b660d253-2b60-46c5-b95a-c354aa5eb154

driver_4f9b5a2f.sys :inline :inline

Description

Sophos, from time to time, has observed a threat actor deploy variants of Poortry on different machines within a single estate during an attack. These variants contain the same payload, but signed with a different certificate than the driver first seen used during the attack.

  • UUID: b660d253-2b60-46c5-b95a-c354aa5eb154
  • Created: 2024-09-10
  • Author: Michael Haag
  • Acknowledgement: |

DownloadBlock

This download link contains the malicious driver!

Commands

sc.exe create driver_bfcbc010.sys binPath=C:\windows\temp\driver_bfcbc010.sys type=kernel && sc.exe start driver_bfcbc010.sys
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://news.sophos.com/en-us/2024/08/27/burnt-cigar-2/

    • Known Vulnerable Samples

    PropertyValue
    Filename
    Creation Timestamp2022-12-21 06:07:48
    MD5d6220f35d2ab7e028e21d5420e12ee93
    SHA1e6e2e01c527d52fe6b2d377043a1ed77f7257d73
    SHA2564f9b5a2fe29c436a53d36d8a2084369ac6a8cd59b9eb01b3d3fa293f3487d3cc
    Authentihash MD5a0e21c1aa62fb7cfa003b88b9e8cc7c2
    Authentihash SHA1f74723ee733f7d08e08b2c567806b575dd123b58
    Authentihash SHA256e38eb95fd1593c73311d426dbd85491494a4521aaa4c4ef66e02f7d6d0339171
    RichPEHeaderHash MD5b3c2084dcf3f40c0653c0d83ed93d1ec
    RichPEHeaderHash SHA198192b19393d287eeaa3c6cb52aa97723a66d136
    RichPEHeaderHash SHA256783d7f55f46700737aafd36725d14b1c98049d9c0179f13143227d1e285d624b

    Download

    Certificates

    Expand
    Certificate 1cb2d523a6bf7a066642c578de1c9be4
    FieldValue
    ToBeSigned (TBS) MD565742dda29af02ee39af8b3c11f7469b
    ToBeSigned (TBS) SHA1521f7a1f51ac74d4f29c599aa9dff8d466158438
    ToBeSigned (TBS) SHA25633a7dcdd20164cdfa97f1af890a17ec28047093c116185a42dbcb77ceaabc769
    SubjectC=CN, ST=Guangdong, L=Shenzhen, O=Shenzhen Huanan Xingfa Electronic Equipment Firm, CN=Shenzhen Huanan Xingfa Electronic Equipment Firm
    ValidFrom2013-07-10 00:00:00
    ValidTo2014-07-10 23:59:59
    Signature453f89c72c0f43e9a0bea7aee4cc94137f22b1eed4c9970976ba0a64af4f248e9ed746472c54431e740ade4be5d3cf00a1b0e2138a54a137e2c5ca5d1485acfd4ce5deaf6bb98c4da4b98ed3f68123044bafa8fca57eecbe17acf2299a4c79ed76673280a7f930381406ecce5afad5aa28af71d68f48fff2b8f5944687e941ed507bfbe4b9b1a5075aa9493c083cabcad2e564e52fed0427eebce1880094f83c8a049638b826dbc9ab313354e9fc7938e6c57ad7450514abec83f28229b6ff7a208e6b3e9b059f2c439e2ecb0e143858a7748bcfc7750111a5a7dbb30f32906cafabd4f23c80f3752296e54b3aebef6b381ad065e070a271876ee77bad0d42e0
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber1cb2d523a6bf7a066642c578de1c9be4
    Version3
    Certificate 47974d7873a5bcab0d2fb370192fce5e
    FieldValue
    ToBeSigned (TBS) MD5e3a93dc2a8a8a668fdbb286bfe9afab5
    ToBeSigned (TBS) SHA195795d2aa2a554a423bc8c6e5b0a016d14887d35
    ToBeSigned (TBS) SHA256d8844186775bddbccaf3dc017064df7d760fd4b85c5d07561a3efd7da950f89e
    SubjectC=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2
    ValidFrom2010-02-08 00:00:00
    ValidTo2020-02-07 23:59:59
    Signature56fe535ce1c79ebca7ed7e536d6a144b518c405e805faaa4e82fef38c804c9ca3ecfdf3a584eb0d4b663c52957fa02059a454d68db2a1bd4343d9f00c35acb9549a56ee1b0c5fc414d414a6fd377c8d7388de419de18f31f1565836d450c53f90a9a2ea55dbf6f32811892196a5500ad631c52067e55d92968ae4a7c189a79886b2323d827382a298776cafbc7b662231fed7a564cdd9c325bf53d0c4618953b2a2368836441d9006d0f1924156872bdc571676eac4cdb90eb51a51a6207d0be6a00473c722fec4f613e7385ce5a0ab7bac01c1375e3223928dd6d1d09469d4fbae8408191c6a4ce94721b01cf2a6e15679589ae7db7b7cdf90a3d75b66b3c25
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber47974d7873a5bcab0d2fb370192fce5e
    Version3
    Certificate 611fb0a400000000001d
    FieldValue
    ToBeSigned (TBS) MD5a3f222107d4e1085e73b5b589c2f480b
    ToBeSigned (TBS) SHA1b94aa26cd77c48d91a53ac44506cbd255e1d362c
    ToBeSigned (TBS) SHA256a39ed0d6fd4eb1a6f7fed60f726e23eae668b7591bc004644625d22c701213fa
    SubjectC=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. , For authorized use only, CN=thawte Primary Root CA
    ValidFrom2011-02-22 19:31:57
    ValidTo2021-02-22 19:41:57
    Signature2dcc71b5e8ba94ff5ee64467007b6afc412c3ee70e41855ab12a932ba95b89f2f72b499c8003f297b8e760a80ed7fd5de545467594f4ed1c9de166228b61fb29f2c6a8bdf387c98f7f47e1c058b64a1aa2e7f718606969e083069e26c775c40c0d79da746b52b9fae8ea3359b9bb18dd291a14dfd36a37277a9da0dacffffc22c4faf009ff33e93e17ba1cc742cfce2743d30c0c5581303db96060ce02ece19ee81ddc852ce0a18d966d95ac17a4713ea16741b6281d2ce3b615e5b7e5a2f6256d86e320acf9f8314f8e629b9833376d6af735523e90feb03b5fc5b852a9e06ea0479a279e97aea24a9e531939ec357ec659de3ae0aaf533f06abda0821812dea18c4570ca2bd62e959145995a5c240049bd23b30ceca43df5b9e1d1b1825a38eea3fba1ab483a8c5dffa065223fd3d3fe4990db1446a3852e8a554b09ab38b2ab63a008d1fdad48e273d812bcc26ca516fad09ac05e38383a2b718e553aac42197a1f0d4220e7ab5d8c6880524ca1c0d488d02321fb901309007b4937afa9df486022abf4f6c2363bf8513c34bbc586e43ae19f4b90fe5461024b159c34176aa94b8d4cb69d2326c83af1d6b805cdda1d6240183a2f1b41cd3a993a0aa9d1d77eb8c4aff7b8c980105ed55df6ce7a9a02c50f6381efb564e9fc5bd8d2619a68c37cf9c78df91e87d5fa2cf816ae9dab068fc86dc741cda14e84e3dac26ebcfb
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber611fb0a400000000001d
    Version3

