a22104a8-126d-449f-ba3e-28678c60c587
wantd_3.sys 
Description
Driver used in the Daxin malware campaign.
This download link contains the malicious driver!
Commands
sc.exe create wantd_3.sys binPath=C:\windows\temp\wantd_3.sys type=kernel && sc.exe start wantd_3.sys
| Use Case | Privileges | Operating System |
|---|---|---|
| Elevate privileges | kernel | Windows 10 |
Detections
YARA 🏹
Resources
Known Vulnerable Samples
| Property | Value |
|---|---|
| Filename | wantd_3.sys |
| Creation Timestamp | 2014-04-30 01:52:21 |
| MD5 | fb7c61ef427f9b2fdff3574ee6b1819b |
| SHA1 | 1f25f54e9b289f76604e81e98483309612c5a471 |
| SHA256 | 81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1 |
| Authentihash MD5 | cbb18883d7893156620f084ff40b2fbf |
| Authentihash SHA1 | df59532dbae676b3fb2653a1bbd9cd5f1cd3ba78 |
| Authentihash SHA256 | a1ee0b8a7974f3d11c10241027c0e7171c798a28589aae9ff8c5a86228642af7 |
| RichPEHeaderHash MD5 | 7dac9e657681230dfe85b6e42aa5891e |
| RichPEHeaderHash SHA1 | 02e8444b111e83edca1a07580800daf3e7e2453d |
| RichPEHeaderHash SHA256 | 3e7f74d584bec768a7e4677b53f195737e86f319c4804790a13a2adbb38425a9 |
| Publisher | n/a |
| Company | Microsoft Corporation |
| Description | WAN Transport Driver |
| Product | Microsoft Windows Operating System |
| OriginalFilename | wantd.sys |
Imports
Expand
- ntoskrnl.exe
- HAL.dll
- NDIS.SYS
Imported Functions
Expand
- IofCompleteRequest
- KeResetEvent
- InterlockedIncrement
- KeSetEvent
- InterlockedDecrement
- RtlUnicodeStringToInteger
- RtlInitUnicodeString
- KeInitializeEvent
- wcsncmp
- wcscat
- wcslen
- wcscpy
- MmBuildMdlForNonPagedPool
- IoAllocateMdl
- KeInsertQueueApc
- KeInitializeApc
- KeDetachProcess
- KeAttachProcess
- PsLookupThreadByThreadId
- ZwAllocateVirtualMemory
- RtlCompareUnicodeString
- PsLookupProcessByProcessId
- ZwFreeVirtualMemory
- _wcsnicmp
- ZwQuerySystemInformation
- ZwQueryInformationProcess
- RtlImageDirectoryEntryToData
- _stricmp
- NtQuerySystemInformation
- ZwOpenFile
- MmGetSystemRoutineAddress
- ZwQueryValueKey
- ZwOpenKey
- ZwTerminateProcess
- ZwOpenProcess
- IoCreateFile
- RtlSetDaclSecurityDescriptor
- RtlAddAccessAllowedAce
- RtlCreateAcl
- RtlLengthSid
- RtlCreateSecurityDescriptor
- NtWriteFile
- NtReadFile
- KeWaitForMultipleObjects
- NtFsControlFile
- ZwWaitForSingleObject
- RtlLengthRequiredSid
- IoCreateSymbolicLink
- DbgPrint
- IoCreateDevice
- IoDeleteDevice
- IoDeleteSymbolicLink
- sprintf
- ZwCreateFile
- RtlAnsiStringToUnicodeString
- ZwWriteFile
- ZwReadFile
- ZwQueryInformationFile
- vsprintf
- ZwDeviceIoControlFile
- MmMapLockedPagesSpecifyCache
- IoFreeMdl
- KeWaitForSingleObject
- ObfDereferenceObject
- KeDelayExecutionThread
- PsTerminateSystemThread
- PsCreateSystemThread
- PsThreadType
- ObReferenceObjectByHandle
- ZwClose
- KeQueryTimeIncrement
- KeTickCount
- KeInitializeSpinLock
- ExAllocatePoolWithTag
- PsGetVersion
- ExFreePool
- KfReleaseSpinLock
- KfAcquireSpinLock
- NdisAllocatePacketPool
- NdisAllocateBufferPool
- NdisRegisterProtocol
- NdisDeregisterProtocol
- NdisUnchainBufferAtFront
- NdisAllocatePacket
- NdisAllocateMemory
- NdisFreePacket
- NdisAllocateBuffer
- NdisFreeMemory
- NdisFreeBufferPool
- NdisCopyFromPacketToPacket
- NdisFreePacketPool
Exported Functions
Expand
Sections
Expand
- .text
- .rdata
- .data
- INIT
- .rsrc
- .reloc
Signature
Expand
last_updated: 2024-04-09