7a9d34e4-c660-4388-ab61-4fd6f6bf1ad4

avkiller.sys :inline :inline

Description

Sophos, from time to time, has observed a threat actor deploy variants of Poortry on different machines within a single estate during an attack. These variants contain the same payload, but signed with a different certificate than the driver first seen used during the attack.

  • UUID: 7a9d34e4-c660-4388-ab61-4fd6f6bf1ad4
  • Created: 2024-09-10
  • Author: Michael Haag
  • Acknowledgement: |

DownloadBlock

This download link contains the malicious driver!

Commands

sc.exe create avkiller.sys binPath=C:\windows\temp\avkiller.sys type=kernel && sc.exe start avkiller.sys
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://news.sophos.com/en-us/2024/08/27/burnt-cigar-2/

    • Known Vulnerable Samples

    PropertyValue
    Filename
    Creation Timestamp2024-03-06 07:44:38
    MD5a8480c3b63db47212041042685afd753
    SHA1009328378ad988c7bc5b1e0f29837f52663b55d6
    SHA256b6cb163089f665c05d607a465f1b6272cdd5c949772ab9ce7227120cf61f971a
    Authentihash MD57f0c6c15be6d37232ec196b64fc20ba6
    Authentihash SHA1bbea672633fa3be7dac0585673f4cfabca0d980c
    Authentihash SHA2566365024365fb0899e8a81735369a2e01f55523888e84b091858b48ef14a79e23
    RichPEHeaderHash MD5ea1c191ab6fbddb430742d6f55a773bc
    RichPEHeaderHash SHA15ce8df83fcf27c87be5294b51a686647f0dbd7d6
    RichPEHeaderHash SHA256288ed0eda97b6f307ee1d6ce94f7fe20c54d4b834bb82d143722ea8b608c1ff7

