ntbios_2.sys

Description

Malicious kernel driver used in the Daxin backdoor espionage campaign (see the Symantec analysis under Resources). It is not a vulnerable third-party driver; the sample itself is the implant component. Its import table below (NdisRegisterProtocol, NdisOpenAdapter, NdisAllocatePacket, KeInitializeApc, KeInsertQueueApc, KeAttachProcess) is consistent with a driver that registers as an NDIS protocol driver to see raw network traffic and uses kernel APCs to interact with user-mode processes. The file carries Microsoft version-resource strings (Company, Product, OriginalFilename) but has no publisher signature listed.

  • UUID: 33a9c9ae-5ca3-442d-9f0f-2615637c1c57
  • Created: 2023-02-28
  • Author: Michael Haag
  • Acknowledgement: n/a


Commands

sc.exe create ntbios_2.sys binPath=C:\windows\temp\ntbios_2.sys type=kernel && sc.exe start ntbios_2.sys

Use Case: Elevate privileges
Privileges: kernel
Operating System: Windows 10

Detections

YARA 🏹


Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Sigma 🛡️


Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎


Block

on hashes

Alert

on hashes
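The detections above match on the driver's name or on its hashes. The following PowerShell hunt is an added example, not code from LOLDrivers or from the Daxin report; it applies both kinds of indicator from this page to a live host. It assumes Windows PowerShell 5.1 or later run as Administrator, Sysmon installed with DriverLoad (event ID 6) logging enabled, and that the service name `ntbios_2.sys` and the `C:\windows\temp` location come from the loading command shown under Commands. The hash values and the names `ntbios_2.sys` / `ntbios.sys` are the ones listed on this page; the helper function names are the example's own.

```powershell
# Added hunting example, not part of the LOLDrivers page or the Daxin report.
# Looks for the ntbios_2.sys sample on a host using the names and hashes above.
# Assumptions: Windows PowerShell 5.1+, run as Administrator; Sysmon is installed
# and logs DriverLoad (event ID 6); the service name "ntbios_2.sys" and the
# C:\windows\temp path come from the loading command on this page.

$Ioc = @{
    MD5    = '50B39072D0EE9AF5EF4824ECA34BE6E3'
    SHA1   = '064DE88DBBEA67C149E779AAC05228E5405985C7'
    SHA256 = 'C0D88DB11D0F529754D290ED5F4C34B4DBA8C4F2E5C4148866DAABEAB0D25F9C'
}
# On-disk name used by the campaign and the OriginalFilename from the PE resource.
$Names = @('ntbios_2.sys', 'ntbios.sys')

$hits = New-Object System.Collections.Generic.List[object]
function Add-Hit([string]$Source, [string]$Evidence) {
    $hits.Add([pscustomobject]@{ Source = $Source; Evidence = $Evidence })
}

# Turn the <EventData><Data Name="..."> elements of an event into a hashtable.
function Get-EventData($Event) {
    $d = @{}
    $x = [xml]$Event.ToXml()
    foreach ($n in $x.Event.EventData.Data) { $d[[string]$n.Name] = [string]$n.'#text' }
    return $d
}

# 1. Hash every kernel driver currently registered with the Service Control Manager.
foreach ($drv in Get-CimInstance Win32_SystemDriver) {
    $path = $drv.PathName
    if (-not $path) { continue }
    # Normalise NT-style paths (\??\C:\... and \SystemRoot\...) to Win32 paths.
    $path = $path -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    if ($sha256 -eq $Ioc.SHA256) {
        Add-Hit 'Win32_SystemDriver' "$($drv.Name) -> $path (SHA256 match, state=$($drv.State))"
    }
    elseif ($Names -contains (Split-Path $path -Leaf)) {
        # Same name but different hash: could be a recompiled sample, so report it
        # together with its Authenticode status rather than dropping it.
        $sig = (Get-AuthenticodeSignature -LiteralPath $path).Status
        Add-Hit 'Win32_SystemDriver' "$($drv.Name) -> $path (name match only, signature=$sig; verify hash)"
    }
    elseif ($path -like "$env:SystemRoot\Temp\*") {
        # Not an IOC match, but a kernel driver served from Temp mirrors the loading
        # command on this page and deserves a look.
        Add-Hit 'Win32_SystemDriver' "$($drv.Name) -> $path (kernel driver loaded from Temp)"
    }
}

# 2. Sysmon DriverLoad events: match on any listed hash or on the image name.
$sysmonFilter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6 }
foreach ($e in (Get-WinEvent -FilterHashtable $sysmonFilter -ErrorAction SilentlyContinue)) {
    $d = Get-EventData $e
    $loaded = $d['ImageLoaded']
    $hashes = $d['Hashes']   # e.g. "SHA1=...,MD5=...,SHA256=...,IMPHASH=..."
    $hashHit = ($hashes -match $Ioc.SHA256) -or ($hashes -match $Ioc.MD5) -or ($hashes -match $Ioc.SHA1)
    $nameHit = $loaded -and ($Names -contains (Split-Path $loaded -Leaf))
    if ($hashHit -or $nameHit) {
        $why = if ($hashHit) { 'hash match' } else { 'name match only' }
        Add-Hit 'Sysmon EID 6' "$($e.TimeCreated) $loaded [$why] $hashes"
    }
}

# 3. Service Control Manager 7045: a new kernel-mode service pointing at one of the names.
$scmFilter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045 }
foreach ($e in (Get-WinEvent -FilterHashtable $scmFilter -ErrorAction SilentlyContinue)) {
    $d = Get-EventData $e
    $img = $d['ImagePath']
    if (-not $img) { continue }
    $leaf = Split-Path ($img -replace '^\\\?\?\\', '') -Leaf
    if (($Names -contains $leaf) -or ($d['ServiceName'] -eq 'ntbios_2.sys')) {
        Add-Hit 'System EID 7045' "$($e.TimeCreated) service '$($d['ServiceName'])' type '$($d['ServiceType'])' -> $img"
    }
}

if ($hits.Count -eq 0) { 'No ntbios_2.sys indicators found.' } else { $hits | Format-Table -AutoSize -Wrap }
```

The three sources deliberately overlap: the SCM enumeration catches a driver that is still registered, the Sysmon DriverLoad events catch one that was loaded and since removed, and the 7045 events survive even when Sysmon is absent. A name-only hit is reported separately from a hash hit because the sample's hashes are specific to one build, while the service and file names are the attacker's choice and may be reused.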

Resources


  • https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48
  • https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage

  • Known Vulnerable Samples

    Filename: ntbios_2.sys
    Creation Timestamp: 2009-05-17 21:04:06
    MD5: 50b39072d0ee9af5ef4824eca34be6e3
    SHA1: 064de88dbbea67c149e779aac05228e5405985c7
    SHA256: c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c
    Authentihash MD5: a8e3b56b72814a842b557bfb6638b484
    Authentihash SHA1: 50231e21b8d8b2916d0fd53f3f58c6314473de1f
    Authentihash SHA256: 59177fb7a0b11837368af1cc115f0d011ea19551070bd153795204ae1bd12e52
    RichPEHeaderHash MD5: ebd225fe8cf34907033d6b6123047339
    RichPEHeaderHash SHA1: 642936e6d95c6231c8427a1c7a76dd99910fc635
    RichPEHeaderHash SHA256: b04e0a7d507b0838174bb9df686e4ce60c5b81e183867441ed5951a5d3555510
    Publisher: n/a
    Company: Microsoft Corporation
    Description: ntbios driver
    Product: Microsoft(R) Windows (R) NT Operating System
    OriginalFilename: ntbios.sys


    Imports

    • NTOSKRNL.EXE
    • HAL.DLL
    • ntoskrnl.exe
    • NDIS.SYS

    Imported Functions

    • MmUnlockPages
    • MmProbeAndLockPages
    • IoAllocateMdl
    • IoQueueWorkItem
    • IoAllocateWorkItem
    • IoGetCurrentProcess
    • _stricmp
    • IoFreeWorkItem
    • RtlFreeUnicodeString
    • ZwClose
    • ZwWriteFile
    • ZwCreateFile
    • RtlAnsiStringToUnicodeString
    • _strnicmp
    • RtlUnwind
    • RtlCopyUnicodeString
    • wcsncmp
    • swprintf
    • IoCreateDevice
    • IoCreateSymbolicLink
    • KeInitializeSpinLock
    • ExfInterlockedInsertTailList
    • RtlInitUnicodeString
    • MmMapLockedPagesSpecifyCache
    • IoFreeMdl
    • InterlockedDecrement
    • InterlockedIncrement
    • InterlockedExchange
    • IoDeleteSymbolicLink
    • IoDeleteDevice
    • ExfInterlockedRemoveHeadList
    • IofCompleteRequest
    • ExAllocatePoolWithTag
    • strncmp
    • ExFreePool
    • KfAcquireSpinLock
    • KfReleaseSpinLock
    • KeInitializeApc
    • KeInsertQueueApc
    • KeAttachProcess
    • KeDetachProcess
    • NtQuerySystemInformation
    • NdisAllocatePacket
    • NdisCopyFromPacketToPacket
    • NdisAllocateMemory
    • NdisFreePacket
    • NdisAllocateBuffer
    • NdisSetEvent
    • NdisResetEvent
    • NdisFreeBufferPool
    • NdisFreePacketPool
    • NdisFreeMemory
    • NdisWaitEvent
    • NdisQueryAdapterInstanceName
    • NdisOpenAdapter
    • NdisInitializeEvent
    • NdisAllocatePacketPool
    • NdisRegisterProtocol
    • NdisAllocateBufferPool
    • NdisCloseAdapter
    • NdisDeregisterProtocol

    Exported Functions

    (none listed)

    Sections

    • .text
    • .rdata
    • .data
    • INIT
    • .rsrc
    • .reloc

    Signature

    (none listed)

    last_updated: 2024-09-26