TL;DR: A simple batch script was converted to an EXE file, causing a large number of virus warnings on the endpoints. The analysis showed that the batch script is completely legitimate and that the anti-virus signatures were triggered because of the PE section hash produced by the Bat to Exe converter. This blog post describes in detail the steps taken during the analysis.

Large number of virus events from different clients

The virus scanners of a large number of clients detected the same file, or the same installation package (MSI file), as malicious within a short time and moved the file to the quarantine on the local filesystem. According to the virus message from Windows Defender (which is the active virus scanner on the clients), the name of the detected virus is Trojan:Win32/Tiggre!rfn. The following is the path to the file that was detected and quarantined on the clients, as stated in the virus message:

C:\Windows\Installer\510f9.msi; file:_C:\Windows\Installer\510f9.msi->Binary.NewBinary21

As an analyst, it is now important to find out as quickly as possible whether the file is really malicious or whether there is a false positive in the anti-virus signature. If the file was really malicious, you would need to check from which source the file was downloaded, because it was rolled out as part of an installation package on a number of clients. There could be a danger of a so-called supply chain attack – that a legitimate software source has been hacked and the actual software or parts of it have been replaced. As a first step, we will collect more information about the detection and the underlying signature in order to better assess whether the detection as a virus was legitimate or erroneous. For this purpose, we have a look at the official Microsoft Security Intelligence page with information about the Trojan Tiggre!rfn <1>.


Encrypted files which were detected as viruses

We are using a Python script for the decryption of the files on a Linux host:

$ windows_defender_unquarantine.py 6F973CA30A76EA3D4892856D2EFDDF3495AFEDC5
6F973CA30A76EA3D4892856D2EFDDF3495AFEDC5_decoded_meta.bin saved.
6F973CA30A76EA3D4892856D2EFDDF3495AFEDC5_decoded.bin saved.

Only the file name of the encrypted file is passed to the script as a parameter. If no error occurred, two files should have been created (named $filename_decoded_meta.bin and $filename_decoded.bin). Whether we have obtained an executable PE32 file can easily be verified with the Linux console program file:

$ file *
6F973CA30A76EA3D4892856D2EFDDF3495AFEDC5: data
6F973CA30A76EA3D4892856D2EFDDF3495AFEDC5_decoded.bin: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer...
6F973CA30A76EA3D4892856D2EFDDF3495AFEDC5_decoded_meta.bin: data

According to the output of the file program (see the _decoded.bin line above), the Python script was able to decrypt the file successfully. We can now compute the hash sum of this file and check at VirusTotal whether other anti-virus vendors classify our sample as malicious, or whether Microsoft is the only vendor to classify the file as malicious, which would be a strong sign of a false positive:

$ sha256sum 6F973CA30A76EA3D4892856D2EFDDF3495AFEDC5_decoded.bin
5e6763c0b74ab05858074c9fe2685bc354c0ae05f645546429df471ba5f80971  6F973CA30A76EA3D4892856D2EFDDF3495AFEDC5_decoded.bin

This file is also detected by Microsoft as Trojan:Win32/Tiggre!rfn (marked yellow in the image below):


[Figure: VirusTotal detections for the MSI file]

The detected sample can also be restored with the console program Mpcmdrun, but first the anti-virus scanner on the host would have to be deactivated, otherwise the restored file would immediately be detected as a threat and deleted. Sample call to Mpcmdrun <5>:

Mpcmdrun -Restore -All -Path "C:\Temp"

Defender’s detection can also be investigated further with PowerShell, but we won’t discuss that in this blog post <6,7>.

Extraction of MSI files

The decrypted MSI file already has a fairly high score at VT, but it was not the MSI file itself that was detected as a virus; it was a file within the MSI file (510f9.msi->Binary.NewBinary21). MSI files can be unpacked like ZIP archives to get to the underlying files. An easy way to unpack MSI files is with the Linux console program 7z:


[Figure: VirusTotal detections from a file within the MSI]

Automated upload of files to VT

The MSI file contains a number of other files, including other PE32 (executable) files. Manually hashing all of these files and checking them on VirusTotal would be tedious and time-consuming, so the better way is to check the hashes directly with the VirusTotal API.
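One way to script the hash check described above (an added example, not the author's script): it walks the directory of extracted files, computes each SHA-256 and asks the VirusTotal API v3 file endpoint for the existing report, so nothing is uploaded. The function names and the injectable lookup parameter are assumptions of this example; a VirusTotal API key is needed for live lookups.

```python
import hashlib
import json
import os
import urllib.error
import urllib.request

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large installers do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def vt_lookup(sha256, api_key):
    """Return the existing VirusTotal report for a hash, or None if it is unknown."""
    req = urllib.request.Request(VT_FILE_URL.format(sha256),
                                 headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:          # hash never submitted to VirusTotal
            return None
        raise

def triage(directory, lookup):
    """Return (path, sha256, malicious_count, engines) for every file found."""
    rows = []
    for root, _dirs, files in os.walk(directory):
        for name in sorted(files):
            path = os.path.join(root, name)
            digest = sha256_file(path)
            report = lookup(digest)
            if report is None:
                rows.append((path, digest, None, []))
                continue
            attrs = report["data"]["attributes"]
            engines = sorted(engine for engine, res
                             in attrs["last_analysis_results"].items()
                             if res["category"] == "malicious")
            rows.append((path, digest,
                         attrs["last_analysis_stats"]["malicious"], engines))
    return rows
```

For a live run, pass `lambda h: vt_lookup(h, api_key)` as the lookup argument. A row whose count is None means VirusTotal has no report for that hash, which is not the same as a clean verdict.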

Analysis with ClamAV

Intermediate state of analysis: We now know that Microsoft is by far not the only vendor that detects this file (or files) as potentially malicious. The next step is to gather more information to assess the potential danger to the internal network and other clients. The signatures of Windows Defender cannot simply be read out, so a good strategy is to look at the list of anti-virus vendors that detect the file as a virus to see whether ClamAV is also listed as an engine. Because ClamAV’s signatures are open source, they provide a detailed explanation of why the file was classified as malicious, which helps us learn more about Microsoft’s signatures.

$ clamscan Binary.NewBinary21
Binary.NewBinary21: Win.Trojan.Generickd-3430 FOUND

This signature can now be analyzed with the program sigtool, so that we can find out exactly why and with which signature ClamAV detected this file <2>:

$ sigtool --find-sigs Win.Trojan.Generickd-3430
31232:4c6aea5a778f30ed942d52659c4dd53e:Win.Trojan.Generickd-3430

According to the ClamAV homepage, PE section hash signatures are stored in MDB files (see sigtool’s output above) <4>:

[Figure: ClamAV manual about hash signatures]

The output must be interpreted as follows (also from the ClamAV homepage <4>):

[Figure: ClamAV manual about PE section hash signatures]

Thus the signature triggers because at offset 31232 within the file the PE section has the MD5 hash 4c6aea5a778f30ed942d52659c4dd53e. We will analyze this in more detail in the following section.

Analysis of the PE section

With the software CFF Explorer <9> the sections of a PE file can be viewed. The offset 31232 decimal from the output of ClamAV corresponds to 7A00 hex, and thus the detection relates to the .text section:


[Figure: .text section within CFF Explorer]

Interestingly, no engine detects the section on its own if you dump it as a file and upload it to VirusTotal (the MD5 sum is the same as in the ClamAV signature):


[Figure: Dumped .text section]

If you modify the .text section you get a different hash, but the corresponding sample is still detected by several anti-virus engines, though not by Microsoft and ClamAV.

The resource section of the file also contains the string b2edecompile (see the image below), which leads us to the software Bat To Exe Converter after a short Google search:


[Figure: Resource section within CFF Explorer]

Bat-to-EXE

Based on our analysis, we know that our sample was created with the Bat-to-Exe software, and is actually just a (legitimate, not malicious) batch file that was converted to an EXE file. The following is a screenshot from the website of the vendor of the Bat To Exe software <8>:


[Figure: Screenshot from the Bat to Exe Converter website]

We suspect that this Bat-to-Exe software has also been used by cryptominers, which is why the virus scanners are detecting our sample as malicious. The ClamAV signature, for example, triggered on the PE hash, but this is the same for all binaries created with the Bat-to-Exe converter. As a test, we have created an EXE with this software, which is also detected by various anti-virus engines as malicious:


[Figure: Bat to Exe converter]
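Added example, not code from the original post or from ClamAV: a small Python matcher for the PE section hash signature discussed above, run over two constructed images that share one converter stub in .text but carry different batch scripts, which is why every converted EXE hits the same signature. It follows ClamAV's documented .mdb layout PESectionSize:PESectionHash:MalwareName, so the first field is compared against the section's raw size. All function names, the sample images and the signature name Example.Stub are assumptions made for the illustration.

```python
import hashlib
import struct

def parse_mdb(line):
    """Split one .mdb entry (PESectionSize:PESectionHash:MalwareName)."""
    size, md5, name = line.strip().split(":", 2)
    return int(size), md5.lower(), name

def pe_sections(data):
    """Yield (name, raw_offset, raw_size, md5_of_raw_data) per PE section."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (count,) = struct.unpack_from("<H", data, pe_off + 6)    # NumberOfSections
    (opt,) = struct.unpack_from("<H", data, pe_off + 20)     # SizeOfOptionalHeader
    for i in range(count):
        entry = pe_off + 24 + opt + 40 * i                   # 40-byte section header
        name = data[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        size, off = struct.unpack_from("<II", data, entry + 16)
        yield name, off, size, hashlib.md5(data[off:off + size]).hexdigest()

def match_mdb(data, mdb_lines):
    """Return (section, raw_offset, signature_name) for every section hash hit."""
    sigs = {}
    for line in mdb_lines:
        size, md5, name = parse_mdb(line)
        sigs[(size, md5)] = name
    return [(sec, off, sigs[(size, md5)])
            for sec, off, size, md5 in pe_sections(data) if (size, md5) in sigs]

def build_sample_pe(stub, script):
    """Constructed PE-like image: converter stub in .text, batch script in .rsrc."""
    bodies = [(b".text", stub.ljust(512, b"\0")), (b".rsrc", script.ljust(512, b"\0"))]
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, len(bodies), 0, 0, 0, 0, 0x102)
    off = 0x200
    for name, body in bodies:
        hdr += struct.pack("<8sIIIIIIHHI", name, len(body), 0, len(body), off, 0, 0, 0, 0, 0)
        off += len(body)
    return hdr.ljust(0x200, b"\0") + b"".join(body for _, body in bodies)

if __name__ == "__main__":
    stub = b"\x90" * 100                 # constructed stand-in for the fixed stub
    md5 = next(pe_sections(build_sample_pe(stub, b"@echo one")))[3]
    print(match_mdb(build_sample_pe(stub, b"@echo two"), ["512:%s:Example.Stub" % md5]))
```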

Conclusions

It is extremely likely that the analyzed MSI file is a false positive. However, it is questionable why a simple BAT file has to be converted into an EXE at all; this could certainly be solved in a different way.

It also seems that there have been other cases in the past where a Bat to EXE converter caused a false detection of a piece of software:

“It may be worth stating that such false flags are not distinctive to “Bat To Exe Converter”, you can use a different program to package a harmless batch file as an exe and you will again get many false positives. It’s likely due to it being considered a type of obfuscation by certain anti-virus software, and maybe used by someone in the past to package something malicious. Which is why as you said you end up with a bunch of generalised warnings such as “Trojan” and “malicious confidence”.” <4>

In our case, the software vendor would have to be contacted so that the information in the batch script is no longer distributed as an EXE, but simply deployed to the clients via a script or another method.

Sources

<1> Trojan:Win32/Tiggre!rfn
<2> Decode signatures with Sigtool
<3> Data hash signatures
<4> Abstractism has been removed from the Steam store after Team Fortress 2 item scamming and alleged Cryptomining
<5> How to restore records quarantined by Endpoint Protection to an alternate location
<6> Use PowerShell to See What Windows Defender Detected
<7> Managing Windows Defender / System Center Endpoint Security through PowerShell
<8> Bat To Exe Converter
<9> Explorer Suite