Neo23x0/Loki

Shell test delivered as part of lighttable-0.8.1-linux editor and parts of wine reported as malware

JuergenKindler opened this issue · 0 comments

It seems that this is a false positive:

[ALERT] 
FILE: /opt/lighttable/lighttable-0.8.1-linux/resources/app/core/node_modules/shelljs/test/resources/issue44/main.js SCORE: 100 TYPE: UNKNOWN SIZE: 3 
FIRST_BYTES: 313233 / 123 
MD5: 202cb962ac59075b964b07152d234b70 
SHA1: 40bd001563085fc35165329ea1ff5c5ecbdbbeef 
SHA256: a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3 CREATED: Thu Mar 29 14:53:33 2018 MODIFIED: Fri Jan 22 01:24:42 2016 ACCESSED: Wed Oct  3 13:07:02 2018 
REASON_1: Malware Hash TYPE: MD5 HASH: 202cb962ac59075b964b07152d234b70 SUBSCORE: 100 DESC: APTnotes 2012 PEST-CONTROL.pdf

For wine, it looks like the suspicious part is based on file sizes:

[ALERT] 
FILE: /usr/lib/i386-linux-gnu/wine/fakedlls/explorer.exe SCORE: 115 TYPE: EXE SIZE: 6616 
FIRST_BYTES: 4d5a40000100000006000000ffff0000b8000000 / MZ@ 
MD5: 5ebe7a2ebf5f3e49a8c724a548feac21 
SHA1: 19e334ba229778b42b28c0fd6c0edfd39875f06f 
SHA256: 4d4232d2737d29f3507d153871c5304904d963da1c354c70080326612921b499 CREATED: Sat Jul 28 17:26:23 2018 MODIFIED: Wed Jan 24 11:24:52 2018 ACCESSED: Wed Oct  3 13:24:51 2018 
REASON_1: Yara Rule MATCH: explorer_ANOMALY SUBSCORE: 55 
DESCRIPTION: Abnormal explorer.exe - typical strings not found in file REF: -
REASON_2: Yara Rule MATCH: Suspicious_Size_explorer_exe SUBSCORE: 60 
DESCRIPTION: Detects uncommon file size of explorer.exe REF: -
[ALERT] 
FILE: /usr/lib/i386-linux-gnu/wine/fakedlls/svchost.exe SCORE: 115 TYPE: EXE SIZE: 1032 
FIRST_BYTES: 4d5a40000100000006000000ffff0000b8000000 / MZ@ 
MD5: 92cc8268e782ec7f35eb127b99e8e095 
SHA1: 866ec0697687a3ba9323c4cdb53daa5e55ac687a 
SHA256: c42e03cd5645cc818b8688a26bd7881fedc28327396b04c1b8a7ed38ea19d33f CREATED: Sat Jul 28 17:26:23 2018 MODIFIED: Wed Jan 24 11:24:52 2018 ACCESSED: Wed Oct  3 13:24:53 2018 
REASON_1: Yara Rule MATCH: svchost_ANOMALY SUBSCORE: 55 
DESCRIPTION: Abnormal svchost.exe - typical strings not found in file REF: -
REASON_2: Yara Rule MATCH: Suspicious_Size_svchost_exe SUBSCORE: 60 
DESCRIPTION: Detects uncommon file size of svchost.exe REF: -
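Added example, not Loki's code and not from the issue reporter: the first alert says SIZE: 3 and FIRST_BYTES: 313233, so the whole file is the ASCII string "123", and the matched "malware hash" is simply MD5("123"). The script below confirms that from the alert fields alone (the three hashes of b"123" equal the MD5/SHA1/SHA256 printed in the alert) and then shows the pre-filter a practitioner wants for hash IOC feeds: drop entries that are hashes of trivial content (empty file, "123", "password", ...) before loading them into a scanner. The TRIVIAL_CONTENT list and the sample feed lines are constructed for this example; the function and variable names are the example's own.

```python
"""Verify the Loki false positive above and screen hash IOCs for trivial-content hashes."""
import hashlib

# Hash values copied from the first [ALERT] block in the issue.
ALERT_HASHES = {
    "md5": "202cb962ac59075b964b07152d234b70",
    "sha1": "40bd001563085fc35165329ea1ff5c5ecbdbbeef",
    "sha256": "a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3",
}


def hashes_of(data: bytes) -> dict:
    """md5/sha1/sha256 hex digests of data, keyed like the alert output."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_is_of_first_bytes(first_bytes_hex: str, size: int, alert: dict) -> bool:
    """True when FIRST_BYTES covers the whole file (SIZE bytes) and its digests
    equal the alert's hashes, i.e. the matched IOC is the hash of that short content."""
    data = bytes.fromhex(first_bytes_hex)
    if len(data) != size:
        return False  # FIRST_BYTES is only a prefix; cannot decide from the alert alone
    return hashes_of(data) == alert


# Constructed list of content whose hashes tend to leak into IOC feeds (e.g. when
# hashes are harvested from reports) without identifying any malware. Extend as needed.
TRIVIAL_CONTENT = [b"", b"123", b"1234", b"test", b"admin", b"password", b"\n", b"\r\n"]


def trivial_hashes() -> set:
    """All md5/sha1/sha256 digests of the trivial content above."""
    out = set()
    for content in TRIVIAL_CONTENT:
        out.update(hashes_of(content).values())
    return out


def screen_iocs(hash_iocs):
    """Split hex hash IOCs into (usable, trivial). Blank lines are ignored."""
    bad = trivial_hashes()
    usable, trivial = [], []
    for line in hash_iocs:
        h = line.strip().lower()
        if not h:
            continue
        (trivial if h in bad else usable).append(h)
    return usable, trivial


if __name__ == "__main__":
    # The shelljs test file: SIZE: 3, FIRST_BYTES: 313233 ("123").
    print("alert hash is MD5/SHA1/SHA256 of the 3-byte file:",
          hash_is_of_first_bytes("313233", 3, ALERT_HASHES))
    # Constructed sample feed: the alert's MD5, the MD5 of an empty file,
    # and a placeholder hash that is not of trivial content.
    sample_feed = [
        "202cb962ac59075b964b07152d234b70",
        "d41d8cd98f00b204e9800998ecf8427e",
        "0123456789abcdef0123456789abcdef",
    ]
    usable, trivial = screen_iocs(sample_feed)
    print("usable:", usable)
    print("dropped as trivial:", trivial)
```

The same check explains why the wine alerts are different in kind: their reasons are YARA rules on file size and missing strings, not a hash match, so no feed filtering helps there; the fakedlls are tiny stubs that legitimately lack the strings a real explorer.exe or svchost.exe carries.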