576bb95a-f15e-4a0d-bcee-08791e1504e2

driver_d9f15d91.sys :inline :inline

Description

Sophos, from time to time, has observed a threat actor deploy variants of Poortry on different machines within a single estate during an attack. These variants contain the same payload, but signed with a different certificate than the driver first seen used during the attack.

  • UUID: 576bb95a-f15e-4a0d-bcee-08791e1504e2
  • Created: 2024-09-10
  • Author: Michael Haag
  • Acknowledgement: |

DownloadBlock

This download link contains the malicious driver!

Commands

sc.exe create driver_d9f15d91.sys binPath=C:\windows\temp\driver_d9f15d91.sys type=kernel && sc.exe start driver_d9f15d91.sys
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://news.sophos.com/en-us/2024/08/27/burnt-cigar-2/

    • Known Vulnerable Samples

    PropertyValue
    Filename
    Creation Timestamp2024-04-09 03:09:37
    MD5b71bbf5838a0346d567bc60e7955b642
    SHA139ce3d1d083474ecbed453a0ec8344c66d51a4ac
    SHA256d9f15d91397d1c8d01b6d6871c4f18f3a85ca85f091a92f4e9221524344ca5fe
    Authentihash MD5675127d3de10a429d442c797977175b7
    Authentihash SHA1fbc2e05f6c1e72e9c4c2d1d48ec8de888a52169f
    Authentihash SHA2562559a34af1cc5cd65bfd4334d053294046e05d833937e3b6fbfe7ddd381d0963
    RichPEHeaderHash MD55c9838bf922891eadad2c7006bd6dd15
    RichPEHeaderHash SHA19d7c89a5a44b43be37478da7fdcae820807f0fc1
    RichPEHeaderHash SHA256f72b36d9f494d03932b50a05fa0d19fe453bdbd8d2db82e1b44d539a4ee3542a

