wantd_3.sys

Description

Driver used in the Daxin malware campaign.

  • UUID: a22104a8-126d-449f-ba3e-28678c60c587
  • Created: 2023-02-28
  • Author: Michael Haag

Download

This download link contains the malicious driver!

Commands

sc.exe create wantd_3.sys binPath=C:\windows\temp\wantd_3.sys type=kernel && sc.exe start wantd_3.sys

  • Use Case: Elevate privileges
  • Privileges: kernel
  • Operating System: Windows 10

Detections

YARA 🏹

  • Exact Match: with header and size limitation
  • Threat Hunting: without header and size limitation

Sigma 🛡️

  • Names: detects loading using name only
  • Hashes: detects loading using hashes only

Sysmon 🔎

  • Block: on hashes
  • Alert: on hashes

Resources

  • https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48
  • https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage

Known Vulnerable Samples

    Filename: wantd_3.sys
    Creation Timestamp: 2014-04-30 01:52:21
    MD5: fb7c61ef427f9b2fdff3574ee6b1819b
    SHA1: 1f25f54e9b289f76604e81e98483309612c5a471
    SHA256: 81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1
    Authentihash MD5: cbb18883d7893156620f084ff40b2fbf
    Authentihash SHA1: df59532dbae676b3fb2653a1bbd9cd5f1cd3ba78
    Authentihash SHA256: a1ee0b8a7974f3d11c10241027c0e7171c798a28589aae9ff8c5a86228642af7
    RichPEHeaderHash MD5: 7dac9e657681230dfe85b6e42aa5891e
    RichPEHeaderHash SHA1: 02e8444b111e83edca1a07580800daf3e7e2453d
    RichPEHeaderHash SHA256: 3e7f74d584bec768a7e4677b53f195737e86f319c4804790a13a2adbb38425a9
    Publisher: n/a
    Company: Microsoft Corporation
    Description: WAN Transport Driver
    Product: Microsoft Windows Operating System
    OriginalFilename: wantd.sys

    Imports

    • ntoskrnl.exe
    • HAL.dll
    • NDIS.SYS

    Imported Functions

    • IofCompleteRequest
    • KeResetEvent
    • InterlockedIncrement
    • KeSetEvent
    • InterlockedDecrement
    • RtlUnicodeStringToInteger
    • RtlInitUnicodeString
    • KeInitializeEvent
    • wcsncmp
    • wcscat
    • wcslen
    • wcscpy
    • MmBuildMdlForNonPagedPool
    • IoAllocateMdl
    • KeInsertQueueApc
    • KeInitializeApc
    • KeDetachProcess
    • KeAttachProcess
    • PsLookupThreadByThreadId
    • ZwAllocateVirtualMemory
    • RtlCompareUnicodeString
    • PsLookupProcessByProcessId
    • ZwFreeVirtualMemory
    • _wcsnicmp
    • ZwQuerySystemInformation
    • ZwQueryInformationProcess
    • RtlImageDirectoryEntryToData
    • _stricmp
    • NtQuerySystemInformation
    • ZwOpenFile
    • MmGetSystemRoutineAddress
    • ZwQueryValueKey
    • ZwOpenKey
    • ZwTerminateProcess
    • ZwOpenProcess
    • IoCreateFile
    • RtlSetDaclSecurityDescriptor
    • RtlAddAccessAllowedAce
    • RtlCreateAcl
    • RtlLengthSid
    • RtlCreateSecurityDescriptor
    • NtWriteFile
    • NtReadFile
    • KeWaitForMultipleObjects
    • NtFsControlFile
    • ZwWaitForSingleObject
    • RtlLengthRequiredSid
    • IoCreateSymbolicLink
    • DbgPrint
    • IoCreateDevice
    • IoDeleteDevice
    • IoDeleteSymbolicLink
    • sprintf
    • ZwCreateFile
    • RtlAnsiStringToUnicodeString
    • ZwWriteFile
    • ZwReadFile
    • ZwQueryInformationFile
    • vsprintf
    • ZwDeviceIoControlFile
    • MmMapLockedPagesSpecifyCache
    • IoFreeMdl
    • KeWaitForSingleObject
    • ObfDereferenceObject
    • KeDelayExecutionThread
    • PsTerminateSystemThread
    • PsCreateSystemThread
    • PsThreadType
    • ObReferenceObjectByHandle
    • ZwClose
    • KeQueryTimeIncrement
    • KeTickCount
    • KeInitializeSpinLock
    • ExAllocatePoolWithTag
    • PsGetVersion
    • ExFreePool
    • KfReleaseSpinLock
    • KfAcquireSpinLock
    • NdisAllocatePacketPool
    • NdisAllocateBufferPool
    • NdisRegisterProtocol
    • NdisDeregisterProtocol
    • NdisUnchainBufferAtFront
    • NdisAllocatePacket
    • NdisAllocateMemory
    • NdisFreePacket
    • NdisAllocateBuffer
    • NdisFreeMemory
    • NdisFreeBufferPool
    • NdisCopyFromPacketToPacket
    • NdisFreePacketPool

    Exported Functions

    Sections

    • .text
    • .rdata
    • .data
    • INIT
    • .rsrc
    • .reloc

    Signature

    last_updated: 2024-09-26