f8bddc8b-49b9-41f7-a877-d15ec3f174f9

daxin_blank4.sys :inline :inline

Description

Driver used in the Daxin malware campaign.

  • UUID: f8bddc8b-49b9-41f7-a877-d15ec3f174f9
  • Created: 2023-02-28
  • Author: Michael Haag
  • Acknowledgement: |

DownloadBlock

This download link contains the malicious driver!

Commands

sc.exe create daxin_blank4.sys binPath=C:\windows\temp\daxin_blank4.sys     type=kernel && sc.exe start daxin_blank4.sys
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48
  • https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage

    • Known Vulnerable Samples

    PropertyValue
    Filenamedaxin_blank4.sys
    Creation Timestamp2010-04-20 02:42:35
    MD5491aec2249ad8e2020f9f9b559ab68a8
    SHA18692274681e8d10c26ddf2b993f31974b04f5bf0
    SHA2568dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e
    Authentihash MD5f66f4d6b97b9e7b0e467daed2ed69bed
    Authentihash SHA1c8f227b45d27c43db4b661ef610efbfacfda8a75
    Authentihash SHA25615b081ec83a89182b5bb0a642d56513f40810b5b0a42e904ab6d3fa8f34c0446
    RichPEHeaderHash MD51381b25bf0ced4095e632696cc69b688
    RichPEHeaderHash SHA1430cd24c4929262cae66fffe4f3aea3e2f1a7d4e
    RichPEHeaderHash SHA2568fa76d4c6994c56e80ca822d3f346cbd3934333a2dfa1ea7c7800023b27efe04
    Publishern/a

    Download

    Imports

    Expand
    • NTOSKRNL.EXE
    • HAL.DLL
    • ntoskrnl.exe
    • NDIS.SYS

    Imported Functions

    Expand
    • strlen
    • IoFreeMdl
    • MmMapLockedPagesSpecifyCache
    • ZwClose
    • IofCompleteRequest
    • KeResetEvent
    • InterlockedIncrement
    • KeSetEvent
    • InterlockedDecrement
    • RtlUnicodeStringToInteger
    • RtlInitUnicodeString
    • KeInitializeEvent
    • wcsncmp
    • wcscat
    • wcslen
    • wcscpy
    • MmBuildMdlForNonPagedPool
    • IoAllocateMdl
    • strncmp
    • MmMapLockedPages
    • MmProbeAndLockPages
    • MmUnlockPages
    • MmUnmapLockedPages
    • RtlFreeUnicodeString
    • ZwWriteFile
    • ZwCreateFile
    • RtlAnsiStringToUnicodeString
    • strcat
    • ZwReadFile
    • ZwQueryInformationFile
    • _wcsnicmp
    • strcmp
    • _stricmp
    • MmGetSystemRoutineAddress
    • ZwQueryValueKey
    • ZwOpenKey
    • IoCreateFile
    • KeWaitForMultipleObjects
    • strcpy
    • RtlUnwind
    • vsprintf
    • KeWaitForSingleObject
    • KeDelayExecutionThread
    • PsTerminateSystemThread
    • PsCreateSystemThread
    • ObReferenceObjectByHandle
    • ExFreePool
    • KeInitializeSpinLock
    • KeTickCount
    • memset
    • memcpy
    • RtlCompareUnicodeString
    • ExAllocatePoolWithTag
    • KfAcquireSpinLock
    • KfReleaseSpinLock
    • PsGetVersion
    • ZwTerminateProcess
    • ZwOpenProcess
    • RtlSetDaclSecurityDescriptor
    • RtlAddAccessAllowedAce
    • RtlCreateAcl
    • RtlLengthSid
    • RtlCreateSecurityDescriptor
    • ZwWaitForSingleObject
    • NtFsControlFile
    • NtWriteFile
    • NtReadFile
    • RtlLengthRequiredSid
    • RtlImageDirectoryEntryToData
    • ZwQueryInformationProcess
    • ZwQuerySystemInformation
    • PsLookupProcessByProcessId
    • KeAttachProcess
    • KeDetachProcess
    • PsLookupThreadByThreadId
    • KeInitializeApc
    • KeInsertQueueApc
    • ZwOpenFile
    • ZwDeviceIoControlFile
    • PsThreadType
    • NtQuerySystemInformation
    • NdisAllocateMemory
    • NdisAllocatePacket
    • NdisCopyFromPacketToPacket
    • NdisFreePacket
    • NdisAllocateBuffer
    • NdisDeregisterProtocol
    • NdisRegisterProtocol
    • NdisAllocateBufferPool
    • NdisAllocatePacketPool
    • NdisFreeBufferPool
    • NdisFreePacketPool
    • NdisFreeMemory

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • INIT
    • .vmp0
    • .vmp1
    • .reloc

    Signature

    Expand

    source

    last_updated: 2024-09-26