7e80423f-8b30-4ee2-b904-9f5421826a8c

daxin_blank.sys :inline :inline

Description

Driver used in the Daxin malware campaign.

  • UUID: 7e80423f-8b30-4ee2-b904-9f5421826a8c
  • Created: 2023-02-28
  • Author: Michael Haag
  • Acknowledgement: |

Download

This download link contains the malicious driver!

Commands

sc.exe create daxin_blank.sys binPath=C:\windows\temp\daxin_blank.sys     type=kernel && sc.exe start daxin_blank.sys
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48
  • https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage

  • Known Vulnerable Samples

    PropertyValue
    Filenamedaxin_blank.sys
    Creation Timestamp2013-01-23 00:07:26
    MD562c18d61ed324088f963510bae43b831
    SHA18302802b709ad242a81b939b6c90b3230e1a1f1e
    SHA25649c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530
    Authentihash MD5253bde63495fa4f995a6debae44e598e
    Authentihash SHA157391d4c4e30f91e3e780d5242fd98a178ec67ac
    Authentihash SHA256a000d211840cb8fbcbf95c334b1d04eadb45ba03b0413c96472e47e9e22413ff
    RichPEHeaderHash MD58f9faa12ddcbb631cbad8b74124e28c1
    RichPEHeaderHash SHA1c120a5848e8e01e01846164408d19dcb972cc894
    RichPEHeaderHash SHA256edf117e94236b5914ca392b30047f8acb8c10d19d1ab6d09d5ca116dfc756d39
    PublisherAnhua Xinda (Beijing) Technology Co., Ltd.

    Download

    Certificates

    Expand
    Certificate 7e93ebfb7cc64e59ea4b9a77d406fc3b
    FieldValue
    ToBeSigned (TBS) MD5d0785ad36e427c92b19f6826ab1e8020
    ToBeSigned (TBS) SHA1365b7a9c21bd9373e49052c3e7b3e4646ddd4d43
    ToBeSigned (TBS) SHA256c2abb7484da91a658548de089d52436175fdb760a1387d225611dc0613a1e2ff
    SubjectC=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2
    ValidFrom2012-12-21 00:00:00
    ValidTo2020-12-30 23:59:59
    Signature03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber7e93ebfb7cc64e59ea4b9a77d406fc3b
    Version3
    Certificate 0ecff438c8febf356e04d86a981b1a50
    FieldValue
    ToBeSigned (TBS) MD5e9d38360b914c8863f6cba3ee58764d3
    ToBeSigned (TBS) SHA14cba8eae47b6bf76f20b3504b98b8f062694a89b
    ToBeSigned (TBS) SHA25688901d86a4cc1f1bb193d08e1fb63d27452e63f83e228c657ab1a92e4ade3976
    SubjectC=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4
    ValidFrom2012-10-18 00:00:00
    ValidTo2020-12-29 23:59:59
    Signature783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber0ecff438c8febf356e04d86a981b1a50
    Version3
    Certificate 387c9476e28320264594846317d46540
    FieldValue
    ToBeSigned (TBS) MD5ce372214eabe9d311e4a156fe2044327
    ToBeSigned (TBS) SHA17f7eb1a547c9b0b2e41b0f44515dfd20c16edceb
    ToBeSigned (TBS) SHA25603d59cc81c6960a93ab4b02e5521aa9fb349e8d7df9dfdf675201e48c23b5a34
    SubjectC=CN, ST=Beijing, L=Beijing, O=Anhua Xinda (Beijing) Technology Co., Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Anhua Xinda (Beijing) Technology Co., Ltd.
    ValidFrom2011-06-28 00:00:00
    ValidTo2014-06-27 23:59:59
    Signature75446640570a5790bb9af0f472df1738c47e362aedd568599f66a121e1c27b51008ca2e0d72ed727e61ee0c76a578dc56de22c5ee58136db144fc68aca0fd0196d70716bd8c9d19b5fdd8a147d749367a953604b24502efdd039577033df13b8d20a8cc7ca4829a303c11e7f6bf3c370d98b64b875ca3745546285bb70c204467968b1c4a416b0636c590dff6f7a3091ed00351c626e32e859bdd58d363940a5ed33d121e423d2ba1b8ad85c5c1296e23d627e0aafe9268945bce9567c38719621eecdde83a74139fb3e0920a32e558fd64c0149cfec10f4b82fdcc8cdaed4011977c2169035b71edc68fabaf43d59f989ee5d97ec94eaa05ef2a62bfc480fa9
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber387c9476e28320264594846317d46540
    Version3
    Certificate 611993e400000000001c
    FieldValue
    ToBeSigned (TBS) MD578a717e082dcc1cda3458d917e677d14
    ToBeSigned (TBS) SHA14a872e0e51f9b304469cd1dedb496ee9b8b983a4
    ToBeSigned (TBS) SHA256317fa1d234ebc49040ebc5e8746f8997471496051b185a91bdd9dfbb23fab5f8
    SubjectC=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5
    ValidFrom2011-02-22 19:25:17
    ValidTo2021-02-22 19:35:17
    Signature812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber611993e400000000001c
    Version3
    Certificate 5200e5aa2556fc1a86ed96c9d44b33c7
    FieldValue
    ToBeSigned (TBS) MD5b30c31a572b0409383ed3fbe17e56e81
    ToBeSigned (TBS) SHA14843a82ed3b1f2bfbee9671960e1940c942f688d
    ToBeSigned (TBS) SHA25603cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9
    SubjectC=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA
    ValidFrom2010-02-08 00:00:00
    ValidTo2020-02-07 23:59:59
    Signature5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber5200e5aa2556fc1a86ed96c9d44b33c7
    Version3

