127cde1d-905e-4c67-a2c3-04ea4deaea7d

wantd_6.sys :inline :inline

Description

Driver used in the Daxin malware campaign.

  • UUID: 127cde1d-905e-4c67-a2c3-04ea4deaea7d
  • Created: 2023-02-28
  • Author: Michael Haag
  • Acknowledgement: |

Download

This download link contains the malicious driver!

Commands

sc.exe create wantd_6.sys binPath=C:\windows\temp\wantd_6.sys type=kernel && sc.exe start wantd_6.sys
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48
  • https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage

    • Known Vulnerable Samples

    PropertyValue
    Filenamewantd_6.sys
    Creation Timestamp2013-11-27 16:59:02
    MD54b058945c9f2b8d8ebc485add1101ba5
    SHA137e6450c7cd6999d080da94b867ba23faa8c32fe
    SHA256e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e
    Authentihash MD53bfdb46b5ad5fa267b992a2350a6518a
    Authentihash SHA1cb65c6f9f411892d13ffe8ba1cb5e9c4be2c0a25
    Authentihash SHA256bd243e33fa80f4bd6010c23ecdf94b6008fee30df248255dcfe014c91f2ce2af
    RichPEHeaderHash MD58cdd468850a9084b109fb26005e28d1f
    RichPEHeaderHash SHA1abee83f631fc7792dc07a572a003c103903f305e
    RichPEHeaderHash SHA256aa49c3910540c2edd0e4a9154e5741d5cc65662a1364616e057ca3fc74243755
    PublisherAnhua Xinda (Beijing) Technology Co., Ltd.
    CompanyMicrosoft Corporation
    DescriptionWAN Transport Driver
    ProductMicrosoft Windows Operating System
    OriginalFilenamewantd.sys

    Download

    Certificates

    Expand
    Certificate 387c9476e28320264594846317d46540
    FieldValue
    ToBeSigned (TBS) MD5ce372214eabe9d311e4a156fe2044327
    ToBeSigned (TBS) SHA17f7eb1a547c9b0b2e41b0f44515dfd20c16edceb
    ToBeSigned (TBS) SHA25603d59cc81c6960a93ab4b02e5521aa9fb349e8d7df9dfdf675201e48c23b5a34
    SubjectC=CN, ST=Beijing, L=Beijing, O=Anhua Xinda (Beijing) Technology Co., Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Anhua Xinda (Beijing) Technology Co., Ltd.
    ValidFrom2011-06-28 00:00:00
    ValidTo2014-06-27 23:59:59
    Signature75446640570a5790bb9af0f472df1738c47e362aedd568599f66a121e1c27b51008ca2e0d72ed727e61ee0c76a578dc56de22c5ee58136db144fc68aca0fd0196d70716bd8c9d19b5fdd8a147d749367a953604b24502efdd039577033df13b8d20a8cc7ca4829a303c11e7f6bf3c370d98b64b875ca3745546285bb70c204467968b1c4a416b0636c590dff6f7a3091ed00351c626e32e859bdd58d363940a5ed33d121e423d2ba1b8ad85c5c1296e23d627e0aafe9268945bce9567c38719621eecdde83a74139fb3e0920a32e558fd64c0149cfec10f4b82fdcc8cdaed4011977c2169035b71edc68fabaf43d59f989ee5d97ec94eaa05ef2a62bfc480fa9
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber387c9476e28320264594846317d46540
    Version3
    Certificate 611993e400000000001c
    FieldValue
    ToBeSigned (TBS) MD578a717e082dcc1cda3458d917e677d14
    ToBeSigned (TBS) SHA14a872e0e51f9b304469cd1dedb496ee9b8b983a4
    ToBeSigned (TBS) SHA256317fa1d234ebc49040ebc5e8746f8997471496051b185a91bdd9dfbb23fab5f8
    SubjectC=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5
    ValidFrom2011-02-22 19:25:17
    ValidTo2021-02-22 19:35:17
    Signature812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber611993e400000000001c
    Version3
    Certificate 5200e5aa2556fc1a86ed96c9d44b33c7
    FieldValue
    ToBeSigned (TBS) MD5b30c31a572b0409383ed3fbe17e56e81
    ToBeSigned (TBS) SHA14843a82ed3b1f2bfbee9671960e1940c942f688d
    ToBeSigned (TBS) SHA25603cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9
    SubjectC=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA
    ValidFrom2010-02-08 00:00:00
    ValidTo2020-02-07 23:59:59
    Signature5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber5200e5aa2556fc1a86ed96c9d44b33c7
    Version3