    Download

    Certificates

    Expand
    Certificate 71a0b73695ddb1afc23b2b9a18ee54cb
    FieldValue
    ToBeSigned (TBS) MD58314595952398203ab24badbbc927d39
    ToBeSigned (TBS) SHA1b07dcf73133408eee2786a208ce4b2543bf6c583
    ToBeSigned (TBS) SHA256c734685d985b8ea13db4fc1a6dcd26aa0dde78b4c3b651ea5d58e32e081b2a41
    SubjectC=US, O=thawte, Inc., CN=thawte SHA256 Code Signing CA
    ValidFrom2013-12-10 00:00:00
    ValidTo2023-12-09 23:59:59
    Signature243bf5d7a03613c743fef0098768d198316e12e43f1e1f967b6b4c1e879e8bc56ca3b10c7b5092d5819cb18f2c29b7eef99105b98e41f12cf6d0592d98e0b9ea8001474095b83d9d03bd79bb35b6ad9c4c27f6674510c9c5bc874e557bd287bbdddc30efc6d46ccc99356d1ce060d3cd688f29594b89960846c98efc754fc5dc09cc4e278b44cd07bcac04e0b533a5879ff4dd730c91ea12816fe375f01eb5936c4417d53e97c9bd072c56771f85dd46e8bfde2c8194a3f7e5b7a7c1379f75ca55774d5e3629ca85d84541725775c0795bfa3410066d642042b73ac81f1d4664025fc647bef0c43a2854daf61e4f9aa21943a46f49f8fc5e422028848b47206e
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityTrue
    SerialNumber71a0b73695ddb1afc23b2b9a18ee54cb
    Version3
    Certificate 1ef4ebc005a0702610bf1b2304869025
    FieldValue
    ToBeSigned (TBS) MD52c4b40a02062e2b5a8c341a47f9c632f
    ToBeSigned (TBS) SHA147df919dace02a7069f8f102b73b12e2b54ae23c
    ToBeSigned (TBS) SHA2566dee78a4bbf3ce3d0721249fee237d942e8a9c69d0c1a21c4b071a71a1ef78d5
    SubjectC=CN, L=Zaozhuang, O=Bopsoft, CN=Bopsoft, ST=Shandong
    ValidFrom2017-11-22 00:00:00
    ValidTo2018-11-22 23:59:59
    Signature3346fc00b09bb2e3772ad56ea8c7940fbc23f30851bd721cb5729cc5abb75e876f7cb55dbdfb9dd5c3b491ff0f6c7fa9dad3300e52dc360db7d3c98fc29480b3325302064eefa27093177b7cf7b6f6b3e1fc23f8599edb1f3731ec62f348bab7ed37063f71676fdfa6510c369f4b358b08214de1ef1ba47babc02d432a40ae7d043e0d0e2f0d6787fc99c81a5d3569e75abbcf666e9cdfb8fccd7bbe3f776a48af003c5c090eb5fd1730ecb3bbebbb190d8c07538982a14487c0b8f19b5b367496fcca6cf56fa8cf213bceb51c07eb8d766ef3e280f8821e3c0c1c22c928523d1d188eb997f614adee63afdda3d7bc418e4286b6f32d6f7361ea7dde2a63f8d3
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityFalse
    SerialNumber1ef4ebc005a0702610bf1b2304869025
    Version3
    Certificate 611fb0a400000000001d
    FieldValue
    ToBeSigned (TBS) MD5a3f222107d4e1085e73b5b589c2f480b
    ToBeSigned (TBS) SHA1b94aa26cd77c48d91a53ac44506cbd255e1d362c
    ToBeSigned (TBS) SHA256a39ed0d6fd4eb1a6f7fed60f726e23eae668b7591bc004644625d22c701213fa
    SubjectC=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. , For authorized use only, CN=thawte Primary Root CA
    ValidFrom2011-02-22 19:31:57
    ValidTo2021-02-22 19:41:57