    Download

    Certificates

    Expand
    Certificate 47c30ffefc22bb280f96fea75251
    FieldValue
    ToBeSigned (TBS) MD5729cf4baceff4ef7aa199ad4f4ebed3d
    ToBeSigned (TBS) SHA1f478f0e790d5c8ec6056a3ab2567404a991d2837
    ToBeSigned (TBS) SHA256c3c88c2a500cb5a97abca837193a5bd382f6eb3aeb0008edbce65ea2a3dbfd5c
    SubjectC=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G3
    ValidFrom2016-03-16 00:00:00
    ValidTo2024-03-16 00:00:00
    Signature3b41bbc84f561182b719e3d96dc185ae9e690ec84326234b8d44c8e87d5f070e5341d563444a890bb874ac7db578792f8426e2d7f7bad1ae2dfd69cffa7c64dc24162a4adac097a9bbd5dd88e7a1929a0aa5f6f7bace85d6e4e3d455deeddc3e211f1bc87788cffc65fb05b48f12a630d30d66982f6c2e6f85187c8ff5f6fbb1ab10e183270885b07321ba5d2cba8330b73984dd5db67fd28bb455534c42a2bc4a6c78395b631ca37827bfbe34836b6d7b1e60fbc29b0d88ac8c72546bdc3b88ba81525e689783b8ce7fa3cdf9ea2f2676facd0b06ac4344497bf64c9442b2abcfd542d51942696e618664c7b37d078bdbe5767b6e5f65a91690a2cee4ae6492
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber47c30ffefc22bb280f96fea75251
    Version3
    Certificate 7595d72f16ab2f8a1961f5c6
    FieldValue
    ToBeSigned (TBS) MD5d0d8ec83d250b150803ea3804a9943ee
    ToBeSigned (TBS) SHA147af16721f241af735aa231f6555269b1e749173
    ToBeSigned (TBS) SHA25623d457a285af4f77f0177f4cef6937113bb97dd58039701f41bc0ee8046fdb0b
    SubjectC=HK, ST=Kowloon, L=Mongkok, O=EVANGEL TECHNOLOGY (HK) LIMITED, CN=EVANGEL TECHNOLOGY (HK) LIMITED
    ValidFrom2016-10-31 09:08:30
    ValidTo2017-11-01 09:08:30
    Signature490dffced6c24c4a22c71f545a9a13a11b353b1cc4ddd343b4ce20c61e2d3eb7206c8a8a7e7570591d1be650d2ef0924d918ec0dcc269e84b9eed9aafbd8fdc176b023165f4e5071b2060f07b58a8847dcc1ae965e14e531b878873c6e186e549a1b8718c9f7237d5ac0579b21b1f9154ff97c2c07b7e8a6f0f999b87dca091e296baa8204f4d168c63fa01f28879dfb2e72456e6e416194264e3a0bb6cd7a4a1dd1b898c7ce7b1ddabd51d05d17fbec9ebffa3f0ebe8d168cfe254ba4174dc47d03d0596b4ad6e4b3a4c59df934dda305c10f51576d2f6d659cf610ab41c464d523ac6c9b1d7c76168148a8e7e561a89e80ffc81bfdbcff336bf8867e4d956b
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber7595d72f16ab2f8a1961f5c6
    Version3
    Certificate 6129152700000000002a
    FieldValue
    ToBeSigned (TBS) MD50bb058d116f02817737920f112d9fd3b
    ToBeSigned (TBS) SHA1fd116235171a4feafedee586b7a59185fb5fd7e6
    ToBeSigned (TBS) SHA256f970426cc46d2ae0fc5f899fa19dbe76e05f07e525654c60c3c9399492c291f4
    SubjectC=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA
    ValidFrom2011-04-15 19:55:08
    ValidTo2021-04-15 20:05:08
    Signature5ff8d065746a81c6a6ca5b03b6914ae84bbdef2ba142f0efb4a5adcd3389ec0b9585ac62501108aa58d25aa08310e5a6337af25af2c5fe787cf09c83df190ad97396002dd62ccde914d41d9de83f3c1a76f7904efb01350a6c9313a0c356eb67a0e4d17a96dec267f190f80a7bf5321b94ec5f751f8d1b34da6c58a7cb2d279e2226b7c9aa30cc0777b836e38201b5393ccc8dd9a75f7f23b3877fdb5798918bd7ce2520e39d644fdd87f72b68490318e0a5df7c5f68644d36838d4781f2e9e0a869abfa7b163c05a449ea8830190a6c73055178dfd41ddd3ad47f2de44e54be83431e7a7433b4a4ebd77073bc2a02988966eef6bc8f749378e329025a5a43e258ce7ccf9acad236893be25fda26054ec8d4e72c910e1797c5beee8b13112323294ffa83d050f6bafad53db3173df4ff034aa325dce67561d1fa35086bd62744d068b78d45e0eb852cc8a15d614474160e5958aed2b5eea5bcd6d7076ab62978fd976767dd8d4f17944fd2ed0caf972437c3a29c81da6be143b6577b4cecbf791319e79fe844e94781b75e701e91f83dd17b27f50b7056434805dda92fab86101d0b12e31ad04c6e75ded645b30b748887935c564a41029af7aeb799d8b67f88fa11f2457cf4d71b91c01cf1a0fbd4080a411a142acef4eb34486e66879ed54b7a397fbb0e3d3861cf735706e412066bd96b5308cd7018c22d4f974691bca9f0
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber6129152700000000002a
    Version3

    Imports

    Expand
    • ntoskrnl.exe

    Imported Functions

    Expand
    • strstr
    • DbgPrintEx
    • ExAllocatePoolWithTag
    • ExFreePoolWithTag
    • IofCompleteRequest
    • IoCreateDevice
    • IoCreateSymbolicLink
    • IoDeleteDevice
    • IoDeleteSymbolicLink
    • MmIsAddressValid
    • RtlFindExportedRoutineByName
    • ZwQuerySystemInformation

