You're fine.
If they were targeting you for infection they would have likely sent a link. If image based malware via SMS was happening it would be a lot more rampant or used on someone of importance. No one would burn that kind of exploit on some random person and risk Google patching it.
If you're still worried about it run it through Joe's Sandbox https://www.joesandbox.com/#android
Analysis:
https://www.joesandbox.com/analysis/39495/0/html
https://www.joesandbox.com/analysis/39495/0/pdf#page=26
> Intent: com.google.android.gms.gcm.ACTION_TASK_READY (Priority 0)
> You're Wyatt? Colonel, she says we got an enemy comin' intent on keepin' us from marchin' for Glory in the mornin'.
> But Virustotal doesn't check for RATs and other malware that relies on vulnerabilities in software like PDF readers.
Virustotal doesn't "check" for anything, it's an array of AV solutions that scan a file and returns a list of results. Nothing more. AV scanners are perfectly capable of determining if there are exploits, or exploit-like objects, within a file.
With that being said, just use a Sandbox that can handle apks, such as https://www.joesandbox.com/#android
Edit 0: formatting
Edit 1: I have now downloaded the file - I'd assumed you meant an apk as you said "it was designed to run on Android", but it's a plain PDF - no scripts, attachments, no obvious shellcode or anything similar. In fact, beside plaintext, the only things of note are 3 different fonts and 1 image.
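The checks the comment above describes (no scripts, no attachments, no obvious shellcode; only fonts and an image) can be reproduced as a static keyword triage. The following is an added example, not the commenter's tooling: it scans a PDF byte string for the name keywords that indicate active content (the same indicators a tool such as pdfid counts), resolves `#xx` name escapes and inflates FlateDecode streams so that a keyword hidden as `/J#53` or inside a compressed object is still counted, and reports an inventory of fonts, images and pages. The two PDFs are constructed inline for the demonstration and are not files from the thread.

```python
import re
import zlib
from collections import Counter

# PDF names that indicate active content or embedded payloads.
RISKY = ["/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch",
         "/EmbeddedFile", "/RichMedia", "/XFA", "/AcroForm", "/URI", "/ObjStm"]

# Inventory patterns: what the document is made of.
INVENTORY = {
    "fonts": re.compile(rb"/Type\s*/Font(?![A-Za-z])"),
    "images": re.compile(rb"/Subtype\s*/Image(?![A-Za-z])"),
    "pages": re.compile(rb"/Type\s*/Page(?![A-Za-z])"),
}

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")                 # /J#53 is the name /JS
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _inflate_streams(data: bytes) -> bytes:
    """Concatenate the plaintext of every stream that inflates with zlib;
    streams that are not FlateDecode (or are damaged) are skipped."""
    out = []
    for m in STREAM.finditer(data):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass
    return b"\n".join(out)


def triage_pdf(data: bytes) -> dict:
    """Static keyword triage of a PDF: raw bytes plus inflated stream content,
    with #xx name escapes resolved before matching."""
    text = data + b"\n" + _inflate_streams(data)
    text = NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), text)
    risky = Counter()
    for kw in RISKY:
        # a name ends at whitespace or a delimiter, so /JS must not match /JSX
        pattern = re.escape(kw.encode()) + rb"(?![A-Za-z0-9])"
        hits = len(re.findall(pattern, text))
        if hits:
            risky[kw] = hits
    result = {name: len(rx.findall(text)) for name, rx in INVENTORY.items()}
    result["risky"] = dict(risky)
    result["verdict"] = "needs manual review" if risky else "no active content found"
    return result


# Constructed sample 1: one font, one image, nothing else (like the file in the thread).
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Resources << /Font << /F1 4 0 R >> "
    b"/XObject << /Im1 5 0 R >> >> >> endobj\n"
    b"4 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> endobj\n"
    b"5 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 /Length 1 >> stream\n"
    b"x\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def _build_suspicious_pdf() -> bytes:
    """Constructed sample 2: an OpenAction pointing at a JavaScript action whose
    /JS key is escaped as /J#53, plus a /Launch dictionary inside a compressed stream.
    The action bodies are placeholders, not runnable scripts."""
    hidden = zlib.compress(b"<< /S /Launch /F (placeholder) >>")
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
        b"4 0 obj << /S /JavaScript /J#53 (placeholder) >> endobj\n"
        b"5 0 obj << /Filter /FlateDecode /Length " + str(len(hidden)).encode()
        + b" >> stream\n" + hidden + b"\nendstream endobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


SUSPICIOUS_PDF = _build_suspicious_pdf()

if __name__ == "__main__":
    print(triage_pdf(BENIGN_PDF))
    print(triage_pdf(SUSPICIOUS_PDF))
```

A keyword hit is a reason to open the file in a sandbox or a proper parser, not a verdict on its own: forms (`/AcroForm`) and links (`/URI`) are common in legitimate documents, while a clean keyword scan of a heavily obfuscated file is only as good as the decoding applied first.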
Just out of interest, what happened? Looking at similar scams, automated scans like this one show it is just some random nonsense spreadsheet. I wonder what the ultimate goal is?
Hi /u/knowyourcoin_
So it's totally natural to be concerned when your AV software flagged the wallet as malware; always good security practice to be fully aware of what you're downloading and installing onto your computer.
At any rate, Norton was being a bit too enthusiastic about flagging the new wallet as malware :) there's nothing to worry about. Here's a comprehensive analysis I've just run for you on version 1.2
https://www.joesandbox.com/analysis/55657/0/html
If you need any explanation about what the report entails, feel free to comment or PM me. Not sure when I'll be able to respond, as I'm away on holiday for the rest of the week. The sum of it is that the wallet is safe and you should consider changing your AV solution to something better ;)
(I won't lie, I strongly dislike Norton, use Windows Defender if possible!)
Edit: I made a silly error; I didn't wait to upload the file entirely before I had downloaded it 😑 so I'm doing the scan again. Will update this comment once it's done. In the meantime, I replaced the link with the scan I've done on version 1.2 of the new wallet for you to look over.
Edit 2: okay so here's the updated scan
https://www.joesandbox.com/analysis/57550/0/html
It was marked as malicious only because of the VirusTotal report of a few AV solutions flagging it as malware. However, if you actually go through all of the analysis and see what every function does, you'll find that without the AV flags from VirusTotal (which aggregates AV solution results for a particular file), the wallet is harmless. But obviously you should go through the entire analysis and read it thoroughly for your own knowledge. If you need anything clarified from the report, again don't hesitate in reaching out to me.
This comes up as part of a malicious program, as reported by Joe Sandbox:
https://www.joesandbox.com/analysis/797154
I read you already used Avast. Please install the free edition of MalwareBytes and have that check your computer, too.
https://www.joesandbox.com/ This site will tell you everything you need and then some. It also provides you with a full report and will run links and files within a virtual machine with just a few clicks. I highly recommend.
I know I'm a little late here, but I ran across this in my network today and as far as I can tell so far it's some form of adware/spyware that embeds itself in Chrome as an extension
This website provides reports for suspicious malware stuff. It says it is an evader and a ransomware. Obvs it's gonna evade the system cos it's a piracy program, so we can rule that out. But I do not believe it is ransomware - no one has reported it as such. https://www.joesandbox.com/analysis/353879/0/html
Crowdstrike and Virus Total both have the site labeled as clean. That does not mean what you download on such a site does not contain malware, but visiting the link itself won't do any harm. And that link itself did not attempt anything malicious when I visited it according to my AV. You can see a report on this website here, which Crowdstrike is kind enough to offer resources for searched urls: https://www.joesandbox.com/analysis/242318/0/pdf
I also found a security report on it and the link to the extension (.crx) file.
I found the below domains in a JoeSandbox link which is posted in the thread OP linked. It's worth blocking them because the initial .EXE downloads components from them. I suspect if these are blocked then the install might fail or at least it won't be able to extract your data. I will test on a machine that's firewalled off and report results. It also reaches out to China so a geo IP rule on your firewall won't hurt.
> cdn.wavebrowserbase.com
> api.wavebrowserbase.com
> api.wavebrowser.co
> www.mywavehome.net
Lastly, if you have AppLocker deployed you could block the signature of the .EXE easily enough because it's signed by "Wavesor Software", or if you have an EDR tool deployed you might be able to block the hash and/or signer. SHA256 of this particular sample is: 33111d45c6e463b267685b51faefb49565d3e517a30940338e285c52e019e1a6
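The indicators in the comment above (one SHA256 and four domains) are the kind of thing a defender turns into a quick local check before the EDR or firewall rules are in place. This is an added example, not the commenter's code: it hashes files in chunks and compares them with the blocked SHA256, and matches DNS query logs against the blocked hosts. Blocking the parent zones (`BLOCKED_ZONES`) is my assumption and goes beyond the comment's list, so a renamed subdomain under the same registered domain is also caught; the dnsmasq-style log lines are constructed for the demonstration.

```python
import hashlib
import re
from pathlib import Path

# Indicators copied from the comment above.
BLOCKED_SHA256 = {
    "33111d45c6e463b267685b51faefb49565d3e517a30940338e285c52e019e1a6",
}
BLOCKED_DOMAINS = {
    "cdn.wavebrowserbase.com",
    "api.wavebrowserbase.com",
    "api.wavebrowser.co",
    "www.mywavehome.net",
}
# Assumption (not from the comment): treat every host under the same registered
# domains as blocked too, so a new subdomain does not slip past the list.
BLOCKED_ZONES = {"wavebrowserbase.com", "wavebrowser.co", "mywavehome.net"}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path) -> str:
    # hash in 1 MiB chunks so large installers are not read into memory at once
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def file_is_blocked(path) -> bool:
    return sha256_file(path) in BLOCKED_SHA256


def scan_directory(root) -> list:
    """Paths under root whose SHA256 is on the blocklist."""
    return [str(p) for p in Path(root).rglob("*") if p.is_file() and file_is_blocked(p)]


def domain_is_blocked(host: str) -> bool:
    host = host.lower().rstrip(".")        # normalise case and a trailing root dot
    if host in BLOCKED_DOMAINS:
        return True
    # suffix match on ".zone" so that e.g. notwavebrowser.co is not a false hit
    return any(host == z or host.endswith("." + z) for z in BLOCKED_ZONES)


# Constructed dnsmasq-style query log (not real traffic).
SAMPLE_DNS_LOG = """\
May  1 10:00:01 dnsmasq[123]: query[A] cdn.wavebrowserbase.com from 10.0.0.5
May  1 10:00:02 dnsmasq[123]: query[A] www.example.com from 10.0.0.5
May  1 10:00:03 dnsmasq[123]: query[A] constructed-sub.wavebrowser.co from 10.0.0.9
May  1 10:00:04 dnsmasq[123]: query[AAAA] WWW.MYWAVEHOME.NET. from 10.0.0.7
"""
QUERY = re.compile(r"query\[\w+\]\s+(\S+)\s+from\s+(\S+)")


def scan_dns_log(text: str) -> list:
    """(client, host) pairs for every query that hits the blocklist."""
    hits = []
    for line in text.splitlines():
        m = QUERY.search(line)
        if m and domain_is_blocked(m.group(1)):
            hits.append((m.group(2), m.group(1)))
    return hits


if __name__ == "__main__":
    for client, host in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} queried blocked host {host}")
```

The hash check only finds this exact sample; a rebuilt installer gets a new SHA256, which is why the comment's point about blocking the signer is the more durable control.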
1000% sure it’s malicious. It’s a browser hijacker. Details in some posts relative to it. Also the only way to remove all traces and to prevent reinfection is to use MBAM.
https://www.joesandbox.com/analysis/407799/0/html
https://www.bleepingcomputer.com/forums/t/750419/wavebrowserco/
Thanks.
Virustotal didn't detect anything.
But there's a link to this page that someone left https://www.joesandbox.com/analysis/446422/0/html
And there the apk (I guess someone else uploaded it) is marked as malicious.
You can check pretty much anything here:
urlscan https://urlscan.io/ free
Joes https://www.joesandbox.com/ freemium
Anyrun https://any.run/ free version meh? Cool thing about paid version is you don’t have to dl the file, it’ll download from url
Also if you don’t have it, get duck duck go; they’re also about to start handing out .duck email addresses; waiting list.
Hope it helps 🤙
Still not satisfied with this case... After looking at the aliunce website, it seems there is a lot of amateur radio stuff there, which doesn't match with malware.
So I submitted the programming software to joesandbox; it has not shown any bad behavior: https://www.joesandbox.com/analysis/442038/0/html
Same for the firmware updater: https://www.joesandbox.com/analysis/442054/0/html it gets a warning and seems to be dropping a file, but it's just the installer "dropping" the actual executable file.
Weird, maybe they are not following software development best practices, it wouldn't be a first with small companies and niche products.
I guess it's somewhat safe to use it then. Maybe on some old PC instead of your main PC. It's up to your appreciation.
Yes, and it’s finally confirmed. It’s essentially a time bomb / dead man’s switch. It delays the malware attack, or leaves residual files that activate when uninstalled. It’s a very evasive technique that prevents Malware Detection VMs from identifying it. Check out this report
I checked out the comments for the scan I did. Based on what I'm reading here, I'm gonna have to pass on this until they clean up this app. That's too bad - I was looking forward to using this.
https://www.joesandbox.com/analysis/337783/0/html
By the way, not too long ago I installed and set up the IPFS Desktop app (which, as far as I know, operates in a similar manner) and it raised NO flags at VirusTotal.com.
Nope, no way...
Did anybody see this: a sandbox simulation of Gen P 2.6. I'd like to know what you think, especially regarding the obfuscation and potential mining signatures.
https://www.joesandbox.com/analysis/304820/0/html#graph_1-95597
I have a client that's been hit with this. Malwarebytes and Webroot found nothing. Used the Malwarebytes Breach Remediation tool and it found nothing. Windows Defender kills the powershell miner during boot, but when we reboot it's there again. Manually removed all malicious WMI objects through powershell and renamed malicious "WinRing0x64.sys" file to render it useless. At this point it seems like the worm aspect of this malware is disabled. We still get commandline running the base64-encoded miner at boot, regardless of user, even in Safe Mode. More info here: https://www.joesandbox.com/analysis/298584/0/html#584032569E403279B3FD2EDB7EBD036273FA
Anyone have any more ideas? We are all nailing our heads against the wall and need to come up with a cleanup policy. Going to reach out to Webroot and Malwarebytes and try to get them involved.
When we run an SFC scan, there are TONS of Windows system files that do not match up and are repaired, but we don't appear to be making progress.
BTW if you have an actual link you think may be malicious and have no concerns that it may be targeted personally to you, sites like https://www.joesandbox.com/#windows will actually visit the link and, if it is malicious, show what it attempts to do. Do this at your own risk, since the information, at least in the link given, is publicly available in the free version.
First of all, never open any attachments to inspect them on company owned equipment or on an end users computer. Ever. Stand up a non-domain joined box and run it there with a direct internet connection if you need to.
If you want to analyze headers or mail metadata, Outlook API and powershell is pretty awesome if you want to analyze hundreds or thousands of headers and e-mail html metadata.
If you want to analyze payloads, https://www.joesandbox.com has saved my ass more than once. If you think you are dealing with customized stuff, you'll need to turn up your own sandbox.
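The comment above recommends the Outlook API and PowerShell for bulk header analysis. As an added example that is not the commenter's code, here is the same triage done with Python's standard `email` module, which works on raw .eml files from any mail system: it rebuilds the `Received` chain in delivery order, reads the `Authentication-Results` verdicts, and compares the header `From` domain with the envelope `Return-Path` domain. The raw message is constructed for the demonstration (reserved `.example` domains and documentation IP ranges), and the flagging rules are my own choices, not a standard.

```python
import email
import email.utils
import re

# Constructed raw message, not a real sample from the thread.
RAW_MESSAGE = (
    b"Return-Path: <bounce@constructed-sender.example>\r\n"
    b"Received: from mail.constructed-relay.example (mail.constructed-relay.example [203.0.113.7])\r\n"
    b"\tby mx.corp.example with ESMTP id abc123; Mon, 1 May 2023 10:00:00 +0000\r\n"
    b"Received: from [192.0.2.10] (unknown [192.0.2.10])\r\n"
    b"\tby mail.constructed-relay.example with SMTP; Mon, 1 May 2023 09:59:50 +0000\r\n"
    b"Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=constructed-sender.example;\r\n"
    b"\tdkim=none; dmarc=fail header.from=bank.example\r\n"
    b"From: \"Accounts\" <accounts@bank.example>\r\n"
    b"To: user@corp.example\r\n"
    b"Subject: Invoice attached\r\n"
    b"\r\n"
    b"Please see the attached invoice.\r\n"
)

FROM_HOP = re.compile(r"^from\s+(\S+)")
BY_HOP = re.compile(r"\bby\s+(\S+)")
AUTH = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def _flat(value: str) -> str:
    """Collapse header folding (CRLF + tab) into single spaces."""
    return re.sub(r"\s+", " ", value).strip()


def received_chain(msg) -> list:
    """(from, by) pairs in delivery order. Each relay prepends its own Received
    header, so the last header in the message is the first hop."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = _flat(value)
        f = FROM_HOP.search(value)
        b = BY_HOP.search(value)
        hops.append((f.group(1) if f else "?", b.group(1) if b else "?"))
    return hops


def auth_results(msg) -> dict:
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH.findall(_flat(value)):
            results[mech] = verdict.lower()
    return results


def _domain(header_value) -> str:
    addr = email.utils.parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()


def triage_message(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw)
    report = {
        "hops": received_chain(msg),
        "auth": auth_results(msg),
        "from_domain": _domain(msg["From"]),
        "envelope_domain": _domain(msg["Return-Path"]),
        "flags": [],
    }
    for mech in ("spf", "dkim", "dmarc"):
        if report["auth"].get(mech) in ("fail", "softfail", "permerror"):
            report["flags"].append(f"{mech}={report['auth'][mech]}")
    if report["from_domain"] != report["envelope_domain"]:
        report["flags"].append(
            f"header From domain {report['from_domain']} != envelope domain {report['envelope_domain']}")
    # a first hop that is only an IP literal has no forward-confirmed hostname
    if report["hops"] and report["hops"][0][0].startswith("["):
        report["flags"].append(f"first hop is a bare IP literal {report['hops'][0][0]}")
    return report


if __name__ == "__main__":
    for flag in triage_message(RAW_MESSAGE)["flags"]:
        print("FLAG:", flag)
```

Only the `Received` header added by your own edge MX and the `Authentication-Results` it wrote can be trusted; anything below them in the chain was supplied by the sender and may be forged, which is why the loop over thousands of headers should key on your own gateway's hostname rather than on whatever the message claims.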
>Might save you some time, these guys did a very deep dive analysis:
>
>https://www.joesandbox.com/analysis/155694/0/html
/r/24hoursupport for more help but it looks like it is part of malware trojan network
Ok, several thoughts here:
- I found W32.AIDetectVM.malware2 in r/CrackSupport, which is suspicious...
- The name of the virus class sounds like AI-supported VM-detection
- maybe the game just tries to detect being run in Virtual Machines
- maybe it does this to prevent being cracked
- maybe it's a malware and tries to hide from malware analysis
- If only one engine detects it, that could be a false positive (or a very sensitive AV)
- It looks like there is a service stopped, but also it looks like the executable started the service, so it might just make sure to only run one service at once?
- maybe it tries to replace a genuine service with a rogue service
- Why does a game need a service anyway?
- Why does it do WMI stuff? This looks suspicious!
- Can you put it into JoeSandbox for me and share the analysis, please? (Leave all options, except for the execution time: Make it 500 seconds instead of 120)
I followed up the ID and came across this site:
https://www.joesandbox.com/analysis/192622/0/html
It looks like the extension was used for phishing. Anyone know what to do?
Here is a generated report https://www.joesandbox.com/analysis/98217/0/html
I am looking at a site that is probably hacked and this script clears the console after it runs.
Looks to be a coinminer:
https://github.com/stamparm/maltrail/blob/master/trails/static/malware/elf_coinminer.txt
https://www.joesandbox.com/analysis/164756/0/html
I would go ahead and drop all traffic to that address and track down the source file on your system.
Hi, I have the exact same issue discussed in this thread. Same behavior also when opening the App Store. If I then close it and reopen it right after, it loads properly.
I did not manage to determine the PID triggering such dns resolution, somehow it seems to be related to the commerce PID (part of App Store application)
In a past attempt to capture the traffic, I have seen some connections to port 80 for that site (that was a parked domain when I started the investigation) but I did not manage to grab more details.
I opened a case with Umbrella support and they confirmed that site is malicious for phishing attempts.
Hello, Thanks for reaching out to us in regards to this. To confirm, itunes-apple[.]com is a phishing site that targets Apple users. The domain was for sale in late 2019, and the purchaser has since been using the domain as a phishing tool.
Virustotal also has an entry for this URL, and Joesandbox has a report when the IP was not yet changed to 240.0.0.1 https://www.joesandbox.com/analysis/320450#iocs
The result was ''malicious'' but it seems it was affecting Win machines more (that was the only one available to run the test).
That's kinda weird... JoeSandbox says that 7zip https://www.joesandbox.com/analysis/205552/0/html just has some encryption functionality (and only one scanner picked it up as Multi since it can encrypt files).
Remember that 7zip can password lock files so it would make sense to trigger that detection.
Bandizip is throwing WebToolBar, meaning it could have one of those annoying toolbars in the installer.
Not sure about userbenchmarks, but I see [cfp]\Device\HarddiskVolume1\Downloads\7z1900-x64.exe (from your other thread) and maybe depending on where you downloaded it from, can create some suspicious activity with a 60% confidence.
Use this, you can get a free account for a few scans a month. It runs the file in a sandbox and checks for connections and a bunch of other things, before giving you a report, and lets you view a video of what it did.
Here are the results of the analysis from Joe Sandbox:
🚨Malicious! https://www.joesandbox.com/analysis/164699
Next step, domain suspension!
Registrar WHOIS Server: whois.pananames.com
URL: http://www.pananames.com
Registrar: URL SOLUTIONS INC.
IANA ID: 1449
Abuse Contact Email:
Abuse Contact Phone: +1.9727369998
Additional note: uses AWS DNS
Hey there, I read over the scan - I don't have a ton of time right now, but I can explain what some of these items mean:
Contains functionality to dynamically determine API calls - This is going to be to determine coin price; when you have the wallet loaded you can see that the US dollar and BTC price are constantly changing. This app needs to make external calls to APIs to get that information and do some calculation based upon your current coin amount to display those values to you.
PE file contains an invalid checksum - most likely an error in the wallet, this explains why some accounts show a different balance in BTC while having the same amount of Electra within them.
Uses code obfuscation techniques (call, push, ret) - This is a standard crypto error that I would expect to see. You are connected to a network and if you are staking, have a certain network weight etc that needs to be pushed and determined by the blockchain for rewards etc...
Edit: I don't see anything that is too alarming for what the wallet is doing. I am currently running this application myself and fully trust it (and understand it better with the AV errors from the scan).