450 TYPE: JSP SIZE: 31057
FIRST_BYTES: 3c250a2f2a2a0a4a46696c654d616e2056312e30 / <%/**JFileMan V1.0
MD5: 8979594423b68489024447474d113894
SHA1: e5c63e8a655f8f03566c39c84c4aa417e194db14
SHA256: c953f215c5b45546fb790990e62d2c2c92fcc44c12e4bf7d49582f4621c6505c CREATED: Wed Aug 29 11:33:25 2018 MODIFIED: Thu May 24 15:14:26 2018 ACCESSED: Wed Aug 29 12:24:50 2018
REASON_1: Malware Hash TYPE: MD5 HASH: 8979594423b68489024447474d113894 SUBSCORE: 100 DESC: Misc Webshells
REASON_2: Yara Rule MATCH: webshell_browser_201_3_400_in_JFolder_jfolder01_jsp_leo_ma_warn_webshell_nc_download SUBSCORE: 70
DESCRIPTION: Web Shell REF: -
MATCHES: Str1: UplInfo info = UploadMonitor.getInfo(fi.clientFileName); Str2: long time = (System.currentTimeMillis() - starttime) / 1000l;
Virustotal result:
https://www.virustotal.com/#/file/c953f215c5b45546fb790990e62d2c2c92fcc44c12e4bf7d49582f4621c6505c/detection

[ALERT]
FILE: /home/test/spark-core-linux-pack/test_spark_2018-08-07.log SCORE: 280 TYPE: UNKNOWN SIZE: 338833
FIRST_BYTES: 323031382d30382d30375430363a34313a30355a / 2018-08-07T06:41:05Z
MD5: b27ab687224b9963cb3cbb7cb50c3ea0
SHA1: 1d87a19513c4980d10c8ec09a818e09f6fc97a9d
SHA256: 061bc1a129e72aadd04e1500c3df54a27bf6099ae9e531cfc22fbae7f8bb9385 CREATED: Tue Aug 7 12:09:11 2018 MODIFIED: Tue Aug 7 12:09:11 2018 ACCESSED: Wed Aug 29 12:20:08 2018
REASON_1: Yara Rule MATCH: EquationDrug_HDDSSD_Op SUBSCORE: 70
DESCRIPTION: EquationDrug - HDD/SSD firmware operation - nls_933w.dll REF: http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/
MATCHES: Str1: nls_933w.dll
REASON_2: Yara Rule MATCH: APT10_Malware_Sample_Gen SUBSCORE: 80
DESCRIPTION: APT 10 / Cloud Hopper malware campaign REF: https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html
MATCHES: Str1: 002562066559681.r3u8.com Str2: 031168053846049.r3u8.com Str3: 0625.have8000.com Str4: 1.gadskysun.com Str5: ad.getfond.info Str6: gad ... (truncated)

This file cannot be uploaded on virustotal

  1. Finding
    Yes, scanning the ./test subfolder will result in alert messages.

  2. Finding
    It does not detect its current log file but older log files left on the drives. Those should always be removed to prevent attackers from finding them. Future versions have a very strict method to check for the logs.
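As an added example (not part of this issue thread and not Loki's own code), the script below parses the `[ALERT]` blocks quoted above into structured records and applies the two findings from the reply as triage rules: an alert on a file under Loki's own `test/` directory is an expected detection of a test sample, and an alert on an old scanner log file is the log echoing IOC strings from an earlier run. The sample text is a copy of the two alerts above (the MATCHES lists are shortened); the install path `/home/test/Loki-0.28.1` and the scanner-log name heuristic are assumptions taken from the paths in this report, not a Loki convention.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample: the two alert blocks quoted in this issue, MATCHES lists shortened.
SAMPLE_OUTPUT = """
[ALERT]
FILE: /home/test/Loki-0.28.1/test/yara/JFolder.jsp SCORE: 450 TYPE: JSP SIZE: 31057
FIRST_BYTES: 3c250a2f2a2a0a4a46696c654d616e2056312e30 / <%/**JFileMan V1.0
MD5: 8979594423b68489024447474d113894
SHA1: e5c63e8a655f8f03566c39c84c4aa417e194db14
SHA256: c953f215c5b45546fb790990e62d2c2c92fcc44c12e4bf7d49582f4621c6505c CREATED: Wed Aug 29 11:33:25 2018 MODIFIED: Thu May 24 15:14:26 2018 ACCESSED: Wed Aug 29 12:24:50 2018
REASON_1: Malware Hash TYPE: MD5 HASH: 8979594423b68489024447474d113894 SUBSCORE: 100 DESC: Misc Webshells
REASON_2: Yara Rule MATCH: webshell_browser_201_3_400_in_JFolder_jfolder01_jsp_leo_ma_warn_webshell_nc_download SUBSCORE: 70
DESCRIPTION: Web Shell REF: -
MATCHES: Str1: UplInfo info = UploadMonitor.getInfo(fi.clientFileName); Str2: long time = (System.currentTimeMillis() - starttime) / 1000l;
Virustotal result:
https://www.virustotal.com/#/file/c953f215c5b45546fb790990e62d2c2c92fcc44c12e4bf7d49582f4621c6505c/detection

[ALERT]
FILE: /home/test/spark-core-linux-pack/test_spark_2018-08-07.log SCORE: 280 TYPE: UNKNOWN SIZE: 338833
FIRST_BYTES: 323031382d30382d30375430363a34313a30355a / 2018-08-07T06:41:05Z
MD5: b27ab687224b9963cb3cbb7cb50c3ea0
SHA1: 1d87a19513c4980d10c8ec09a818e09f6fc97a9d
SHA256: 061bc1a129e72aadd04e1500c3df54a27bf6099ae9e531cfc22fbae7f8bb9385 CREATED: Tue Aug 7 12:09:11 2018 MODIFIED: Tue Aug 7 12:09:11 2018 ACCESSED: Wed Aug 29 12:20:08 2018
REASON_1: Yara Rule MATCH: EquationDrug_HDDSSD_Op SUBSCORE: 70
DESCRIPTION: EquationDrug - HDD/SSD firmware operation - nls_933w.dll REF: http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/
MATCHES: Str1: nls_933w.dll
REASON_2: Yara Rule MATCH: APT10_Malware_Sample_Gen SUBSCORE: 80
DESCRIPTION: APT 10 / Cloud Hopper malware campaign REF: https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html
MATCHES: Str1: 002562066559681.r3u8.com Str2: 031168053846049.r3u8.com ... (truncated)
"""

# Keys that occur in Loki's alert lines; several KEY: value pairs may share one line.
KEY_RE = re.compile(
    r"(?<![A-Za-z0-9_])"
    r"(FILE|SCORE|TYPE|SIZE|FIRST_BYTES|MD5|SHA1|SHA256|CREATED|MODIFIED|ACCESSED|"
    r"REASON_\d+|SUBSCORE|HASH|DESCRIPTION|DESC|MATCHES|MATCH|REF): "
)
INT_KEYS = {"SCORE", "SIZE", "SUBSCORE"}


def _pairs(line: str) -> List[Tuple[str, Any]]:
    """Split one output line into (KEY, value) pairs; a value runs up to the next key."""
    hits = list(KEY_RE.finditer(line))
    out: List[Tuple[str, Any]] = []
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
        key, val = m.group(1), line[m.end():end].strip()
        out.append((key, int(val) if key in INT_KEYS and val.isdigit() else val))
    return out


def parse_alerts(text: str) -> List[Dict[str, Any]]:
    """Turn Loki's textual [ALERT] blocks into dicts with a 'reasons' list."""
    alerts: List[Dict[str, Any]] = []
    cur = reason = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[ALERT]":
            cur, reason = {"reasons": []}, None
            alerts.append(cur)
            continue
        if cur is None:
            continue
        pairs = _pairs(line)
        if not pairs:  # e.g. "Virustotal result:" or a bare URL line
            continue
        head = pairs[0][0]
        if head.startswith("REASON_"):  # new reason: "REASON_n: <kind> ..."
            reason = {"kind": pairs[0][1]}
            reason.update(pairs[1:])
            cur["reasons"].append(reason)
        elif reason is not None and head in ("DESCRIPTION", "MATCHES"):
            reason.update(pairs)  # continuation lines of the current reason
        else:
            cur.update(pairs)  # file-level fields
    return alerts


def decode_first_bytes(alert: Dict[str, Any]) -> bytes:
    """Decode the hex half of FIRST_BYTES (the part before ' / ')."""
    return bytes.fromhex(alert.get("FIRST_BYTES", "").split(" / ", 1)[0].strip())


def first_bytes_match(alert: Dict[str, Any]) -> bool:
    """Check that the printable rendering after ' / ' agrees with the hex bytes."""
    parts = alert.get("FIRST_BYTES", "").split(" / ", 1)
    shown = parts[1] if len(parts) > 1 else ""
    printable = "".join(c for c in decode_first_bytes(alert).decode("latin-1") if c.isprintable())
    return printable == shown


def classify(alert: Dict[str, Any], loki_root: str = "/home/test/Loki-0.28.1") -> str:
    """Triage hint derived from the two findings in the maintainer's reply.
    loki_root and the scanner-log name heuristic are assumptions for this example."""
    path = alert.get("FILE", "")
    name = path.rsplit("/", 1)[-1]
    if path.startswith(loki_root.rstrip("/") + "/test/"):
        return "expected-loki-testfile"  # finding 1: samples shipped under ./test
    if name.endswith(".log") and re.search(r"loki|spark", path, re.I):
        return "stale-scanner-log"  # finding 2: old scanner log echoing IOC strings
    return "needs-triage"


def triage(text: str) -> List[Tuple[str, int, str]]:
    """Summarise a Loki report as (file, score, classification) tuples."""
    return [(a.get("FILE", ""), a.get("SCORE", 0), classify(a)) for a in parse_alerts(text)]


if __name__ == "__main__":
    for file, score, verdict in triage(SAMPLE_OUTPUT):
        print(f"{score:>4}  {verdict:<24} {file}")
```

The classification is only a hint for sorting a report: a real web shell dropped into a directory that happens to contain "loki" in its name would still be labelled a stale log, so the hash and YARA reasons should still be read for anything that is not plainly a shipped test sample. The remedy the reply gives stands either way: delete old scanner logs after a run, and keep the `test/` directory out of the scanned path.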

But VirusTotal also detects /home/test/Loki-0.28.1/test/yara/JFolder.jsp as malware (23/59 antivirus engines).

It is a web shell. Yes.