    Imports

    Expand
    • ntoskrnl.exe
    • HAL.dll

    Imported Functions

    Expand
    • KeInitializeEvent
    • KeSetEvent
    • KeWaitForSingleObject
    • KeBugCheckEx
    • ExAllocatePool
    • ExAllocatePoolWithTag
    • ExFreePoolWithTag
    • MmBuildMdlForNonPagedPool
    • PsCreateSystemThread
    • PsTerminateSystemThread
    • IoAllocateIrp
    • IoAllocateMdl
    • IofCompleteRequest
    • IoCreateDevice
    • IoCreateFile
    • IoCreateSymbolicLink
    • IoDeleteDevice
    • RtlInitUnicodeString
    • ObReferenceObjectByHandle
    • ObCloseHandle
    • ObfReferenceObject
    • ObfDereferenceObject
    • ObRegisterCallbacks
    • ObUnRegisterCallbacks
    • IoGetFileObjectGenericMapping
    • ZwTerminateProcess
    • PsLookupProcessByProcessId
    • ObOpenObjectByPointer
    • ObQueryNameString
    • _vsnwprintf
    • ObSetHandleAttributes
    • ObCreateObject
    • SeCreateAccessState
    • __C_specific_handler
    • __chkstk
    • IoFileObjectType
    • PsProcessType
    • PsThreadType
    • IoFreeIrp
    • wcsrchr
    • HalReturnToFirmware

