From bd3d926ee30c3cd2d80fbdbe007fd052dd0d6488 Mon Sep 17 00:00:00 2001
From: Jai Minton
Date: Fri, 6 Sep 2024 22:15:50 +0930
Subject: [PATCH] 3 items related to APT32 operations (#86)
---
yml/3rd_party/calibre/calibre-launcher.yml | 25 ++++++++++++++++
yml/3rd_party/dropbox/goopdate.yml | 35 ++++++++++++++++++++++
yml/3rd_party/mcafee/mcutil.yml | 28 +++++++++++++++++
3 files changed, 88 insertions(+)
create mode 100644 yml/3rd_party/calibre/calibre-launcher.yml
create mode 100644 yml/3rd_party/dropbox/goopdate.yml
create mode 100644 yml/3rd_party/mcafee/mcutil.yml
diff --git a/yml/3rd_party/calibre/calibre-launcher.yml b/yml/3rd_party/calibre/calibre-launcher.yml
new file mode 100644
index 0000000..0a77d22
--- /dev/null
+++ b/yml/3rd_party/calibre/calibre-launcher.yml
@@ -0,0 +1,25 @@
+---
+Name: calibre-launcher.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-08-07
+Vendor: Calibre
+ExpectedLocations:
+ - '%PROGRAMFILES%\Calibre2'
+VulnerableExecutables:
+ - Path: 'calibre.exe'
+ Type: Sideloading
+ ExpectedVersionInformation:
+ - OriginalFilename: calibre.exe
+ InternalName: calibre
+ FileDescription: The main calibre program
+ SHA256:
+ - 735e7b33b97bff3cf6416ed3b8ed7213d7258eec05202cbf8f8f8002c6435fd1
+Resources:
+ - https://www.huntress.com/blog/advanced-persistent-threat-targeting-vietnamese-human-rights-defenders
+Acknowledgements:
+ - Name: Jai Minton
+ Company: Huntress
+ Twitter: '@cyberrraiju'
+ - Name: Craig Sweeney
+ Company: Huntress
+ Twitter: '@bumbucha'
diff --git a/yml/3rd_party/dropbox/goopdate.yml b/yml/3rd_party/dropbox/goopdate.yml
new file mode 100644
index 0000000..7153bc0
--- /dev/null
+++ b/yml/3rd_party/dropbox/goopdate.yml
@@ -0,0 +1,35 @@
+---
+Name: goopdate.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-08-08
+Vendor: Dropbox
+ExpectedLocations:
+ - '%PROGRAMFILES%\Dropbox\Update'
+ - '%PROGRAMFILES%\Dropbox\Update\%VERSION%'
+ - '%LOCALAPPDATA%\DropboxUpdate\Update'
+VulnerableExecutables:
+ - Path: 'DropboxUpdate.exe'
+ Type: Sideloading
+ ExpectedVersionInformation:
+ - OriginalFilename: DropboxUpdate.exe
+ InternalName: Dropbox Update
+ FileDescription: Dropbox Update
+ SHA256:
+ - 47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc
+ - Path: 'DropboxCrashHandler.exe'
+ Type: Sideloading
+ ExpectedVersionInformation:
+ - OriginalFilename: DropboxUpdate.exe
+ InternalName: Dropbox Update
+ FileDescription: Dropbox Update
+ SHA256:
+ - 47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc
+Resources:
+ - https://www.huntress.com/blog/advanced-persistent-threat-targeting-vietnamese-human-rights-defenders
+Acknowledgements:
+ - Name: Jai Minton
+ Company: Huntress
+ Twitter: '@cyberrraiju'
+ - Name: Craig Sweeney
+ Company: Huntress
+ Twitter: '@bumbucha'
diff --git a/yml/3rd_party/mcafee/mcutil.yml b/yml/3rd_party/mcafee/mcutil.yml
new file mode 100644
index 0000000..d2c3bca
--- /dev/null
+++ b/yml/3rd_party/mcafee/mcutil.yml
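Review bot: The DropboxCrashHandler.exe entry repeats the DropboxUpdate.exe entry verbatim, including `OriginalFilename: DropboxUpdate.exe` and the same SHA256, so as written it describes the updater binary rather than a crash-handler binary. If the crash handler really ships as a renamed copy of the updater that is worth stating, because a reader will otherwise assume a copy-paste slip; if it is a distinct binary, the version information and hash in the second entry will never match it and any check keyed on this entry is dead. Either confirm the hash against an actual DropboxCrashHandler.exe sample or add a comment on the second `- Path:` line such as `# DropboxCrashHandler.exe is a renamed copy of DropboxUpdate.exe, hence identical version info and hash`.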
@@ -0,0 +1,28 @@
+---
+Name: mcutil.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-08-07
+Vendor: McAfee
+ExpectedLocations:
+ - '%PROGRAMFILES%\McAfee Inc.\McAfee Total Protection 2009'
+VulnerableExecutables:
+ - Path: 'mcoemcpy.exe'
+ Type: Sideloading
+ ExpectedVersionInformation:
+ - OriginalFilename: mcoemcpy.exe
+ InternalName: mcoemcpy
+ FileDescription: McAfee OEM Info Copy Files
+ SHA256:
+ - 3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe
+Resources:
+ - https://www.virustotal.com/gui/file/3bcb28d19a779b6da0c42c1506cd1908f9bcceeffff45f572677e032551f9a96/relations
+ - https://www.virustotal.com/gui/file/b0263de0622050091a0fbf06428229e5da291b87926ca29c8ee3b01a2a514e4f/detection
+ - https://web-assets.esetstatic.com/wls/2018/03/ESET_OceanLotus.pdf
+ - https://www.huntress.com/blog/advanced-persistent-threat-targeting-vietnamese-human-rights-defenders
+Acknowledgements:
+ - Name: Jai Minton
+ Company: Huntress
+ Twitter: '@cyberrraiju'
+ - Name: Craig Sweeney
+ Company: Huntress
+ Twitter: '@bumbucha'
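Review bot: The two VirusTotal links under Resources reference hashes that appear nowhere else in the entry, so a reader cannot tell whether each points at the legitimate mcoemcpy.exe loader, a malicious mcutil.dll, or a bundle containing both. A one-line YAML comment above each link would make the entry self-describing, e.g. `# VT: <artefact type> sample referenced in the ESET OceanLotus report` with the placeholder filled in by the author. The ExpectedLocations path also names a 2009-era product directory; it is worth confirming this is the only location a legitimate install uses, since a genuine copy found elsewhere would otherwise be reported as a hijack.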