    Imports

    Expand
    • ntoskrnl.exe
    • NDIS.SYS

    Imported Functions

    Expand
    • wcsncmp
    • IoAllocateMdl
    • _stricmp
    • sprintf
    • RtlLengthRequiredSid
    • _strnicmp
    • ExAllocatePoolWithTag
    • vsprintf
    • IoDeleteSymbolicLink
    • ExFreePoolWithTag
    • RtlAnsiStringToUnicodeString
    • NtWriteFile
    • RtlCreateAcl
    • PsLookupProcessByProcessId
    • NtQuerySystemInformation
    • _wcsnicmp
    • ZwReadFile
    • RtlSetDaclSecurityDescriptor
    • KeInitializeApc
    • IoDeleteDevice
    • NtFsControlFile
    • KeInsertQueueApc
    • MmGetSystemRoutineAddress
    • IoCreateFile
    • atoi
    • _snprintf
    • ZwQuerySystemInformation
    • KeReleaseSpinLock
    • RtlAddAccessAllowedAce
    • RtlImageDirectoryEntryToData
    • KeDetachProcess
    • ZwOpenFile
    • ZwCreateFile
    • PsCreateSystemThread
    • ZwQueryValueKey
    • PsTerminateSystemThread
    • ZwFreeVirtualMemory
    • KeQueryTimeIncrement
    • ObReferenceObjectByHandle
    • KeWaitForSingleObject
    • KeAttachProcess
    • PsGetVersion
    • PsThreadType
    • RtlCompareUnicodeString
    • ZwOpenProcess
    • ZwQueryInformationProcess
    • IoCreateSymbolicLink
    • ObfDereferenceObject
    • IoCreateDevice
    • ZwTerminateProcess
    • ZwQueryInformationFile
    • KeWaitForMultipleObjects
    • ZwWriteFile
    • NtReadFile
    • PsLookupThreadByThreadId
    • RtlLengthSid
    • RtlCreateSecurityDescriptor
    • ZwAllocateVirtualMemory
    • ZwOpenKey
    • KeAcquireSpinLockRaiseToDpc
    • RtlUnicodeStringToInteger
    • MmIsAddressValid
    • ZwDeviceIoControlFile
    • IofCompleteRequest
    • ZwClose
    • MmMapLockedPagesSpecifyCache
    • KeDelayExecutionThread
    • MmUserProbeAddress
    • MmBuildMdlForNonPagedPool
    • memchr
    • ZwWaitForSingleObject
    • RtlInitUnicodeString
    • NdisAllocateMemoryWithTag
    • NdisAllocateNetBufferAndNetBufferList
    • NdisMSendNetBufferListsComplete
    • NdisReturnNetBufferLists
    • NdisAllocateNetBufferListPool
    • NdisFreeMemory
    • NdisMIndicateStatus
    • NdisFreeMdl
    • NdisFreeNetBufferListPool
    • NdisFreeNetBufferList
    • NdisSendNetBufferLists

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • INIT
    • .rsrc

    Signature

    Expand
    {
  "Certificates": [
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "387c9476e28320264594846317d46540",
      "Signature": "75446640570a5790bb9af0f472df1738c47e362aedd568599f66a121e1c27b51008ca2e0d72ed727e61ee0c76a578dc56de22c5ee58136db144fc68aca0fd0196d70716bd8c9d19b5fdd8a147d749367a953604b24502efdd039577033df13b8d20a8cc7ca4829a303c11e7f6bf3c370d98b64b875ca3745546285bb70c204467968b1c4a416b0636c590dff6f7a3091ed00351c626e32e859bdd58d363940a5ed33d121e423d2ba1b8ad85c5c1296e23d627e0aafe9268945bce9567c38719621eecdde83a74139fb3e0920a32e558fd64c0149cfec10f4b82fdcc8cdaed4011977c2169035b71edc68fabaf43d59f989ee5d97ec94eaa05ef2a62bfc480fa9",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=CN, ST=Beijing, L=Beijing, O=Anhua Xinda (Beijing) Technology Co., Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Anhua Xinda (Beijing) Technology Co., Ltd.",
      "TBS": {
        "MD5": "ce372214eabe9d311e4a156fe2044327",
        "SHA1": "7f7eb1a547c9b0b2e41b0f44515dfd20c16edceb",
        "SHA256": "03d59cc81c6960a93ab4b02e5521aa9fb349e8d7df9dfdf675201e48c23b5a34",
        "SHA384": "4b8829bc6980e82affeb7ad29efb59fc3ca9b02d015e6c0f385b9f2cf275609cd45936659f41fce579c073e34c2ca308"
      },
      "ValidFrom": "2011-06-28 00:00:00",
      "ValidTo": "2014-06-27 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "611993e400000000001c",
      "Signature": "812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5",
      "TBS": {
        "MD5": "78a717e082dcc1cda3458d917e677d14",
        "SHA1": "4a872e0e51f9b304469cd1dedb496ee9b8b983a4",
        "SHA256": "317fa1d234ebc49040ebc5e8746f8997471496051b185a91bdd9dfbb23fab5f8",
        "SHA384": "b71052da4eb9157c8c1a5d7f55df19d69b9128598b72fcca608e5b7cc7d64c43c5504b9c86355a6dc22ee40c88cc385c"
      },
      "ValidFrom": "2011-02-22 19:25:17",
      "ValidTo": "2021-02-22 19:35:17",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "5200e5aa2556fc1a86ed96c9d44b33c7",
      "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA",
      "TBS": {
        "MD5": "b30c31a572b0409383ed3fbe17e56e81",
        "SHA1": "4843a82ed3b1f2bfbee9671960e1940c942f688d",
        "SHA256": "03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9",
        "SHA384": "bbda8407c4f9fc4e54d772f1c7fb9d30bc97e1f97ecd51c443063d1fa0644e266328781776cd5c44896c457c75f4d7da"
      },
      "ValidFrom": "2010-02-08 00:00:00",
      "ValidTo": "2020-02-07 23:59:59",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA",
      "SerialNumber": "387c9476e28320264594846317d46540",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

    source

    last_updated: 2024-04-09