11a73c42-26aa-446b-8560-43eecb265091

driver_e1123b59.sys :inline :inline

Description

Sophos, from time to time, has observed a threat actor deploy variants of Poortry on different machines within a single estate during an attack. These variants contain the same payload, but signed with a different certificate than the driver first seen used during the attack.

  • UUID: 11a73c42-26aa-446b-8560-43eecb265091
  • Created: 2024-09-10
  • Author: Michael Haag
  • Acknowledgement: |

DownloadBlock

This download link contains the malicious driver!

Commands

sc.exe create driver_d9f15d91.sys binPath=C:\windows\temp\driver_d9f15d91.sys type=kernel && sc.exe start driver_d9f15d91.sys
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://news.sophos.com/en-us/2024/08/27/burnt-cigar-2/

  • Known Vulnerable Samples

    PropertyValue
    Filename
    Creation Timestamp2022-07-06 07:22:49
    MD5d96cbcec39b96ba813e317958d74d1b9
    SHA123d66b87c8ea22e08db1c010ec5e5499cb94ffc0
    SHA256e1123b59a801e243a64270d0c6ab1277e5e3afba9c19023807409f53c1b0204b
    Authentihash MD520c4b0fa2c72cbcb23c60dce08b27d0f
    Authentihash SHA18edab5d7b94f551309a25f49687534ce1ba036b0
    Authentihash SHA2564eaf2205cdd189cc96806bd5364a505f77ad5dbb622558cd374044965fd20658
    RichPEHeaderHash MD5f8484906a3ebec0fafbfa931dfc1578c
    RichPEHeaderHash SHA1e245729db89dac7c356ef3b6bbb5d97bd813523d
    RichPEHeaderHash SHA256dc5f0dbcc936d7587ccc207bec1d51db96cb77d8e8ada62d1b77d06c1e0e3103
    Company湖北盾网网络科技有限公司
    Description客户端加载驱动
    Product盾网主动防御系统
    OriginalFilenamedwadsafeload.sys

