From 31c7d34a00e31e7baa00fc889288de331a4da139 Mon Sep 17 00:00:00 2001 From: jesgal <59289295+jesgal@users.noreply.github.com> Date: Sun, 1 Nov 2020 19:50:59 +0100 Subject: [PATCH] Create Update.yml This file describes LoLbin Update.exe deployed in the Whatsapp installation for Windows Operating Systems. --- yml/LOLUtilz/OtherBinaries/Update.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 yml/LOLUtilz/OtherBinaries/Update.yml diff --git a/yml/LOLUtilz/OtherBinaries/Update.yml b/yml/LOLUtilz/OtherBinaries/Update.yml new file mode 100644 index 0000000..6cfa0a3 --- /dev/null +++ b/yml/LOLUtilz/OtherBinaries/Update.yml @@ -0,0 +1,18 @@ +--- +Name: Update.exe +Description: Binary to update the existing installed Nuget/squirrel package. Part of Whatsapp installation. +Author: 'Jesus Galvez' +Created: '2020-11-01' + - Command: Update.exe --processStart payload.exe --process-start-args "whatever args" + Description: Copy your payload into "%localappdata%\Whatsapp\app-[version]\". Then run the command. Update.exe will execute the file you copied. + Usecase: Execute binary + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/techniques/T1218/ + OperatingSystem: Windows 7 and up with Whatsapp installed +Full_Path: + - Path: '%localappdata%\Whatsapp\Update.exe' +Detection: + - IOC: "%localappdata%\Whatsapp\Update.exe" spawned an unknown process +---
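Review bot: the YAML in this hunk will not parse as written, because the `- Command:` sequence item directly follows `Created: '2020-11-01'`, which already holds a scalar value; the list needs its own `Commands:` key (as the sibling `Full_Path:` and `Detection:` keys have), i.e. insert `Commands:` between `Created: '2020-11-01'` and ` - Command: Update.exe --processStart payload.exe ...` and keep the items indented under it. The trailing `---` opens an empty second YAML document rather than closing the first; drop it so the file is a single document like the opening `---`. The Detection entry would also be more useful if it stated the observable as a parent/child relationship, e.g. `%localappdata%\Whatsapp\Update.exe` as the parent of a process image that is not in the expected `app-[version]` directory, since "spawned an unknown process" gives a detection engineer nothing concrete to match on.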