Windows Security Reporting Multiple Trojans Appearing in Box Cache Folder, Possibly tied to Sync Function
This is occurring on two computers (fully updated Windows 10 and fully updated Windows 11) both using the most recent version of Box Drive and both sharing a number of folders through Box Drive.
The reported trojan is: Trojan:JS/Obfuse!MSR
When Box Drive is exchanging files, Windows reports a new instance of the trojan several times a minute (see example screen capture attached). If I close Box Drive or disconnect the computer from the internet, Windows Security stops reporting new instances of the trojan.
So, an obvious question is whether Windows Security is misidentifying box cache files as trojans. Another obvious possibility is that the trojan is being injected into Box cache files.
This began today. Previously there was never a reported occurrence of malware on either computer.
Yesterday, I put both computers on the newest version of Box Drive. They were previously sharing folders with one using Box Sync (W10) and the other using Box Drive (W11). In the last few days, sync between the two computers was not working quickly; so, I put both onto the newest version of Box Drive hoping that would fix it.
Yesterday, I also saved a number of web pages as references for upcoming travel, to the shared Box folders, and had opened and viewed some of them this morning on the W10 computer.
The problem first appeared on the W10 computer. Suspecting Box might have transferred the trojan from one computer to the other, I checked the W11 computer and Windows Security now says it has infected Box cache files. Likewise, if it is connected to the internet and Box Drive is open, Windows Security regularly reports infected Box cache files.
I'd appreciate any thoughts on this problem and suggestions anyone has on how to eliminate the problem if the computer now has malware. It seems to be reloading the malware as Box Drive is syncing files.
Note, scans of all user folders including AppData and full C drive scans with Windows Security and MalwareBytes do not show other instances of malware once I've removed them via Windows Security and Box Drive is no longer actively connected to the internet and syncing.
Screen Capture: (image attached to the original post, not reproduced here)
Update: Scanned with Virus Total and Microsoft Online Tools. Both report malware. See below.
After more observation, this is consistently happening when Box Drive is syncing files.
OK, here are both the VirusTotal and Microsoft scan results. VirusTotal shows 23 of 60 vendors labeling it malware. Details below.
Copy of details from VT; MS analysis at end.
Basic properties
MD5: 971921c91ab4daadf02c7e81010c657f
SHA-1: 63677cef8025ef04a309e738d6eba1a5d96fc8ab
SHA-256: 59e25f90d720c4f220ec4052920bc154385877f0d138976e1e378eca68499731
Vhash: ddd469b184d2f1bea951050029f6908f
SSDEEP: 1536:F9U6muzg9fruXDjI59+Wz2yjf6atoyHoFhtrv:FBM9DunmLCFjy+trv
TLSH: T14D63848073C4BC92164B5B777717F4E5E87A5DACB484888AFA00BC44F1BDA26FAE4570
File type: JavaScript (source, javascript, js)
Magic: ASCII text, with very long lines (65536u), with no line terminators
TrID: file seems to be plain text/ASCII (0%)
File size: 67.47 KB (69085 bytes)
History
First Submission: 2023-09-28 00:58:36 UTC
Last Submission: 2023-10-05 20:09:01 UTC
Last Analysis: 2023-10-05 18:44:55 UTC
Names
• get.js
• 5901fc20-ec90-4e83-97f1-276ff442e44e
• 0744c3ac-2efd-4a6b-bfe2-4f28e3a89e1d
• 02d3f5a8-e134-40fd-ad1a-8b7706d951ad
• cdn.js
• post.js
• step.js
• start.js
• post.listwithstats.com_post.js
• page.listwithstats.com_stats_start.js
Javascript info
• charCodeAt
• malformed
• fromCharCode
MS Results:
Submission details
File name: 6135d5d1-7898-4f90-ad94-1341d5a1f142
Submission ID: 4d340cc4-97b3-48e3-8d25-0eb37be8165b
Status: Submitted
Submitted by: jonathan.zaremski@outlook.com
Submitted: Oct 5, 2023 3:29:00 PM
User Opinion: Incorrect detection
Analyst comments: No analyst comment provided.
Last rescan request: Oct 5, 2023 3:29:00 PM
Showing 1 of 1 entries
File name: 6135d5d1-7898-4f90-ad94-1341d5a1f142
Final determination: Malware
Protection / Current detection / Definition version:
Cloud: Trojan:JS/Obfuse!MSR (Online)
Client: Trojan:JS/Obfuse!MSR (1.399.71.0)
This is pretty troubling and I'm surprised that no one from Box Support has responded.
Is this a common issue with Box Sync and NOT a virus/trojan problem? On doing internet searches, I see that Dropbox has a similar issue and their support team posted that it is part of their sync process and that their sync files are being misidentified as viruses/trojans.
OR, in this case, is it possible that Box Sync's process has been corrupted and a virus/trojan is being injected?
Either way, shouldn't Box respond?