    Signature2dcc71b5e8ba94ff5ee64467007b6afc412c3ee70e41855ab12a932ba95b89f2f72b499c8003f297b8e760a80ed7fd5de545467594f4ed1c9de166228b61fb29f2c6a8bdf387c98f7f47e1c058b64a1aa2e7f718606969e083069e26c775c40c0d79da746b52b9fae8ea3359b9bb18dd291a14dfd36a37277a9da0dacffffc22c4faf009ff33e93e17ba1cc742cfce2743d30c0c5581303db96060ce02ece19ee81ddc852ce0a18d966d95ac17a4713ea16741b6281d2ce3b615e5b7e5a2f6256d86e320acf9f8314f8e629b9833376d6af735523e90feb03b5fc5b852a9e06ea0479a279e97aea24a9e531939ec357ec659de3ae0aaf533f06abda0821812dea18c4570ca2bd62e959145995a5c240049bd23b30ceca43df5b9e1d1b1825a38eea3fba1ab483a8c5dffa065223fd3d3fe4990db1446a3852e8a554b09ab38b2ab63a008d1fdad48e273d812bcc26ca516fad09ac05e38383a2b718e553aac42197a1f0d4220e7ab5d8c6880524ca1c0d488d02321fb901309007b4937afa9df486022abf4f6c2363bf8513c34bbc586e43ae19f4b90fe5461024b159c34176aa94b8d4cb69d2326c83af1d6b805cdda1d6240183a2f1b41cd3a993a0aa9d1d77eb8c4aff7b8c980105ed55df6ce7a9a02c50f6381efb564e9fc5bd8d2619a68c37cf9c78df91e87d5fa2cf816ae9dab068fc86dc741cda14e84e3dac26ebcfb
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber611fb0a400000000001d
    Version3
    Certificate 0094fa63cebbbc0730522a9ca5
    FieldValue
    ToBeSigned (TBS) MD5ab2efb6e04ffd3788ff390443e4e837d
    ToBeSigned (TBS) SHA1bbbcf0041c5dcd0512e64f8a500b37822ff0a637
    ToBeSigned (TBS) SHA2560e05875da66f48327f14d1d8b08db647a01bb49f6487291e847f14a0432808fd
    SubjectC=CN, O=Pikachu Trust Network CA, OU=Identity Authentication, CN=Pikachu Time Fake RSA 2048 V01,E2100, ??=Pikachu Time Fake RSA 2048 V01,E2100, ??=vSaNeO* Nf RSA2048 V01,E2100, ??=vSaNeO* Nf RSA2048 V01,E2100, ??=Pikachu Time Fake RSA 2048 V01,E2100
    ValidFrom2000-01-01 00:00:00
    ValidTo2099-12-31 23:59:59
    Signature163f5597d4df0398888852aa0e58bad45504ffa8af14f8360a60d656ff874c05731c24fb1032e0ce5a016e598e5ebc4ce72ff25ebdb198ed879311da97489a179e2dadb2475fa5cbdfaa7683f3afe3c804fcfbb9362cbcc61510044175e0dc2368416773bcc8b6b1fb679a8cd455fcf9f72b7b06c4a24e68fc8f8084dae22a965bba8e95291b991564d45539f62d071cb67cef5481f43c8d13ec7d3eba897effb2722dbf0944bee4a5bac0b2da968ad0599c70f4a4adf21d72308d11f7bd413ebbc2d029a458ef712411b8f2a8564b295b7368cd7d306598950f79dc44f1592acd6c34ec7282ff9de3ad54dd121b998db6e659b85f9d28ba3399daf54c8cafeb5ab0695769627974f91b0aacac264a894a000c87e4d9d4c6b1f16dd300afc8f22fc54fd3072112cdac50438bca5253fca47c806ed36bb23d66292fe7dce1ebd3fd4330a6060f75ce100007ccb8d2055f376a351147c4537c11e16d3c3e4a60edf648a66fa77b712f8bb9329b966b1b3df47749185bc64a0d19f468cfdd492090b867309299a405fbf0962f87553e89717ecebf77dc211a6d95f4c12b6ed26a7937b8f011791ea63dc361ef2424f5dac02da989c1ce655dc7bbd6d8565deed7dc6a3763b52507d24f0817954c7e4e44a612352f78245d3dd0892d4b88c8a52ebb8e271e917c48d50d16b1a5e43e586cccbaebea110988a979bba0e0e32b3789a0
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityFalse
    SerialNumber0094fa63cebbbc0730522a9ca5
    Version3

