
VirusTotal reports some detections in etwpackage1.58.zip #164

Open
naks110 opened this issue Jun 15, 2023 · 7 comments

Comments

@naks110

naks110 commented Jun 15, 2023

https://www.virustotal.com/gui/file/e9b723d24ba5435b0185526e1185d42064f7a3c6832820e73a75cf7c10bb4518/detection

Please mitigate these detections:

Google: Detected
Ikarus: Trojan.Win32.Swrort

1. Matches rule "Floxif Trojan" by Ariel Millahuel at SOC Prime Threat Detection Marketplace
2. Matches rule "Password Protected Compressed File Extraction Via 7Zip" by Nasreddine Bencherchali (Nextron Systems) at Sigma Integrated Rule Set (GitHub)
3. Matches rule "Creation of an Executable by an Executable" by frack113 at Sigma Integrated Rule Set (GitHub)

@randomascii
Collaborator

This change removes one of the files:

c5c14ff

I'm not convinced that the reports are real so, absent more information, this is all that I will be doing.

@naks110
Author

naks110 commented Jun 16, 2023

Checked the new version, same detections:
https://www.virustotal.com/graph/03bd38b3aaa13dd15c48b884d240e36cc7e22f9e996985edf83eb0707756ab72

Red files indicate detection:

e4629333dec7d596ba57bedd6e7bd0b2ab1a8638c83d0ea63832313e40cb682b
ETWProviders.dll (1 detection - secureage/apex)

214b00ec64d6999957554828b86d0232f92860a6358ae5c6ad5b48a825dde361
DelayedCreateProcess.exe
Google - Detected, Ikarus - Trojan.Win32.Swrort

@randomascii
Collaborator

I'm not convinced the reports are real. In particular, note that the detections aren't really "the same", because before ETWEventDemo_deb64.exe was flagged as malicious, and that file doesn't even exist anymore. Meanwhile ETWProviders.dll was "fine" before but is now suspicious, but when I compared the disassemblies between the two versions I saw few differences and none that looked plausibly malicious.

I think these are false positives. Absent more information it's not even clear that there is anything that I can do.

@naks110
Author

naks110 commented Jun 17, 2023

Hmm, apologies. I meant the same "crowdsourced sigma rules".

Floxif Trojan
This Trojan can change legitimate files into infected files. Then the infected files act as a backdoor, giving the threat actor control over the machine (Malwarebytes)
SOC Prime Threat Detection Marketplace - Ariel Millahuel

Context for the matching events:

```text
EventID:11
ProcessId:6352
TargetFilename:C:\Users\george\AppData\Local\Temp\et3j0mdf.c3h\etwpackage\bin\symsrv.dll
RuleName:DLL
CreationUtcTime:1686914585
UtcTime:1686914585
ProcessGuid:{C784477D-4618-648C-BA0A-000000004A00}
Image:C:\Windows\SysWOW64\7za.exe
```

Detection rule:

```yaml
logsource:
  product: windows
  service: sysmon
detection:
  selection1:
    EventID: 11
    TargetFilename|contains:
      - fzshellext.dll
      - \AppData\Local\Temp\conres.dll
      - \System\symsrv.dll
      - symsrv.dll
  condition: selection1
fields:
  - TargetFilename
  - Details
falsepositives:
  - none
level: high
```

Thanks though for looking into it & quickly making releases.
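
The Sigma rule quoted in the comment above is evaluated field by field, and it helps to see exactly which fields of a Sysmon record it inspects. The following is an added example, not code from the UIforETW project or from anyone in this thread. It implements only the subset of Sigma matching that the quoted rule uses (plain equality and the `contains` modifier, assumed case-insensitive as Sigma specifies), transcribes the rule's `detection` block, and runs it over constructed Sysmon records modelled on the event context shown in the comment.

```python
"""Added example (not UIforETW project code and not posted by anyone in this
thread): a minimal evaluator for the Sigma selection quoted above, run over
constructed Sysmon EventID 11 (FileCreate) records, to show which fields the
rule actually inspects and why the extraction shown in the comment fires it."""

from typing import Any, Dict, List

# The detection block of the quoted rule, transcribed as-is.
SIGMA_RULE: Dict[str, Any] = {
    "logsource": {"product": "windows", "service": "sysmon"},
    "detection": {
        "selection1": {
            "EventID": 11,
            "TargetFilename|contains": [
                "fzshellext.dll",
                r"\AppData\Local\Temp\conres.dll",
                r"\System\symsrv.dll",
                "symsrv.dll",
            ],
        },
        "condition": "selection1",
    },
    "level": "high",
}


def field_matches(event: Dict[str, Any], key: str, expected: Any) -> bool:
    """Evaluate one selection entry. Only the forms the quoted rule uses are
    implemented: plain equality and the '|contains' modifier. Sigma string
    matching is case-insensitive, which is assumed here."""
    name, _, modifier = key.partition("|")
    value = event.get(name)
    if value is None:
        return False  # a missing field never matches
    if modifier == "":
        return str(value).lower() == str(expected).lower()
    if modifier == "contains":
        needles = expected if isinstance(expected, list) else [expected]
        haystack = str(value).lower()
        return any(n.lower() in haystack for n in needles)
    raise ValueError(f"modifier not implemented in this example: {modifier}")


def selection_matches(event: Dict[str, Any], selection: Dict[str, Any]) -> bool:
    """Entries inside one selection are AND-ed; a list value is OR-ed."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def triggering_needles(event: Dict[str, Any], selection: Dict[str, Any]) -> List[str]:
    """Report which TargetFilename substrings caused a match; this is the
    first thing to look at when triaging a reported hit."""
    needles = selection.get("TargetFilename|contains", [])
    path = str(event.get("TargetFilename", "")).lower()
    return [n for n in needles if n.lower() in path]


def evaluate(rule: Dict[str, Any], events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the events the rule matches. Only 'condition: <one selection>'
    is supported, which is all the quoted rule needs."""
    cond = rule["detection"]["condition"]
    selection = rule["detection"][cond]
    return [e for e in events if selection_matches(e, selection)]


# Constructed sample events, modelled on the Sysmon context in the comment.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # the quoted event: 7za.exe writing symsrv.dll while extracting the zip
        "EventID": 11,
        "Image": r"C:\Windows\SysWOW64\7za.exe",
        "TargetFilename": r"C:\Users\george\AppData\Local\Temp\et3j0mdf.c3h\etwpackage\bin\symsrv.dll",
    },
    {   # same extraction, a neighbouring file from the package: no hit
        "EventID": 11,
        "Image": r"C:\Windows\SysWOW64\7za.exe",
        "TargetFilename": r"C:\Users\george\AppData\Local\Temp\et3j0mdf.c3h\etwpackage\bin\ETWProviders.dll",
    },
    {   # a ProcessCreate (EventID 1) record carries no TargetFilename: no hit
        "EventID": 1,
        "Image": r"C:\Windows\SysWOW64\7za.exe",
        "CommandLine": r"7za.exe x etwpackage.zip -oC:\Users\george\AppData\Local\Temp",
    },
    {   # any path containing the substring fires, wherever the file is copied to
        "EventID": 11,
        "Image": r"C:\Windows\explorer.exe",
        "TargetFilename": r"D:\backup\tools\symsrv.dll",
    },
]


if __name__ == "__main__":
    sel = SIGMA_RULE["detection"]["selection1"]
    for ev in evaluate(SIGMA_RULE, SAMPLE_EVENTS):
        print(f"{ev['Image']} -> {ev['TargetFilename']} (matched on {triggering_needles(ev, sel)})")
```

Running this shows the rule keys on nothing but the file name substring: the first and last records match on `symsrv.dll` alone, and neither the creating process (`7za.exe`, `explorer.exe`) nor the file contents enter into the decision. When triaging such a hit, the output of `triggering_needles` plus the `Image` field is what tells you whether the creation was expected (here, an archive tool unpacking a package into `%TEMP%`).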

@randomascii
Collaborator

If any of these detections are accurate then it's a very serious problem, especially since it implies that the machine where I am doing these builds is infected with something. Whether it's Floxif Trojan or anything.

But, I am skeptical about these reports. And, VirusTotal's reports are not the slightest bit clear about what the information means or how to validate it. That's why I feel like I have no choice but to ignore these.

I can't tell what the latest comment is saying. Did something patch symsrv.dll to make it malicious? If so, what?

@aldi-ms

aldi-ms commented Sep 27, 2023

@randomascii
I am not sure this is the place, but I didn't want to create a new issue.
Running the UIForETW & collecting a trace works fine.
The issue for me happens when I try to open the created etl trace: the wpa app crashes on startup with the following WEV log:

```text
Application: wpa.exe
CoreCLR Version: 4.700.22.16002
.NET Core Version:
Description: The process was terminated due to an unhandled exception.
Exception Info: System.IO.FileLoadException: Could not load file or assembly 'Microsoft.Performance.XPerfPlugIn.Extensions, Version=11.2.0.0, Culture=neutral, PublicKeyToken=null'. Operation did not complete successfully because the file contains a virus or potentially unwanted software. (0x800700E1)
File name: 'Microsoft.Performance.XPerfPlugIn.Extensions, Version=11.2.0.0, Culture=neutral, PublicKeyToken=null'
at Microsoft.Performance.Analyzer.Program.Main(String[] args)
```

Bear in mind this is a company machine and as such there is a virus defense setup which I cannot disable easily.

@randomascii
Collaborator

You're seeing a WPA issue rather than a UIforETW issue. It looks like some sort of install problem so I would try resolving it yourself because it is likely that others cannot help you. You could always move the traces to another machine - they don't need to be resolved on the machine they are recorded on. Even a VM could work.

For further discussion please open a new issue rather than repurposing an unrelated issue.