    Download

    Certificates

    Expand
    Certificate 47c30ffefc22bb280f96fea75251
    FieldValue
    ToBeSigned (TBS) MD5729cf4baceff4ef7aa199ad4f4ebed3d
    ToBeSigned (TBS) SHA1f478f0e790d5c8ec6056a3ab2567404a991d2837
    ToBeSigned (TBS) SHA256c3c88c2a500cb5a97abca837193a5bd382f6eb3aeb0008edbce65ea2a3dbfd5c
    SubjectC=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G3
    ValidFrom2016-03-16 00:00:00
    ValidTo2024-03-16 00:00:00
    Signature3b41bbc84f561182b719e3d96dc185ae9e690ec84326234b8d44c8e87d5f070e5341d563444a890bb874ac7db578792f8426e2d7f7bad1ae2dfd69cffa7c64dc24162a4adac097a9bbd5dd88e7a1929a0aa5f6f7bace85d6e4e3d455deeddc3e211f1bc87788cffc65fb05b48f12a630d30d66982f6c2e6f85187c8ff5f6fbb1ab10e183270885b07321ba5d2cba8330b73984dd5db67fd28bb455534c42a2bc4a6c78395b631ca37827bfbe34836b6d7b1e60fbc29b0d88ac8c72546bdc3b88ba81525e689783b8ce7fa3cdf9ea2f2676facd0b06ac4344497bf64c9442b2abcfd542d51942696e618664c7b37d078bdbe5767b6e5f65a91690a2cee4ae6492
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber47c30ffefc22bb280f96fea75251
    Version3
    Certificate 7595d72f16ab2f8a1961f5c6
    FieldValue
    ToBeSigned (TBS) MD5d0d8ec83d250b150803ea3804a9943ee
    ToBeSigned (TBS) SHA147af16721f241af735aa231f6555269b1e749173
    ToBeSigned (TBS) SHA25623d457a285af4f77f0177f4cef6937113bb97dd58039701f41bc0ee8046fdb0b
    SubjectC=HK, ST=Kowloon, L=Mongkok, O=EVANGEL TECHNOLOGY (HK) LIMITED, CN=EVANGEL TECHNOLOGY (HK) LIMITED
    ValidFrom2016-10-31 09:08:30
    ValidTo2017-11-01 09:08:30
    Signature490dffced6c24c4a22c71f545a9a13a11b353b1cc4ddd343b4ce20c61e2d3eb7206c8a8a7e7570591d1be650d2ef0924d918ec0dcc269e84b9eed9aafbd8fdc176b023165f4e5071b2060f07b58a8847dcc1ae965e14e531b878873c6e186e549a1b8718c9f7237d5ac0579b21b1f9154ff97c2c07b7e8a6f0f999b87dca091e296baa8204f4d168c63fa01f28879dfb2e72456e6e416194264e3a0bb6cd7a4a1dd1b898c7ce7b1ddabd51d05d17fbec9ebffa3f0ebe8d168cfe254ba4174dc47d03d0596b4ad6e4b3a4c59df934dda305c10f51576d2f6d659cf610ab41c464d523ac6c9b1d7c76168148a8e7e561a89e80ffc81bfdbcff336bf8867e4d956b
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber7595d72f16ab2f8a1961f5c6
    Version3
    Certificate 6129152700000000002a
    FieldValue
    ToBeSigned (TBS) MD50bb058d116f02817737920f112d9fd3b
    ToBeSigned (TBS) SHA1fd116235171a4feafedee586b7a59185fb5fd7e6
    ToBeSigned (TBS) SHA256f970426cc46d2ae0fc5f899fa19dbe76e05f07e525654c60c3c9399492c291f4
    SubjectC=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA
    ValidFrom2011-04-15 19:55:08
    ValidTo2021-04-15 20:05:08
    Signature5ff8d065746a81c6a6ca5b03b6914ae84bbdef2ba142f0efb4a5adcd3389ec0b9585ac62501108aa58d25aa08310e5a6337af25af2c5fe787cf09c83df190ad97396002dd62ccde914d41d9de83f3c1a76f7904efb01350a6c9313a0c356eb67a0e4d17a96dec267f190f80a7bf5321b94ec5f751f8d1b34da6c58a7cb2d279e2226b7c9aa30cc0777b836e38201b5393ccc8dd9a75f7f23b3877fdb5798918bd7ce2520e39d644fdd87f72b68490318e0a5df7c5f68644d36838d4781f2e9e0a869abfa7b163c05a449ea8830190a6c73055178dfd41ddd3ad47f2de44e54be83431e7a7433b4a4ebd77073bc2a02988966eef6bc8f749378e329025a5a43e258ce7ccf9acad236893be25fda26054ec8d4e72c910e1797c5beee8b13112323294ffa83d050f6bafad53db3173df4ff034aa325dce67561d1fa35086bd62744d068b78d45e0eb852cc8a15d614474160e5958aed2b5eea5bcd6d7076ab62978fd976767dd8d4f17944fd2ed0caf972437c3a29c81da6be143b6577b4cecbf791319e79fe844e94781b75e701e91f83dd17b27f50b7056434805dda92fab86101d0b12e31ad04c6e75ded645b30b748887935c564a41029af7aeb799d8b67f88fa11f2457cf4d71b91c01cf1a0fbd4080a411a142acef4eb34486e66879ed54b7a397fbb0e3d3861cf735706e412066bd96b5308cd7018c22d4f974691bca9f0
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber6129152700000000002a
    Version3

