0590655c-baa2-481a-b909-463534bd7a5e

daxin_blank5.sys

Description

Driver used in the Daxin malware campaign.

  • UUID: 0590655c-baa2-481a-b909-463534bd7a5e
  • Created: 2023-02-28
  • Author: Michael Haag
  • Acknowledgement:

Download

This download link contains the malicious driver!

Commands

sc.exe create daxin_blank5.sys binPath=C:\windows\temp\daxin_blank5.sys type=kernel && sc.exe start daxin_blank5.sys

  • Use Case: Elevate privileges
  • Privileges: kernel
  • Operating System: Windows 10

Detections

YARA 🏹

  • Exact Match: with header and size limitation
  • Threat Hunting: without header and size limitation

Sigma 🛡️

  • Names: detects loading using name only
  • Hashes: detects loading using hashes only

Sysmon 🔎

  • Block: on hashes
  • Alert: on hashes

Resources


  • https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48
  • https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage

Known Vulnerable Samples

    • Filename: daxin_blank5.sys
    • Creation Timestamp: 2008-07-17 19:29:43
    • MD5: f242cffd9926c0ccf94af3bf16b6e527
    • SHA1: 53f776d9a183c42b93960b270dddeafba74eb3fb
    • SHA256: 9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51
    • Authentihash MD5: da0d70a9fd3a61a2802af4a07bed29d4
    • Authentihash SHA1: 99a969b2deded8b2d403268cd49139463c06b484
    • Authentihash SHA256: 954789c665098cf491a9bdf4e04886bad8992a393f91ccbca239bff40cc6dca6
    • RichPEHeaderHash MD5: 6c5319c52cabf708cac1121ed7df420b
    • RichPEHeaderHash SHA1: 4d9f5c969d83ff20b202263d6d4a38aed8deb9f3
    • RichPEHeaderHash SHA256: cb3c84a0789027aef0c0aef452da254f600b2f17ed53054a5a68765f708302d4
    • Publisher: n/a

    Imports

    • ntoskrnl.exe
    • HAL.dll
    • NDIS.SYS

    Imported Functions

    • MmUnlockPages
    • KeInsertQueueApc
    • strncmp
    • KeInitializeApc
    • MmProbeAndLockPages
    • IoAllocateMdl
    • _except_handler3
    • IoQueueWorkItem
    • KeAttachProcess
    • KeDetachProcess
    • IoGetCurrentProcess
    • IoFreeWorkItem
    • RtlFreeUnicodeString
    • ZwClose
    • ZwWriteFile
    • ZwCreateFile
    • RtlAnsiStringToUnicodeString
    • IofCompleteRequest
    • ExFreePool
    • ExAllocatePoolWithTag
    • InterlockedDecrement
    • MmMapLockedPagesSpecifyCache
    • IoFreeMdl
    • InterlockedExchange
    • InterlockedIncrement
    • swprintf
    • RtlCopyUnicodeString
    • ExfInterlockedInsertTailList
    • wcsncmp
    • IoCreateSymbolicLink
    • RtlInitUnicodeString
    • IoCreateDevice
    • IoDeleteSymbolicLink
    • KeInitializeSpinLock
    • IoDeleteDevice
    • _strnicmp
    • ExfInterlockedRemoveHeadList
    • IoAllocateWorkItem
    • KfAcquireSpinLock
    • KfReleaseSpinLock
    • NdisAllocateMemory
    • NdisFreePacket
    • NdisAllocatePacket
    • NdisResetEvent
    • NdisCloseAdapter
    • NdisAllocateBuffer
    • NdisInitializeEvent
    • NdisOpenAdapter
    • NdisFreeMemory
    • NdisQueryAdapterInstanceName
    • NdisDeregisterProtocol
    • NdisSetEvent
    • NdisFreeBufferPool
    • NdisAllocatePacketPool
    • NdisFreePacketPool
    • NdisRegisterProtocol
    • NdisWaitEvent
    • NdisAllocateBufferPool
    • NdisCopyFromPacketToPacket

    Exported Functions

    Sections

    • .text
    • .rdata
    • .data
    • INIT
    • .reloc

    Signature

    last_updated: 2024-09-26