    Imports

    Expand
    • ntoskrnl.exe

    Imported Functions

    Expand
    • strstr
    • DbgPrint
    • ObfDereferenceObject
    • ZwClose
    • PsGetProcessId
    • ZwTerminateProcess
    • ZwOpenProcess
    • PsLookupProcessByProcessId
    • PsGetProcessImageFileName

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • INIT
    • .reloc

    Signature

    Expand
    {
  "Certificates": [
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "71a0b73695ddb1afc23b2b9a18ee54cb",
      "Signature": "243bf5d7a03613c743fef0098768d198316e12e43f1e1f967b6b4c1e879e8bc56ca3b10c7b5092d5819cb18f2c29b7eef99105b98e41f12cf6d0592d98e0b9ea8001474095b83d9d03bd79bb35b6ad9c4c27f6674510c9c5bc874e557bd287bbdddc30efc6d46ccc99356d1ce060d3cd688f29594b89960846c98efc754fc5dc09cc4e278b44cd07bcac04e0b533a5879ff4dd730c91ea12816fe375f01eb5936c4417d53e97c9bd072c56771f85dd46e8bfde2c8194a3f7e5b7a7c1379f75ca55774d5e3629ca85d84541725775c0795bfa3410066d642042b73ac81f1d4664025fc647bef0c43a2854daf61e4f9aa21943a46f49f8fc5e422028848b47206e",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=US, O=thawte, Inc., CN=thawte SHA256 Code Signing CA",
      "TBS": {
        "MD5": "8314595952398203ab24badbbc927d39",
        "SHA1": "b07dcf73133408eee2786a208ce4b2543bf6c583",
        "SHA256": "c734685d985b8ea13db4fc1a6dcd26aa0dde78b4c3b651ea5d58e32e081b2a41",
        "SHA384": "874ded773c743b4e18744d7978b41cfe2e55529c61d45a0e34b3950aaad56b6c7a3780880133bcd1df3b1f86d468d46d"
      },
      "ValidFrom": "2013-12-10 00:00:00",
      "ValidTo": "2023-12-09 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "1ef4ebc005a0702610bf1b2304869025",
      "Signature": "3346fc00b09bb2e3772ad56ea8c7940fbc23f30851bd721cb5729cc5abb75e876f7cb55dbdfb9dd5c3b491ff0f6c7fa9dad3300e52dc360db7d3c98fc29480b3325302064eefa27093177b7cf7b6f6b3e1fc23f8599edb1f3731ec62f348bab7ed37063f71676fdfa6510c369f4b358b08214de1ef1ba47babc02d432a40ae7d043e0d0e2f0d6787fc99c81a5d3569e75abbcf666e9cdfb8fccd7bbe3f776a48af003c5c090eb5fd1730ecb3bbebbb190d8c07538982a14487c0b8f19b5b367496fcca6cf56fa8cf213bceb51c07eb8d766ef3e280f8821e3c0c1c22c928523d1d188eb997f614adee63afdda3d7bc418e4286b6f32d6f7361ea7dde2a63f8d3",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=CN, L=Zaozhuang, O=Bopsoft, CN=Bopsoft, ST=Shandong",
      "TBS": {
        "MD5": "2c4b40a02062e2b5a8c341a47f9c632f",
        "SHA1": "47df919dace02a7069f8f102b73b12e2b54ae23c",
        "SHA256": "6dee78a4bbf3ce3d0721249fee237d942e8a9c69d0c1a21c4b071a71a1ef78d5",
        "SHA384": "9f40d16f8e471019201108ba3a1a1ce834e7bd894f086894c1e4d89bbcbaca9567f2b005df6e5c4888315c5cbb490f23"
      },
      "ValidFrom": "2017-11-22 00:00:00",
      "ValidTo": "2018-11-22 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "611fb0a400000000001d",