    Imports

    Expand
    • ksecdd.sys
    • NETIO.SYS
    • ntoskrnl.exe
    • WDFLDR.SYS

    Imported Functions

    Expand
    • BCryptDestroyKey
    • BCryptDecrypt
    • BCryptGenerateSymmetricKey
    • BCryptCloseAlgorithmProvider
    • BCryptOpenAlgorithmProvider
    • WskQueryProviderCharacteristics
    • WskCaptureProviderNPI
    • WskReleaseProviderNPI
    • WskDeregister
    • WskRegister
    • RtlCheckRegistryKey
    • RtlAnsiStringToUnicodeString
    • RtlCopyUnicodeString
    • RtlFreeUnicodeString
    • RtlTimeToTimeFields
    • KeInitializeEvent
    • KeSetEvent
    • KeDelayExecutionThread
    • KeWaitForSingleObject
    • KeQueryTimeIncrement
    • ExAllocatePool
    • ExAllocatePoolWithTag
    • ExFreePoolWithTag
    • ExAcquireFastMutex
    • ExReleaseFastMutex
    • ExQueryDepthSList
    • ExpInterlockedPopEntrySList
    • ExpInterlockedPushEntrySList
    • ExInitializeNPagedLookasideList
    • ExDeleteNPagedLookasideList
    • ExQueueWorkItem
    • ExSystemTimeToLocalTime
    • MmProbeAndLockPages
    • MmUnlockPages
    • MmBuildMdlForNonPagedPool
    • PsCreateSystemThread
    • PsTerminateSystemThread
    • IoAllocateIrp
    • IoAllocateMdl
    • IofCallDriver
    • RtlWriteRegistryValue
    • IoCreateFile
    • IoFreeIrp
    • IoFreeMdl
    • ObReferenceObjectByHandle
    • ObfDereferenceObject
    • ZwCreateFile
    • ZwLoadDriver
    • ZwUnloadDriver
    • ZwQueryInformationFile
    • ZwWriteFile
    • ZwClose
    • ZwCreateKey
    • ZwOpenKey
    • ZwQueryValueKey
    • ZwSetValueKey
    • RtlInitializeGenericTableAvl
    • RtlInsertElementGenericTableAvl
    • RtlDeleteElementGenericTableAvl
    • RtlLookupElementGenericTableAvl
    • RtlGetElementGenericTableAvl
    • PsGetCurrentThreadId
    • IoGetFileObjectGenericMapping
    • MmFlushImageSection
    • ObInsertObject
    • ZwWaitForSingleObject
    • sprintf_s
    • swprintf_s
    • ObCreateObject
    • SeCreateAccessState
    • __C_specific_handler
    • IoFileObjectType
    • RtlUnicodeToMultiByteN
    • RtlAnsiCharToUnicodeChar
    • KeBugCheckEx
    • RtlCreateRegistryKey
    • RtlInitUnicodeString
    • RtlInitAnsiString
    • wcscpy_s
    • IoCancelIrp
    • WdfVersionBind
    • WdfVersionBindClass
    • WdfVersionUnbind
    • WdfVersionUnbindClass

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • INIT
    • .rsrc
    • .reloc

