From 0be0d3e7d8687cef83e86cf3c31c357be4bdf3d0 Mon Sep 17 00:00:00 2001
From: Still Hsu
Date: Sun, 24 Nov 2024 12:33:58 +0800
Subject: [PATCH] Add zlibwapi.yml

Signed-off-by: Still Hsu
---
yml/3rd_party/zlib/zlibwapi.yml | 34 +++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
create mode 100644 yml/3rd_party/zlib/zlibwapi.yml

diff --git a/yml/3rd_party/zlib/zlibwapi.yml b/yml/3rd_party/zlib/zlibwapi.yml
new file mode 100644
index 0000000..c12dbf8
--- /dev/null
+++ b/yml/3rd_party/zlib/zlibwapi.yml
@@ -0,0 +1,34 @@
+---
+Name: zlibwapi.dll
+Author: Still Hsu
+Created: 2024-11-24
+Vendor: zlib
+ExpectedLocations:
+ - '%programfiles%\DS Clock'
+VulnerableExecutables:
+- Path: '%PROGRAMFILES%\DS Clock\dsclock.exe'
+ Type: Sideloading
+ ExpectedVersionInformation:
+ - FileDescription: DS Clock
+ LegalCopyright: Copyright ©️ 2001-2023 Duality Software. All rights reserved. Developed by Vladimir Kulemin.
+ InternalName: dsclock.exe
+ OriginalFilename: dsclock.exe
+ ProductName: DS Clock
+ ProductVersion: 5.1.2.0
+ ExpectedSignatureInformation:
+ - Subject: CN=Duality Software LLC, O=Duality Software LLC, L=Saint Petersburg, S=Saint Petersburg, C=RU
+ Issuer: CN=GlobalSign GCC R45 CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
+ Type: Authenticode
+ SHA256:
+ - f85ce4492e1354f8310027c5f70ef73aae654fcd8fd9a58034e4f82a41a9826b
+Resources:
+ - https://x.com/malwrhunterteam/status/1859316170773397966
+ - https://www.virustotal.com/gui/file/b8d38fc9f4560719fa64227e4b25b732b22602cb596d44cb38418a196c3340be
+ - https://www.virustotal.com/gui/file/f85ce4492e1354f8310027c5f70ef73aae654fcd8fd9a58034e4f82a41a9826b/relations
+ - https://github.com/Still34/malware-lab/tree/main/reworkshop/2024-11-24
+Acknowledgements:
+ - Name: MalwareHunterTeam
+ Twitter: '@malwrhunterteam'
+ - Name: Still Hsu
+ Twitter: '@AzakaSekai_'
+
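Review bot: The `LegalCopyright` value under `ExpectedVersionInformation` appears to contain the copyright sign followed by an emoji variation selector (`©️`), which would not match the string in the executable's version resource if a consumer compares it literally. If the binary carries the plain character, the entry should read `LegalCopyright: Copyright © 2001-2023 Duality Software. All rights reserved. Developed by Vladimir Kulemin.`. The placeholder is also spelled `%programfiles%` in `ExpectedLocations` but `%PROGRAMFILES%` in `Path`; using one casing in both keeps any tooling that expands the variable by literal match from treating the two locations differently. The file also ends with an empty line after the last `Twitter` entry, which can be dropped.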