de62baae-872d-4e9a-b6d9-b0ac99854c66

Chaos-Rootkit.sys

Description

Chaos-Rootkit is a x64 ring0 rootkit with process hiding, privilege escalation, and capabilities for protecting and unprotecting processes and ability to restrict access to files except for whitelisted process work seamlessly on the latest Windows versions.

UUID: de62baae-872d-4e9a-b6d9-b0ac99854c66
Created: 2024-06-20
Author: goosvorbook
Acknowledgement: |

Download

This download link contains the vulnerable driver!

Commands

sc.exe create Chaos-Rootkit.sys binPath=C:\windows\temp\Chaos-Rootkit.sys type=kernel &amp;&amp; sc.exe start Chaos-Rootkit.sys

Use Case	Privileges	Operating System
Elevate privileges	kernel	Windows 11

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed driver files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources

https://github.com/ZeroMemoryEx/Chaos-Rootkit

Known Vulnerable Samples

Property	Value
Filename
Creation Timestamp	2024-02-24 04:54:46
MD5	443e8d915c04c370b7c31bb5f11ebab7
SHA1	c3f8b7f0995073abb58c2aec1b6062f89fe838a0
SHA256	bdc73f752c1353d41e877d8bf42a1c53f0bba7d6f52348aaef60e06f4d3087d0
Authentihash MD5	cec49dd8b1dbb091e3d6f8134cee5bdc
Authentihash SHA1	a4b5442d906715caaadc011d0c2fa44cd894dbfe
Authentihash SHA256	23be3616a4fb4e620f971e4348dc46b7980abca6463be3cb4b83769a955f2810
RichPEHeaderHash MD5	ae12000e18da8fac0c57ef3d7cd3236e
RichPEHeaderHash SHA1	803fe53650c7d62f0652d87117cab64e01934e73
RichPEHeaderHash SHA256	329187edf745b2d770774d2c1698151b8e63215b7bc7f56dceb4b2894efe0501

Download

Certificates

Expand

Certificate 13d597c6ebaaaf994d4463d3387c0dd2

Field	Value
ToBeSigned (TBS) MD5	6b552c6f192fd7c811a7f292b41dd282
ToBeSigned (TBS) SHA1	fbd054373b922c03cad87c948c29ed2ed0883910
ToBeSigned (TBS) SHA256	e9098f46ff7e02093422a6e4745f420d41fc08c66a95b6f62f09b44297bf35af
Subject	CN=WDKTestCert anash,133231280654008727
ValidFrom	2023-03-12 20:54:25
ValidTo	2033-03-12 00:00:00
Signature	2877c0544f97abe3532296be49983e1e9b7f4c99ef327222c4b2b6d70194c8d97db7140a51dc6a18a009549aabe1bcb8c95d089917b9fed893b52f0518b649680aab7fdb5af9098de934aede339cee3d3c271ffc25c8d1b188fee3ff9a8b6591ac9f6e21934467db0d7d6595edcc98f3bbaf303202fab533ae82372da8d8b8dee1dcb80312e8ebe140ea9edfac35bf59e909b49edad358761784ffafb590665a6426e9b3fae943864a0484002555a654647e1495e92d9e8dafd00b0e36e30a921ec424e2d4a70d579879bdaaab9bc21824479b905e710ae1269e3fc3695c50811805f163e23590e53c173a79adda0fe1deb674f34fc0adf3cbcf93a4955907f7
SignatureAlgorithmOID	1.2.840.113549.1.1.5
IsCertificateAuthority	True
SerialNumber	13d597c6ebaaaf994d4463d3387c0dd2
Version	3

Imports

Expand

FLTMGR.SYS
ntoskrnl.exe
WDFLDR.SYS

Imported Functions

Expand

FltGetRequestorProcessId
KeWaitForSingleObject
ExInitializePushLock
ExAcquirePushLockExclusiveEx
ExReleasePushLockExclusiveEx
MmProbeAndLockPages
MmUnlockPages
MmProtectMdlSystemAddress
MmMapLockedPagesSpecifyCache
MmUnmapLockedPages
IoAllocateMdl
IofCompleteRequest
KeReleaseMutex
IoCreateSymbolicLink
IoDeleteDevice
IoDeleteSymbolicLink
IoFreeMdl
ObfDereferenceObject
NtCreateFile
PsReferencePrimaryToken
PsLookupProcessByProcessId
PsGetProcessImageFileName
__C_specific_handler
wcsstr
RtlCopyUnicodeString
DbgPrintEx
KeInitializeMutex
RtlGetVersion
DbgPrint
MmGetSystemRoutineAddress
IoCreateDevice
WdfVersionBindClass
WdfVersionUnbind
WdfLdrQueryInterface
WdfVersionBind
WdfVersionUnbindClass

Exported Functions

Expand

Sections

Expand

.text
.rdata
.data
.pdata
INIT
.reloc

Signature

Expand

{
  "Certificates": [
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "13d597c6ebaaaf994d4463d3387c0dd2",
      "Signature": "2877c0544f97abe3532296be49983e1e9b7f4c99ef327222c4b2b6d70194c8d97db7140a51dc6a18a009549aabe1bcb8c95d089917b9fed893b52f0518b649680aab7fdb5af9098de934aede339cee3d3c271ffc25c8d1b188fee3ff9a8b6591ac9f6e21934467db0d7d6595edcc98f3bbaf303202fab533ae82372da8d8b8dee1dcb80312e8ebe140ea9edfac35bf59e909b49edad358761784ffafb590665a6426e9b3fae943864a0484002555a654647e1495e92d9e8dafd00b0e36e30a921ec424e2d4a70d579879bdaaab9bc21824479b905e710ae1269e3fc3695c50811805f163e23590e53c173a79adda0fe1deb674f34fc0adf3cbcf93a4955907f7",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "CN=WDKTestCert anash,133231280654008727",
      "TBS": {
        "MD5": "6b552c6f192fd7c811a7f292b41dd282",
        "SHA1": "fbd054373b922c03cad87c948c29ed2ed0883910",
        "SHA256": "e9098f46ff7e02093422a6e4745f420d41fc08c66a95b6f62f09b44297bf35af",
        "SHA384": "4b008e59d2ea4c49427250d7da08075c183e7759d91b9defaf47873d9dab76f2b9e17cd95aeee7ca99ea0967a3ceeb0f"
      },
      "ValidFrom": "2023-03-12 20:54:25",
      "ValidTo": "2033-03-12 00:00:00",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "CN=WDKTestCert anash,133231280654008727",
      "SerialNumber": "13d597c6ebaaaf994d4463d3387c0dd2",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

source

last_updated: 2024-09-01