From dc9c9f2f94e6872051dab58fbafb043fdd8b4176 Mon Sep 17 00:00:00 2001
From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Date: Wed, 2 Oct 2024 13:53:53 +0545
Subject: [PATCH] Added python311.dll sideloading (#90)
Co-authored-by: Swachchhanda Shrawan Poudel
Co-authored-by: Wietze
---
 yml/3rd_party/python/python311.yml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 yml/3rd_party/python/python311.yml
diff --git a/yml/3rd_party/python/python311.yml b/yml/3rd_party/python/python311.yml
new file mode 100644
index 0000000..3f606d4
--- /dev/null
+++ b/yml/3rd_party/python/python311.yml
@@ -0,0 +1,27 @@
+---
+Name: python311.dll
+Author: Swachchhanda Shrawan Poudel
+Created: 2024-10-02
+Vendor: Python
+ExpectedLocations:
+ - '%PROGRAMFILES%\Python311'
+ - '%LOCALAPPDATA%\Programs\Python\Python311'
+VulnerableExecutables:
+ - Path: 'pythonw.exe'
+ Type: Sideloading
+ SHA256:
+ - 24385D352B83222DC5AB92FA57B6649854ECD74DE378E279D8AC20A0B3B16009
+ ExpectedVersionInformation:
+ - OriginalFilename: pythonw.exe
+ ProductName: Python
+ InternalName: Python Application
+ CompanyName: Python Software Foundation
+ FileDescription: Python
+Resources:
+ - https://www.securonix.com/blog/seolurker-attack-campaign-uses-seo-poisoning-fake-google-ads-to-install-malware/
+ - https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/
+ - https://www.virustotal.com/gui/file/9514035fea8000a664799e369ae6d3af6abfe8e5cda23cdafbede83051692e63
+ - https://www.rapid7.com/blog/post/2024/05/13/ongoing-malvertising-campaign-leads-to-ransomware/
+Acknowledgements:
+ - Name: Swachchhanda Shrawan Poudel
+ Twitter: '@_swachchhanda_'
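Review bot: The SHA256 list under VulnerableExecutables carries a single hash for pythonw.exe, yet the entry applies to every Python311 build, so any other 3.11.x release will have a pythonw.exe that the hash does not match; the hash should be annotated with the exact release it was taken from, e.g. `# pythonw.exe from Python 3.11.[x] — TODO confirm build`, so that reviewers know which legitimate loaders are still uncatalogued. The VirusTotal entry under Resources points at hash 9514035f…, which is not the pythonw.exe hash listed above, and nothing in the file says whether it is a malicious DLL sample or another legitimate executable; a short comment on that line, `# [sample type — TODO confirm] observed in the referenced campaigns`, would remove the ambiguity. Indentation of the nested keys (Type, SHA256, ExpectedVersionInformation) cannot be judged from the flattened hunk, so please verify the file parses with the rest of the yml/3rd_party entries.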