9748d5c8-62dd-474b-a336-0aadb49e5ff9

daxin_blank3.sys :inline :inline

Description

Driver used in the Daxin malware campaign.

  • UUID: 9748d5c8-62dd-474b-a336-0aadb49e5ff9
  • Created: 2023-02-28
  • Author: Michael Haag
  • Acknowledgement: |

DownloadBlock

This download link contains the malicious driver!

Commands

sc.exe create daxin_blank3.sys binPath=C:\windows\temp\daxin_blank3.sys     type=kernel && sc.exe start daxin_blank3.sys
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48
  • https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage

    • Known Vulnerable Samples

    PropertyValue
    Filenamedaxin_blank3.sys
    Creation Timestamp2009-11-17 17:54:13
    MD5bd5b0514f3b40f139d8079138d01b5f6
    SHA173bac306292b4e9107147db94d0d836fdb071e33
    SHA2567a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376
    Authentihash MD5800a604e6039d6dc93d68d116c38b640
    Authentihash SHA175670f26e2df371741e8832012e06fdcd179b64c
    Authentihash SHA256afb9e6b70f707149e7243e41ffafbdda463da9a890c56091c454df60608efa0f
    RichPEHeaderHash MD59857565d974281ef92bdf9265b2054e4
    RichPEHeaderHash SHA1c85f13237ee6920b3ec2550afbae60d7cc4315c6
    RichPEHeaderHash SHA2569ebbf9b07f0b4454c9ff06e0ef41e51af3f1789ec72c54ca41f259a2d5b9f831
    Publishern/a

    Download

    Imports

    Expand
    • NTOSKRNL.EXE
    • HAL.DLL
    • ntoskrnl.exe
    • NDIS.SYS

    Imported Functions

    Expand
    • MmMapLockedPagesSpecifyCache
    • ZwClose
    • IofCompleteRequest
    • KeResetEvent
    • InterlockedIncrement
    • KeSetEvent
    • InterlockedDecrement
    • RtlUnicodeStringToInteger
    • RtlInitUnicodeString
    • KeInitializeEvent
    • wcsncmp
    • wcscat
    • wcslen
    • wcscpy
    • MmBuildMdlForNonPagedPool
    • IoAllocateMdl
    • strlen
    • RtlCompareUnicodeString
    • IoFreeMdl
    • MmProbeAndLockPages
    • MmUnlockPages
    • MmUnmapLockedPages
    • RtlFreeUnicodeString
    • ZwWriteFile
    • ZwCreateFile
    • RtlAnsiStringToUnicodeString
    • strcat
    • ZwReadFile
    • ZwQueryInformationFile
    • strncmp
    • _wcsnicmp
    • strcmp
    • _stricmp
    • MmGetSystemRoutineAddress
    • ZwQueryValueKey
    • ZwOpenKey
    • IoCreateFile
    • KeWaitForMultipleObjects
    • strcpy
    • RtlUnwind
    • vsprintf
    • KeWaitForSingleObject
    • KeDelayExecutionThread
    • PsTerminateSystemThread
    • PsCreateSystemThread
    • ObReferenceObjectByHandle
    • ExFreePool
    • KeInitializeSpinLock
    • KeTickCount
    • memset
    • memcpy
    • MmMapLockedPages
    • ExAllocatePoolWithTag
    • KfAcquireSpinLock
    • KfReleaseSpinLock
    • PsGetVersion
    • ZwTerminateProcess
    • ZwOpenProcess
    • RtlSetDaclSecurityDescriptor
    • RtlAddAccessAllowedAce
    • RtlCreateAcl
    • RtlLengthSid
    • RtlCreateSecurityDescriptor
    • ZwWaitForSingleObject
    • NtFsControlFile
    • NtWriteFile
    • NtReadFile
    • RtlLengthRequiredSid
    • RtlImageDirectoryEntryToData
    • ZwQueryInformationProcess
    • ZwQuerySystemInformation
    • PsLookupProcessByProcessId
    • KeAttachProcess
    • KeDetachProcess
    • PsLookupThreadByThreadId
    • KeInitializeApc
    • KeInsertQueueApc
    • ZwOpenFile
    • ZwDeviceIoControlFile
    • PsThreadType
    • NtQuerySystemInformation
    • NdisAllocateMemory
    • NdisAllocatePacket
    • NdisCopyFromPacketToPacket
    • NdisFreePacket
    • NdisAllocateBuffer
    • NdisDeregisterProtocol
    • NdisRegisterProtocol
    • NdisAllocateBufferPool
    • NdisAllocatePacketPool
    • NdisFreeBufferPool
    • NdisFreePacketPool
    • NdisFreeMemory

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • INIT
    • .reloc

    Signature

    Expand

    source

    last_updated: 2024-09-26