daxin_blank6.sys

Description

Driver used in the Daxin malware campaign.

  • UUID: 3d1439e9-9a7d-497a-8c6c-74513f825d6a
  • Created: 2023-02-28
  • Author: Michael Haag
  • Acknowledgement: none listed

Download

This download link contains the malicious driver!

Commands

sc.exe create daxin_blank6.sys binPath=C:\windows\temp\daxin_blank6.sys type=kernel && sc.exe start daxin_blank6.sys

  • Use Case: Elevate privileges
  • Privileges: kernel
  • Operating System: Windows 10

Detections

YARA 🏹

  • Exact Match: with header and size limitation
  • Threat Hunting: without header and size limitation

Sigma 🛡️

  • Names: detects loading using name only
  • Hashes: detects loading using hashes only

Sysmon 🔎

  • Block: on hashes
  • Alert: on hashes

Resources


  • https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48
  • https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage

Known Vulnerable Samples

    • Filename: daxin_blank6.sys
    • Creation Timestamp: 2009-03-25 20:44:42
    • MD5: 0ae30291c6cbfa7be39320badd6e8de0
    • SHA1: c257aa4094539719a3c7b7950598ef872dbf9518
    • SHA256: e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217
    • Authentihash MD5: d59fbf4aa759286d1dd9abb40733f7b2
    • Authentihash SHA1: 3c34c7c5916b987420fbfb4f3e3fef7400471831
    • Authentihash SHA256: a8c558e74ebe35a095a5b79d4bb26c10b18f8ebb449365e742f856d4e032555c
    • RichPEHeaderHash MD5: 909f63d34ab6d10273023d528b1722a0
    • RichPEHeaderHash SHA1: 2e7dbeb35bb60bf672f840375926888760d4ad58
    • RichPEHeaderHash SHA256: 64d9f0289f8d52b49a1beb95e9248e2e08d06e94c9d2fc86b3b85536cf7697c1
    • Publisher: n/a

    Imports

    • NTOSKRNL.EXE
    • HAL.DLL
    • ntoskrnl.exe
    • NDIS.SYS

    Imported Functions

    • MmUnlockPages
    • MmProbeAndLockPages
    • IoAllocateMdl
    • IoQueueWorkItem
    • IoAllocateWorkItem
    • IoGetCurrentProcess
    • _stricmp
    • IoFreeWorkItem
    • RtlFreeUnicodeString
    • ZwClose
    • ZwWriteFile
    • ZwCreateFile
    • RtlAnsiStringToUnicodeString
    • _strnicmp
    • RtlUnwind
    • RtlCopyUnicodeString
    • wcsncmp
    • swprintf
    • IoCreateDevice
    • IoCreateSymbolicLink
    • KeInitializeSpinLock
    • ExfInterlockedInsertTailList
    • RtlInitUnicodeString
    • MmMapLockedPagesSpecifyCache
    • IoFreeMdl
    • InterlockedDecrement
    • InterlockedIncrement
    • InterlockedExchange
    • IoDeleteSymbolicLink
    • IoDeleteDevice
    • ExfInterlockedRemoveHeadList
    • IofCompleteRequest
    • ExAllocatePoolWithTag
    • strncmp
    • ExFreePool
    • KfAcquireSpinLock
    • KfReleaseSpinLock
    • KeInitializeApc
    • KeInsertQueueApc
    • KeAttachProcess
    • KeDetachProcess
    • NtQuerySystemInformation
    • NdisAllocatePacket
    • NdisCopyFromPacketToPacket
    • NdisAllocateMemory
    • NdisFreePacket
    • NdisAllocateBuffer
    • NdisSetEvent
    • NdisResetEvent
    • NdisFreeBufferPool
    • NdisFreePacketPool
    • NdisFreeMemory
    • NdisWaitEvent
    • NdisQueryAdapterInstanceName
    • NdisOpenAdapter
    • NdisInitializeEvent
    • NdisAllocatePacketPool
    • NdisRegisterProtocol
    • NdisAllocateBufferPool
    • NdisCloseAdapter
    • NdisDeregisterProtocol

    Exported Functions

    (none listed)

    Sections

    • .text
    • .rdata
    • .data
    • INIT
    • .reloc

    Signature

    (none listed)


    last_updated: 2024-09-26