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • INIT
    • .reloc

    Signature

    Expand
    {
  "Certificates": [
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "1cb2d523a6bf7a066642c578de1c9be4",
      "Signature": "453f89c72c0f43e9a0bea7aee4cc94137f22b1eed4c9970976ba0a64af4f248e9ed746472c54431e740ade4be5d3cf00a1b0e2138a54a137e2c5ca5d1485acfd4ce5deaf6bb98c4da4b98ed3f68123044bafa8fca57eecbe17acf2299a4c79ed76673280a7f930381406ecce5afad5aa28af71d68f48fff2b8f5944687e941ed507bfbe4b9b1a5075aa9493c083cabcad2e564e52fed0427eebce1880094f83c8a049638b826dbc9ab313354e9fc7938e6c57ad7450514abec83f28229b6ff7a208e6b3e9b059f2c439e2ecb0e143858a7748bcfc7750111a5a7dbb30f32906cafabd4f23c80f3752296e54b3aebef6b381ad065e070a271876ee77bad0d42e0",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=CN, ST=Guangdong, L=Shenzhen, O=Shenzhen Huanan Xingfa Electronic Equipment Firm, CN=Shenzhen Huanan Xingfa Electronic Equipment Firm",
      "TBS": {
        "MD5": "65742dda29af02ee39af8b3c11f7469b",
        "SHA1": "521f7a1f51ac74d4f29c599aa9dff8d466158438",
        "SHA256": "33a7dcdd20164cdfa97f1af890a17ec28047093c116185a42dbcb77ceaabc769",
        "SHA384": "c6ee18c1175e124cc37ceeb72251230868f8fe48e2052a1984b6b1b0975039de150f9a7cad5969f44d504ec0357ec8b1"
      },
      "ValidFrom": "2013-07-10 00:00:00",
      "ValidTo": "2014-07-10 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "47974d7873a5bcab0d2fb370192fce5e",
      "Signature": "56fe535ce1c79ebca7ed7e536d6a144b518c405e805faaa4e82fef38c804c9ca3ecfdf3a584eb0d4b663c52957fa02059a454d68db2a1bd4343d9f00c35acb9549a56ee1b0c5fc414d414a6fd377c8d7388de419de18f31f1565836d450c53f90a9a2ea55dbf6f32811892196a5500ad631c52067e55d92968ae4a7c189a79886b2323d827382a298776cafbc7b662231fed7a564cdd9c325bf53d0c4618953b2a2368836441d9006d0f1924156872bdc571676eac4cdb90eb51a51a6207d0be6a00473c722fec4f613e7385ce5a0ab7bac01c1375e3223928dd6d1d09469d4fbae8408191c6a4ce94721b01cf2a6e15679589ae7db7b7cdf90a3d75b66b3c25",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2",
      "TBS": {
        "MD5": "e3a93dc2a8a8a668fdbb286bfe9afab5",
        "SHA1": "95795d2aa2a554a423bc8c6e5b0a016d14887d35",
        "SHA256": "d8844186775bddbccaf3dc017064df7d760fd4b85c5d07561a3efd7da950f89e",
        "SHA384": "78d972495720b43a6470b18ae1226bcca20707628087717a9364c14ca053ba264e6d149718b103542d9942200138a69d"
      },
      "ValidFrom": "2010-02-08 00:00:00",
      "ValidTo": "2020-02-07 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "611fb0a400000000001d",
      "Signature": "2dcc71b5e8ba94ff5ee64467007b6afc412c3ee70e41855ab12a932ba95b89f2f72b499c8003f297b8e760a80ed7fd5de545467594f4ed1c9de166228b61fb29f2c6a8bdf387c98f7f47e1c058b64a1aa2e7f718606969e083069e26c775c40c0d79da746b52b9fae8ea3359b9bb18dd291a14dfd36a37277a9da0dacffffc22c4faf009ff33e93e17ba1cc742cfce2743d30c0c5581303db96060ce02ece19ee81ddc852ce0a18d966d95ac17a4713ea16741b6281d2ce3b615e5b7e5a2f6256d86e320acf9f8314f8e629b9833376d6af735523e90feb03b5fc5b852a9e06ea0479a279e97aea24a9e531939ec357ec659de3ae0aaf533f06abda0821812dea18c4570ca2bd62e959145995a5c240049bd23b30ceca43df5b9e1d1b1825a38eea3fba1ab483a8c5dffa065223fd3d3fe4990db1446a3852e8a554b09ab38b2ab63a008d1fdad48e273d812bcc26ca516fad09ac05e38383a2b718e553aac42197a1f0d4220e7ab5d8c6880524ca1c0d488d02321fb901309007b4937afa9df486022abf4f6c2363bf8513c34bbc586e43ae19f4b90fe5461024b159c34176aa94b8d4cb69d2326c83af1d6b805cdda1d6240183a2f1b41cd3a993a0aa9d1d77eb8c4aff7b8c980105ed55df6ce7a9a02c50f6381efb564e9fc5bd8d2619a68c37cf9c78df91e87d5fa2cf816ae9dab068fc86dc741cda14e84e3dac26ebcfb",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. , For authorized use only, CN=thawte Primary Root CA",
      "TBS": {
        "MD5": "a3f222107d4e1085e73b5b589c2f480b",
        "SHA1": "b94aa26cd77c48d91a53ac44506cbd255e1d362c",
        "SHA256": "a39ed0d6fd4eb1a6f7fed60f726e23eae668b7591bc004644625d22c701213fa",
        "SHA384": "64b7643e4146016cbf83c911eb67e4601b6bb8d66f8ee8dcee67b815f91770d86ab23678b984430f22a963e5484881b7"
      },
      "ValidFrom": "2011-02-22 19:31:57",
      "ValidTo": "2021-02-22 19:41:57",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2",
      "SerialNumber": "1cb2d523a6bf7a066642c578de1c9be4",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

    source

    last_updated: 2025-01-29