    Signature

    Expand
    {
      "Certificates": [
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "47c30ffefc22bb280f96fea75251",
          "Signature": "3b41bbc84f561182b719e3d96dc185ae9e690ec84326234b8d44c8e87d5f070e5341d563444a890bb874ac7db578792f8426e2d7f7bad1ae2dfd69cffa7c64dc24162a4adac097a9bbd5dd88e7a1929a0aa5f6f7bace85d6e4e3d455deeddc3e211f1bc87788cffc65fb05b48f12a630d30d66982f6c2e6f85187c8ff5f6fbb1ab10e183270885b07321ba5d2cba8330b73984dd5db67fd28bb455534c42a2bc4a6c78395b631ca37827bfbe34836b6d7b1e60fbc29b0d88ac8c72546bdc3b88ba81525e689783b8ce7fa3cdf9ea2f2676facd0b06ac4344497bf64c9442b2abcfd542d51942696e618664c7b37d078bdbe5767b6e5f65a91690a2cee4ae6492",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G3",
          "TBS": {
            "MD5": "729cf4baceff4ef7aa199ad4f4ebed3d",
            "SHA1": "f478f0e790d5c8ec6056a3ab2567404a991d2837",
            "SHA256": "c3c88c2a500cb5a97abca837193a5bd382f6eb3aeb0008edbce65ea2a3dbfd5c",
            "SHA384": "e62bbb1ba1ad3df59f2c7265df5576af6b5d4a7473b74985a9d956975fdfc517ffbdd2172b0e3ea36befcb6a9026c872"
          },
          "ValidFrom": "2016-03-16 00:00:00",
          "ValidTo": "2024-03-16 00:00:00",
          "Version": 3
        },
        {
          "IsCertificateAuthority": false,
          "SerialNumber": "7595d72f16ab2f8a1961f5c6",
          "Signature": "490dffced6c24c4a22c71f545a9a13a11b353b1cc4ddd343b4ce20c61e2d3eb7206c8a8a7e7570591d1be650d2ef0924d918ec0dcc269e84b9eed9aafbd8fdc176b023165f4e5071b2060f07b58a8847dcc1ae965e14e531b878873c6e186e549a1b8718c9f7237d5ac0579b21b1f9154ff97c2c07b7e8a6f0f999b87dca091e296baa8204f4d168c63fa01f28879dfb2e72456e6e416194264e3a0bb6cd7a4a1dd1b898c7ce7b1ddabd51d05d17fbec9ebffa3f0ebe8d168cfe254ba4174dc47d03d0596b4ad6e4b3a4c59df934dda305c10f51576d2f6d659cf610ab41c464d523ac6c9b1d7c76168148a8e7e561a89e80ffc81bfdbcff336bf8867e4d956b",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=HK, ST=Kowloon, L=Mongkok, O=EVANGEL TECHNOLOGY (HK) LIMITED, CN=EVANGEL TECHNOLOGY (HK) LIMITED",
          "TBS": {
            "MD5": "d0d8ec83d250b150803ea3804a9943ee",
            "SHA1": "47af16721f241af735aa231f6555269b1e749173",
            "SHA256": "23d457a285af4f77f0177f4cef6937113bb97dd58039701f41bc0ee8046fdb0b",
            "SHA384": "42a42ea9c25ef0bcd4cb4541e177192fa1b13561055c2b79f2bd1685a7a7072c5a2e5e449ea07f01cf05e8f172802c59"
          },
          "ValidFrom": "2016-10-31 09:08:30",
          "ValidTo": "2017-11-01 09:08:30",
          "Version": 3
        },
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "6129152700000000002a",
          "Signature": "5ff8d065746a81c6a6ca5b03b6914ae84bbdef2ba142f0efb4a5adcd3389ec0b9585ac62501108aa58d25aa08310e5a6337af25af2c5fe787cf09c83df190ad97396002dd62ccde914d41d9de83f3c1a76f7904efb01350a6c9313a0c356eb67a0e4d17a96dec267f190f80a7bf5321b94ec5f751f8d1b34da6c58a7cb2d279e2226b7c9aa30cc0777b836e38201b5393ccc8dd9a75f7f23b3877fdb5798918bd7ce2520e39d644fdd87f72b68490318e0a5df7c5f68644d36838d4781f2e9e0a869abfa7b163c05a449ea8830190a6c73055178dfd41ddd3ad47f2de44e54be83431e7a7433b4a4ebd77073bc2a02988966eef6bc8f749378e329025a5a43e258ce7ccf9acad236893be25fda26054ec8d4e72c910e1797c5beee8b13112323294ffa83d050f6bafad53db3173df4ff034aa325dce67561d1fa35086bd62744d068b78d45e0eb852cc8a15d614474160e5958aed2b5eea5bcd6d7076ab62978fd976767dd8d4f17944fd2ed0caf972437c3a29c81da6be143b6577b4cecbf791319e79fe844e94781b75e701e91f83dd17b27f50b7056434805dda92fab86101d0b12e31ad04c6e75ded645b30b748887935c564a41029af7aeb799d8b67f88fa11f2457cf4d71b91c01cf1a0fbd4080a411a142acef4eb34486e66879ed54b7a397fbb0e3d3861cf735706e412066bd96b5308cd7018c22d4f974691bca9f0",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA",
          "TBS": {
            "MD5": "0bb058d116f02817737920f112d9fd3b",
            "SHA1": "fd116235171a4feafedee586b7a59185fb5fd7e6",
            "SHA256": "f970426cc46d2ae0fc5f899fa19dbe76e05f07e525654c60c3c9399492c291f4",
            "SHA384": "c0df876be008c26ca407fe904e6f5e7ccded17f9c16830ce9f8022309c9e64c97f494810f152811ae43e223b82ad7cc6"
          },
          "ValidFrom": "2011-04-15 19:55:08",
          "ValidTo": "2021-04-15 20:05:08",
          "Version": 3
        }
      ],
      "CertificatesInfo": "",
      "Signer": [
        {
          "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G3",
          "SerialNumber": "7595d72f16ab2f8a1961f5c6",
          "Version": 1
        }
      ],
      "SignerInfo": ""
    }
    

    source

    last_updated: 2025-01-13