eef1fcf4-8c54-420b-8d38-9c5f95129dcc

ntbios.sys :inline :inline

Description

Driver used in the Daxin malware campaign.

  • UUID: eef1fcf4-8c54-420b-8d38-9c5f95129dcc
  • Created: 2023-02-28
  • Author: Michael Haag
  • Acknowledgement: |

DownloadBlock

This download link contains the malicious driver!

Commands

sc.exe create ntbios.sys binPath=C:\windows\temp \n \n \n  tbios.sys type=kernel && sc.exe start ntbios.sys
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48
  • https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage

    • Known Vulnerable Samples

    PropertyValue
    Filenamentbios.sys
    Creation Timestamp2009-11-19 03:26:14
    MD514580bd59c55185115fd3abe73b016a2
    SHA171469dce9c2f38d0e0243a289f915131bf6dd2a8
    SHA25696bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc
    Authentihash MD5dd3f6fe14dadb95f5d8c963006dec9d7
    Authentihash SHA12374491565e5798dccd4db2dc2af7e9bbefafd5b
    Authentihash SHA25650f9323eaf7c49cfca5890c6c46d729574d0caca89f7acc9f608c8226f54a975
    RichPEHeaderHash MD5ebd225fe8cf34907033d6b6123047339
    RichPEHeaderHash SHA1642936e6d95c6231c8427a1c7a76dd99910fc635
    RichPEHeaderHash SHA256b04e0a7d507b0838174bb9df686e4ce60c5b81e183867441ed5951a5d3555510
    Publishern/a
    CompanyMicrosoft Corporation
    Descriptionntbios driver
    ProductMicrosoft(R) Windows (R) NT Operating System
    OriginalFilenamentbios.sys

    Download

    Imports

    Expand
    • NTOSKRNL.EXE
    • HAL.DLL
    • ntoskrnl.exe
    • NDIS.SYS

    Imported Functions

    Expand
    • MmUnlockPages
    • MmProbeAndLockPages
    • IoAllocateMdl
    • IoQueueWorkItem
    • IoAllocateWorkItem
    • IoGetCurrentProcess
    • _stricmp
    • IoFreeWorkItem
    • RtlFreeUnicodeString
    • ZwClose
    • ZwWriteFile
    • ZwCreateFile
    • RtlAnsiStringToUnicodeString
    • _strnicmp
    • RtlUnwind
    • RtlCopyUnicodeString
    • wcsncmp
    • swprintf
    • IoCreateDevice
    • IoCreateSymbolicLink
    • KeInitializeSpinLock
    • ExfInterlockedInsertTailList
    • RtlInitUnicodeString
    • MmMapLockedPagesSpecifyCache
    • IoFreeMdl
    • InterlockedDecrement
    • InterlockedIncrement
    • InterlockedExchange
    • IoDeleteSymbolicLink
    • IoDeleteDevice
    • ExfInterlockedRemoveHeadList
    • IofCompleteRequest
    • ExAllocatePoolWithTag
    • strncmp
    • ExFreePool
    • KfAcquireSpinLock
    • KfReleaseSpinLock
    • KeInitializeApc
    • KeInsertQueueApc
    • KeAttachProcess
    • KeDetachProcess
    • NtQuerySystemInformation
    • NdisAllocatePacket
    • NdisCopyFromPacketToPacket
    • NdisAllocateMemory
    • NdisFreePacket
    • NdisAllocateBuffer
    • NdisSetEvent
    • NdisResetEvent
    • NdisFreeBufferPool
    • NdisFreePacketPool
    • NdisFreeMemory
    • NdisWaitEvent
    • NdisQueryAdapterInstanceName
    • NdisOpenAdapter
    • NdisInitializeEvent
    • NdisAllocatePacketPool
    • NdisRegisterProtocol
    • NdisAllocateBufferPool
    • NdisCloseAdapter
    • NdisDeregisterProtocol

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • INIT
    • .rsrc
    • .reloc

    Signature

    Expand

    source

    last_updated: 2024-09-26