
MingW Git recognized as Generic Ransom


Davis309

Ran into what looks like a false positive after returning to the computer (ran a PowerShell command to git pull from child directories).

This appears to be the MinGW installation coupled with Git (downloaded from the official git-scm), i.e. git-bash and whatever else it installs. I'm not sure why this would be running (as the git env path defaults to the "Program Files\Git" directory).

Thank you!

Seemingly relevant bits of log:

08/16/22	" 07:37:54.623"	193568625	3624	3c14	INFO	ARWControllerImpl	mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback	"arwcontrollerimplhelper.cpp"	1414	"Received threat detection callback from ARW SDK, ObjectPath=C:\Program Files\Git\mingw64\libexec\git-core\git.exe, Sha256Hash=cc3175f05c883fb47f8bc1dfcd90d24073d53c6f7e773796701e2227cbdc3359"
08/16/22	" 07:37:54.650"	193568656	3624	3c14	INFO	CleanControllerImpl	mb::cleanctlrimpl::whitelist::SystemProtectedWhiteLister::IsFileWhiteListed	"systemprotectedwhitelister.cpp"	126	"Checking limited system protected white listing for 'C:\Program Files\Git\mingw64\libexec\git-core\git.exe'"
08/16/22	" 07:37:56.090"	193570093	3624	3c14	INFO	CleanControllerImpl	mb::cleanctlrimpl::whitelist::HubbleWhiteLister::AreFilesWhiteListed	"hubblewhitelister.cpp"	526	"Response body from Hubble request: {""results"":[{""sha256"":""cc3175f05c883fb47f8bc1dfcd90d24073d53c6f7e773796701e2227cbdc3359"",""md5"":""7110e4bae1e289fa4949c2ad88025340"",""classification"":""UNKNOWN"",""trust_always"":true,""reclassify"":true,""send_file"":false}]}"
08/16/22	" 07:37:56.090"	193570093	3624	3c14	INFO	CleanControllerImpl	mb::cleanctlrimpl::whitelist::WhiteListManager::LogWhiteListStatus	"whitelistmanager.cpp"	302	"White list status: File 'C:\Program Files\Git\mingw64\libexec\git-core\git.exe' 7110E4BAE1E289FA4949C2AD88025340  => None:Unknown"
08/16/22	" 07:37:56.091"	193570093	3624	3c14	INFO	ARWControllerImpl	mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback	"arwcontrollerimplhelper.cpp"	1474	"The detected file is NOT whitelisted, sending an action request to the SDK to kill this process. ObjectPath=C:\Program Files\Git\mingw64\libexec\git-core\git.exe, id=0x0"


08/16/22	" 07:37:58.083"	193572078	3624	4100	WARNING	ARWCleanupSched	mb::arwcontrollerimpl::ArwCleanupScheduler::Cleanup	"arwcleanupscheduler.cpp"	572	"The ArwSDK failed to perform the requested action. Still proceeding to try to quarantine the threat. ObjectPath=C:\Program Files\Git\mingw64\libexec\git-core\git.exe."
08/16/22	" 07:37:58.089"	193572093	3624	4100	INFO	ArwControllerCOM	CArwController::SubmitToCleanNotification	"arwcontroller.cpp"	1157	"Successfully submitted detection results for cleaning."
08/16/22	" 07:37:58.092"	193572093	3624	2418	INFO	CleanControllerImpl	Cleaner::Clean	"cleaner.cpp"	60	"Start of clean, client '', detection results 'C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ArwDetections\df4563b4-1d57-11ed-852c-107b4492d59a.json'"
08/16/22	" 07:38:01.558"	193575562	3624	2418	INFO	BrowserSDK	mb::browsersdk::chromium::ChromiumUtils::GetAppPathsAndVersion	"chromiumutils.cpp"	113	"Unable to find chrome.exe installation path"
08/16/22	" 07:38:01.581"	193575578	3624	2418	INFO	CleanControllerImpl	mb::cleanctlrimpl::whitelist::SystemProtectedWhiteLister::IsFileWhiteListed	"systemprotectedwhitelister.cpp"	126	"Checking limited system protected white listing for 'C:\Program Files\Git\mingw64\libexec\git-core\git.exe'"
08/16/22	" 07:38:01.807"	193575812	3624	2418	INFO	CleanControllerImpl	mb::cleanctlrimpl::whitelist::HubbleWhiteLister::AreFilesWhiteListed	"hubblewhitelister.cpp"	526	"Response body from Hubble request: {""results"":[{""sha256"":""cc3175f05c883fb47f8bc1dfcd90d24073d53c6f7e773796701e2227cbdc3359"",""md5"":""7110e4bae1e289fa4949c2ad88025340"",""classification"":""UNKNOWN"",""trust_always"":true,""reclassify"":true,""send_file"":false}]}"
08/16/22	" 07:38:01.808"	193575812	3624	2418	INFO	CleanControllerImpl	mb::cleanctlrimpl::whitelist::WhiteListManager::LogWhiteListStatus	"whitelistmanager.cpp"	302	"White list status: File 'C:\Program Files\Git\mingw64\libexec\git-core\git.exe' 7110e4bae1e289fa4949c2ad88025340  => None:Unknown"


08/16/22	" 07:38:07.780"	193581781	3624	2418	INFO	CleanControllerImpl	DOREngine::PreCleanIsRebootRequired	"dorengine.cpp"	183	"Must reboot, process found C:\Program Files\Git\mingw64\libexec\git-core\git.exe"
08/16/22	" 07:38:07.780"	193581781	3624	2418	INFO	CleanControllerImpl	QuarantineEngine::QuarantineFile	"quarantineengine.cpp"	531	"Quarantining C:\Program Files\Git\mingw64\libexec\git-core\git.exe"
08/16/22	" 07:38:07.794"	193581796	3624	2418	INFO	CleanControllerImpl	Cleaner::RemediateAndWriteMetadata	"cleaner.cpp"	346	"Starting cleaning of File C:\Program Files\Git\mingw64\libexec\git-core\git.exe"
08/16/22	" 07:38:07.795"	193581796	3624	2418	INFO	CleanControllerImpl	RemovalEngine::RemediateFile	"removalengine.cpp"	1473	"Cleaning file 'C:\Program Files\Git\mingw64\libexec\git-core\git.exe', anti-rootkit = false"
08/16/22	" 07:38:07.799"	193581796	3624	2418	INFO	CleanControllerImpl	RemovalEngine::DeleteFileAPI	"removalengine.cpp"	1800	"Deleting file 'C:\Program Files\Git\mingw64\libexec\git-core\git.exe', resolved path = 'C:\Program Files\Git\mingw64\libexec\git-core\git.exe'"
08/16/22	" 07:38:07.805"	193581812	3624	2418	WARNING	CleanControllerImpl	mb::common::io::NtFileSystemUtils::DeleteFileObject	"ntfilesystemutils.cpp"	224	"Error deleting '\??\C:\Program Files\Git\mingw64\libexec\git-core\git.exe', error = 'Access is denied. ' (0xc0000121)"
08/16/22	" 07:38:07.860"	193581859	3624	2418	INFO	CleanControllerImpl	RemovalEngine::DeleteFileAPI	"removalengine.cpp"	1896	"Verify file C:\Program Files\Git\mingw64\libexec\git-core\git.exe has been deleted"
08/16/22	" 07:38:08.140"	193582140	3624	2418	WARNING	CleanControllerImpl	RemovalEngine::DeleteFileAPI	"removalengine.cpp"	1906	"Verification of deleting file C:\Program Files\Git\mingw64\libexec\git-core\git.exe failed!"
08/16/22	" 07:38:08.140"	193582140	3624	2418	INFO	CleanControllerImpl	RemovalEngine::LogCleanResult	"removalengine.cpp"	2028	"Scheduling DOR cleaning for file 'C:\Program Files\Git\mingw64\libexec\git-core\git.exe' "
08/16/22	" 07:38:08.140"	193582140	3624	2418	INFO	CleanControllerImpl	QuarantineEngine::CopyMetadataToQuarantine	"quarantineengine.cpp"	181	"Copying quarantine metadata for C:\Program Files\Git\mingw64\libexec\git-core\git.exe"
08/16/22	" 07:38:08.142"	193582140	3624	2418	INFO	CleanController	CCleanController::SendQuarantineActionDataToTelemetry	"cleancontroller.cpp"	2694	"Sending quarantine action data to telemetry controller, id=df746de4-1d57-11ed-9965-107b4492d59a, action=1"
08/16/22	" 07:38:08.144"	193582140	3624	2418	INFO	CleanControllerImpl	QuarantineEngine::LogQuarantineResult	"quarantineengine.cpp"	1011	"Completed quarantining and DOR queueing File 'C:\Program Files\Git\mingw64\libexec\git-core\git.exe'"
08/16/22	" 07:38:08.144"	193582140	3624	2418	INFO	CleanControllerImpl	Cleaner::RemediateAndWriteMetadata	"cleaner.cpp"	346	"Starting cleaning of Process C:\Program Files\Git\mingw64\libexec\git-core\git.exe"
08/16/22	" 07:38:08.144"	193582140	3624	2418	INFO	CleanControllerImpl	QuarantineEngine::LogQuarantineResult	"quarantineengine.cpp"	995	"Succeeded remediating (but did not quarantine) Process 'C:\Program Files\Git\mingw64\libexec\git-core\git.exe'"
08/16/22	" 07:38:08.144"	193582140	3624	2418	INFO	CleanControllerImpl	Cleaner::RemediateAndWriteMetadata	"cleaner.cpp"	346	"Starting cleaning of Module C:\Program Files\Git\mingw64\libexec\git-core\git.exe"
08/16/22	" 07:38:08.144"	193582140	3624	2418	INFO	CleanControllerImpl	QuarantineEngine::LogQuarantineResult	"quarantineengine.cpp"	995	"Succeeded remediating (but did not quarantine) Module 'C:\Program Files\Git\mingw64\libexec\git-core\git.exe'"
08/16/22	" 07:38:08.144"	193582140	3624	2418	INFO	CleanControllerImpl	Cleaner::RemediateAndWriteMetadata	"cleaner.cpp"	346	"Starting cleaning of Process C:\Program Files\Git\mingw64\libexec\git-core\git.exe"
08/16/22	" 07:38:08.144"	193582140	3624	2418	INFO	CleanControllerImpl	QuarantineEngine::LogQuarantineResult	"quarantineengine.cpp"	995	"Succeeded remediating (but did not quarantine) Process 'C:\Program Files\Git\mingw64\libexec\git-core\git.exe'"
08/16/22	" 07:38:08.144"	193582140	3624	2418	INFO	CleanControllerImpl	Cleaner::RemediateAndWriteMetadata	"cleaner.cpp"	346	"Starting cleaning of Module C:\Program Files\Git\mingw64\libexec\git-core\git.exe"
08/16/22	" 07:38:08.145"	193582140	3624	2418	INFO	CleanControllerImpl	QuarantineEngine::LogQuarantineResult	"quarantineengine.cpp"	995	"Succeeded remediating (but did not quarantine) Module 'C:\Program Files\Git\mingw64\libexec\git-core\git.exe'"
08/16/22	" 07:38:08.145"	193582140	3624	2418	INFO	CleanControllerImpl	Cleaner::RemediateAndWriteMetadata	"cleaner.cpp"	346	"Starting cleaning of Process C:\Program Files\Git\mingw64\libexec\git-core\git.exe"
08/16/22	" 07:38:08.145"	193582140	3624	2418	INFO	CleanControllerImpl	QuarantineEngine::LogQuarantineResult	"quarantineengine.cpp"	995	"Succeeded remediating (but did not quarantine) Process 'C:\Program Files\Git\mingw64\libexec\git-core\git.exe'"
08/16/22	" 07:38:08.145"	193582140	3624	2418	INFO	CleanControllerImpl	Cleaner::RemediateAndWriteMetadata	"cleaner.cpp"	346	"Starting cleaning of Module C:\Program Files\Git\mingw64\libexec\git-core\git.exe"
08/16/22	" 07:38:08.145"	193582140	3624	2418	INFO	CleanControllerImpl	QuarantineEngine::LogQuarantineResult	"quarantineengine.cpp"	995	"Succeeded remediating (but did not quarantine) Module 'C:\Program Files\Git\mingw64\libexec\git-core\git.exe'"

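A small triage script for the kind of service log quoted above, added here as an example that is not part of the post or of Malwarebytes' own tooling: it parses the tab-separated log lines, collapses the detection chain (object path, SHA256, whitelist verdict, kill request, delete error) into one summary, and re-hashes the file on disk so a false-positive report carries the same hash the engine logged. The field names, regexes and the abridged sample lines are assumptions reconstructed from the excerpt in the post.

```python
import hashlib
import re
# Field layout of the tab-separated Malwarebytes service log quoted in the post (assumed).
FIELDS = ("date", "time", "tick", "pid", "tid", "level", "component", "function", "source", "srcline", "message")
PATH_RE = re.compile(r"ObjectPath=([^,]+?)\.?(?:,|$)")        # path ends at ", " or a final "."
SHA_RE = re.compile(r"Sha256Hash=([0-9a-fA-F]{64})")
WL_RE = re.compile(r"=>\s*(\w+:\w+)")                          # e.g. "None:Unknown"
ERR_RE = re.compile(r"error = '[^']*' \((0x[0-9a-fA-F]+)\)")   # NTSTATUS of a failed delete

def parse_line(line):
    """Split one line into fields; the message is "..."-quoted with "" for embedded quotes."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["message"] = rec["message"].strip('"').replace('""', '"')
    return rec

def triage(lines):
    """Walk the detection chain and collect what a false-positive report needs."""
    out = {"path": None, "sha256": None, "whitelist": None, "kill_requested": False, "delete_error": None}
    for rec in filter(None, map(parse_line, lines)):
        msg = rec["message"]
        if out["path"] is None and (m := PATH_RE.search(msg)):
            out["path"] = m.group(1)
        if m := SHA_RE.search(msg):
            out["sha256"] = m.group(1).lower()
        if m := WL_RE.search(msg):
            out["whitelist"] = m.group(1)
        if "kill this process" in msg:
            out["kill_requested"] = True
        if m := ERR_RE.search(msg):
            out["delete_error"] = m.group(1)
    return out

def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()

def file_matches_log(path, expected_sha256):
    """Confirm the binary still on disk is the one the engine hashed before reporting it."""
    with open(path, "rb") as fh:
        return sha256_of_bytes(fh.read()) == expected_sha256.lower()

# Constructed sample: four messages abridged from the post's log, wrapped in the same field layout.
GIT = r"C:\Program Files\Git\mingw64\libexec\git-core\git.exe"
SHA = "cc3175f05c883fb47f8bc1dfcd90d24073d53c6f7e773796701e2227cbdc3359"
PFX = '08/16/22\t" 07:37:54.623"\t193568625\t3624\t3c14\tINFO\tARWControllerImpl\tfn\t"f.cpp"\t1\t'
MESSAGES = [
    f"Received threat detection callback from ARW SDK, ObjectPath={GIT}, Sha256Hash={SHA}",
    f"White list status: File '{GIT}' 7110E4BAE1E289FA4949C2AD88025340  => None:Unknown",
    f"The detected file is NOT whitelisted, sending an action request to the SDK to kill this process. ObjectPath={GIT}, id=0x0",
    f"Error deleting '\\??\\{GIT}', error = 'Access is denied. ' (0xc0000121)",
]
SAMPLE_LOG = [PFX + '"' + m + '"' for m in MESSAGES]
```

Run `file_matches_log(GIT, SHA)` on the affected machine before filing the report; a mismatch means the file was replaced or restored in between and the logged hash no longer describes it.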
