From d6a1c3980fcea3cb5a0d783e679a186e98beea5d Mon Sep 17 00:00:00 2001 From: Jai Minton Date: Wed, 10 Apr 2024 11:45:20 +0930 Subject: [PATCH 01/26] ASUS vulnerable atkexComSvc.exe commit --- yml/3rd_party/asus/asio.yml | 27 +++++++++++++++++++++++++++ yml/3rd_party/asus/asus_wmi.yml | 27 +++++++++++++++++++++++++++ 2 files changed, 54 insertions(+) create mode 100644 yml/3rd_party/asus/asio.yml create mode 100644 yml/3rd_party/asus/asus_wmi.yml
diff --git a/yml/3rd_party/asus/asio.yml b/yml/3rd_party/asus/asio.yml
new file mode 100644
index 00000000..df3dbc3e
--- /dev/null
+++ b/yml/3rd_party/asus/asio.yml
@@ -0,0 +1,27 @@
+---
+Name: asio.dll
+Author: Jai Minton, HuntressLabs
+Created: 2024-04-10
+Vendor: Asus
+ExpectedLocations:
+ - '%PROGRAMFILES%\ASUS\AXSP\%VERSION%'
+ - '%PROGRAMFILES(x86)%\ASUS\AXSP\%VERSION%'
+VulnerableExecutables:
+ - Path: '%PROGRAMFILES(x86)%\ASUS\AXSP\4.02.12\atkexComSvc.exe'
+ Type: Sideloading|Search Order
+ ExpectedSignatureInformation:
+ - Subject: C=TW, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc.
+ Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)
+ Type: Authenticode
+ ExpectedVersionInformation:
+ - OriginalFilename: atkexComSvc.exe
+ InternalName: atkexComSvc.exe
+ FileDescription: ASUS Com Service
+ SHA256:
+ - '12c22ba646232d5d5087d0300d5cfd46fed424f26143a02dc866f1bfceab3c10'
+Resources:
+ - https://www.virustotal.com/gui/file/006f91524d53d483074335f74c2ca2c10cab9b64de86f6151eedfa53174434f2/relations
+ - https://www.virustotal.com/gui/file/7f4689de97d97ddb6e788119ebf0dc3707c66f8216d7cbc79ea329d0c3df63bf/details
+Acknowledgements:
+ - Name: Jai Minton
+ Twitter: '@cyberrraiju'
\ No newline at end of file
diff --git a/yml/3rd_party/asus/asus_wmi.yml b/yml/3rd_party/asus/asus_wmi.yml
new file mode 100644
index 00000000..359c85fa
--- /dev/null
+++ b/yml/3rd_party/asus/asus_wmi.yml
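Review bot: `Path: '%PROGRAMFILES(x86)%\ASUS\AXSP\4.02.12\atkexComSvc.exe'` pins one product version, while `ExpectedLocations` just above uses the `%VERSION%` placeholder, so a consumer matching on this entry misses the same executable installed under any other AXSP version directory. Patch 02 (L3) makes exactly this correction for asus_wmi.yml, but asio.yml keeps `4.02.12` through patch 08 (L8). Change it to `- Path: '%PROGRAMFILES(x86)%\ASUS\AXSP\%VERSION%\atkexComSvc.exe'` (or the `%PROGRAMFILES%` form that patch 08 settles on) so the two sibling entries agree.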
@@ -0,0 +1,27 @@
+---
+Name: asus_wmi.dll
+Author: Jai Minton, HuntressLabs
+Created: 2024-04-10
+Vendor: Asus
+ExpectedLocations:
+ - '%PROGRAMFILES%\ASUS\AXSP\%VERSION%'
+ - '%PROGRAMFILES(x86)%\ASUS\AXSP\%VERSION%'
+VulnerableExecutables:
+ - Path: '%PROGRAMFILES(x86)%\ASUS\AXSP\4.02.12\atkexComSvc.exe'
+ Type: Sideloading|Search Order
+ ExpectedSignatureInformation:
+ - Subject: C=TW, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc.
+ Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)
+ Type: Authenticode
+ ExpectedVersionInformation:
+ - OriginalFilename: atkexComSvc.exe
+ InternalName: atkexComSvc.exe
+ FileDescription: ASUS Com Service
+ SHA256:
+ - '12c22ba646232d5d5087d0300d5cfd46fed424f26143a02dc866f1bfceab3c10'
+Resources:
+ - https://www.virustotal.com/gui/file/006f91524d53d483074335f74c2ca2c10cab9b64de86f6151eedfa53174434f2/relations
+ - https://www.virustotal.com/gui/file/7f4689de97d97ddb6e788119ebf0dc3707c66f8216d7cbc79ea329d0c3df63bf/details
+Acknowledgements:
+ - Name: Jai Minton
+ Twitter: '@cyberrraiju'
\ No newline at end of file
From 019fa574291d5be32971fc294cb7c9b959827bf7 Mon Sep 17 00:00:00 2001 From: Jai Minton Date: Wed, 10 Apr 2024 12:24:27 +0930 Subject: [PATCH 02/26] Commit Asus, GloryLogic and Cisco 3 executables from 3rd parties vulnerable to DLL sideloading a malicious DLL and actively used in the wild --- yml/3rd_party/asus/asus_wmi.yml | 4 ++-- yml/3rd_party/cisco/wcldll.yml | 24 ++++++++++++++++++++++++ yml/3rd_party/glorylogic/badata_x64.yml | 21 +++++++++++++++++++++ 3 files changed, 47 insertions(+), 2 deletions(-) create mode 100644 yml/3rd_party/cisco/wcldll.yml create mode 100644 yml/3rd_party/glorylogic/badata_x64.yml
diff --git a/yml/3rd_party/asus/asus_wmi.yml b/yml/3rd_party/asus/asus_wmi.yml
index 359c85fa..3e82639e 100644
--- a/yml/3rd_party/asus/asus_wmi.yml
+++ b/yml/3rd_party/asus/asus_wmi.yml
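Review bot: The signature and version blocks describe atkexComSvc.exe only; nothing in the entry says whether a vendor-supplied `asus_wmi.dll` normally sits in the `ExpectedLocations` directories, so a detection built from this file cannot tell a legitimate copy from a planted one at the same path. If the schema has a field for the expected DLL's signer or hash, record it; if not, a Resources link to the vendor package that ships the DLL (or a statement that it is not shipped) would let a consumer decide which load events are suspicious. The same gap exists in asio.yml (L1), which is otherwise identical to this file apart from `Name`.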
@@ -7,7 +7,7 @@ ExpectedLocations: - '%PROGRAMFILES%\ASUS\AXSP\%VERSION%' - '%PROGRAMFILES(x86)%\ASUS\AXSP\%VERSION%' VulnerableExecutables: - - Path: '%PROGRAMFILES(x86)%\ASUS\AXSP\4.02.12\atkexComSvc.exe' + - Path: '%PROGRAMFILES(x86)%\ASUS\AXSP\%VERSION%\atkexComSvc.exe' Type: Sideloading|Search Order ExpectedSignatureInformation: - Subject: C=TW, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc. @@ -24,4 +24,4 @@ Resources: - https://www.virustotal.com/gui/file/7f4689de97d97ddb6e788119ebf0dc3707c66f8216d7cbc79ea329d0c3df63bf/details Acknowledgements: - Name: Jai Minton - Twitter: '@cyberrraiju' \ No newline at end of file + Twitter: '@cyberrraiju' \ No newline at end of file diff --git a/yml/3rd_party/cisco/wcldll.yml b/yml/3rd_party/cisco/wcldll.yml new file mode 100644 index 00000000..8ffdfc2d --- /dev/null +++ b/yml/3rd_party/cisco/wcldll.yml @@ -0,0 +1,24 @@ +--- +Name: wcldll.dll +Author: Jai Minton, HuntressLabs +Created: 2024-04-10 +Vendor: Cisco +ExpectedLocations: + - '%PROGRAMFILES(x86)%\Cisco Systems\Cisco Jabber' + - '%PROGRAMFILES(x86)%\webex\' +VulnerableExecutables: + - Path: '%PROGRAMFILES(x86)%\webex\ptInst.exe' + Type: Sideloading|Search Order + ExpectedVersionInformation: + - OriginalFilename: ptInst.exe + InternalName: ptInst + FileDescription: WebEx PT ptInst Module + SHA256: + - 'bf1a0c67b433f52ebd304553f022baa34bfbca258c932d2b4b8b956b1467bfa5' +Resources: + - https://www.virustotal.com/gui/file/bf1a0c67b433f52ebd304553f022baa34bfbca258c932d2b4b8b956b1467bfa5/details + - https://www.virustotal.com/gui/file/26227914bdad9baf491a9b966e6301fc997cff35c677dcfd9628654f4f6bc9fc/relations + - https://www.virustotal.com/gui/file/fa1443219f210bdcf3a25b311342851f61378536eb11810366468156fbd5c051 +Acknowledgements: + - Name: Jai Minton + Twitter: '@cyberrraiju' \ No newline at end of file diff --git a/yml/3rd_party/glorylogic/badata_x64.yml b/yml/3rd_party/glorylogic/badata_x64.yml new file mode 100644 index 00000000..db94af53 
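Review bot: In wcldll.yml, `ExpectedLocations` lists `%PROGRAMFILES(x86)%\Cisco Systems\Cisco Jabber`, but `VulnerableExecutables` contains only the Webex `ptInst.exe`, so the entry never says which Jabber binary loads wcldll.dll and a consumer has nothing to match against in that directory. Either add the Jabber executable with its own `SHA256` as a second `- Path:` item, or drop the location until one is known. The same gap remains after patch 07 (L7) adds `%PROGRAMFILES(x86)%\Webex\Plugins` with no executable for it, and after patch 08 (L10).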
--- /dev/null +++ b/yml/3rd_party/glorylogic/badata_x64.yml @@ -0,0 +1,21 @@ +--- +Name: badata_x64.dll +Author: Jai Minton, HuntressLabs +Created: 2024-04-10 +Vendor: Cisco +ExpectedLocations: + - '%PROGRAMFILES%\True Burner' +VulnerableExecutables: + - Path: '%PROGRAMFILES%\True Burner\TrueBurner.exe' + Type: Sideloading|Search Order + ExpectedVersionInformation: + - FileDescription: True Burner + Comments: http://www.glorylogic.com + SHA256: + - '3e190f160218ad78c85c169dfd0828d36e4a366a3e2a61337391f0d7599a7558' +Resources: + - https://www.virustotal.com/gui/file/3e190f160218ad78c85c169dfd0828d36e4a366a3e2a61337391f0d7599a7558/relations + - https://www.virustotal.com/gui/file/9326dd40e37d720f15a0104f89d6e76eb7a75b6e1fad14018326dbaa01681e74/relations +Acknowledgements: + - Name: Jai Minton + Twitter: '@cyberrraiju' \ No newline at end of file From 37ce6f7bce409a66b2e020eccda02c47b491c893 Mon Sep 17 00:00:00 2001 From: Jai Minton Date: Wed, 10 Apr 2024 12:39:06 +0930 Subject: [PATCH 03/26] Fixes for type and author fields --- yml/3rd_party/asus/asio.yml | 4 ++-- yml/3rd_party/asus/asus_wmi.yml | 4 ++-- yml/3rd_party/cisco/wcldll.yml | 4 ++-- yml/3rd_party/glorylogic/badata_x64.yml | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/yml/3rd_party/asus/asio.yml b/yml/3rd_party/asus/asio.yml index df3dbc3e..36710ec8 100644 --- a/yml/3rd_party/asus/asio.yml +++ b/yml/3rd_party/asus/asio.yml @@ -1,6 +1,6 @@ --- Name: asio.dll -Author: Jai Minton, HuntressLabs +Author: Jai Minton - HuntressLabs Created: 2024-04-10 Vendor: Asus ExpectedLocations: 
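Review bot: `ExpectedVersionInformation` for TrueBurner.exe carries only `FileDescription: True Burner`, a weaker match key than the `OriginalFilename`/`InternalName` pair the ASUS and Cisco entries in this series record (L1, L3); two unrelated binaries can share a description string. If the version resource of the referenced sample exposes those fields, add `OriginalFilename:` and `InternalName:` next to `FileDescription`. `Vendor: Cisco` and the `Comments:` line are corrected in patches 05 and 06 and need nothing further.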
@@ -8,7 +8,7 @@ ExpectedLocations: - '%PROGRAMFILES(x86)%\ASUS\AXSP\%VERSION%' VulnerableExecutables: - Path: '%PROGRAMFILES(x86)%\ASUS\AXSP\4.02.12\atkexComSvc.exe' - Type: Sideloading|Search Order + Type: Sideloading ExpectedSignatureInformation: - Subject: C=TW, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc. Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2) diff --git a/yml/3rd_party/asus/asus_wmi.yml b/yml/3rd_party/asus/asus_wmi.yml index 3e82639e..87d8b4e2 100644 --- a/yml/3rd_party/asus/asus_wmi.yml +++ b/yml/3rd_party/asus/asus_wmi.yml @@ -1,6 +1,6 @@ --- Name: asus_wmi.dll -Author: Jai Minton, HuntressLabs +Author: Jai Minton - HuntressLabs Created: 2024-04-10 Vendor: Asus ExpectedLocations: @@ -8,7 +8,7 @@ ExpectedLocations: - '%PROGRAMFILES(x86)%\ASUS\AXSP\%VERSION%' VulnerableExecutables: - Path: '%PROGRAMFILES(x86)%\ASUS\AXSP\%VERSION%\atkexComSvc.exe' - Type: Sideloading|Search Order + Type: Sideloading ExpectedSignatureInformation: - Subject: C=TW, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc. Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2) diff --git a/yml/3rd_party/cisco/wcldll.yml b/yml/3rd_party/cisco/wcldll.yml index 8ffdfc2d..ebfe9035 100644 --- a/yml/3rd_party/cisco/wcldll.yml +++ b/yml/3rd_party/cisco/wcldll.yml @@ -1,6 +1,6 @@ --- Name: wcldll.dll -Author: Jai Minton, HuntressLabs +Author: Jai Minton - HuntressLabs Created: 2024-04-10 Vendor: Cisco ExpectedLocations: @@ -8,7 +8,7 @@ ExpectedLocations: - '%PROGRAMFILES(x86)%\webex\' VulnerableExecutables: - Path: '%PROGRAMFILES(x86)%\webex\ptInst.exe' - Type: Sideloading|Search Order + Type: Sideloading ExpectedVersionInformation: - OriginalFilename: ptInst.exe InternalName: ptInst diff --git a/yml/3rd_party/glorylogic/badata_x64.yml b/yml/3rd_party/glorylogic/badata_x64.yml index db94af53..ec5892ec 100644 --- a/yml/3rd_party/glorylogic/badata_x64.yml 
+++ b/yml/3rd_party/glorylogic/badata_x64.yml @@ -1,13 +1,13 @@ --- Name: badata_x64.dll -Author: Jai Minton, HuntressLabs +Author: Jai Minton - HuntressLabs Created: 2024-04-10 Vendor: Cisco ExpectedLocations: - '%PROGRAMFILES%\True Burner' VulnerableExecutables: - Path: '%PROGRAMFILES%\True Burner\TrueBurner.exe' - Type: Sideloading|Search Order + Type: Sideloading ExpectedVersionInformation: - FileDescription: True Burner Comments: http://www.glorylogic.com From ee7550527866bfca979a2fcc1fe8109b85eda3cd Mon Sep 17 00:00:00 2001 From: Jai Minton Date: Wed, 10 Apr 2024 12:41:08 +0930 Subject: [PATCH 04/26] Update wcldll.yml Fixed typo in expected locations --- yml/3rd_party/cisco/wcldll.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/3rd_party/cisco/wcldll.yml b/yml/3rd_party/cisco/wcldll.yml index ebfe9035..594622a2 100644 --- a/yml/3rd_party/cisco/wcldll.yml +++ b/yml/3rd_party/cisco/wcldll.yml @@ -5,7 +5,7 @@ Created: 2024-04-10 Vendor: Cisco ExpectedLocations: - '%PROGRAMFILES(x86)%\Cisco Systems\Cisco Jabber' - - '%PROGRAMFILES(x86)%\webex\' + - '%PROGRAMFILES(x86)%\webex' VulnerableExecutables: - Path: '%PROGRAMFILES(x86)%\webex\ptInst.exe' Type: Sideloading From 2a8fd490dee12618ca9a5e432c8ee13717449b97 Mon Sep 17 00:00:00 2001 From: Jai Minton Date: Wed, 10 Apr 2024 12:43:07 +0930 Subject: [PATCH 05/26] Update badata_x64.yml Fixed vendor typo --- yml/3rd_party/glorylogic/badata_x64.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/3rd_party/glorylogic/badata_x64.yml b/yml/3rd_party/glorylogic/badata_x64.yml index ec5892ec..bc1f9025 100644 --- a/yml/3rd_party/glorylogic/badata_x64.yml +++ b/yml/3rd_party/glorylogic/badata_x64.yml @@ -2,7 +2,7 @@ Name: badata_x64.dll Author: Jai Minton - HuntressLabs Created: 2024-04-10 -Vendor: Cisco +Vendor: Glorylogic ExpectedLocations: - '%PROGRAMFILES%\True Burner' VulnerableExecutables: From 8a5fc2eb3ec7270797460b7c6426de4bbaec471a Mon Sep 17 00:00:00 2001 
From: Jai Minton Date: Wed, 10 Apr 2024 12:45:19 +0930 Subject: [PATCH 06/26] Update badata_x64.yml Remove undefined coments field in version information --- yml/3rd_party/glorylogic/badata_x64.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/yml/3rd_party/glorylogic/badata_x64.yml b/yml/3rd_party/glorylogic/badata_x64.yml index bc1f9025..0080a62b 100644 --- a/yml/3rd_party/glorylogic/badata_x64.yml +++ b/yml/3rd_party/glorylogic/badata_x64.yml @@ -10,7 +10,6 @@ VulnerableExecutables: Type: Sideloading ExpectedVersionInformation: - FileDescription: True Burner - Comments: http://www.glorylogic.com SHA256: - '3e190f160218ad78c85c169dfd0828d36e4a366a3e2a61337391f0d7599a7558' Resources: From 9e80670802b65afa1224e7e9b0c66b2437fcf679 Mon Sep 17 00:00:00 2001 From: Jai Minton Date: Wed, 10 Apr 2024 14:08:48 +0930 Subject: [PATCH 07/26] Update wcldll.yml --- yml/3rd_party/cisco/wcldll.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/yml/3rd_party/cisco/wcldll.yml b/yml/3rd_party/cisco/wcldll.yml index 594622a2..db40e6f5 100644 --- a/yml/3rd_party/cisco/wcldll.yml +++ b/yml/3rd_party/cisco/wcldll.yml @@ -5,9 +5,10 @@ Created: 2024-04-10 Vendor: Cisco ExpectedLocations: - '%PROGRAMFILES(x86)%\Cisco Systems\Cisco Jabber' - - '%PROGRAMFILES(x86)%\webex' + - '%PROGRAMFILES(x86)%\Webex\Applications' + - '%PROGRAMFILES(x86)%\Webex\Plugins' VulnerableExecutables: - - Path: '%PROGRAMFILES(x86)%\webex\ptInst.exe' + - Path: '%PROGRAMFILES(x86)%\Webex\Applications\ptInst.exe' Type: Sideloading ExpectedVersionInformation: - OriginalFilename: ptInst.exe From ba72840150e9438a261efb0b8f171c4609688c09 Mon Sep 17 00:00:00 2001 From: Wietze Date: Fri, 12 Apr 2024 19:34:40 +0100 Subject: [PATCH 08/26] Minor fixes --- yml/3rd_party/asus/asio.yml | 11 +++++------ yml/3rd_party/asus/asus_wmi.yml | 11 +++++------ yml/3rd_party/cisco/wcldll.yml | 16 ++++++++-------- 3 files changed, 18 insertions(+), 20 deletions(-) 
diff --git a/yml/3rd_party/asus/asio.yml b/yml/3rd_party/asus/asio.yml index 36710ec8..0c4da6e5 100644 --- a/yml/3rd_party/asus/asio.yml +++ b/yml/3rd_party/asus/asio.yml @@ -1,13 +1,12 @@ --- -Name: asio.dll +Name: asio.dll Author: Jai Minton - HuntressLabs Created: 2024-04-10 Vendor: Asus -ExpectedLocations: +ExpectedLocations: - '%PROGRAMFILES%\ASUS\AXSP\%VERSION%' - - '%PROGRAMFILES(x86)%\ASUS\AXSP\%VERSION%' VulnerableExecutables: - - Path: '%PROGRAMFILES(x86)%\ASUS\AXSP\4.02.12\atkexComSvc.exe' + - Path: '%PROGRAMFILES%\ASUS\AXSP\4.02.12\atkexComSvc.exe' Type: Sideloading ExpectedSignatureInformation: - Subject: C=TW, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc. @@ -17,11 +16,11 @@ VulnerableExecutables: - OriginalFilename: atkexComSvc.exe InternalName: atkexComSvc.exe FileDescription: ASUS Com Service - SHA256: + SHA256: - '12c22ba646232d5d5087d0300d5cfd46fed424f26143a02dc866f1bfceab3c10' Resources: - https://www.virustotal.com/gui/file/006f91524d53d483074335f74c2ca2c10cab9b64de86f6151eedfa53174434f2/relations - https://www.virustotal.com/gui/file/7f4689de97d97ddb6e788119ebf0dc3707c66f8216d7cbc79ea329d0c3df63bf/details Acknowledgements: - Name: Jai Minton - Twitter: '@cyberrraiju' \ No newline at end of file + Twitter: '@cyberrraiju' diff --git a/yml/3rd_party/asus/asus_wmi.yml b/yml/3rd_party/asus/asus_wmi.yml index 87d8b4e2..efd6e24c 100644 --- a/yml/3rd_party/asus/asus_wmi.yml +++ b/yml/3rd_party/asus/asus_wmi.yml 
@@ -1,13 +1,12 @@ --- -Name: asus_wmi.dll +Name: asus_wmi.dll Author: Jai Minton - HuntressLabs Created: 2024-04-10 Vendor: Asus -ExpectedLocations: +ExpectedLocations: - '%PROGRAMFILES%\ASUS\AXSP\%VERSION%' - - '%PROGRAMFILES(x86)%\ASUS\AXSP\%VERSION%' VulnerableExecutables: - - Path: '%PROGRAMFILES(x86)%\ASUS\AXSP\%VERSION%\atkexComSvc.exe' + - Path: '%PROGRAMFILES%\ASUS\AXSP\%VERSION%\atkexComSvc.exe' Type: Sideloading ExpectedSignatureInformation: - Subject: C=TW, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc. @@ -17,11 +16,11 @@ VulnerableExecutables: - OriginalFilename: atkexComSvc.exe InternalName: atkexComSvc.exe FileDescription: ASUS Com Service - SHA256: + SHA256: - '12c22ba646232d5d5087d0300d5cfd46fed424f26143a02dc866f1bfceab3c10' Resources: - https://www.virustotal.com/gui/file/006f91524d53d483074335f74c2ca2c10cab9b64de86f6151eedfa53174434f2/relations - https://www.virustotal.com/gui/file/7f4689de97d97ddb6e788119ebf0dc3707c66f8216d7cbc79ea329d0c3df63bf/details Acknowledgements: - Name: Jai Minton - Twitter: '@cyberrraiju' \ No newline at end of file + Twitter: '@cyberrraiju' diff --git a/yml/3rd_party/cisco/wcldll.yml b/yml/3rd_party/cisco/wcldll.yml index db40e6f5..287729ec 100644 --- a/yml/3rd_party/cisco/wcldll.yml +++ b/yml/3rd_party/cisco/wcldll.yml 
@@ -1,20 +1,20 @@ --- -Name: wcldll.dll +Name: wcldll.dll Author: Jai Minton - HuntressLabs Created: 2024-04-10 Vendor: Cisco -ExpectedLocations: - - '%PROGRAMFILES(x86)%\Cisco Systems\Cisco Jabber' - - '%PROGRAMFILES(x86)%\Webex\Applications' - - '%PROGRAMFILES(x86)%\Webex\Plugins' +ExpectedLocations: + - '%PROGRAMFILES%\Cisco Systems\Cisco Jabber' + - '%PROGRAMFILES%\Webex\Applications' + - '%PROGRAMFILES%\Webex\Plugins' VulnerableExecutables: - - Path: '%PROGRAMFILES(x86)%\Webex\Applications\ptInst.exe' + - Path: '%PROGRAMFILES%\Webex\Applications\ptInst.exe' Type: Sideloading ExpectedVersionInformation: - OriginalFilename: ptInst.exe InternalName: ptInst FileDescription: WebEx PT ptInst Module - SHA256: + SHA256: - 'bf1a0c67b433f52ebd304553f022baa34bfbca258c932d2b4b8b956b1467bfa5' Resources: - https://www.virustotal.com/gui/file/bf1a0c67b433f52ebd304553f022baa34bfbca258c932d2b4b8b956b1467bfa5/details @@ -22,4 +22,4 @@ Resources: - https://www.virustotal.com/gui/file/fa1443219f210bdcf3a25b311342851f61378536eb11810366468156fbd5c051 Acknowledgements: - Name: Jai Minton - Twitter: '@cyberrraiju' \ No newline at end of file + Twitter: '@cyberrraiju' From 2412a36e5ae9ed60482cf4fbf69ea2e2d22e07ce Mon Sep 17 00:00:00 2001 From: Wietze Date: Fri, 12 Apr 2024 19:38:17 +0100 Subject: [PATCH 09/26] Minor fixes --- yml/3rd_party/glorylogic/badata_x64.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/yml/3rd_party/glorylogic/badata_x64.yml b/yml/3rd_party/glorylogic/badata_x64.yml index 0080a62b..2f2d8e2a 100644 --- a/yml/3rd_party/glorylogic/badata_x64.yml +++ b/yml/3rd_party/glorylogic/badata_x64.yml 
@@ -3,18 +3,18 @@ Name: badata_x64.dll Author: Jai Minton - HuntressLabs Created: 2024-04-10 Vendor: Glorylogic -ExpectedLocations: +ExpectedLocations: - '%PROGRAMFILES%\True Burner' VulnerableExecutables: - Path: '%PROGRAMFILES%\True Burner\TrueBurner.exe' Type: Sideloading ExpectedVersionInformation: - FileDescription: True Burner - SHA256: + SHA256: - '3e190f160218ad78c85c169dfd0828d36e4a366a3e2a61337391f0d7599a7558' Resources: - https://www.virustotal.com/gui/file/3e190f160218ad78c85c169dfd0828d36e4a366a3e2a61337391f0d7599a7558/relations - https://www.virustotal.com/gui/file/9326dd40e37d720f15a0104f89d6e76eb7a75b6e1fad14018326dbaa01681e74/relations Acknowledgements: - Name: Jai Minton - Twitter: '@cyberrraiju' \ No newline at end of file + Twitter: '@cyberrraiju' From ca652a88069abfe4f4143dcd593d0d960e53ac81 Mon Sep 17 00:00:00 2001 
From: Jai Minton Date: Tue, 16 Apr 2024 11:40:09 +0930 Subject: [PATCH 10/26] Update 11 DLLs actively used maliciously ITW --- yml/3rd_party/adobe/sqlite.yml | 21 +++++++++++++++++ yml/3rd_party/flexera/fnp_act_installer.yml | 23 ++++++++++++++++++ yml/3rd_party/oracle/qtcorevbox4.yml | 21 +++++++++++++++++ yml/3rd_party/oracle/vboxrt.yml | 22 +++++++++++++++++ yml/3rd_party/pspad/libeay32.yml | 24 +++++++++++++++++++ yml/3rd_party/thinprint/tpsvc.yml | 26 +++++++++++++++++++++ yml/3rd_party/vlc/libvlccore.yml | 20 ++++++++++++++++ yml/3rd_party/wireshark/libglib-2.0-0.yml | 22 +++++++++++++++++ yml/3rd_party/wireshark/libwsutil.yml | 23 ++++++++++++++++++ yml/microsoft/external/mpgear.yml | 22 +++++++++++++++++ yml/microsoft/external/tedutil.yml | 22 +++++++++++++++++ 11 files changed, 246 insertions(+) create mode 100644 yml/3rd_party/adobe/sqlite.yml create mode 100644 yml/3rd_party/flexera/fnp_act_installer.yml create mode 100644 yml/3rd_party/oracle/qtcorevbox4.yml create mode 100644 yml/3rd_party/oracle/vboxrt.yml create mode 100644 yml/3rd_party/pspad/libeay32.yml create mode 100644 yml/3rd_party/thinprint/tpsvc.yml create mode 100644 yml/3rd_party/vlc/libvlccore.yml create mode 100644 yml/3rd_party/wireshark/libglib-2.0-0.yml create mode 100644 yml/3rd_party/wireshark/libwsutil.yml create mode 100644 yml/microsoft/external/mpgear.yml create mode 100644 yml/microsoft/external/tedutil.yml diff --git a/yml/3rd_party/adobe/sqlite.yml b/yml/3rd_party/adobe/sqlite.yml new file mode 100644 index 00000000..425eec32 --- /dev/null +++ b/yml/3rd_party/adobe/sqlite.yml 
@@ -0,0 +1,21 @@
+---
+Name: sqlite.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-04-15
+Vendor: Adobe
+ExpectedLocations:
+ - '%PROGRAMFILES%\Adobe\Acrobat Reader DC\Reader'
+VulnerableExecutables:
+ - Path: '%PROGRAMFILES%\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe'
+ Type: Sideloading
+ SHA256:
+ - 1f64f01063b26bf05d4b076d54816e54dacd08b7fd6e5bc9cc5d11a548ff2215
+Resources:
+ - https://asec.ahnlab.com/en/58319/
+ - https://www.virustotal.com/gui/file/1f64f01063b26bf05d4b076d54816e54dacd08b7fd6e5bc9cc5d11a548ff2215
+ - https://www.virustotal.com/gui/file/802bad293e5d5e75ffac3df3dd5301315a886534011871275a1b41c9cec1f298
+Acknowledgements:
+ - Name: Jai Minton
+ Twitter: '@cyberrraiju'
+ - Name: Huntress
+ Twitter: '@HuntressLabs'
diff --git a/yml/3rd_party/flexera/fnp_act_installer.yml b/yml/3rd_party/flexera/fnp_act_installer.yml
new file mode 100644
index 00000000..17180ae5
--- /dev/null
+++ b/yml/3rd_party/flexera/fnp_act_installer.yml
@@ -0,0 +1,23 @@
+---
+Name: fnp_act_installer.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-04-15
+Vendor: Flexera
+ExpectedLocations:
+ - '%PROGRAMFILES%\InstallShield\%VERSION%\System'
+VulnerableExecutables:
+ - Path: '%PROGRAMFILES%\InstallShield\%VERSION%\System\TSConfig.exe'
+ Type: Sideloading
+ ExpectedVersionInformation:
+ - FileDescription: InstallShield Activation Wizard
+ SHA256:
+ - 'b5f9377bd27fcf48fb3d81d0196021681739f42a198e8340c27d55192d4bd3ac'
+Resources:
+ - https://asec.ahnlab.com/en/58319/
+ - https://www.virustotal.com/gui/file/b5f9377bd27fcf48fb3d81d0196021681739f42a198e8340c27d55192d4bd3ac
+ - https://www.virustotal.com/gui/file/e7b69768215453b2c648d7060161ce9b9eaf1ace631eb2ac11b60a7195e2263e
+Acknowledgements:
+ - Name: Jai Minton
+ Twitter: '@cyberrraiju'
+ - Name: Huntress
+ Twitter: '@HuntressLabs'
diff --git a/yml/3rd_party/oracle/qtcorevbox4.yml b/yml/3rd_party/oracle/qtcorevbox4.yml
new file mode 100644
index 00000000..beb3b151
--- /dev/null
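Review bot: The `SHA256` value `1f64f01063b26bf05d4b076d54816e54dacd08b7fd6e5bc9cc5d11a548ff2215` in sqlite.yml is unquoted while the other entries in this patch quote their hashes. This one contains letters and so loads as a string, but a hash made only of decimal digits (or one matching `digits e digits`) would be resolved to a number by YAML 1.1 loaders and silently never match; keeping every hash quoted removes that dependence on the particular value. Write it as `- '1f64f01063b26bf05d4b076d54816e54dacd08b7fd6e5bc9cc5d11a548ff2215'`; libvlccore.yml (L16) has the same unquoted hash.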
+++ b/yml/3rd_party/oracle/qtcorevbox4.yml @@ -0,0 +1,21 @@ +--- +Name: qtcorevbox4.dll +Author: Jai Minton - HuntressLabs +Created: 2024-04-15 +Vendor: Oracle +ExpectedLocations: + - '%PROGRAMFILES%\Oracle\VirtualBox' +VulnerableExecutables: + - Path: '%PROGRAMFILES%\Oracle\VirtualBox\VBoxTestOGL.exe' + Type: Sideloading + SHA256: + - 'e631bf67c349ce3afc7d5960b0247af9466292bc314ff393dee0716f3a50fd5f' +Resources: + - https://asec.ahnlab.com/en/58319/ + - https://www.virustotal.com/gui/file/cf801023465679ec34084bdb1adb9f54b2fc3130925a4b8fdc10b11639b4a7cd + - https://www.virustotal.com/gui/file/a6e6b1a47021fa1e4d36b047f5326eb04d5f545907fc6ac3730162a07cc792ff +Acknowledgements: + - Name: Jai Minton + Twitter: '@cyberrraiju' + - Name: Huntress + Twitter: '@HuntressLabs' diff --git a/yml/3rd_party/oracle/vboxrt.yml b/yml/3rd_party/oracle/vboxrt.yml new file mode 100644 index 00000000..9e8a8772 --- /dev/null +++ b/yml/3rd_party/oracle/vboxrt.yml @@ -0,0 +1,22 @@ +--- +Name: vboxrt.dll +Author: Jai Minton - HuntressLabs +Created: 2024-04-15 +Vendor: Oracle +ExpectedLocations: + - '%PROGRAMFILES%\Oracle\VirtualBox' +VulnerableExecutables: + - Path: '%PROGRAMFILES%\Oracle\VirtualBox\VBoxSVC.exe' + Type: Sideloading + ExpectedVersionInformation: + - FileDescription: VirtualBox Interface + SHA256: + - '448402c129a721812fa1c5f279f5ca906b9c8bbca652a91655d144d20ce5e6b4' +Resources: + - https://asec.ahnlab.com/en/58319/ + - https://www.virustotal.com/gui/file/cf801023465679ec34084bdb1adb9f54b2fc3130925a4b8fdc10b11639b4a7cd +Acknowledgements: + - Name: Jai Minton + Twitter: '@cyberrraiju' + - Name: Huntress + Twitter: '@HuntressLabs' diff --git a/yml/3rd_party/pspad/libeay32.yml b/yml/3rd_party/pspad/libeay32.yml new file mode 100644 index 00000000..d8871362 --- /dev/null +++ b/yml/3rd_party/pspad/libeay32.yml 
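Review bot: The `SHA256` recorded here for `VBoxTestOGL.exe`, `e631bf67c349ce3afc7d5960b0247af9466292bc314ff393dee0716f3a50fd5f`, is the same value tpsvc.yml (L16) records for `TPAutoConnect.exe`, and the two entries also list the identical VirusTotal resources (`cf801023…` and `a6e6b1a4…`). Two different executables cannot share a hash, so one of the entries appears to carry a copy-pasted value; a wrong hash silently makes the vulnerable-executable match fail on real hosts. Re-check both against the referenced reports and correct whichever entry is wrong, noting the source of the hash in a comment such as `# SHA256 of the vendor binary referenced in the VirusTotal report above`.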
@@ -0,0 +1,24 @@ +--- +Name: libeay32.dll +Author: Jai Minton - HuntressLabs +Created: 2024-04-15 +Vendor: PSPad +ExpectedLocations: + - '%PROGRAMFILES%\PSPad editor' +VulnerableExecutables: + - Path: '%PROGRAMFILES%\PSPad editor\PSPad.exe' + Type: Sideloading + ExpectedVersionInformation: + - FileDescription: Text editor + SHA256: + - '0a97c374a6cc14b54b01deb3be77b28e274ced8c0627efba6b84712284332a7a' +Resources: + - https://asec.ahnlab.com/en/58319/ + - https://www.virustotal.com/gui/file/cf801023465679ec34084bdb1adb9f54b2fc3130925a4b8fdc10b11639b4a7cd + - https://www.virustotal.com/gui/file/7add49ed95d6a9e90988dcbfc54cdb727e0c705e3d79879717849798354e3e25 + - https://www.virustotal.com/gui/file/a13c09f41979df8717a9d39e15e6ce960c1c4ba6af456a563fa3ff1b8b4d388c +Acknowledgements: + - Name: Jai Minton + Twitter: '@cyberrraiju' + - Name: Huntress + Twitter: '@HuntressLabs' diff --git a/yml/3rd_party/thinprint/tpsvc.yml b/yml/3rd_party/thinprint/tpsvc.yml new file mode 100644 index 00000000..04603ca5 --- /dev/null +++ b/yml/3rd_party/thinprint/tpsvc.yml 
@@ -0,0 +1,26 @@ +--- +Name: tpsvc.dll +Author: Jai Minton - HuntressLabs +Created: 2024-04-15 +Vendor: ThinPrint +ExpectedLocations: + - '%PROGRAMFILES%\VMWare\VMWare Tools' + - '%PROGRAMFILES%\Common Files\ThinPrint' +VulnerableExecutables: + - Path: '%PROGRAMFILES%\VMWare\VMWare Tools\TPAutoConnect.exe' + Type: Sideloading + SHA256: + - 'e631bf67c349ce3afc7d5960b0247af9466292bc314ff393dee0716f3a50fd5f' + - Path: '%PROGRAMFILES%\Common Files\ThinPrint\TPAutoConnect.exe' + Type: Sideloading + SHA256: + - 'e631bf67c349ce3afc7d5960b0247af9466292bc314ff393dee0716f3a50fd5f' +Resources: + - https://asec.ahnlab.com/en/58319/ + - https://www.virustotal.com/gui/file/cf801023465679ec34084bdb1adb9f54b2fc3130925a4b8fdc10b11639b4a7cd + - https://www.virustotal.com/gui/file/a6e6b1a47021fa1e4d36b047f5326eb04d5f545907fc6ac3730162a07cc792ff +Acknowledgements: + - Name: Jai Minton + Twitter: '@cyberrraiju' + - Name: Huntress + Twitter: '@HuntressLabs' diff --git a/yml/3rd_party/vlc/libvlccore.yml b/yml/3rd_party/vlc/libvlccore.yml new file mode 100644 index 00000000..bba2b270 --- /dev/null +++ b/yml/3rd_party/vlc/libvlccore.yml @@ -0,0 +1,20 @@ +--- +Name: libvlccore.dll +Author: Jai Minton - HuntressLabs +Created: 2024-04-15 +Vendor: VLC +ExpectedLocations: + - '%PROGRAMFILES%\VideoLAN\VLC' +VulnerableExecutables: + - Path: '%PROGRAMFILES%\VideoLAN\VLC\vlc.exe' + Type: Sideloading + SHA256: + - 1fcd04fe1a3d519c7d585216b414cd947d16997d77d81a2892821f588c630937 +Resources: + - https://asec.ahnlab.com/en/58319/ + - https://www.virustotal.com/gui/file/33c08eeaff6e9aa686a14144cb84d1895f260d28b767a0d2a10dbe427a65d7c0 +Acknowledgements: + - Name: Jai Minton + Twitter: '@cyberrraiju' + - Name: Huntress + Twitter: '@HuntressLabs' diff --git a/yml/3rd_party/wireshark/libglib-2.0-0.yml b/yml/3rd_party/wireshark/libglib-2.0-0.yml new file mode 100644 index 00000000..0ec26b13 --- /dev/null +++ b/yml/3rd_party/wireshark/libglib-2.0-0.yml 
@@ -0,0 +1,22 @@ +--- +Name: libglib-2.0-0.dll +Author: Jai Minton - HuntressLabs +Created: 2024-04-15 +Vendor: Wireshark +ExpectedLocations: + - '%PROGRAMFILES%\Wireshark' +VulnerableExecutables: + - Path: '%PROGRAMFILES%\Wireshark\Mergecap.exe' + Type: Sideloading + ExpectedVersionInformation: + - FileDescription: Mergecap + SHA256: + - 'ac7a321a7b00b4adb5863b9a7e91e69afe9ce1953317234a2bd1bee97de744da' +Resources: + - https://asec.ahnlab.com/en/58319/ + - https://www.virustotal.com/gui/file/fcb0272d586fff854ce9b329fbbba26902984a112a1afe96a149dbb2011ad289 +Acknowledgements: + - Name: Jai Minton + Twitter: '@cyberrraiju' + - Name: Huntress + Twitter: '@HuntressLabs' diff --git a/yml/3rd_party/wireshark/libwsutil.yml b/yml/3rd_party/wireshark/libwsutil.yml new file mode 100644 index 00000000..31c93e67 --- /dev/null +++ b/yml/3rd_party/wireshark/libwsutil.yml @@ -0,0 +1,23 @@ +--- +Name: libwsutil.dll +Author: Jai Minton - HuntressLabs +Created: 2024-04-15 +Vendor: Wireshark +ExpectedLocations: + - '%PROGRAMFILES%\Wireshark' +VulnerableExecutables: + - Path: '%PROGRAMFILES%\Wireshark\Mergecap.exe' + Type: Sideloading + ExpectedVersionInformation: + - FileDescription: Mergecap + SHA256: + - 'ac7a321a7b00b4adb5863b9a7e91e69afe9ce1953317234a2bd1bee97de744da' +Resources: + - https://asec.ahnlab.com/en/58319/ + - https://www.virustotal.com/gui/file/fcb0272d586fff854ce9b329fbbba26902984a112a1afe96a149dbb2011ad289 + - https://www.virustotal.com/gui/file/e91c4f990c1b0b58d69f3c3e80916463e5cc87011fd418d610c5264f7d5ecc9b +Acknowledgements: + - Name: Jai Minton + Twitter: '@cyberrraiju' + - Name: Huntress + Twitter: '@HuntressLabs' diff --git a/yml/microsoft/external/mpgear.yml b/yml/microsoft/external/mpgear.yml new file mode 100644 index 00000000..dc1feac1 --- /dev/null +++ b/yml/microsoft/external/mpgear.yml 
@@ -0,0 +1,22 @@
+---
+Name: mpgear.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-04-15
+Vendor: Microsoft
+ExpectedLocations:
+ - '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\Classification'
+VulnerableExecutables:
+ - Path: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\Classification\SenseCE.exe'
+ Type: Sideloading
+ SHA256:
+ - '8dc4d5deef19fb4da195c270819a6ee283b67408fc9ee187216a0ce80ee61bab'
+Resources:
+ - https://asec.ahnlab.com/en/58319/
+ - https://www.virustotal.com/gui/file/8dc4d5deef19fb4da195c270819a6ee283b67408fc9ee187216a0ce80ee61bab
+ - https://www.virustotal.com/gui/file/1643a9c54e5d730fb0ebf4ab49e6c1d3a09dcd2c3a0282674330346d90990ab0
+ - https://www.virustotal.com/gui/file/e1316301e7904a415fdd2a1707d1a48220cce055aab17b36a48e67bf0369edba
+Acknowledgements:
+ - Name: Jai Minton
+ Twitter: '@cyberrraiju'
+ - Name: Huntress
+ Twitter: '@HuntressLabs'
diff --git a/yml/microsoft/external/tedutil.yml b/yml/microsoft/external/tedutil.yml
new file mode 100644
index 00000000..79261884
--- /dev/null
+++ b/yml/microsoft/external/tedutil.yml
@@ -0,0 +1,22 @@
+---
+Name: tedutil.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-04-15
+Vendor: Microsoft
+ExpectedLocations:
+ - '%PROGRAMFILES%\Microsoft SDKs\Windows\%VERSION%\Bin'
+VulnerableExecutables:
+ - Path: '%PROGRAMFILES%\Microsoft SDKs\Windows\%VERSION%\Bin\TopoEdit.exe'
+ Type: Sideloading
+ SHA256:
+ - 'b874e5abdd7c008d47560fda4e84db893ac63c18c3a5a450d25f4e62ed8e8d8c'
+Resources:
+ - https://asec.ahnlab.com/en/58319/
+ - https://www.virustotal.com/gui/file/b874e5abdd7c008d47560fda4e84db893ac63c18c3a5a450d25f4e62ed8e8d8c
+ - https://www.virustotal.com/gui/file/eb014e37fdcaf42c93f606058896ccb47eed56be5e1701c7b9744bac0003a8e8/details
+ - https://learn.microsoft.com/en-us/windows/win32/medfound/topoedit-modules
+Acknowledgements:
+ - Name: Jai Minton
+ Twitter: '@cyberrraiju'
+ - Name: Huntress
+ Twitter: '@HuntressLabs'
From 6d621626e17279f59ddb12ce762c80c3f858560e Mon Sep 17 00:00:00 2001 From: Wietze Date: Sat, 27 Apr 2024 12:31:13 +0100 Subject: [PATCH 11/26] Minor changes --- .github/schema/schema.yml | 5 ++++- yml/3rd_party/adobe/sqlite.yml | 4 +--- yml/3rd_party/flexera/fnp_act_installer.yml | 4 +--- yml/3rd_party/oracle/qtcorevbox4.yml | 3 +-- yml/3rd_party/oracle/vboxrt.yml | 3 +-- yml/3rd_party/pspad/libeay32.yml | 3 +-- yml/3rd_party/thinprint/tpsvc.yml | 9 ++------- yml/3rd_party/vlc/libvlccore.yml | 3 +-- yml/3rd_party/wireshark/libglib-2.0-0.yml | 3 +-- yml/3rd_party/wireshark/libwsutil.yml | 3 +-- yml/microsoft/external/mpgear.yml | 4 +--- yml/microsoft/external/tedutil.yml | 4 +--- 12 files changed, 16 insertions(+), 32 deletions(-) diff --git a/.github/schema/schema.yml b/.github/schema/schema.yml index 461275ab..4340e37b 100644 --- a/.github/schema/schema.yml +++ b/.github/schema/schema.yml @@ -155,10 +155,13 @@ mapping: func: not_empty required: true mapping: - Name: + Name: &Individual type: str pattern: '^\w[\w\s\-'']+\w$' required: true + Company: + type: str + required: false Twitter: type: str pattern: '^@(\w){1,15}$' diff --git a/yml/3rd_party/adobe/sqlite.yml b/yml/3rd_party/adobe/sqlite.yml index 425eec32..767ad575 100644 --- a/yml/3rd_party/adobe/sqlite.yml +++ b/yml/3rd_party/adobe/sqlite.yml @@ -12,10 +12,8 @@ VulnerableExecutables: - 1f64f01063b26bf05d4b076d54816e54dacd08b7fd6e5bc9cc5d11a548ff2215 Resources: - https://asec.ahnlab.com/en/58319/ - - https://www.virustotal.com/gui/file/1f64f01063b26bf05d4b076d54816e54dacd08b7fd6e5bc9cc5d11a548ff2215 - https://www.virustotal.com/gui/file/802bad293e5d5e75ffac3df3dd5301315a886534011871275a1b41c9cec1f298 Acknowledgements: - Name: Jai Minton + Company: Huntress Twitter: '@cyberrraiju' - - Name: Huntress - Twitter: '@HuntressLabs' diff --git a/yml/3rd_party/flexera/fnp_act_installer.yml b/yml/3rd_party/flexera/fnp_act_installer.yml index 17180ae5..f9b24fca 100644 
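Review bot: The new `Company` key in the acknowledgement mapping is declared only as `type: str` with `required: false`, so `Company: ''` or a whitespace-only value passes validation even though the sibling `Name` and `Twitter` keys both enforce a `pattern`. Adding a pattern in the same spirit, e.g. `pattern: '^\S.*\S$'` (a constructed example; widen it to whatever characters company names need), or the project's own `not_empty` helper if it handles scalars, keeps the block consistent and stops an empty attribution from being accepted. The `&Individual` anchor is attached to the `Name` sub-mapping rather than to the whole acknowledgement entry, which looks narrower than its name suggests; if the intent is to reuse the person structure, the anchor wants to sit on the enclosing mapping.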
--- a/yml/3rd_party/flexera/fnp_act_installer.yml +++ b/yml/3rd_party/flexera/fnp_act_installer.yml @@ -14,10 +14,8 @@ VulnerableExecutables: - 'b5f9377bd27fcf48fb3d81d0196021681739f42a198e8340c27d55192d4bd3ac' Resources: - https://asec.ahnlab.com/en/58319/ - - https://www.virustotal.com/gui/file/b5f9377bd27fcf48fb3d81d0196021681739f42a198e8340c27d55192d4bd3ac - https://www.virustotal.com/gui/file/e7b69768215453b2c648d7060161ce9b9eaf1ace631eb2ac11b60a7195e2263e Acknowledgements: - Name: Jai Minton + Company: Huntress Twitter: '@cyberrraiju' - - Name: Huntress - Twitter: '@HuntressLabs' diff --git a/yml/3rd_party/oracle/qtcorevbox4.yml b/yml/3rd_party/oracle/qtcorevbox4.yml index beb3b151..b7e2fd7d 100644 --- a/yml/3rd_party/oracle/qtcorevbox4.yml +++ b/yml/3rd_party/oracle/qtcorevbox4.yml @@ -16,6 +16,5 @@ Resources: - https://www.virustotal.com/gui/file/a6e6b1a47021fa1e4d36b047f5326eb04d5f545907fc6ac3730162a07cc792ff Acknowledgements: - Name: Jai Minton + Company: Huntress Twitter: '@cyberrraiju' - - Name: Huntress - Twitter: '@HuntressLabs' diff --git a/yml/3rd_party/oracle/vboxrt.yml b/yml/3rd_party/oracle/vboxrt.yml index 9e8a8772..de1582aa 100644 --- a/yml/3rd_party/oracle/vboxrt.yml +++ b/yml/3rd_party/oracle/vboxrt.yml @@ -17,6 +17,5 @@ Resources: - https://www.virustotal.com/gui/file/cf801023465679ec34084bdb1adb9f54b2fc3130925a4b8fdc10b11639b4a7cd Acknowledgements: - Name: Jai Minton + Company: Huntress Twitter: '@cyberrraiju' - - Name: Huntress - Twitter: '@HuntressLabs' diff --git a/yml/3rd_party/pspad/libeay32.yml b/yml/3rd_party/pspad/libeay32.yml index d8871362..763d922e 100644 --- a/yml/3rd_party/pspad/libeay32.yml +++ b/yml/3rd_party/pspad/libeay32.yml @@ -19,6 +19,5 @@ Resources: - https://www.virustotal.com/gui/file/a13c09f41979df8717a9d39e15e6ce960c1c4ba6af456a563fa3ff1b8b4d388c Acknowledgements: - Name: Jai Minton + Company: Huntress Twitter: '@cyberrraiju' - - Name: Huntress - Twitter: '@HuntressLabs' 
diff --git a/yml/3rd_party/thinprint/tpsvc.yml b/yml/3rd_party/thinprint/tpsvc.yml index 04603ca5..6c5562a2 100644 --- a/yml/3rd_party/thinprint/tpsvc.yml +++ b/yml/3rd_party/thinprint/tpsvc.yml @@ -7,11 +7,7 @@ ExpectedLocations: - '%PROGRAMFILES%\VMWare\VMWare Tools' - '%PROGRAMFILES%\Common Files\ThinPrint' VulnerableExecutables: - - Path: '%PROGRAMFILES%\VMWare\VMWare Tools\TPAutoConnect.exe' - Type: Sideloading - SHA256: - - 'e631bf67c349ce3afc7d5960b0247af9466292bc314ff393dee0716f3a50fd5f' - - Path: '%PROGRAMFILES%\Common Files\ThinPrint\TPAutoConnect.exe' + - Path: 'TPAutoConnect.exe' Type: Sideloading SHA256: - 'e631bf67c349ce3afc7d5960b0247af9466292bc314ff393dee0716f3a50fd5f' @@ -21,6 +17,5 @@ Resources: - https://www.virustotal.com/gui/file/a6e6b1a47021fa1e4d36b047f5326eb04d5f545907fc6ac3730162a07cc792ff Acknowledgements: - Name: Jai Minton + Company: Huntress Twitter: '@cyberrraiju' - - Name: Huntress - Twitter: '@HuntressLabs' diff --git a/yml/3rd_party/vlc/libvlccore.yml b/yml/3rd_party/vlc/libvlccore.yml index bba2b270..9f02384e 100644 --- a/yml/3rd_party/vlc/libvlccore.yml +++ b/yml/3rd_party/vlc/libvlccore.yml @@ -15,6 +15,5 @@ Resources: - https://www.virustotal.com/gui/file/33c08eeaff6e9aa686a14144cb84d1895f260d28b767a0d2a10dbe427a65d7c0 Acknowledgements: - Name: Jai Minton + Company: Huntress Twitter: '@cyberrraiju' - - Name: Huntress - Twitter: '@HuntressLabs' diff --git a/yml/3rd_party/wireshark/libglib-2.0-0.yml b/yml/3rd_party/wireshark/libglib-2.0-0.yml index 0ec26b13..53db9e5f 100644 --- a/yml/3rd_party/wireshark/libglib-2.0-0.yml +++ b/yml/3rd_party/wireshark/libglib-2.0-0.yml @@ -17,6 +17,5 @@ Resources: - https://www.virustotal.com/gui/file/fcb0272d586fff854ce9b329fbbba26902984a112a1afe96a149dbb2011ad289 Acknowledgements: - Name: Jai Minton + Company: Huntress Twitter: '@cyberrraiju' - - Name: Huntress - Twitter: '@HuntressLabs' 
diff --git a/yml/3rd_party/wireshark/libwsutil.yml b/yml/3rd_party/wireshark/libwsutil.yml index 31c93e67..d7fda73d 100644 --- a/yml/3rd_party/wireshark/libwsutil.yml +++ b/yml/3rd_party/wireshark/libwsutil.yml @@ -18,6 +18,5 @@ Resources: - https://www.virustotal.com/gui/file/e91c4f990c1b0b58d69f3c3e80916463e5cc87011fd418d610c5264f7d5ecc9b Acknowledgements: - Name: Jai Minton + Company: Huntress Twitter: '@cyberrraiju' - - Name: Huntress - Twitter: '@HuntressLabs' diff --git a/yml/microsoft/external/mpgear.yml b/yml/microsoft/external/mpgear.yml index dc1feac1..5b8fe2c2 100644 --- a/yml/microsoft/external/mpgear.yml +++ b/yml/microsoft/external/mpgear.yml @@ -12,11 +12,9 @@ VulnerableExecutables: - '8dc4d5deef19fb4da195c270819a6ee283b67408fc9ee187216a0ce80ee61bab' Resources: - https://asec.ahnlab.com/en/58319/ - - https://www.virustotal.com/gui/file/8dc4d5deef19fb4da195c270819a6ee283b67408fc9ee187216a0ce80ee61bab - https://www.virustotal.com/gui/file/1643a9c54e5d730fb0ebf4ab49e6c1d3a09dcd2c3a0282674330346d90990ab0 - https://www.virustotal.com/gui/file/e1316301e7904a415fdd2a1707d1a48220cce055aab17b36a48e67bf0369edba Acknowledgements: - Name: Jai Minton + Company: Huntress Twitter: '@cyberrraiju' - - Name: Huntress - Twitter: '@HuntressLabs' diff --git a/yml/microsoft/external/tedutil.yml b/yml/microsoft/external/tedutil.yml index 79261884..44a4f6dd 100644 --- a/yml/microsoft/external/tedutil.yml +++ b/yml/microsoft/external/tedutil.yml 
@@ -12,11 +12,9 @@ VulnerableExecutables: - 'b874e5abdd7c008d47560fda4e84db893ac63c18c3a5a450d25f4e62ed8e8d8c' Resources: - https://asec.ahnlab.com/en/58319/ - - https://www.virustotal.com/gui/file/b874e5abdd7c008d47560fda4e84db893ac63c18c3a5a450d25f4e62ed8e8d8c - https://www.virustotal.com/gui/file/eb014e37fdcaf42c93f606058896ccb47eed56be5e1701c7b9744bac0003a8e8/details - https://learn.microsoft.com/en-us/windows/win32/medfound/topoedit-modules Acknowledgements: - Name: Jai Minton + Company: Huntress Twitter: '@cyberrraiju' - - Name: Huntress - Twitter: '@HuntressLabs' From f55959e2b7b729cdbfe4dbebc89a6422e0437bc0 Mon Sep 17 00:00:00 2001 From: Wietze Date: Sat, 27 Apr 2024 12:35:53 +0100 Subject: [PATCH 12/26] Schema adjustments --- .github/schema/schema.yml | 4 ++-- docs/SCHEMA.md | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/schema/schema.yml b/.github/schema/schema.yml index 4340e37b..b61ff6eb 100644 --- a/.github/schema/schema.yml +++ b/.github/schema/schema.yml @@ -147,7 +147,7 @@ mapping: unique: true pattern: '^([^:\/?#]+:)(?:\/\/([^\/?#]*))?([^?#]+)?(\?[^#]*)?(#.*)?' - Acknowledgements: + Acknowledgements: &Individuals type: seq required: false sequence: @@ -155,7 +155,7 @@ mapping: func: not_empty required: true mapping: - Name: &Individual + Name: type: str pattern: '^\w[\w\s\-'']+\w$' required: true diff --git a/docs/SCHEMA.md b/docs/SCHEMA.md index 8feca755..3363120b 100644 --- a/docs/SCHEMA.md +++ b/docs/SCHEMA.md 
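Review bot: `Acknowledgements: &Individuals` defines an anchor, but no `*Individuals` alias appears in either hunk of this file, and the `&Individual` anchor it replaces was likewise never aliased in what is visible here. If the alias lives elsewhere in schema.yml this is fine; if not, it is dead syntax that some schema tooling rejects or silently drops, so either add the consumer of `*Individuals` or remove the anchor. The companion docs/SCHEMA.md row added in this commit has four cells where the table has five columns (Field, Type, Required, Format, Description), so its description renders under Format; inserting an empty Format cell after `Optional` aligns it with the `Name` and `Twitter` rows.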
@@ -53,6 +53,7 @@ A simple template can be found [here](/template.yml). | Field | Type | Required | Format | Description | | ----- | ---- | -------- | ------ | ----------- | | `Name` | String | ✅ | | Full name (or Twitter screen name) of the person who should be acknowledged. | +| `Company` | String | Optional | Name of the acknowledged person's employer, should it be relevant to their contribution. | | `Twitter` | String | Optional | Has to start with `@` | The Twitter handle of the person who should be acknowledged. | [^1]: This field supports environment variables such as `%SYSTEM32%`, `%SYSWOW64%`, `%PROGRAMFILES%`, `%PROGRAMDATA%`, `%APPDATA%`, `%LOCALAPPDATA%`, and so on. Please use this where possible. Variable `%VERSION%` is also available if a path contains a version number that is likely to change. From 4ce3d831a97081c186e16b5e2221cd8a6b62c4ca Mon Sep 17 00:00:00 2001 From: Wietze Date: Sat, 27 Apr 2024 12:38:10 +0100 Subject: [PATCH 13/26] Adding 'company' field to previous Huntress entries --- yml/3rd_party/apple/corefoundation.yml | 1 + yml/3rd_party/asus/asio.yml | 1 + yml/3rd_party/asus/asus_wmi.yml | 1 + yml/3rd_party/cisco/wcldll.yml | 1 + yml/3rd_party/nvidia/libcef.yml | 1 + yml/3rd_party/qfx/keyscramblerie.yml | 1 + 6 files changed, 6 insertions(+) diff --git a/yml/3rd_party/apple/corefoundation.yml b/yml/3rd_party/apple/corefoundation.yml index 43a12ff1..f0f9f1d8 100644 --- a/yml/3rd_party/apple/corefoundation.yml +++ b/yml/3rd_party/apple/corefoundation.yml @@ -24,4 +24,5 @@ Resources: - https://iosninja.io/dll/download/corefoundation-dll Acknowledgements: - Name: Matt Anderson + Company: Huntress Twitter: '@nosecurething' diff --git a/yml/3rd_party/asus/asio.yml b/yml/3rd_party/asus/asio.yml index 0c4da6e5..39d2521b 100644 --- a/yml/3rd_party/asus/asio.yml +++ b/yml/3rd_party/asus/asio.yml 
@@ -23,4 +23,5 @@ Resources: - https://www.virustotal.com/gui/file/7f4689de97d97ddb6e788119ebf0dc3707c66f8216d7cbc79ea329d0c3df63bf/details Acknowledgements: - Name: Jai Minton + Company: Huntress Twitter: '@cyberrraiju' diff --git a/yml/3rd_party/asus/asus_wmi.yml b/yml/3rd_party/asus/asus_wmi.yml index efd6e24c..fe2fddac 100644 --- a/yml/3rd_party/asus/asus_wmi.yml +++ b/yml/3rd_party/asus/asus_wmi.yml @@ -23,4 +23,5 @@ Resources: - https://www.virustotal.com/gui/file/7f4689de97d97ddb6e788119ebf0dc3707c66f8216d7cbc79ea329d0c3df63bf/details Acknowledgements: - Name: Jai Minton + Company: Huntress Twitter: '@cyberrraiju' diff --git a/yml/3rd_party/cisco/wcldll.yml b/yml/3rd_party/cisco/wcldll.yml index 287729ec..9cfab178 100644 --- a/yml/3rd_party/cisco/wcldll.yml +++ b/yml/3rd_party/cisco/wcldll.yml @@ -22,4 +22,5 @@ Resources: - https://www.virustotal.com/gui/file/fa1443219f210bdcf3a25b311342851f61378536eb11810366468156fbd5c051 Acknowledgements: - Name: Jai Minton + Company: Huntress Twitter: '@cyberrraiju' diff --git a/yml/3rd_party/nvidia/libcef.yml b/yml/3rd_party/nvidia/libcef.yml index 5e3c49b9..89262aa5 100644 --- a/yml/3rd_party/nvidia/libcef.yml +++ b/yml/3rd_party/nvidia/libcef.yml @@ -16,4 +16,5 @@ Resources: - https://www.virustotal.com/gui/file/64d0fc47fd77eb300942602a912ea9403960acd4f2ed33a8e325594bf700d65f Acknowledgements: - Name: Matt Anderson + Company: Huntress Twitter: '@nosecurething' diff --git a/yml/3rd_party/qfx/keyscramblerie.yml b/yml/3rd_party/qfx/keyscramblerie.yml index 73c2f013..9393d152 100644 --- a/yml/3rd_party/qfx/keyscramblerie.yml +++ b/yml/3rd_party/qfx/keyscramblerie.yml @@ -21,6 +21,7 @@ Resources: - https://www.virustotal.com/gui/file/9cfdc3fe2a10fe2b514fc224c9c8740e1de039d90b9c17f85b64ff29d4a4ebb1 Acknowledgements: - Name: Matt Anderson + Company: Huntress Twitter: '@nosecurething' - Name: Swachchhanda Shrawan Poudel Twitter: '@_swachchhanda_' From e130b7f795b0cbad846d47d986bf5d1602de96a1 Mon Sep 17 00:00:00 2001 
From: Jai Minton Date: Mon, 6 May 2024 11:15:25 +0930 Subject: [PATCH 14/26] Add register and ci DLLs Adding 2 new DLLs and executables currently being used in active initial access operations --- yml/3rd_party/digiarty/ci.yml | 22 ++++++++++++++++++++++ yml/3rd_party/iobit/register.yml | 27 +++++++++++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 yml/3rd_party/digiarty/ci.yml create mode 100644 yml/3rd_party/iobit/register.yml diff --git a/yml/3rd_party/digiarty/ci.yml b/yml/3rd_party/digiarty/ci.yml new file mode 100644 index 00000000..7e92567e --- /dev/null +++ b/yml/3rd_party/digiarty/ci.yml @@ -0,0 +1,22 @@ +--- +Name: ci.yml +Author: Jai Minton - HuntressLabs +Created: 2024-05-06 +Vendor: Digiarty +ExpectedLocations: + - '%PROGRAMFILES%\Digiarty\WinX Blu-ray Decrypter' +VulnerableExecutables: + - Path: '%PROGRAMFILES%\Digiarty\WinX Blu-ray Decrypter\WinX Blu-ray Decrypter.exe' + Type: Sideloading + ExpectedVersionInformation: + - FileDescription: WinX Blu-ray Decrypter + SHA256: + - '1fd92aa46464f8453e33dc7461f80ee7b441f9042e9d0110086226c5f725bd9f' +Resources: + - https://www.virustotal.com/gui/file/2560b7390da7c7a1d92050d9c1f5e3a8025cd35fff5360fe73583b5e3f48731e + - https://www.virustotal.com/gui/file/ae2453d0e03d72759d5239dcfe9518d6a721319006613a41f8bb53d37d4d1391/details + - https://www.virustotal.com/gui/file/7306316b53f915aaff06f00896829884db857b7e5c2747188ae080cad5b8c0e1 +Acknowledgements: + - Name: Jai Minton + Company: Huntress + Twitter: '@cyberrraiju' \ No newline at end of file diff --git a/yml/3rd_party/iobit/register.yml b/yml/3rd_party/iobit/register.yml new file mode 100644 index 00000000..aa62b936 --- /dev/null +++ b/yml/3rd_party/iobit/register.yml 
@@ -0,0 +1,27 @@ +--- +Name: register.dll +Author: Jai Minton - HuntressLabs +Created: 2024-05-06 +Vendor: IObit +ExpectedLocations: + - '%PROGRAMFILES%\IObit\Driver Booster\%VERSION%' +VulnerableExecutables: + - Path: '%PROGRAMFILES%\IObit\Driver Booster\%VERSION%\DriverBooster.exe' + Type: Sideloading + ExpectedSignatureInformation: + - Subject: C=CN, PostalCode=610042, S=Sichuan Sheng, L=Chengdu Shi, STREET=No. 605, 6th Floor, Unit 1, Building 1, STREET=45 Renmin South Road, O=IObit CO., LTD, CN=IObit CO., LTD + Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Code Signing CA + Type: Authenticode + ExpectedVersionInformation: + - OriginalFilename: RttHlp.exe + InternalName: RttHlp.exe + FileDescription: IObit RttHlp + SHA256: + - '8aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473' +Resources: + - https://www.virustotal.com/gui/file/0500e5ad7e344d32ee26da988aeb30f6344a0c89a68eacce5d6a5683d1fee0e1/relations + - https://www.virustotal.com/gui/file/cdfe0f80cd3dc1914c7ad1a6305c0c1116168a37c5cfe8ff51650e2ac814b818/details +Acknowledgements: + - Name: Jai Minton + Company: Huntress + Twitter: '@cyberrraiju' \ No newline at end of file From 9f418a9de83958c125a687b027c15020c607b150 Mon Sep 17 00:00:00 2001 From: Jai Minton Date: Mon, 6 May 2024 11:23:27 +0930 Subject: [PATCH 15/26] Update ci.yml --- yml/3rd_party/digiarty/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/3rd_party/digiarty/ci.yml b/yml/3rd_party/digiarty/ci.yml index 7e92567e..630f6af5 100644 --- a/yml/3rd_party/digiarty/ci.yml +++ b/yml/3rd_party/digiarty/ci.yml @@ -1,5 +1,5 @@ --- -Name: ci.yml +Name: ci.dll Author: Jai Minton - HuntressLabs Created: 2024-05-06 Vendor: Digiarty From c3827396317c3c7f140bc32ae59a269877b43596 Mon Sep 17 00:00:00 2001 
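Review bot: The executable is listed as `Path: '%PROGRAMFILES%\IObit\Driver Booster\%VERSION%\DriverBooster.exe'`, yet its `ExpectedVersionInformation` says `OriginalFilename: RttHlp.exe` and `FileDescription: IObit RttHlp`, so the file under review appears to be a renamed RttHlp.exe rather than the product's own DriverBooster.exe. If the rename is the attacker's, then `Path` and `ExpectedLocations` describe where the sample was dropped rather than where the legitimate binary presumably lives, which is what those fields are read as by consumers of this data. If RttHlp.exe genuinely ships under the DriverBooster.exe name, a comment above the entry (`# DriverBooster.exe carries RttHlp.exe version info as shipped — TODO confirm`) would spare the next reader the same question. Either way the mismatch should be stated rather than left implied.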
From: Jai Minton Date: Mon, 6 May 2024 11:27:27 +0930 Subject: [PATCH 16/26] Remove expected signature info from register Removal of expected signature information from register.dll as it is failing the LINT check for some reason --- yml/3rd_party/iobit/register.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/yml/3rd_party/iobit/register.yml b/yml/3rd_party/iobit/register.yml index aa62b936..a6608268 100644 --- a/yml/3rd_party/iobit/register.yml +++ b/yml/3rd_party/iobit/register.yml @@ -8,10 +8,6 @@ ExpectedLocations: VulnerableExecutables: - Path: '%PROGRAMFILES%\IObit\Driver Booster\%VERSION%\DriverBooster.exe' Type: Sideloading - ExpectedSignatureInformation: - - Subject: C=CN, PostalCode=610042, S=Sichuan Sheng, L=Chengdu Shi, STREET=No. 605, 6th Floor, Unit 1, Building 1, STREET=45 Renmin South Road, O=IObit CO., LTD, CN=IObit CO., LTD - Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Code Signing CA - Type: Authenticode ExpectedVersionInformation: - OriginalFilename: RttHlp.exe InternalName: RttHlp.exe From f3ca67ef8d90b627c49d3f8c15c00f0c4b1b5bbd Mon Sep 17 00:00:00 2001 From: Jai Minton Date: Mon, 6 May 2024 11:48:01 +0930 Subject: [PATCH 17/26] Add sqlite.dll used by networx Adding another dll used by SoftPerfect Networx software which is being abused through sideloading --- yml/3rd_party/softperfect/sqlite.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 yml/3rd_party/softperfect/sqlite.yml diff --git a/yml/3rd_party/softperfect/sqlite.yml b/yml/3rd_party/softperfect/sqlite.yml new file mode 100644 index 00000000..af6a1cad --- /dev/null +++ b/yml/3rd_party/softperfect/sqlite.yml 
@@ -0,0 +1,22 @@ +--- +Name: sqlite.dll +Author: Jai Minton - HuntressLabs +Created: 2024-05-06 +Vendor: SoftPerfect +ExpectedLocations: + - '%PROGRAMFILES%\NetWorx' +VulnerableExecutables: + - Path: '%PROGRAMFILES%\NetWorx\networx.exe' + Type: Sideloading + ExpectedVersionInformation: + - FileDescription: NetWorx Application (64-bit) + SHA256: + - '29345d9c6ff0106c9032b15e2c88f17bc8972ed843d1b5c044cf17d00f1d45c5' +Resources: + - https://www.virustotal.com/gui/file/0271e401ca9e430868f45148a04680295929450aecc537285359a28605645daf + - https://www.virustotal.com/gui/file/29345d9c6ff0106c9032b15e2c88f17bc8972ed843d1b5c044cf17d00f1d45c5/relations + - https://www.virustotal.com/gui/file/4489bffe08dcbd1e9741f9b66f8ba10b7526318a1dc8d190aef13bbc1599b0f7/details +Acknowledgements: + - Name: Jai Minton + Company: Huntress + Twitter: '@cyberrraiju' \ No newline at end of file From 18299968e64a4f9bf2f79db7161e09c9fcebcf0e Mon Sep 17 00:00:00 2001 From: Jai Minton Date: Mon, 6 May 2024 12:12:47 +0930 Subject: [PATCH 18/26] Additional entry for vulnerable ICQLite binary Adding additional entry for vulnerable ICQLite binary which was seen sideloading malicious DLLs called both skinutils.dll and liteskinutils.dll --- yml/3rd_party/icq/liteskinutils.yml | 25 +++++++++++++++++++++++++ yml/3rd_party/icq/skinutils.yml | 25 +++++++++++++++++++++++++ 2 files changed, 50 insertions(+) create mode 100644 yml/3rd_party/icq/liteskinutils.yml create mode 100644 yml/3rd_party/icq/skinutils.yml diff --git a/yml/3rd_party/icq/liteskinutils.yml b/yml/3rd_party/icq/liteskinutils.yml new file mode 100644 index 00000000..b8e29441 --- /dev/null +++ b/yml/3rd_party/icq/liteskinutils.yml 
@@ -0,0 +1,25 @@
+---
+Name: liteskinutils.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-05-06
+Vendor: ICQ
+ExpectedLocations:
+ - '%PROGRAMFILES%\ICQLite'
+VulnerableExecutables:
+ - Path: '%PROGRAMFILES%\ICQLite\ICQLite.exe'
+ Type: Sideloading
+ ExpectedVersionInformation:
+ - OriginalFilename: ICQLite.exe
+ InternalName: ICQ Lite
+ FileDescription: ICQLite
+ SHA256:
+ - 'e6baea057b35e495a3fc3cdf3b95d503c3abc63c371fbb0067f1052798ce3601'
+Resources:
+ - https://www.virustotal.com/gui/file/e5e53392b29b74545e463b65052e0b6b07e8299d709f07501fb0f31b97a679ab/details
+ - https://www.virustotal.com/gui/file/a278d5604a93e93a5580845da93af6c316a37a4cd35c1fc9348958ae1bebdb90/details
+ - https://www.virustotal.com/gui/file/104ca4690b0ff17eb55e1330c5baf5580a731b6834f0716c483e646d6030855c/relations
+ - https://www.virustotal.com/gui/file/010f55aef8ccba2ea1307d934decd577a08fa21547d1db30e01f3ae5ff1cce07/relations
+Acknowledgements:
+ - Name: Jai Minton
+ Company: Huntress
+ Twitter: '@cyberrraiju'
\ No newline at end of file
diff --git a/yml/3rd_party/icq/skinutils.yml b/yml/3rd_party/icq/skinutils.yml
new file mode 100644
index 00000000..d206595d
--- /dev/null
+++ b/yml/3rd_party/icq/skinutils.yml
@@ -0,0 +1,25 @@ +--- +Name: skinutils.dll +Author: Jai Minton - HuntressLabs +Created: 2024-05-06 +Vendor: ICQ +ExpectedLocations: + - '%PROGRAMFILES%\ICQLite' +VulnerableExecutables: + - Path: '%PROGRAMFILES%\ICQLite\ICQLite.exe' + Type: Sideloading + ExpectedVersionInformation: + - OriginalFilename: ICQLite.exe + InternalName: ICQ Lite + FileDescription: ICQLite + SHA256: + - 'e6baea057b35e495a3fc3cdf3b95d503c3abc63c371fbb0067f1052798ce3601' +Resources: + - https://www.virustotal.com/gui/file/e5e53392b29b74545e463b65052e0b6b07e8299d709f07501fb0f31b97a679ab/details + - https://www.virustotal.com/gui/file/a278d5604a93e93a5580845da93af6c316a37a4cd35c1fc9348958ae1bebdb90/details + - https://www.virustotal.com/gui/file/104ca4690b0ff17eb55e1330c5baf5580a731b6834f0716c483e646d6030855c/relations + - https://www.virustotal.com/gui/file/010f55aef8ccba2ea1307d934decd577a08fa21547d1db30e01f3ae5ff1cce07/relations +Acknowledgements: + - Name: Jai Minton + Company: Huntress + Twitter: '@cyberrraiju' \ No newline at end of file From 4743160301d9bd9c6efba588ccd0522d264beae4 Mon Sep 17 00:00:00 2001 From: Jai Minton Date: Mon, 6 May 2024 15:28:38 +0930 Subject: [PATCH 19/26] Create avdevice-54.yml Add in another which is being deployed via malicious MSI files. Public reporting on this looks sparse but I can provide evidence if need be. --- yml/3rd_party/anymp4/avdevice-54.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 yml/3rd_party/anymp4/avdevice-54.yml diff --git a/yml/3rd_party/anymp4/avdevice-54.yml b/yml/3rd_party/anymp4/avdevice-54.yml new file mode 100644 index 00000000..c496169a --- /dev/null +++ b/yml/3rd_party/anymp4/avdevice-54.yml 
@@ -0,0 +1,25 @@ +--- +Name: avdevice-54.dll +Author: Jai Minton - HuntressLabs +Created: 2024-05-06 +Vendor: AnyMP4 +ExpectedLocations: + - '%PROGRAMFILES%\AnyMP4 Studio\AnyMP4 Blu-ray Creator' +VulnerableExecutables: + - Path: '%PROGRAMFILES%\AnyMP4 Studio\AnyMP4 Blu-ray Creator\AnyMP4 Blu-ray Creator.exe' + Type: Sideloading + ExpectedVersionInformation: + - OriginalFilename: AnyMP4 Blu-ray Creator.exe + InternalName: AnyMP4 Blu-ray Creator + FileDescription: AnyMP4 Blu-ray Creator + SHA256: + - '98c9c45cf18434fe9ab79c9db2e88c1f1db48c95338864421e4d761d71c2fbc6' +Resources: + - https://www.virustotal.com/gui/file/98c9c45cf18434fe9ab79c9db2e88c1f1db48c95338864421e4d761d71c2fbc6/details +Acknowledgements: + - Name: Chad Hudson + Company: Huntress + Twitter: '@0xBurgers' + - Name: Jai Minton + Company: Huntress + Twitter: '@cyberrraiju' \ No newline at end of file From 06ce20f3d8e94ef3754e8af54805b4ee69c09714 Mon Sep 17 00:00:00 2001 From: Jai Minton Date: Wed, 8 May 2024 15:36:21 +0930 Subject: [PATCH 20/26] Create python310.yml Add python DLL used ITW against pythonw.exe --- yml/3rd_party/python/python310.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 yml/3rd_party/python/python310.yml diff --git a/yml/3rd_party/python/python310.yml b/yml/3rd_party/python/python310.yml new file mode 100644 index 00000000..45b24d99 --- /dev/null +++ b/yml/3rd_party/python/python310.yml 
@@ -0,0 +1,21 @@ +--- +Name: python310.dll +Author: Jai Minton +Created: 2024-05-08 +Vendor: Python +ExpectedLocations: + - '%PROGRAMFILES%\Python310' + - '%LOCALAPPDATA%\Temp\%VERSION%' + - '%PROGRAMFILES%\DWAgent\runtime' + - '%USERPROFILE%\anaconda3' +VulnerableExecutables: + - Path: 'pythonw.exe' + Type: Sideloading + - Path: 'dwagent.exe' + Type: Sideloading +Resources: + - https://www.virustotal.com/gui/file/115fba7a9ea7d2e38d042c7fa5f81209e0d712c107ceb2eafe2f27f94c8f6054/details +Acknowledgements: + - Name: Jai Minton + Company: Huntress + Twitter: '@cyberrraiju' \ No newline at end of file From 1a357b14f614d8b76e62e3f4b401710c7044761b Mon Sep 17 00:00:00 2001 From: Jai Minton Date: Fri, 10 May 2024 09:05:45 +0930 Subject: [PATCH 21/26] Create libXfont-1.yml Add Mobatek exploited executable ITW as part of IDAT Loader Operations --- yml/3rd_party/Mobatek/libXfont-1.yml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 yml/3rd_party/Mobatek/libXfont-1.yml diff --git a/yml/3rd_party/Mobatek/libXfont-1.yml b/yml/3rd_party/Mobatek/libXfont-1.yml new file mode 100644 index 00000000..b747402d --- /dev/null +++ b/yml/3rd_party/Mobatek/libXfont-1.yml 
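Review bot: `'%LOCALAPPDATA%\Temp\%VERSION%'` lists a user-writable temp folder as an expected location for python310.dll, and uses `%VERSION%` for what is presumably a per-run extraction directory rather than a version number (the SCHEMA.md text in this series reserves `%VERSION%` for version numbers). A consumer that treats `ExpectedLocations` as the benign baseline will then regard a python310.dll loaded from Temp as expected, which is exactly where a sideloaded copy would be dropped; if the entry is meant to cover packed Python applications that unpack their runtime there, say so in a comment (`# packed Python apps extract the runtime under %LOCALAPPDATA%\Temp — TODO confirm and narrow`) and narrow the path, otherwise drop it. The per-user installer default, `%LOCALAPPDATA%\Programs\Python\Python310`, is not listed, so those installs would look unexpected. `Author: Jai Minton` also departs from the `Author: Jai Minton - HuntressLabs` form used by the other entries in this series.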
@@ -0,0 +1,27 @@ +--- +Name: libXfont-1.dll +Author: Jai Minton - HuntressLabs +Created: 2024-05-10 +Vendor: Mobatek +ExpectedLocations: + - '%PROGRAMFILES%\Mobatek\MobaXterm Personal Edition' + - '%PROGRAMFILES%\Mobatek\MobaXterm' +ExpectedSignatureInformation: + - Subject: C=FR, PostalCode=31830, S=Midi-Pyrénées, L=Plaisance du Touch, STREET=13 rue Paul Bernadot, O=Mobatek, CN=Mobatek + Issuer: C=GB, S=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Code Signing CA + Type: Authenticode +VulnerableExecutables: + - Path: '%PROGRAMFILES%\Mobatek\MobaXterm Personal Edition\MobaXterm.exe' + Type: Sideloading + SHA256: + - '35132e05638b942403b8a813925de7b54e2e2e35b6ba7a8a081e8b96edd4c0aa' + - Path: '%PROGRAMFILES%\Mobatek\MobaXterm\MobaXterm.exe' + Type: Sideloading + SHA256: + - '35132e05638b942403b8a813925de7b54e2e2e35b6ba7a8a081e8b96edd4c0aa' +Resources: + - https://www.virustotal.com/gui/file/b99bd7ffb7634749487570d0b3a7e423047de4ab13a10c2d912660aec322618e/details +Acknowledgements: + - Name: Jai Minton + Company: Huntress + Twitter: '@cyberrraiju' \ No newline at end of file From 65d9d02f4a9f06c0ab279917bbeb49412aabda9a Mon Sep 17 00:00:00 2001 From: Jai Minton Date: Fri, 10 May 2024 09:17:16 +0930 Subject: [PATCH 22/26] Rename libXfont-1.yml to libxfont-1.yml --- yml/3rd_party/Mobatek/{libXfont-1.yml => libxfont-1.yml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename yml/3rd_party/Mobatek/{libXfont-1.yml => libxfont-1.yml} (97%) diff --git a/yml/3rd_party/Mobatek/libXfont-1.yml b/yml/3rd_party/Mobatek/libxfont-1.yml similarity index 97% rename from yml/3rd_party/Mobatek/libXfont-1.yml rename to yml/3rd_party/Mobatek/libxfont-1.yml index b747402d..b3e83afc 100644 --- a/yml/3rd_party/Mobatek/libXfont-1.yml +++ b/yml/3rd_party/Mobatek/libxfont-1.yml @@ -24,4 +24,4 @@ Resources: Acknowledgements: - Name: Jai Minton Company: Huntress - Twitter: '@cyberrraiju' \ No newline at end of file + Twitter: '@cyberrraiju' 
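Review bot: The two `VulnerableExecutables` entries are identical apart from the directory, which `ExpectedLocations` already enumerates; the tpsvc.yml change earlier in this series collapsed exactly this shape into a single bare `- Path: 'TPAutoConnect.exe'`, so `- Path: 'MobaXterm.exe'` with one `SHA256` list would follow that convention here. The top-level `ExpectedSignatureInformation` writes the state attribute as `S=` in both Subject and Issuer, while the register.yml entry in this series uses `ST=` in its Issuer and `S=` in its Subject; if the consumer compares these strings literally, the two spellings of the same RDN will not match the same certificate, so one form should be fixed project-wide. It is also unclear from the hunk whether a signature block at the top level describes the DLL or the executable, since register.yml nests the same block under the executable entry; a comment stating which is meant would help.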
From 0bd7985837d7b081a4fa33586a7b30427740daab Mon Sep 17 00:00:00 2001 From: Jai Minton Date: Fri, 10 May 2024 09:18:57 +0930 Subject: [PATCH 23/26] temp change so folder can be made lowercase Required as Github sucks at changing this stuff and allowing you to commit --- yml/3rd_party/{Mobatek/libXfont-1.yml => mobateks/libxfont-1.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename yml/3rd_party/{Mobatek/libXfont-1.yml => mobateks/libxfont-1.yml} (100%) diff --git a/yml/3rd_party/Mobatek/libXfont-1.yml b/yml/3rd_party/mobateks/libxfont-1.yml similarity index 100% rename from yml/3rd_party/Mobatek/libXfont-1.yml rename to yml/3rd_party/mobateks/libxfont-1.yml From 4281a2ddddbf31e9dc7df9b5fa93bba01aa3ce61 Mon Sep 17 00:00:00 2001 From: Jai Minton Date: Fri, 10 May 2024 09:19:37 +0930 Subject: [PATCH 24/26] lowercase folder commit --- yml/3rd_party/{mobateks => mobatek}/libxfont-1.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename yml/3rd_party/{mobateks => mobatek}/libxfont-1.yml (100%) diff --git a/yml/3rd_party/mobateks/libxfont-1.yml b/yml/3rd_party/mobatek/libxfont-1.yml similarity index 100% rename from yml/3rd_party/mobateks/libxfont-1.yml rename to yml/3rd_party/mobatek/libxfont-1.yml From 4a84f21476c45da36548550c5bce8ba65edee27a Mon Sep 17 00:00:00 2001 From: Jai Minton Date: Fri, 10 May 2024 09:21:14 +0930 Subject: [PATCH 25/26] Update libxfont-1.yml --- yml/3rd_party/mobatek/libxfont-1.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/3rd_party/mobatek/libxfont-1.yml b/yml/3rd_party/mobatek/libxfont-1.yml index b3e83afc..9faf1625 100644 --- a/yml/3rd_party/mobatek/libxfont-1.yml +++ b/yml/3rd_party/mobatek/libxfont-1.yml @@ -1,5 +1,5 @@ --- -Name: libXfont-1.dll +Name: libxfont-1.dll Author: Jai Minton - HuntressLabs Created: 2024-05-10 Vendor: Mobatek From f0d5a41181ba0a403f26d0c81f5a12aec1e60f7a Mon Sep 17 00:00:00 2001 
From: Wietze Date: Tue, 14 May 2024 20:56:10 +0100 Subject: [PATCH 26/26] Minor fixes --- yml/3rd_party/anymp4/avdevice-54.yml | 4 +--- yml/3rd_party/digiarty/ci.yml | 2 +- yml/3rd_party/icq/liteskinutils.yml | 2 +- yml/3rd_party/icq/skinutils.yml | 2 +- yml/3rd_party/iobit/register.yml | 2 +- yml/3rd_party/python/python310.yml | 2 +- yml/3rd_party/softperfect/sqlite.yml | 3 +-- yml/3rd_party/trendmicro/tmtap.yml | 1 - 8 files changed, 7 insertions(+), 11 deletions(-) diff --git a/yml/3rd_party/anymp4/avdevice-54.yml b/yml/3rd_party/anymp4/avdevice-54.yml index c496169a..1d96a3b3 100644 --- a/yml/3rd_party/anymp4/avdevice-54.yml +++ b/yml/3rd_party/anymp4/avdevice-54.yml @@ -14,12 +14,10 @@ VulnerableExecutables: FileDescription: AnyMP4 Blu-ray Creator SHA256: - '98c9c45cf18434fe9ab79c9db2e88c1f1db48c95338864421e4d761d71c2fbc6' -Resources: - - https://www.virustotal.com/gui/file/98c9c45cf18434fe9ab79c9db2e88c1f1db48c95338864421e4d761d71c2fbc6/details Acknowledgements: - Name: Chad Hudson Company: Huntress Twitter: '@0xBurgers' - Name: Jai Minton Company: Huntress - Twitter: '@cyberrraiju' \ No newline at end of file + Twitter: '@cyberrraiju' diff --git a/yml/3rd_party/digiarty/ci.yml b/yml/3rd_party/digiarty/ci.yml index 630f6af5..46037229 100644 --- a/yml/3rd_party/digiarty/ci.yml +++ b/yml/3rd_party/digiarty/ci.yml @@ -19,4 +19,4 @@ Resources: Acknowledgements: - Name: Jai Minton Company: Huntress - Twitter: '@cyberrraiju' \ No newline at end of file + Twitter: '@cyberrraiju' diff --git a/yml/3rd_party/icq/liteskinutils.yml b/yml/3rd_party/icq/liteskinutils.yml index b8e29441..4047fd05 100644 --- a/yml/3rd_party/icq/liteskinutils.yml +++ b/yml/3rd_party/icq/liteskinutils.yml @@ -22,4 +22,4 @@ Resources: Acknowledgements: - Name: Jai Minton Company: Huntress - Twitter: '@cyberrraiju' \ No newline at end of file + Twitter: '@cyberrraiju' diff --git a/yml/3rd_party/icq/skinutils.yml b/yml/3rd_party/icq/skinutils.yml index d206595d..70885ad0 100644 
--- a/yml/3rd_party/icq/skinutils.yml +++ b/yml/3rd_party/icq/skinutils.yml @@ -22,4 +22,4 @@ Resources: Acknowledgements: - Name: Jai Minton Company: Huntress - Twitter: '@cyberrraiju' \ No newline at end of file + Twitter: '@cyberrraiju' diff --git a/yml/3rd_party/iobit/register.yml b/yml/3rd_party/iobit/register.yml index a6608268..9b228372 100644 --- a/yml/3rd_party/iobit/register.yml +++ b/yml/3rd_party/iobit/register.yml @@ -20,4 +20,4 @@ Resources: Acknowledgements: - Name: Jai Minton Company: Huntress - Twitter: '@cyberrraiju' \ No newline at end of file + Twitter: '@cyberrraiju' diff --git a/yml/3rd_party/python/python310.yml b/yml/3rd_party/python/python310.yml index 45b24d99..6335f29b 100644 --- a/yml/3rd_party/python/python310.yml +++ b/yml/3rd_party/python/python310.yml @@ -18,4 +18,4 @@ Resources: Acknowledgements: - Name: Jai Minton Company: Huntress - Twitter: '@cyberrraiju' \ No newline at end of file + Twitter: '@cyberrraiju' diff --git a/yml/3rd_party/softperfect/sqlite.yml b/yml/3rd_party/softperfect/sqlite.yml index af6a1cad..9501799a 100644 --- a/yml/3rd_party/softperfect/sqlite.yml +++ b/yml/3rd_party/softperfect/sqlite.yml @@ -14,9 +14,8 @@ VulnerableExecutables: - '29345d9c6ff0106c9032b15e2c88f17bc8972ed843d1b5c044cf17d00f1d45c5' Resources: - https://www.virustotal.com/gui/file/0271e401ca9e430868f45148a04680295929450aecc537285359a28605645daf - - https://www.virustotal.com/gui/file/29345d9c6ff0106c9032b15e2c88f17bc8972ed843d1b5c044cf17d00f1d45c5/relations - https://www.virustotal.com/gui/file/4489bffe08dcbd1e9741f9b66f8ba10b7526318a1dc8d190aef13bbc1599b0f7/details Acknowledgements: - Name: Jai Minton Company: Huntress - Twitter: '@cyberrraiju' \ No newline at end of file + Twitter: '@cyberrraiju' diff --git a/yml/3rd_party/trendmicro/tmtap.yml b/yml/3rd_party/trendmicro/tmtap.yml index 8819ed99..87fd6033 100644 --- a/yml/3rd_party/trendmicro/tmtap.yml +++ b/yml/3rd_party/trendmicro/tmtap.yml 
@@ -13,4 +13,3 @@ VulnerableExecutables: Resources: - https://medium.com/@infiniti_css/trend-micro-password-manager-dll-hijack-fa839acaad59 -