VirusTotal reports some detections in etwpackage1.58.zip
naks110 opened this issue
Please mitigate these detections:
Google: Detected
Ikarus: Trojan.Win32.Swrort
1-Matches rule Floxif Trojan by Ariel Millahuel at SOC Prime Threat Detection Marketplace
2-Matches rule Password Protected Compressed File Extraction Via 7Zip by Nasreddine Bencherchali (Nextron Systems) at Sigma Integrated Rule Set (GitHub)
3-Matches rule Creation of an Executable by an Executable by frack113 at Sigma Integrated Rule Set (GitHub)
This change removes one of the files:
I'm not convinced that the reports are real so, absent more information, this is all that I will be doing.
Checked the new version, same detections:
https://www.virustotal.com/graph/03bd38b3aaa13dd15c48b884d240e36cc7e22f9e996985edf83eb0707756ab72
red files indicate detection:
e4629333dec7d596ba57bedd6e7bd0b2ab1a8638c83d0ea63832313e40cb682b
ETWProviders.dll (1 detection- secureage/apex)
214b00ec64d6999957554828b86d0232f92860a6358ae5c6ad5b48a825dde361
DelayedCreateProcess.exe
Google -Detected, Ikarus -Trojan.Win32.Swrort
I'm not convinced the reports are real. In particular note that the detections aren't really "the same" because before ETWEventDemo_deb64.exe was flagged as malicious and that file doesn't even exist anymore. Meanwhile ETWProviders.dll was "fine" before but is now suspicious but when I compared the disassemblies between the two versions I saw few differences and none that looked plausibly malicious.
I think these are false positives. Absent more information it's not even clear that there is anything that I can do.
Hmm, apologies. I meant the same "crowdsourced Sigma rules".
Floxif Trojan
This Trojan can change legitimate files into infected files. Then the infected files act as a backdoor, giving the threat actor control over the machine (Malwarebytes)
SOC Prime Threat Detection Marketplace - Ariel Millahuel
Context for the matching events
EventID:11
ProcessId:6352
TargetFilename:C:\Users\george\AppData\Local\Temp\et3j0mdf.c3h\etwpackage\bin\symsrv.dll
RuleName:DLL
CreationUtcTime:1686914585
UtcTime:1686914585
ProcessGuid:{C784477D-4618-648C-BA0A-000000004A00}
Image:C:\Windows\SysWOW64\7za.exe
Detection rule:
logsource:
    product: windows
    service: sysmon
detection:
    selection1:
        EventID: 11
        TargetFilename|contains:
            - fzshellext.dll
            - \AppData\Local\Temp\conres.dll
            - \System\symsrv.dll
            - symsrv.dll
    condition: selection1
fields:
    - TargetFilename
    - Details
falsepositives:
    - none
level: high
Thanks though for looking into it & quickly making releases.
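The Sigma rule quoted above, replayed over constructed Sysmon FileCreate records as an added example (not part of this issue or the UIforETW project): it shows that selection1 keys only on EventID and a substring of TargetFilename, so the archive extraction recorded in the context above satisfies the condition regardless of which process wrote the file. The events, PIDs and paths other than the one from the context are made up.

```python
"""Replay the quoted Sigma rule against constructed Sysmon Event ID 11 records."""

# detection.selection1 from the rule posted above, as Python data instead of YAML.
SELECTION1 = {
    "EventID": 11,
    "TargetFilename|contains": [
        "fzshellext.dll",
        r"\AppData\Local\Temp\conres.dll",
        r"\System\symsrv.dll",
        "symsrv.dll",
    ],
}

def field_matches(event, key, expected):
    """One Sigma field test: plain equality, or the `|contains` modifier
    (case-insensitive substring; a list of values means any-of)."""
    name, _, modifier = key.partition("|")
    actual = event.get(name)
    if actual is None:
        return False
    values = expected if isinstance(expected, list) else [expected]
    if modifier == "contains":
        return any(str(v).lower() in str(actual).lower() for v in values)
    if modifier == "":
        return any(str(v) == str(actual) for v in values)
    raise ValueError(f"unsupported Sigma modifier: {modifier}")

def rule_fires(event, selection=SELECTION1):
    """condition: selection1 -- every field test in the selection must hold."""
    return all(field_matches(event, k, v) for k, v in selection.items())

# Constructed Sysmon records (EventID 11 = FileCreate, 23 = FileDelete). The first
# mirrors the context posted in the issue; the others are invented for contrast.
EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\SysWOW64\7za.exe",
     "TargetFilename": r"C:\Users\george\AppData\Local\Temp\et3j0mdf.c3h\etwpackage\bin\symsrv.dll"},
    {"EventID": 11, "Image": r"C:\Windows\SysWOW64\7za.exe",
     "TargetFilename": r"C:\Users\george\AppData\Local\Temp\et3j0mdf.c3h\etwpackage\bin\ETWProviders.dll"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"D:\tools\etwpackage\bin\SYMSRV.DLL"},   # case-insensitive hit
    {"EventID": 23, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"D:\tools\etwpackage\bin\symsrv.dll"},   # wrong EventID, no hit
]

def run(events=EVENTS):
    """Return (Image, TargetFilename) for every event the rule flags."""
    return [(e["Image"], e["TargetFilename"]) for e in events if rule_fires(e)]

if __name__ == "__main__":
    for image, path in run():
        print(f"ALERT level=high writer={image} file={path}")
```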
If any of these detections are accurate then it's a very serious problem, especially since it implies that the machine where I am doing these builds is infected with something. Whether it's Floxif Trojan or anything.
But, I am skeptical about these reports. And, VirusTotal's reports are not the slightest bit clear about what the information means or how to validate it. That's why I feel like I have no choice but to ignore these.
I can't tell what the latest comment is saying. Did something patch symsrv.dll to make it malicious? If so, what?
@randomascii
I am not sure this is the place, but I didn't want to create a new issue.
Running the UIForETW & collecting a trace works fine.
The issue for me happens when I try to open the created etl trace: the wpa app crashes on startup with the following WEV log:
Application: wpa.exe
CoreCLR Version: 4.700.22.16002
.NET Core Version:
Description: The process was terminated due to an unhandled exception.
Exception Info: System.IO.FileLoadException: Could not load file or assembly 'Microsoft.Performance.XPerfPlugIn.Extensions, Version=11.2.0.0, Culture=neutral, PublicKeyToken=null'. Operation did not complete successfully because the file contains a virus or potentially unwanted software. (0x800700E1)
File name: 'Microsoft.Performance.XPerfPlugIn.Extensions, Version=11.2.0.0, Culture=neutral, PublicKeyToken=null'
at Microsoft.Performance.Analyzer.Program.Main(String[] args)
Bear in mind this is a company machine and as such there is a virus defense setup which I cannot disable easily.
You're seeing a WPA issue rather than a UIforETW issue. It looks like some sort of install problem so I would try resolving it yourself because it is likely that others cannot help you. You could always move the traces to another machine - they don't need to be resolved on the machine they are recorded on. Even a VM could work.
For further discussion please open a new issue rather than repurposing an unrelated issue.