Heltec-Aaron-Lee / WiFi_Kit_series

Arduino source codes and toolchain for WiFi_Kit_series made by HelTecAutomation.
GNU Lesser General Public License v2.1

URGENT Windows Defender reports Trojan:Win32/Skeeyah.B!rfn in heltec\esp32\tools\espota.exe #70

Open liamkennedy opened 5 years ago

liamkennedy commented 5 years ago

Following the installation instructions here (git clone https://github.com/Heltec-Aaron-Lee/WiFi_Kit_series.git heltec), my Windows Defender reported a trojan present in C:\Users\username\OneDrive\Documents\Arduino\hardware\heltec\esp32\tools\espota.exe

What the heck?

I realize this may be a false positive. It was odd that this notification came seconds after beginning the git clone command above. Oddly, Windows Defender also pointed to espota.exe in other directories too (the generic esp32 hardware folder, etc.).

kthordarson commented 5 years ago

I got a similar issue. In my case Trojan:Win32/Skeeyah.B!rfn was also sitting in \AppData\Local\Temp\WCS9E13.tmp.

ddrager commented 5 years ago

See malware detection from VirusTotal. Further analysis from Hybrid Analysis.

Although this looks suspicious, the network addresses it looks to be reaching out to are 87.236.156.136 and 93.184.221.240, which map to 2 CDN providers. It appears the .exe is a compiled python2.7 binary which may just be downloading files to your system for update; the "ota" name, or "over the air" extension, would match up with that analysis. @Heltec-Aaron-Lee can you please provide the source for this file?
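A triage check for the "compiled python2.7 binary" observation above, added here as an example and not code from the WiFi_Kit_series repository or the arduino-esp32 project: it looks for the PyInstaller archive cookie that such bundles carry at the end of the PE image and reports the embedded Python runtime, which is useful when deciding whether an AV hit on a tool like espota.exe is a packer false positive. It assumes espota.exe was bundled with PyInstaller (the thread only says it appears to be a compiled Python binary) and uses a constructed sample blob instead of the real file.

```python
"""Report whether a PE image is a PyInstaller bundle and which Python it embeds."""
import struct
import sys

# PyInstaller's CArchive cookie: magic, package length, TOC position,
# TOC length, Python version, embedded Python DLL name (modern builds).
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8siiii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)  # 88 bytes


def decode_pyvers(pyvers):
    """PyInstaller stored 27 for Python 2.7 in old builds and e.g. 307 for
    3.7 in newer ones; normalise both encodings to 'major.minor'."""
    if pyvers >= 100:
        return "%d.%d" % (pyvers // 100, pyvers % 100)
    return "%d.%d" % (pyvers // 10, pyvers % 10)


def inspect_pyinstaller(data):
    """Return (is_pyinstaller, python_version, pylib_name) for a byte image.

    The cookie is the last thing PyInstaller appends, so search from the end.
    """
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos == -1 or len(data) - pos < COOKIE_SIZE:
        return (False, None, None)
    _magic, _pkglen, _tocpos, _toclen, pyvers, pylib = struct.unpack_from(
        COOKIE_FMT, data, pos)
    name = pylib.split(b"\x00", 1)[0].decode("ascii", "replace")
    return (True, decode_pyvers(pyvers), name)


# Constructed sample: a stub "MZ" header followed by a PyInstaller cookie
# (hypothetical values, not taken from the real espota.exe).
SAMPLE_BUNDLE = (b"MZ" + b"\x00" * 64 + struct.pack(
    COOKIE_FMT, PYINSTALLER_MAGIC, 0x1234, 0x100, 0x50, 27, b"python27.dll"))
SAMPLE_PLAIN = b"MZ" + b"\x00" * 64  # constructed: no PyInstaller cookie


def main(path):
    with open(path, "rb") as fh:
        found, ver, lib = inspect_pyinstaller(fh.read())
    if found:
        print("PyInstaller bundle, Python %s (%s)" % (ver, lib))
    else:
        print("No PyInstaller cookie found")


if __name__ == "__main__":
    main(sys.argv[1])
```

A match only tells you the file is a bundled Python script; confirm its contents by comparing against the upstream espota.py before treating the detection as a false positive.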

xieliwei commented 5 years ago

The source is available in the general ESP32 repository.

https://github.com/espressif/arduino-esp32/blob/master/tools/espota.py

This looks suspicious: since the OTA tool is for a direct connection between the Arduino computer and the ESP32, it should not be accessing anything on the internet. Follow the main thread on the arduino-esp32 issue for updates as well:

https://github.com/espressif/arduino-esp32/issues/2163

buccaneer-jak commented 5 years ago

24th Dec, 2 Trojans reported by Windows Defender