hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
https://hshrzd.wordpress.com/pe-sieve/
BSD 2-Clause "Simplified" License

found Chrome.exe as suspicious #106

Closed xblack199 closed 1 year ago

xblack199 commented 2 years ago

I found 14 alerts while checking with hollows-hunter

all of them are regarding chrome.exe

replaced the module file with mapped file.

is this a false positive?

by the way I found these warnings in multiple servers

xblack199 commented 2 years ago

is this because of the multiple users using the same server and chrome?

hasherezade commented 2 years ago

hi! can you paste the full scan report? also, check the FAQ, especially:

xblack199 commented 2 years ago

loki_JPW-OL5-WAP06_2022-06-27_19-18-21.log

here is the full loki report scan_report.txt

summary.txt

here are the reports

hasherezade commented 2 years ago

ok, thanks. can you send me the whole directory (process_<pid>), including the dumped chrome binary? you can pack it and attach it here, or if that doesn't work, please send it to my e-mail: hasherezade-at-protonmail.com

hasherezade commented 2 years ago

@xblack199 - from the scan report it seems that indeed this chrome executable was replaced by a different one:

 "scans" : [
  {
   "mapping_scan" : {
    "module" : "7ff709870000",
    "module_file" : "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
    "mapped_file" : "C:\\Program Files\\Google\\Chrome\\Temp\\scoped_dir27748_1322145550\\old_chrome.exe",
    "status" : 1
   }
  },
  {
   "headers_scan" : {
    "module" : "7ff709870000",
    "module_size" : "28f000",
    "module_file" : "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
    "status" : 1,
    "is_connected_to_peb" : 1,
    "is_pe_replaced" : 1,
    "dos_hdr_modified" : 0,
    "file_hdr_modified" : 1,
    "nt_hdr_modified" : 1,
    "ep_modified" : 1,
    "sec_hdr_modified" : 1
   }
  }

maybe this replacement was done for a legitimate reason, but PE-sieve is not to judge the reasons, but to provide the indicators - and it did its job.

If you can share with me the dumped executables, I will check them. To me it looks like some backward compatibility - an app old_chrome.exe was mapped and attached to the PEB instead of chrome.exe...

if this disturbs you, you can disable scanning chrome.exe by /mignore chrome.exe - details here
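As an added example (not part of this issue and not PE-sieve's own code), a small Python triage script that reads a PE-sieve JSON report shaped like the fragment pasted above, flags modules whose mapped file differs from the module file or whose headers_scan reports is_pe_replaced, and skips module names from an ignore list in the spirit of /mignore. The embedded report is constructed from the fields quoted in the comment; treating status 1 as "suspicious" follows PE-sieve's scan status codes.

```python
import json
from pathlib import PureWindowsPath

# Constructed sample report, trimmed to the fields quoted in the issue.
SAMPLE_REPORT = r"""
{
 "scans": [
  {"mapping_scan": {
     "module": "7ff709870000",
     "module_file": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "mapped_file": "C:\\Program Files\\Google\\Chrome\\Temp\\scoped_dir27748_1322145550\\old_chrome.exe",
     "status": 1}},
  {"headers_scan": {
     "module": "7ff709870000",
     "module_size": "28f000",
     "module_file": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "status": 1, "is_connected_to_peb": 1, "is_pe_replaced": 1,
     "dos_hdr_modified": 0, "file_hdr_modified": 1, "nt_hdr_modified": 1,
     "ep_modified": 1, "sec_hdr_modified": 1}}
 ]
}
"""

def triage(report_text, ignore=()):
    """Return findings as (module base, reason, detail) tuples.

    `ignore` lists module file names (e.g. "chrome.exe") to skip, which
    mirrors what PE-sieve's /mignore option does at scan time.
    """
    ignore = {name.lower() for name in ignore}
    findings = []
    for entry in json.loads(report_text)["scans"]:
        for kind, scan in entry.items():
            # PureWindowsPath splits on backslashes even when run on Linux.
            name = PureWindowsPath(scan["module_file"]).name.lower()
            if name in ignore:
                continue
            # PE-sieve status: 1 = suspicious, 0 = not suspicious, -1 = error.
            if kind == "mapping_scan" and scan["status"] == 1:
                if scan["mapped_file"].lower() != scan["module_file"].lower():
                    findings.append((scan["module"], "mapped file differs", scan["mapped_file"]))
            elif kind == "headers_scan" and scan.get("is_pe_replaced") == 1:
                # List which header parts changed, so the analyst sees why it fired.
                modified = sorted(k for k, v in scan.items() if k.endswith("_modified") and v == 1)
                findings.append((scan["module"], "PE headers replaced", ",".join(modified)))
    return findings

if __name__ == "__main__":
    for base, reason, detail in triage(SAMPLE_REPORT):
        print(f"{base}: {reason} ({detail})")
```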