google / UIforETW

User interface for recording and managing ETW traces
https://randomascii.wordpress.com/2015/04/14/uiforetw-windows-performance-made-easier/
Apache License 2.0
1.55k stars 201 forks

VirusTotal reports some detections in etwpackage1.58.zip #164

Open naks110 opened 1 year ago

naks110 commented 1 year ago

https://www.virustotal.com/gui/file/e9b723d24ba5435b0185526e1185d42064f7a3c6832820e73a75cf7c10bb4518/detection

Please mitigate these detections:

Google: Detected
Ikarus: Trojan.Win32.Swrort

1. Matches rule Floxif Trojan by Ariel Millahuel at SOC Prime Threat Detection Marketplace
2. Matches rule Password Protected Compressed File Extraction Via 7Zip by Nasreddine Bencherchali (Nextron Systems) at Sigma Integrated Rule Set (GitHub)
3. Matches rule Creation of an Executable by an Executable by frack113 at Sigma Integrated Rule Set (GitHub)

randomascii commented 1 year ago

This change removes one of the files:

https://github.com/google/UIforETW/commit/c5c14ff820714df96a20e31195ccf995e3105136

I'm not convinced that the reports are real so, absent more information, this is all that I will be doing.

naks110 commented 1 year ago

Checked the new version, same detections: https://www.virustotal.com/graph/03bd38b3aaa13dd15c48b884d240e36cc7e22f9e996985edf83eb0707756ab72

Red files indicate detection:

e4629333dec7d596ba57bedd6e7bd0b2ab1a8638c83d0ea63832313e40cb682b ETWProviders.dll (1 detection: secureage/apex)

214b00ec64d6999957554828b86d0232f92860a6358ae5c6ad5b48a825dde361 DelayedCreateProcess.exe (Google: Detected, Ikarus: Trojan.Win32.Swrort)

randomascii commented 1 year ago

I'm not convinced the reports are real. In particular note that the detections aren't really "the same" because before ETWEventDemo_deb64.exe was flagged as malicious and that file doesn't even exist anymore. Meanwhile ETWProviders.dll was "fine" before but is now suspicious but when I compared the disassemblies between the two versions I saw few differences and none that looked plausibly malicious.

I think these are false positives. Absent more information it's not even clear that there is anything that I can do.

naks110 commented 1 year ago

Hmm, apologies. I meant same "crowdsourced sigma rules".

Floxif Trojan: This Trojan can change legitimate files into infected files. Then the infected files act as a backdoor, giving the threat actor control over the machine (Malwarebytes). SOC Prime Threat Detection Marketplace - Ariel Millahuel.

Context for the matching events:

```
EventID: 11
ProcessId: 6352
TargetFilename: C:\Users\george\AppData\Local\Temp\et3j0mdf.c3h\etwpackage\bin\symsrv.dll
RuleName: DLL
CreationUtcTime: 1686914585
UtcTime: 1686914585
ProcessGuid: {C784477D-4618-648C-BA0A-000000004A00}
Image: C:\Windows\SysWOW64\7za.exe
```

Detection rule:

```yaml
logsource:
  product: windows
  service: sysmon
detection:
  selection1:
    EventID: 11
    TargetFilename|contains:
```

Thanks though for looking into it & quickly making releases.
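To make the rule context quoted above concrete, here is an added example (not UIforETW's code, and not the actual SOC Prime rule, whose selection values are cut off on this page): a minimal Sigma-style selection evaluator run over the Sysmon Event ID 11 record from the comment. The values in ASSUMED_SELECTION are assumptions chosen to show the rule shape, not the real rule.

```python
import re

# Constructed sample: the flattened Sysmon Event ID 11 (FileCreate) context
# as VirusTotal's "crowdsourced Sigma rules" tab shows it (fields from the thread).
RAW_CONTEXT = (
    r"EventID:11 ProcessId:6352 "
    r"TargetFilename:C:\Users\george\AppData\Local\Temp\et3j0mdf.c3h\etwpackage\bin\symsrv.dll "
    r"RuleName:DLL CreationUtcTime:1686914585 UtcTime:1686914585 "
    r"ProcessGuid:{C784477D-4618-648C-BA0A-000000004A00} Image:C:\Windows\SysWOW64\7za.exe"
)

# ASSUMED selection: the rule on the page is truncated after "TargetFilename|contains:",
# so these values are placeholders that illustrate Sigma's field|modifier syntax only.
ASSUMED_SELECTION = {
    "EventID": "11",
    "TargetFilename|contains": [".dll", ".exe"],
    "Image|endswith": ["\\7za.exe", "\\7z.exe"],
}

def parse_context(raw: str) -> dict:
    """Split 'Key:Value Key:Value ...' into a dict. Values such as C:\\... contain
    colons, so a key is only recognised at the start of the string or after whitespace."""
    return dict(re.findall(r"(?:^|\s)(\w+):(\S*)", raw))

def _one_field(value: str, modifier: str, wanted) -> bool:
    """Sigma semantics: a list of values is OR-ed and matching is case-insensitive."""
    v = value.lower()
    for w in (wanted if isinstance(wanted, list) else [wanted]):
        w = str(w).lower()
        if ((modifier == "" and v == w) or (modifier == "contains" and w in v)
                or (modifier == "startswith" and v.startswith(w))
                or (modifier == "endswith" and v.endswith(w))):
            return True
    return False

def selection_matches(event: dict, selection: dict) -> bool:
    """All entries of a selection map are AND-ed; an absent field never matches."""
    for key, wanted in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event or not _one_field(event[field], modifier, wanted):
            return False
    return True

def triage(raw: str, selection: dict = ASSUMED_SELECTION) -> dict:
    """Return what a reviewer needs to judge the hit: the verdict plus the two
    fields that explain it (which process wrote which file)."""
    ev = parse_context(raw)
    return {"matches": selection_matches(ev, selection),
            "image": ev.get("Image"), "target": ev.get("TargetFilename")}
```

Run against the quoted record, the hit reduces to "7za.exe wrote a .dll into a temp folder", which is exactly what extracting a release zip looks like, so the match by itself says nothing about the file's content.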

randomascii commented 1 year ago

If any of these detections are accurate then it's a very serious problem, especially since it implies that the machine where I am doing these builds is infected with something. Whether it's Floxif Trojan or anything.

But, I am skeptical about these reports. And, VirusTotal's reports are not the slightest bit clear about what the information means or how to validate it. That's why I feel like I have no choice but to ignore these.

I can't tell what the latest comment is saying. Did something patch symsrv.dll to make it malicious? If so, what?

aldi-ms commented 9 months ago

@randomascii I am not sure this is the place, but I didn't want to create a new issue. Running the UIForETW & collecting a trace works fine. The issue with me happens when I try to open the created etl trace: the wpa app crashes on startup with the following WEV log:

```
Application: wpa.exe
CoreCLR Version: 4.700.22.16002
.NET Core Version:
Description: The process was terminated due to an unhandled exception.
Exception Info: System.IO.FileLoadException: Could not load file or assembly 'Microsoft.Performance.XPerfPlugIn.Extensions, Version=11.2.0.0, Culture=neutral, PublicKeyToken=null'. Operation did not complete successfully because the file contains a virus or potentially unwanted software. (0x800700E1)
File name: 'Microsoft.Performance.XPerfPlugIn.Extensions, Version=11.2.0.0, Culture=neutral, PublicKeyToken=null'
   at Microsoft.Performance.Analyzer.Program.Main(String[] args)
```

Bear in mind this is a company machine and as such there is a virus defense setup which I cannot disable easily.

randomascii commented 9 months ago

You're seeing a WPA issue rather than a UIforETW issue. It looks like some sort of install problem so I would try resolving it yourself because it is likely that others cannot help you. You could always move the traces to another machine - they don't need to be resolved on the machine they are recorded on. Even a VM could work.

For further discussion please open a new issue rather than repurposing an unrelated issue.