    Imports

    Expand
    • ntoskrnl.exe
    • NDIS.SYS

    Imported Functions

    Expand
    • wcsncmp
    • DbgPrint
    • IoAllocateMdl
    • _stricmp
    • sprintf
    • RtlLengthRequiredSid
    • ExAllocatePoolWithTag
    • vsprintf
    • IoDeleteSymbolicLink
    • ExFreePoolWithTag
    • RtlAnsiStringToUnicodeString
    • NtWriteFile
    • RtlCreateAcl
    • PsLookupProcessByProcessId
    • NtQuerySystemInformation
    • _wcsnicmp
    • ZwReadFile
    • RtlSetDaclSecurityDescriptor
    • KeInitializeApc
    • IoDeleteDevice
    • NtFsControlFile
    • KeInsertQueueApc
    • MmGetSystemRoutineAddress
    • IoCreateFile
    • ZwQuerySystemInformation
    • KeReleaseSpinLock
    • RtlAddAccessAllowedAce
    • RtlImageDirectoryEntryToData
    • KeDetachProcess
    • ZwOpenFile
    • ZwWaitForSingleObject
    • ZwCreateFile
    • PsCreateSystemThread
    • ZwQueryValueKey
    • PsTerminateSystemThread
    • ZwFreeVirtualMemory
    • KeQueryTimeIncrement
    • ObReferenceObjectByHandle
    • KeWaitForSingleObject
    • KeAttachProcess
    • PsGetVersion
    • PsThreadType
    • RtlCompareUnicodeString
    • ZwOpenProcess
    • ZwQueryInformationProcess
    • IoCreateSymbolicLink
    • ObfDereferenceObject
    • IoCreateDevice
    • ZwTerminateProcess
    • ZwQueryInformationFile
    • KeWaitForMultipleObjects
    • ZwWriteFile
    • NtReadFile
    • PsLookupThreadByThreadId
    • RtlLengthSid
    • RtlCreateSecurityDescriptor
    • ZwAllocateVirtualMemory
    • ZwOpenKey
    • KeAcquireSpinLockRaiseToDpc
    • RtlUnicodeStringToInteger
    • MmIsAddressValid
    • PsGetCurrentProcessId
    • ZwDeviceIoControlFile
    • IofCompleteRequest
    • ZwClose
    • MmMapLockedPagesSpecifyCache
    • MmUserProbeAddress
    • MmBuildMdlForNonPagedPool
    • memchr
    • KeDelayExecutionThread
    • RtlInitUnicodeString
    • NdisAllocateMemoryWithTag
    • NdisAllocateNetBufferAndNetBufferList
    • NdisMSendNetBufferListsComplete
    • NdisReturnNetBufferLists
    • NdisAllocateNetBufferListPool
    • NdisFreeMemory
    • NdisCopyFromNetBufferToNetBuffer
    • NdisFreeMdl
    • NdisFreeNetBufferListPool
    • NdisFreeNetBufferList
    • NdisSendNetBufferLists

