From 0595772be17501e6841d9c9b3754edc757e15289 Mon Sep 17 00:00:00 2001
From: Jai Minton
Date: Wed, 15 May 2024 05:28:24 +0930
Subject: [PATCH] Add multiple new DLLs and new vendors (#76)
Co-authored-by: Wietze
---
 yml/3rd_party/anymp4/avdevice-54.yml | 23 +++++++++++++++++++++++
 yml/3rd_party/digiarty/ci.yml | 22 ++++++++++++++++++++++
 yml/3rd_party/icq/liteskinutils.yml | 25 +++++++++++++++++++++++++
 yml/3rd_party/icq/skinutils.yml | 25 +++++++++++++++++++++++++
 yml/3rd_party/iobit/register.yml | 23 +++++++++++++++++++++++
 yml/3rd_party/mobatek/libxfont-1.yml | 27 +++++++++++++++++++++++++++
 yml/3rd_party/python/python310.yml | 21 +++++++++++++++++++++
 yml/3rd_party/softperfect/sqlite.yml | 21 +++++++++++++++++++++
 yml/3rd_party/trendmicro/tmtap.yml | 1 -
 9 files changed, 187 insertions(+), 1 deletion(-)
 create mode 100644 yml/3rd_party/anymp4/avdevice-54.yml
 create mode 100644 yml/3rd_party/digiarty/ci.yml
 create mode 100644 yml/3rd_party/icq/liteskinutils.yml
 create mode 100644 yml/3rd_party/icq/skinutils.yml
 create mode 100644 yml/3rd_party/iobit/register.yml
 create mode 100644 yml/3rd_party/mobatek/libxfont-1.yml
 create mode 100644 yml/3rd_party/python/python310.yml
 create mode 100644 yml/3rd_party/softperfect/sqlite.yml
diff --git a/yml/3rd_party/anymp4/avdevice-54.yml b/yml/3rd_party/anymp4/avdevice-54.yml
new file mode 100644
index 00000000..1d96a3b3
--- /dev/null
+++ b/yml/3rd_party/anymp4/avdevice-54.yml
@@ -0,0 +1,23 @@
+---
+Name: avdevice-54.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-05-06
+Vendor: AnyMP4
+ExpectedLocations:
+ - '%PROGRAMFILES%\AnyMP4 Studio\AnyMP4 Blu-ray Creator'
+VulnerableExecutables:
+ - Path: '%PROGRAMFILES%\AnyMP4 Studio\AnyMP4 Blu-ray Creator\AnyMP4 Blu-ray Creator.exe'
+ Type: Sideloading
+ ExpectedVersionInformation:
+ - OriginalFilename: AnyMP4 Blu-ray Creator.exe
+ InternalName: AnyMP4 Blu-ray Creator
+ FileDescription: AnyMP4 Blu-ray Creator
+ SHA256:
+ - '98c9c45cf18434fe9ab79c9db2e88c1f1db48c95338864421e4d761d71c2fbc6'
+Acknowledgements:
+ - Name: Chad Hudson
+ Company: Huntress
+ Twitter: '@0xBurgers'
+ - Name: Jai Minton
+ Company: Huntress
+ Twitter: '@cyberrraiju'
diff --git a/yml/3rd_party/digiarty/ci.yml b/yml/3rd_party/digiarty/ci.yml
new file mode 100644
index 00000000..46037229
--- /dev/null
+++ b/yml/3rd_party/digiarty/ci.yml
@@ -0,0 +1,22 @@
+---
+Name: ci.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-05-06
+Vendor: Digiarty
+ExpectedLocations:
+ - '%PROGRAMFILES%\Digiarty\WinX Blu-ray Decrypter'
+VulnerableExecutables:
+ - Path: '%PROGRAMFILES%\Digiarty\WinX Blu-ray Decrypter\WinX Blu-ray Decrypter.exe'
+ Type: Sideloading
+ ExpectedVersionInformation:
+ - FileDescription: WinX Blu-ray Decrypter
+ SHA256:
+ - '1fd92aa46464f8453e33dc7461f80ee7b441f9042e9d0110086226c5f725bd9f'
+Resources:
+ - https://www.virustotal.com/gui/file/2560b7390da7c7a1d92050d9c1f5e3a8025cd35fff5360fe73583b5e3f48731e
+ - https://www.virustotal.com/gui/file/ae2453d0e03d72759d5239dcfe9518d6a721319006613a41f8bb53d37d4d1391/details
+ - https://www.virustotal.com/gui/file/7306316b53f915aaff06f00896829884db857b7e5c2747188ae080cad5b8c0e1
+Acknowledgements:
+ - Name: Jai Minton
+ Company: Huntress
+ Twitter: '@cyberrraiju'
diff --git a/yml/3rd_party/icq/liteskinutils.yml b/yml/3rd_party/icq/liteskinutils.yml
new file mode 100644
index 00000000..4047fd05
--- /dev/null
+++ b/yml/3rd_party/icq/liteskinutils.yml
@@ -0,0 +1,25 @@
+---
+Name: liteskinutils.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-05-06
+Vendor: ICQ
+ExpectedLocations:
+ - '%PROGRAMFILES%\ICQLite'
+VulnerableExecutables:
+ - Path: '%PROGRAMFILES%\ICQLite\ICQLite.exe'
+ Type: Sideloading
+ ExpectedVersionInformation:
+ - OriginalFilename: ICQLite.exe
+ InternalName: ICQ Lite
+ FileDescription: ICQLite
+ SHA256:
+ - 'e6baea057b35e495a3fc3cdf3b95d503c3abc63c371fbb0067f1052798ce3601'
+Resources:
+ - https://www.virustotal.com/gui/file/e5e53392b29b74545e463b65052e0b6b07e8299d709f07501fb0f31b97a679ab/details
+ - https://www.virustotal.com/gui/file/a278d5604a93e93a5580845da93af6c316a37a4cd35c1fc9348958ae1bebdb90/details
+ - https://www.virustotal.com/gui/file/104ca4690b0ff17eb55e1330c5baf5580a731b6834f0716c483e646d6030855c/relations
+ - https://www.virustotal.com/gui/file/010f55aef8ccba2ea1307d934decd577a08fa21547d1db30e01f3ae5ff1cce07/relations
+Acknowledgements:
+ - Name: Jai Minton
+ Company: Huntress
+ Twitter: '@cyberrraiju'
diff --git a/yml/3rd_party/icq/skinutils.yml b/yml/3rd_party/icq/skinutils.yml
new file mode 100644
index 00000000..70885ad0
--- /dev/null
+++ b/yml/3rd_party/icq/skinutils.yml
@@ -0,0 +1,25 @@
+---
+Name: skinutils.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-05-06
+Vendor: ICQ
+ExpectedLocations:
+ - '%PROGRAMFILES%\ICQLite'
+VulnerableExecutables:
+ - Path: '%PROGRAMFILES%\ICQLite\ICQLite.exe'
+ Type: Sideloading
+ ExpectedVersionInformation:
+ - OriginalFilename: ICQLite.exe
+ InternalName: ICQ Lite
+ FileDescription: ICQLite
+ SHA256:
+ - 'e6baea057b35e495a3fc3cdf3b95d503c3abc63c371fbb0067f1052798ce3601'
+Resources:
+ - https://www.virustotal.com/gui/file/e5e53392b29b74545e463b65052e0b6b07e8299d709f07501fb0f31b97a679ab/details
+ - https://www.virustotal.com/gui/file/a278d5604a93e93a5580845da93af6c316a37a4cd35c1fc9348958ae1bebdb90/details
+ - https://www.virustotal.com/gui/file/104ca4690b0ff17eb55e1330c5baf5580a731b6834f0716c483e646d6030855c/relations
+ - https://www.virustotal.com/gui/file/010f55aef8ccba2ea1307d934decd577a08fa21547d1db30e01f3ae5ff1cce07/relations
+Acknowledgements:
+ - Name: Jai Minton
+ Company: Huntress
+ Twitter: '@cyberrraiju'
diff --git a/yml/3rd_party/iobit/register.yml b/yml/3rd_party/iobit/register.yml
new file mode 100644
index 00000000..9b228372
--- /dev/null
+++ b/yml/3rd_party/iobit/register.yml
@@ -0,0 +1,23 @@
+---
+Name: register.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-05-06
+Vendor: IObit
+ExpectedLocations:
+ - '%PROGRAMFILES%\IObit\Driver Booster\%VERSION%'
+VulnerableExecutables:
+ - Path: '%PROGRAMFILES%\IObit\Driver Booster\%VERSION%\DriverBooster.exe'
+ Type: Sideloading
+ ExpectedVersionInformation:
+ - OriginalFilename: RttHlp.exe
+ InternalName: RttHlp.exe
+ FileDescription: IObit RttHlp
+ SHA256:
+ - '8aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473'
+Resources:
+ - https://www.virustotal.com/gui/file/0500e5ad7e344d32ee26da988aeb30f6344a0c89a68eacce5d6a5683d1fee0e1/relations
+ - https://www.virustotal.com/gui/file/cdfe0f80cd3dc1914c7ad1a6305c0c1116168a37c5cfe8ff51650e2ac814b818/details
+Acknowledgements:
+ - Name: Jai Minton
+ Company: Huntress
+ Twitter: '@cyberrraiju'
diff --git a/yml/3rd_party/mobatek/libxfont-1.yml b/yml/3rd_party/mobatek/libxfont-1.yml
new file mode 100644
index 00000000..9faf1625
--- /dev/null
+++ b/yml/3rd_party/mobatek/libxfont-1.yml
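Review bot: In register.yml the executable `- Path: '%PROGRAMFILES%\IObit\Driver Booster\%VERSION%\DriverBooster.exe'` is paired with version information that names a different binary: `OriginalFilename: RttHlp.exe`, `InternalName: RttHlp.exe`, `FileDescription: IObit RttHlp`. Either the Path should end in `RttHlp.exe`, or DriverBooster.exe really does carry RttHlp's resource strings, in which case the listed SHA256 should be re-checked against that exact file and a short comment should record the mismatch so a later contributor does not "correct" it. As written, any consumer that cross-checks Path against OriginalFilename will fail to match this entry.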
@@ -0,0 +1,27 @@
+---
+Name: libxfont-1.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-05-10
+Vendor: Mobatek
+ExpectedLocations:
+ - '%PROGRAMFILES%\Mobatek\MobaXterm Personal Edition'
+ - '%PROGRAMFILES%\Mobatek\MobaXterm'
+ExpectedSignatureInformation:
+ - Subject: C=FR, PostalCode=31830, S=Midi-Pyrénées, L=Plaisance du Touch, STREET=13 rue Paul Bernadot, O=Mobatek, CN=Mobatek
+ Issuer: C=GB, S=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Code Signing CA
+ Type: Authenticode
+VulnerableExecutables:
+ - Path: '%PROGRAMFILES%\Mobatek\MobaXterm Personal Edition\MobaXterm.exe'
+ Type: Sideloading
+ SHA256:
+ - '35132e05638b942403b8a813925de7b54e2e2e35b6ba7a8a081e8b96edd4c0aa'
+ - Path: '%PROGRAMFILES%\Mobatek\MobaXterm\MobaXterm.exe'
+ Type: Sideloading
+ SHA256:
+ - '35132e05638b942403b8a813925de7b54e2e2e35b6ba7a8a081e8b96edd4c0aa'
+Resources:
+ - https://www.virustotal.com/gui/file/b99bd7ffb7634749487570d0b3a7e423047de4ab13a10c2d912660aec322618e/details
+Acknowledgements:
+ - Name: Jai Minton
+ Company: Huntress
+ Twitter: '@cyberrraiju'
diff --git a/yml/3rd_party/python/python310.yml b/yml/3rd_party/python/python310.yml
new file mode 100644
index 00000000..6335f29b
--- /dev/null
+++ b/yml/3rd_party/python/python310.yml
@@ -0,0 +1,21 @@
+---
+Name: python310.dll
+Author: Jai Minton
+Created: 2024-05-08
+Vendor: Python
+ExpectedLocations:
+ - '%PROGRAMFILES%\Python310'
+ - '%LOCALAPPDATA%\Temp\%VERSION%'
+ - '%PROGRAMFILES%\DWAgent\runtime'
+ - '%USERPROFILE%\anaconda3'
+VulnerableExecutables:
+ - Path: 'pythonw.exe'
+ Type: Sideloading
+ - Path: 'dwagent.exe'
+ Type: Sideloading
+Resources:
+ - https://www.virustotal.com/gui/file/115fba7a9ea7d2e38d042c7fa5f81209e0d712c107ceb2eafe2f27f94c8f6054/details
+Acknowledgements:
+ - Name: Jai Minton
+ Company: Huntress
+ Twitter: '@cyberrraiju'
diff --git a/yml/3rd_party/softperfect/sqlite.yml b/yml/3rd_party/softperfect/sqlite.yml
new file mode 100644
index 00000000..9501799a
--- /dev/null
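Review bot: The two executables in python310.yml, `- Path: 'pythonw.exe'` and `- Path: 'dwagent.exe'`, are bare file names, whereas every other entry in this commit gives a fully qualified `%PROGRAMFILES%\...` path; a consumer that matches on Path will treat these two differently, and dwagent.exe presumably belongs under the `%PROGRAMFILES%\DWAgent\runtime` location already listed. The `%LOCALAPPDATA%\Temp\%VERSION%` expected location is a user-writable directory, so a python310.dll placed there by anything will be classed as expected; if this stands for a specific installer's or packager's extraction folder, a comment naming it (or a narrower path) would let reviewers judge the coverage trade-off. Neither executable carries a SHA256 or ExpectedVersionInformation block, unlike the other new entries, and the `Author: Jai Minton` line lacks the `- HuntressLabs` suffix the sibling files use.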
+++ b/yml/3rd_party/softperfect/sqlite.yml
@@ -0,0 +1,21 @@
+---
+Name: sqlite.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-05-06
+Vendor: SoftPerfect
+ExpectedLocations:
+ - '%PROGRAMFILES%\NetWorx'
+VulnerableExecutables:
+ - Path: '%PROGRAMFILES%\NetWorx\networx.exe'
+ Type: Sideloading
+ ExpectedVersionInformation:
+ - FileDescription: NetWorx Application (64-bit)
+ SHA256:
+ - '29345d9c6ff0106c9032b15e2c88f17bc8972ed843d1b5c044cf17d00f1d45c5'
+Resources:
+ - https://www.virustotal.com/gui/file/0271e401ca9e430868f45148a04680295929450aecc537285359a28605645daf
+ - https://www.virustotal.com/gui/file/4489bffe08dcbd1e9741f9b66f8ba10b7526318a1dc8d190aef13bbc1599b0f7/details
+Acknowledgements:
+ - Name: Jai Minton
+ Company: Huntress
+ Twitter: '@cyberrraiju'
diff --git a/yml/3rd_party/trendmicro/tmtap.yml b/yml/3rd_party/trendmicro/tmtap.yml
index 8819ed99..87fd6033 100644
--- a/yml/3rd_party/trendmicro/tmtap.yml
+++ b/yml/3rd_party/trendmicro/tmtap.yml
@@ -13,4 +13,3 @@ VulnerableExecutables:
 Resources:
 - https://medium.com/@infiniti_css/trend-micro-password-manager-dll-hijack-fa839acaad59
-