      "Signature": "2dcc71b5e8ba94ff5ee64467007b6afc412c3ee70e41855ab12a932ba95b89f2f72b499c8003f297b8e760a80ed7fd5de545467594f4ed1c9de166228b61fb29f2c6a8bdf387c98f7f47e1c058b64a1aa2e7f718606969e083069e26c775c40c0d79da746b52b9fae8ea3359b9bb18dd291a14dfd36a37277a9da0dacffffc22c4faf009ff33e93e17ba1cc742cfce2743d30c0c5581303db96060ce02ece19ee81ddc852ce0a18d966d95ac17a4713ea16741b6281d2ce3b615e5b7e5a2f6256d86e320acf9f8314f8e629b9833376d6af735523e90feb03b5fc5b852a9e06ea0479a279e97aea24a9e531939ec357ec659de3ae0aaf533f06abda0821812dea18c4570ca2bd62e959145995a5c240049bd23b30ceca43df5b9e1d1b1825a38eea3fba1ab483a8c5dffa065223fd3d3fe4990db1446a3852e8a554b09ab38b2ab63a008d1fdad48e273d812bcc26ca516fad09ac05e38383a2b718e553aac42197a1f0d4220e7ab5d8c6880524ca1c0d488d02321fb901309007b4937afa9df486022abf4f6c2363bf8513c34bbc586e43ae19f4b90fe5461024b159c34176aa94b8d4cb69d2326c83af1d6b805cdda1d6240183a2f1b41cd3a993a0aa9d1d77eb8c4aff7b8c980105ed55df6ce7a9a02c50f6381efb564e9fc5bd8d2619a68c37cf9c78df91e87d5fa2cf816ae9dab068fc86dc741cda14e84e3dac26ebcfb",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. , For authorized use only, CN=thawte Primary Root CA",
      "TBS": {
        "MD5": "a3f222107d4e1085e73b5b589c2f480b",
        "SHA1": "b94aa26cd77c48d91a53ac44506cbd255e1d362c",
        "SHA256": "a39ed0d6fd4eb1a6f7fed60f726e23eae668b7591bc004644625d22c701213fa",
        "SHA384": "64b7643e4146016cbf83c911eb67e4601b6bb8d66f8ee8dcee67b815f91770d86ab23678b984430f22a963e5484881b7"
      },
      "ValidFrom": "2011-02-22 19:31:57",
      "ValidTo": "2021-02-22 19:41:57",
      "Version": 3
    },
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "0094fa63cebbbc0730522a9ca5",
      "Signature": "163f5597d4df0398888852aa0e58bad45504ffa8af14f8360a60d656ff874c05731c24fb1032e0ce5a016e598e5ebc4ce72ff25ebdb198ed879311da97489a179e2dadb2475fa5cbdfaa7683f3afe3c804fcfbb9362cbcc61510044175e0dc2368416773bcc8b6b1fb679a8cd455fcf9f72b7b06c4a24e68fc8f8084dae22a965bba8e95291b991564d45539f62d071cb67cef5481f43c8d13ec7d3eba897effb2722dbf0944bee4a5bac0b2da968ad0599c70f4a4adf21d72308d11f7bd413ebbc2d029a458ef712411b8f2a8564b295b7368cd7d306598950f79dc44f1592acd6c34ec7282ff9de3ad54dd121b998db6e659b85f9d28ba3399daf54c8cafeb5ab0695769627974f91b0aacac264a894a000c87e4d9d4c6b1f16dd300afc8f22fc54fd3072112cdac50438bca5253fca47c806ed36bb23d66292fe7dce1ebd3fd4330a6060f75ce100007ccb8d2055f376a351147c4537c11e16d3c3e4a60edf648a66fa77b712f8bb9329b966b1b3df47749185bc64a0d19f468cfdd492090b867309299a405fbf0962f87553e89717ecebf77dc211a6d95f4c12b6ed26a7937b8f011791ea63dc361ef2424f5dac02da989c1ce655dc7bbd6d8565deed7dc6a3763b52507d24f0817954c7e4e44a612352f78245d3dd0892d4b88c8a52ebb8e271e917c48d50d16b1a5e43e586cccbaebea110988a979bba0e0e32b3789a0",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=CN, O=Pikachu Trust Network CA, OU=Identity Authentication, CN=Pikachu Time Fake RSA 2048 V01,E2100, ??=Pikachu Time Fake RSA 2048 V01,E2100, ??=vSaNeO* Nf RSA2048 V01,E2100, ??=vSaNeO* Nf RSA2048 V01,E2100, ??=Pikachu Time Fake RSA 2048 V01,E2100",
      "TBS": {
        "MD5": "ab2efb6e04ffd3788ff390443e4e837d",
        "SHA1": "bbbcf0041c5dcd0512e64f8a500b37822ff0a637",
        "SHA256": "0e05875da66f48327f14d1d8b08db647a01bb49f6487291e847f14a0432808fd",
        "SHA384": "95c13b92af8a79c17a022236830b7a210253553df8e543d22b2124f384821808e22563651507324d12e6f24761578458"
      },
      "ValidFrom": "2000-01-01 00:00:00",
      "ValidTo": "2099-12-31 23:59:59",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=US, O=thawte, Inc., CN=thawte SHA256 Code Signing CA",
      "SerialNumber": "1ef4ebc005a0702610bf1b2304869025",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

    source

    last_updated: 2025-01-29