Neo23x0/Loki

Multiple False Positives with various Anti-Virus product files and few updates

Q7ak5 opened this issue · 1 comment

Q7ak5 commented

Spark-Core is a little bit trigger happy now.

First time that warnings for processes were issued. All belong to Anti-malware products.

I received a lot of alerts with score <100 for Anti-Virus product files, because only one Yara rule was met, but it says not so much about a threat. Some other files were labelled as warnings for the same reason. Details can be found below:

Warning ProcessCheck YARA rule match on process memory SCORE: 75 NAME: RadeonSettings.exe DESC: - PID: 7480 CMD: "C:\Program Files\AMD\CNext\CNext\RadeonSettings.exe" atlogon RULE: hatman_dividers REFERENCE: - USER: HP-ZBOOK-15U-G5\selten TAGS:

Warning ProcessCheck YARA rule match on process memory SCORE: 75 NAME: mbar.exe DESC: Detects a malware related to Putter Panda PID: 12656 CMD: "C:\Users\selten\Desktop\mbar\mbar.exe" RULE: APT_Malware_PutterPanda_WUAUCLT REFERENCE: VT Analysis TAGS: USER: HP-ZBOOK-15U-G5\selten
Warning ProcessCheck YARA rule match on process memory SCORE: 75 NAME: mbar.exe DESC: Detects a PID: 12656 CMD: "C:\Users\selten\Desktop\mbar\mbar.exe" RULE: StreamEx_ShellCrew REFERENCE: https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar USER: HP-ZBOOK-15U-G5\selten TAGS:

Alert Filescan Malicious file found
FILE: C:\Program Files\Bitdefender\Bitdefender Security\ctc\ctc_00014_002\ctc.dll SCORE: 80
MD5: 7d485dcf1a51aaca2a30a36a1ed7c7d5
SHA1: aee2619248b60b6edd8f80f9c3c1e0da30de00ce
SHA256: 99861ea2d2a8c723319856007d93ae113579ad4d152d27ecda8a5795d8e06bd2
SIZE: 733952 TYPE: UNKNOWN FIRSTBYTES: 4d5a90000300000004000000ffff0000b8000000 / MZ
CREATED: 2019-05-07T12:00:53Z MODIFIED: 2019-05-07T12:00:54Z ACCESSED: 2019-05-07T12:00:54Z EXT: .dll
REASON_1: YARA rule lsadump / LSA dump programe (bootkey/syskey) - pwdump and others MATCHED_1: Str1: "\domains\account" SUBSCORE_1: 80 REF_1: not set
Alert Filescan Malicious file found
FILE: C:\Program Files\Bitdefender\Bitdefender Security\ctc\ctc_00015_003\ctc.dll SCORE: 80
MD5: 55029462b7cf9bde2b9971e71ba0a0e1
SHA1: 783bc257db55768042d7f579aa0dd8d5ca2cc07e
SHA256: 8923e1eaf2373e79ab2183a42629f6befc46ff689fbdbbbefab55c46d6c36877
SIZE: 733952 TYPE: UNKNOWN FIRSTBYTES: 4d5a90000300000004000000ffff0000b8000000 / MZ
CREATED: 2019-05-09T10:47:44Z MODIFIED: 2019-05-09T10:47:44Z ACCESSED: 2019-05-09T10:47:44Z EXT: .dll
REASON_1: YARA rule lsadump / LSA dump programe (bootkey/syskey) - pwdump and others MATCHED_1: Str1: "\domains\account" SUBSCORE_1: 80 REF_1: not set

Alert Filescan Malicious file found
FILE: C:\Program Files\WindowsApps\37833NikRolls.uBlockOrigin_1.15.24.0_neutral__f8jsg5mm64m62\Extension\assets\thirdparties\www.malwaredomainlist.com\hostslist\hosts.txt SCORE: 80
MD5: b9068a6ee02c0bc4cb86edd719924993
SHA1: 3e8d9447aa992a976114e455a6bf3ae2a4b1ae07
SHA256: e921a42b02af26a4c5abac3b81959d2aac42f3600a603912d6091989e74e4b53
SIZE: 36511 TYPE: UNKNOWN FIRSTBYTES: 232020202020202020202020202020204d616c77 / # Malw
CREATED: 2019-03-17T14:22:03Z MODIFIED: 2019-03-17T14:22:05Z ACCESSED: 2019-03-17T14:22:05Z EXT: .txt
REASON_1: YARA rule APT10_Malware_Sample_Gen / APT 10 / Cloud Hopper malware campaign MATCHED_1: Str1: "ad.getfond.info" Str2: "getfond.info" SUBSCORE_1: 80 REF_1: https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html
Warning LogScan Suspicious log entry found SCORE: 70 DESC: HP Keylogging Audio Driver https://goo.gl/BSQWzw ELEMENT: 7.200.0.2 : 09:22:38.314 : pszFileToDelete = C:\Users\Public\MicTray.log, dwFlags = 2 OBJECT: C:\ProgramData\UIU\InstallerLogs\MicTray\x64\UIU_INSTALL64.Setup64exe.LOG MATCHED_STRINGS: \Users\Public\MicTray.log
Alert Filescan Malicious file found
FILE: C:\Users\oefters.HP-ZBOOK-15U-G5\AppData\Local\Bromium\vSentry\BrChromium\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm\1.18.8_0\assets\thirdparties\www.malwaredomainlist.com\hostslist\hosts.txt SCORE: 80
MD5: 6cd5ba233db4f27a04d14837de155b03
SHA1: 3dbdd15b5e3551e12e8308bdcba6f72e78dcde4c
SHA256: 61f37fd1486bc05b27e7a5157c0b2af3024331c1080157a1234fc5db66402e1c
SIZE: 35737 TYPE: UNKNOWN FIRSTBYTES: 232020202020202020202020202020204d616c77 / # Malw
CREATED: 2019-03-23T15:12:40Z MODIFIED: 2019-03-13T13:22:50Z ACCESSED: 2019-03-23T15:12:40Z EXT: .txt
REASON_1: YARA rule APT10_Malware_Sample_Gen / APT 10 / Cloud Hopper malware campaign MATCHED_1: Str1: "ad.getfond.info" Str2: "getfond.info" SUBSCORE_1: 80 REF_1: https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html
Alert Filescan Malicious file found
FILE: C:\Users\oefters.HP-ZBOOK-15U-G5\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm\1.18.16_1\assets\thirdparties\www.malwaredomainlist.com\hostslist\hosts.txt SCORE: 80
MD5: 6cd5ba233db4f27a04d14837de155b03
SHA1: 3dbdd15b5e3551e12e8308bdcba6f72e78dcde4c
SHA256: 61f37fd1486bc05b27e7a5157c0b2af3024331c1080157a1234fc5db66402e1c
SIZE: 35737 TYPE: UNKNOWN FIRSTBYTES: 232020202020202020202020202020204d616c77 / # Malw
CREATED: 2019-04-10T17:32:47Z MODIFIED: 2019-04-02T18:22:16Z ACCESSED: 2019-04-10T17:32:47Z EXT: .txt
REASON_1: YARA rule APT10_Malware_Sample_Gen / APT 10 / Cloud Hopper malware campaign MATCHED_1: Str1: "ad.getfond.info" Str2: "getfond.info" SUBSCORE_1: 80 REF_1: https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html
Alert Filescan Malicious file found
FILE: C:\Users\selten\AppData\Local\Bromium\vSentry\BrChromium\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm\1.18.8_0\assets\thirdparties\www.malwaredomainlist.com\hostslist\hosts.txt SCORE: 80
MD5: 6cd5ba233db4f27a04d14837de155b03
SHA1: 3dbdd15b5e3551e12e8308bdcba6f72e78dcde4c
SHA256: 61f37fd1486bc05b27e7a5157c0b2af3024331c1080157a1234fc5db66402e1c
SIZE: 35737 TYPE: UNKNOWN FIRSTBYTES: 232020202020202020202020202020204d616c77 / # Malw
CREATED: 2019-04-03T11:30:06Z MODIFIED: 2019-03-13T13:22:50Z ACCESSED: 2019-04-03T11:30:06Z EXT: .txt
REASON_1: YARA rule APT10_Malware_Sample_Gen / APT 10 / Cloud Hopper malware campaign MATCHED_1: Str1: "ad.getfond.info" Str2: "getfond.info" SUBSCORE_1: 80 REF_1: https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html
Alert Filescan Malicious file found
FILE: C:\Users\selten\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm\1.18.8_0\assets\thirdparties\www.malwaredomainlist.com\hostslist\hosts.txt SCORE: 80
MD5: 6cd5ba233db4f27a04d14837de155b03
SHA1: 3dbdd15b5e3551e12e8308bdcba6f72e78dcde4c
SHA256: 61f37fd1486bc05b27e7a5157c0b2af3024331c1080157a1234fc5db66402e1c
SIZE: 35737 TYPE: UNKNOWN FIRSTBYTES: 232020202020202020202020202020204d616c77 / # Malw
CREATED: 2019-03-17T14:49:43Z MODIFIED: 2019-03-13T13:22:50Z ACCESSED: 2019-03-17T14:49:43Z EXT: .txt
REASON_1: YARA rule APT10_Malware_Sample_Gen / APT 10 / Cloud Hopper malware campaign MATCHED_1: Str1: "ad.getfond.info" Str2: "getfond.info" SUBSCORE_1: 80 REF_1: https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html
Info LogScan access error FILE: C:\Users\selten\AppData\Local\Microsoft\Internet Explorer\CacheStorage\edb.log ERROR: open C:\Users\selten\AppData\Local\Microsoft\Internet Explorer\CacheStorage\edb.log: Der Prozess kann nicht auf die Datei zugreifen, da sie von einem anderen Prozess verwendet wird.
Info LogScan access error FILE: C:\Users\selten\AppData\Local\Microsoft\Windows\WebCache\V01.log ERROR: open C:\Users\selten\AppData\Local\Microsoft\Windows\WebCache\V01.log: Der Prozess kann nicht auf die Datei zugreifen, da sie von einem anderen Prozess verwendet wird.
Info LogScan access error FILE: C:\Users\selten\AppData\Local\Microsoft\Windows\WebCache\V01tmp.log ERROR: open C:\Users\selten\AppData\Local\Microsoft\Windows\WebCache\V01tmp.log: Der Prozess kann nicht auf die Datei zugreifen, da sie von einem anderen Prozess verwendet wird.
Alert Filescan Malicious file found
FILE: C:\Users\surfer\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm\1.18.8_0\assets\thirdparties\www.malwaredomainlist.com\hostslist\hosts.txt SCORE: 80
MD5: 6cd5ba233db4f27a04d14837de155b03
SHA1: 3dbdd15b5e3551e12e8308bdcba6f72e78dcde4c
SHA256: 61f37fd1486bc05b27e7a5157c0b2af3024331c1080157a1234fc5db66402e1c
SIZE: 35737 TYPE: UNKNOWN FIRSTBYTES: 232020202020202020202020202020204d616c77 / # Malw
CREATED: 2019-03-19T12:47:35Z MODIFIED: 2019-03-13T13:22:50Z ACCESSED: 2019-03-19T12:47:35Z EXT: .txt
REASON_1: YARA rule APT10_Malware_Sample_Gen / APT 10 / Cloud Hopper malware campaign MATCHED_1: Str1: "ad.getfond.info" Str2: "getfond.info" SUBSCORE_1: 80 REF_1: https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html
Alert Filescan Malicious file found
FILE: C:\Users\surfer\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjpalhdlnbpafiamejdnhcphjbkeiagm\000022.log SCORE: 80
MD5: 4c1459f73d8519aad0deb6b60e35ecd5
SHA1: 976364618b2dc7cdf9d41942c556e20c69242161
SHA256: 59a4454bcbb53c1d3c1603782bbd822c10d48380124b3add9466d55d7f52dc89
SIZE: 2519319 TYPE: UNKNOWN FIRSTBYTES: 1d6062e70c00015c000000000000000000000053 / b\S
CREATED: 2019-03-19T12:48:46Z MODIFIED: 2019-03-19T12:48:52Z ACCESSED: 2019-03-19T12:48:52Z EXT: .log
REASON_1: YARA rule APT10_Malware_Sample_Gen / APT 10 / Cloud Hopper malware campaign MATCHED_1: Str1: "ad.getfond.info" Str2: "getfond.info" SUBSCORE_1: 80 REF_1: https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html

Warning Filescan Suspicious file found
FILE: C:\Windows\servicing\LCU\Package_for_RollupFix31bf3856ad364e35amd6417763.379.1.11\amd64_microsoft-windows-audio-volumecontrol_31bf3856ad364e35_10.0.17763.348_none_3af3ff278d2136dc\f\sndvol.exe SCORE: 75
MD5: bc95f80df235d184bb506e0838606c93
SHA1: b9716655e907337ae2988643bf64ce55458ec73c
SHA256: 7adce02927edbff8c0fb42cf515866ef48c524432ff82532f4ce38bf84d4aa06
SIZE: 143 TYPE: UNKNOWN FIRSTBYTES: 76447de4504133305e93c8f3af4cd401b05e10d0 / vD}PA30^L^
CREATED: 2019-03-17T09:55:51Z MODIFIED: 2019-03-08T08:24:18Z ACCESSED: 2019-03-17T09:55:51Z EXT: .exe
REASON_1: YARA rule SndVol_ANOMALY / Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file SndVol.exe SUBSCORE_1: 75 REF_1: not set
Warning Filescan Suspicious file found
FILE: C:\Windows\servicing\LCU\Package_for_RollupFix31bf3856ad364e35amd6417763.379.1.11\amd64_microsoft-windows-audio-volumecontrol_31bf3856ad364e35_10.0.17763.348_none_3af3ff278d2136dc\r\sndvol.exe SCORE: 75
MD5: bc95f80df235d184bb506e0838606c93
SHA1: b9716655e907337ae2988643bf64ce55458ec73c
SHA256: 7adce02927edbff8c0fb42cf515866ef48c524432ff82532f4ce38bf84d4aa06
SIZE: 143 TYPE: UNKNOWN FIRSTBYTES: 76447de4504133305e93c8f3af4cd401b05e10d0 / vD}PA30^L^
CREATED: 2019-03-17T09:55:51Z MODIFIED: 2019-03-08T08:24:18Z ACCESSED: 2019-03-17T09:55:51Z EXT: .exe
REASON_1: YARA rule SndVol_ANOMALY / Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file SndVol.exe SUBSCORE_1: 75 REF_1: not set

We typically filter out matches on AV libraries and signatures after the scan and don't try to handle them to prevent these matches. AV Engines need to do this to avoid unwanted cleanups of legitimate files.
In our case an analyst reviews the results and evaluates the matches.
Like you, he's usually able to spot the FPs right away.

I'll check the "hatman_dividers" False Positive on the Radeon tool's process memory. It isn't my own rule. Maybe I'll just delete it from the repo.

The "lsadump" rule is from Benjamin Delpy. I've just recently added a string that should avoid matches on Bitdefender DLLs.

I'll think about the Cloud Hopper domains that appear in the browser extensions.
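The post-scan filtering the reply describes, as an added example that is not code from Loki or from either participant in this thread: a small Python triage helper that parses Loki's `KEY: value` alert lines and tags matches whose subject path lies under an AV vendor directory, or is a browser extension's bundled domain blocklist, as probable false positives for analyst review. The sample lines are condensed from the output quoted above; the allowlist prefixes, the blocklist path pattern and the last control line (a constructed path under Downloads) are assumptions for illustration, not Loki configuration, and Loki's own exclusion mechanism is not modelled here.

```python
import re

# Loki alert/warning lines, condensed from the scan output quoted in the issue
# (paths, scores and rule names as reported there). The fourth line is a
# constructed control case with no allowlist match.
SAMPLE_LINES = [
    'Warning ProcessCheck YARA rule match on process memory SCORE: 75 NAME: RadeonSettings.exe DESC: - PID: 7480 '
    'CMD: "C:\\Program Files\\AMD\\CNext\\CNext\\RadeonSettings.exe" atlogon RULE: hatman_dividers REFERENCE: - '
    'USER: HP-ZBOOK-15U-G5\\selten TAGS:',
    'Alert Filescan Malicious file found FILE: C:\\Program Files\\Bitdefender\\Bitdefender Security\\ctc\\ctc_00014_002\\ctc.dll '
    'SCORE: 80 REASON_1: YARA rule lsadump / LSA dump programe (bootkey/syskey) - pwdump and others '
    'MATCHED_1: Str1: "\\domains\\account" SUBSCORE_1: 80 REF_1: not set',
    'Alert Filescan Malicious file found FILE: C:\\Users\\surfer\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions'
    '\\cjpalhdlnbpafiamejdnhcphjbkeiagm\\1.18.8_0\\assets\\thirdparties\\www.malwaredomainlist.com\\hostslist\\hosts.txt '
    'SCORE: 80 REASON_1: YARA rule APT10_Malware_Sample_Gen / APT 10 / Cloud Hopper malware campaign '
    'MATCHED_1: Str1: "ad.getfond.info" Str2: "getfond.info" SUBSCORE_1: 80',
    # constructed control case: same rule, but the file sits in a user download directory
    'Alert Filescan Malicious file found FILE: C:\\Users\\surfer\\Downloads\\sample_constructed.exe SCORE: 80 '
    'REASON_1: YARA rule APT10_Malware_Sample_Gen / APT 10 / Cloud Hopper malware campaign '
    'MATCHED_1: Str1: "ad.getfond.info" SUBSCORE_1: 80',
]

# Field names Loki prints in the quoted output. A key is only recognised as a
# whole word followed by ":" and whitespace/end, so "C:\..." inside a path and
# "Str1:" inside MATCHED_1 are left as part of the preceding value.
KEYS = ("FILE", "SCORE", "MD5", "SHA1", "SHA256", "SIZE", "TYPE", "FIRSTBYTES", "CREATED",
        "MODIFIED", "ACCESSED", "EXT", "REASON_1", "MATCHED_1", "SUBSCORE_1", "REF_1",
        "NAME", "DESC", "PID", "CMD", "RULE", "REFERENCE", "USER", "TAGS")
KEY_RE = re.compile(r"(?<![A-Za-z0-9_])(" + "|".join(KEYS) + r"):(?=\s|$)")

# Constructed allowlist: path prefixes (normalised to lower-case, forward slashes)
# of AV/vendor product trees whose own signature data trips YARA rules.
BENIGN_PREFIXES = ("c:/program files/bitdefender/", "c:/program files/amd/cnext/")
# Constructed pattern for a browser extension's bundled third-party hosts blocklist.
BLOCKLIST_ASSET_RE = re.compile(r"/assets/thirdparties/[^/]+/hostslist/hosts\.txt$")


def parse_alert(line: str) -> dict:
    """Split one Loki line into level, module, message and its KEY: value fields."""
    matches = list(KEY_RE.finditer(line))
    head = (line[:matches[0].start()] if matches else line).split(None, 2)
    rec = {"level": head[0], "module": head[1] if len(head) > 1 else "",
           "message": head[2].strip() if len(head) > 2 else ""}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(line)
        rec[m.group(1)] = line[m.end():end].strip()
    return rec


def subject_path(rec: dict) -> str:
    """The file the match concerns: FILE for file scans, the executable from CMD for processes."""
    if "FILE" in rec:
        return rec["FILE"]
    cmd = rec.get("CMD", "")
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage(rec: dict) -> tuple:
    """Return (verdict, reason). Suppression keys on the source path, never on the
    rule name alone, so the same strings in an unexpected location still surface."""
    path = subject_path(rec).replace("\\", "/").lower()
    rule = rec.get("RULE") or rec.get("REASON_1", "").split(" / ", 1)[0].replace("YARA rule ", "")
    for prefix in BENIGN_PREFIXES:
        if path.startswith(prefix):
            return ("probable-fp", f"{rule}: match inside AV/vendor product directory {prefix}")
    if BLOCKLIST_ASSET_RE.search(path):
        return ("probable-fp", f"{rule}: indicator string inside a third-party domain blocklist asset")
    return ("review", f"{rule}: no allowlist rule applies; analyst review required (score {rec.get('SCORE')})")


def triage_lines(lines):
    """Triage a batch of Loki lines into (path, verdict, reason) tuples."""
    return [(subject_path(rec), *triage(rec)) for rec in map(parse_alert, lines)]


if __name__ == "__main__":
    for path, verdict, reason in triage_lines(SAMPLE_LINES):
        print(f"{verdict:12} {path}\n             {reason}")
```

The verdicts are a sorting aid for the analyst step the reply mentions, not a replacement for it: a "probable-fp" entry still keeps its rule name and reason so the reviewer can see why it was down-ranked, and an allowlist that keys on product directories should be reviewed whenever those directories change ownership or permissions.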