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • INIT
    • .reloc

    Signature

    Expand
    {
  "Certificates": [
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "47c30ffefc22bb280f96fea75251",
      "Signature": "3b41bbc84f561182b719e3d96dc185ae9e690ec84326234b8d44c8e87d5f070e5341d563444a890bb874ac7db578792f8426e2d7f7bad1ae2dfd69cffa7c64dc24162a4adac097a9bbd5dd88e7a1929a0aa5f6f7bace85d6e4e3d455deeddc3e211f1bc87788cffc65fb05b48f12a630d30d66982f6c2e6f85187c8ff5f6fbb1ab10e183270885b07321ba5d2cba8330b73984dd5db67fd28bb455534c42a2bc4a6c78395b631ca37827bfbe34836b6d7b1e60fbc29b0d88ac8c72546bdc3b88ba81525e689783b8ce7fa3cdf9ea2f2676facd0b06ac4344497bf64c9442b2abcfd542d51942696e618664c7b37d078bdbe5767b6e5f65a91690a2cee4ae6492",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G3",
      "TBS": {
        "MD5": "729cf4baceff4ef7aa199ad4f4ebed3d",
        "SHA1": "f478f0e790d5c8ec6056a3ab2567404a991d2837",
        "SHA256": "c3c88c2a500cb5a97abca837193a5bd382f6eb3aeb0008edbce65ea2a3dbfd5c",
        "SHA384": "e62bbb1ba1ad3df59f2c7265df5576af6b5d4a7473b74985a9d956975fdfc517ffbdd2172b0e3ea36befcb6a9026c872"
      },
      "ValidFrom": "2016-03-16 00:00:00",
      "ValidTo": "2024-03-16 00:00:00",
      "Version": 3
    },
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "7595d72f16ab2f8a1961f5c6",
      "Signature": "490dffced6c24c4a22c71f545a9a13a11b353b1cc4ddd343b4ce20c61e2d3eb7206c8a8a7e7570591d1be650d2ef0924d918ec0dcc269e84b9eed9aafbd8fdc176b023165f4e5071b2060f07b58a8847dcc1ae965e14e531b878873c6e186e549a1b8718c9f7237d5ac0579b21b1f9154ff97c2c07b7e8a6f0f999b87dca091e296baa8204f4d168c63fa01f28879dfb2e72456e6e416194264e3a0bb6cd7a4a1dd1b898c7ce7b1ddabd51d05d17fbec9ebffa3f0ebe8d168cfe254ba4174dc47d03d0596b4ad6e4b3a4c59df934dda305c10f51576d2f6d659cf610ab41c464d523ac6c9b1d7c76168148a8e7e561a89e80ffc81bfdbcff336bf8867e4d956b",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=HK, ST=Kowloon, L=Mongkok, O=EVANGEL TECHNOLOGY (HK) LIMITED, CN=EVANGEL TECHNOLOGY (HK) LIMITED",
      "TBS": {
        "MD5": "d0d8ec83d250b150803ea3804a9943ee",
        "SHA1": "47af16721f241af735aa231f6555269b1e749173",
        "SHA256": "23d457a285af4f77f0177f4cef6937113bb97dd58039701f41bc0ee8046fdb0b",
        "SHA384": "42a42ea9c25ef0bcd4cb4541e177192fa1b13561055c2b79f2bd1685a7a7072c5a2e5e449ea07f01cf05e8f172802c59"
      },
      "ValidFrom": "2016-10-31 09:08:30",
      "ValidTo": "2017-11-01 09:08:30",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "6129152700000000002a",
      "Signature": "5ff8d065746a81c6a6ca5b03b6914ae84bbdef2ba142f0efb4a5adcd3389ec0b9585ac62501108aa58d25aa08310e5a6337af25af2c5fe787cf09c83df190ad97396002dd62ccde914d41d9de83f3c1a76f7904efb01350a6c9313a0c356eb67a0e4d17a96dec267f190f80a7bf5321b94ec5f751f8d1b34da6c58a7cb2d279e2226b7c9aa30cc0777b836e38201b5393ccc8dd9a75f7f23b3877fdb5798918bd7ce2520e39d644fdd87f72b68490318e0a5df7c5f68644d36838d4781f2e9e0a869abfa7b163c05a449ea8830190a6c73055178dfd41ddd3ad47f2de44e54be83431e7a7433b4a4ebd77073bc2a02988966eef6bc8f749378e329025a5a43e258ce7ccf9acad236893be25fda26054ec8d4e72c910e1797c5beee8b13112323294ffa83d050f6bafad53db3173df4ff034aa325dce67561d1fa35086bd62744d068b78d45e0eb852cc8a15d614474160e5958aed2b5eea5bcd6d7076ab62978fd976767dd8d4f17944fd2ed0caf972437c3a29c81da6be143b6577b4cecbf791319e79fe844e94781b75e701e91f83dd17b27f50b7056434805dda92fab86101d0b12e31ad04c6e75ded645b30b748887935c564a41029af7aeb799d8b67f88fa11f2457cf4d71b91c01cf1a0fbd4080a411a142acef4eb34486e66879ed54b7a397fbb0e3d3861cf735706e412066bd96b5308cd7018c22d4f974691bca9f0",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA",
      "TBS": {
        "MD5": "0bb058d116f02817737920f112d9fd3b",
        "SHA1": "fd116235171a4feafedee586b7a59185fb5fd7e6",
        "SHA256": "f970426cc46d2ae0fc5f899fa19dbe76e05f07e525654c60c3c9399492c291f4",
        "SHA384": "c0df876be008c26ca407fe904e6f5e7ccded17f9c16830ce9f8022309c9e64c97f494810f152811ae43e223b82ad7cc6"
      },
      "ValidFrom": "2011-04-15 19:55:08",
      "ValidTo": "2021-04-15 20:05:08",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G3",
      "SerialNumber": "7595d72f16ab2f8a1961f5c6",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

    source

    last_updated: 2025-01-29