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • INIT

    Signature

    Expand
    {
      "Certificates": [
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "7e93ebfb7cc64e59ea4b9a77d406fc3b",
          "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2",
          "TBS": {
            "MD5": "d0785ad36e427c92b19f6826ab1e8020",
            "SHA1": "365b7a9c21bd9373e49052c3e7b3e4646ddd4d43",
            "SHA256": "c2abb7484da91a658548de089d52436175fdb760a1387d225611dc0613a1e2ff",
            "SHA384": "eab4fe5ef90e0de4a6aa3a27769a5e879f588df5e4785aa4104debd1f81e19ea56d33e3a16e5facf99f68b5d8e3d287b"
          },
          "ValidFrom": "2012-12-21 00:00:00",
          "ValidTo": "2020-12-30 23:59:59",
          "Version": 3
        },
        {
          "IsCertificateAuthority": false,
          "SerialNumber": "0ecff438c8febf356e04d86a981b1a50",
          "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4",
          "TBS": {
            "MD5": "e9d38360b914c8863f6cba3ee58764d3",
            "SHA1": "4cba8eae47b6bf76f20b3504b98b8f062694a89b",
            "SHA256": "88901d86a4cc1f1bb193d08e1fb63d27452e63f83e228c657ab1a92e4ade3976",
            "SHA384": "e9f2a75334a9e336c5a4712eadee88d0374b0fdc273262f4e65c9040ad2793067cc076696db5279a478773485e285652"
          },
          "ValidFrom": "2012-10-18 00:00:00",
          "ValidTo": "2020-12-29 23:59:59",
          "Version": 3
        },
        {
          "IsCertificateAuthority": false,
          "SerialNumber": "387c9476e28320264594846317d46540",
          "Signature": "75446640570a5790bb9af0f472df1738c47e362aedd568599f66a121e1c27b51008ca2e0d72ed727e61ee0c76a578dc56de22c5ee58136db144fc68aca0fd0196d70716bd8c9d19b5fdd8a147d749367a953604b24502efdd039577033df13b8d20a8cc7ca4829a303c11e7f6bf3c370d98b64b875ca3745546285bb70c204467968b1c4a416b0636c590dff6f7a3091ed00351c626e32e859bdd58d363940a5ed33d121e423d2ba1b8ad85c5c1296e23d627e0aafe9268945bce9567c38719621eecdde83a74139fb3e0920a32e558fd64c0149cfec10f4b82fdcc8cdaed4011977c2169035b71edc68fabaf43d59f989ee5d97ec94eaa05ef2a62bfc480fa9",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=CN, ST=Beijing, L=Beijing, O=Anhua Xinda (Beijing) Technology Co., Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Anhua Xinda (Beijing) Technology Co., Ltd.",
          "TBS": {
            "MD5": "ce372214eabe9d311e4a156fe2044327",
            "SHA1": "7f7eb1a547c9b0b2e41b0f44515dfd20c16edceb",
            "SHA256": "03d59cc81c6960a93ab4b02e5521aa9fb349e8d7df9dfdf675201e48c23b5a34",
            "SHA384": "4b8829bc6980e82affeb7ad29efb59fc3ca9b02d015e6c0f385b9f2cf275609cd45936659f41fce579c073e34c2ca308"
          },
          "ValidFrom": "2011-06-28 00:00:00",
          "ValidTo": "2014-06-27 23:59:59",
          "Version": 3
        },
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "611993e400000000001c",
          "Signature": "812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5",
          "TBS": {
            "MD5": "78a717e082dcc1cda3458d917e677d14",
            "SHA1": "4a872e0e51f9b304469cd1dedb496ee9b8b983a4",
            "SHA256": "317fa1d234ebc49040ebc5e8746f8997471496051b185a91bdd9dfbb23fab5f8",
            "SHA384": "b71052da4eb9157c8c1a5d7f55df19d69b9128598b72fcca608e5b7cc7d64c43c5504b9c86355a6dc22ee40c88cc385c"
          },
          "ValidFrom": "2011-02-22 19:25:17",
          "ValidTo": "2021-02-22 19:35:17",
          "Version": 3
        },
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "5200e5aa2556fc1a86ed96c9d44b33c7",
          "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA",
          "TBS": {
            "MD5": "b30c31a572b0409383ed3fbe17e56e81",
            "SHA1": "4843a82ed3b1f2bfbee9671960e1940c942f688d",
            "SHA256": "03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9",
            "SHA384": "bbda8407c4f9fc4e54d772f1c7fb9d30bc97e1f97ecd51c443063d1fa0644e266328781776cd5c44896c457c75f4d7da"
          },
          "ValidFrom": "2010-02-08 00:00:00",
          "ValidTo": "2020-02-07 23:59:59",
          "Version": 3
        }
      ],
      "CertificatesInfo": "",
      "Signer": [
        {
          "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA",
          "SerialNumber": "387c9476e28320264594846317d46540",
          "Version": 1
        }
      ],
      "SignerInfo": ""
    }
    

    source

    last_updated: 2024-03-28