wantd_2.sys

Description

Driver used in the Daxin malware campaign.

  • UUID: aa687f89-4f3b-4b59-b64e-fee5e2ae2310
  • Created: 2023-02-28
  • Author: Michael Haag

Download

This download link contains the malicious driver!

Commands

sc.exe create wantd_2.sys binPath=C:\windows\temp\wantd_2.sys type=kernel && sc.exe start wantd_2.sys
Use Case             Privileges    Operating System
Elevate privileges   kernel        Windows 10

Detections

YARA 🏹


Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Sigma 🛡️


Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎


Block

on hashes

Alert

on hashes

Resources

  • https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48
  • https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage

Known Vulnerable Samples

    Property                  Value
    Filename                  wantd_2.sys
    Creation Timestamp        2014-04-30 01:52:31
    MD5                       8636fe3724f2bcba9399daffd6ef3c7e
    SHA1                      3b6b35bca1b05fafbfc883a844df6d52af44ccdc
    SHA256                    6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f
    Authentihash MD5          4b7d15fe072cc44bb427206b295f861d
    Authentihash SHA1         2edc9b891f72f204bee80618058f921a3f6fb5a1
    Authentihash SHA256       25d16b2b53fc7b52a65616ab7fc04a503946c20fe96556681bfaddd589401f4a
    RichPEHeaderHash MD5      ffb3b0d0258fb0606ee7e21ca15c01ab
    RichPEHeaderHash SHA1     0c79c4323d4fdcd03744c74405225f23034656b4
    RichPEHeaderHash SHA256   24a759b45ba0cca67772c01218a5571bc0785aee67ab3288c539a077c540cf3f
    Publisher                 Anhua Xinda (Beijing) Technology Co., Ltd.
    Company                   Microsoft Corporation
    Description               WAN Transport Driver
    Product                   Microsoft Windows Operating System
    OriginalFilename          wantd.sys

    Download

    Certificates

    Certificate 7e93ebfb7cc64e59ea4b9a77d406fc3b
    Field                       Value
    ToBeSigned (TBS) MD5        d0785ad36e427c92b19f6826ab1e8020
    ToBeSigned (TBS) SHA1       365b7a9c21bd9373e49052c3e7b3e4646ddd4d43
    ToBeSigned (TBS) SHA256     c2abb7484da91a658548de089d52436175fdb760a1387d225611dc0613a1e2ff
    ToBeSigned (TBS) SHA384     eab4fe5ef90e0de4a6aa3a27769a5e879f588df5e4785aa4104debd1f81e19ea56d33e3a16e5facf99f68b5d8e3d287b
    Subject                     C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA - G2
    ValidFrom                   2012-12-21 00:00:00
    ValidTo                     2020-12-30 23:59:59
    Signature                   03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6
    SignatureAlgorithmOID       1.2.840.113549.1.1.5
    IsCertificateAuthority      True
    SerialNumber                7e93ebfb7cc64e59ea4b9a77d406fc3b
    Version                     3

    Certificate 0ecff438c8febf356e04d86a981b1a50
    Field                       Value
    ToBeSigned (TBS) MD5        e9d38360b914c8863f6cba3ee58764d3
    ToBeSigned (TBS) SHA1       4cba8eae47b6bf76f20b3504b98b8f062694a89b
    ToBeSigned (TBS) SHA256     88901d86a4cc1f1bb193d08e1fb63d27452e63f83e228c657ab1a92e4ade3976
    ToBeSigned (TBS) SHA384     e9f2a75334a9e336c5a4712eadee88d0374b0fdc273262f4e65c9040ad2793067cc076696db5279a478773485e285652
    Subject                     C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer - G4
    ValidFrom                   2012-10-18 00:00:00
    ValidTo                     2020-12-29 23:59:59
    Signature                   783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475
    SignatureAlgorithmOID       1.2.840.113549.1.1.5
    IsCertificateAuthority      False
    SerialNumber                0ecff438c8febf356e04d86a981b1a50
    Version                     3

    Certificate 387c9476e28320264594846317d46540
    Field                       Value
    ToBeSigned (TBS) MD5        ce372214eabe9d311e4a156fe2044327
    ToBeSigned (TBS) SHA1       7f7eb1a547c9b0b2e41b0f44515dfd20c16edceb
    ToBeSigned (TBS) SHA256     03d59cc81c6960a93ab4b02e5521aa9fb349e8d7df9dfdf675201e48c23b5a34
    ToBeSigned (TBS) SHA384     4b8829bc6980e82affeb7ad29efb59fc3ca9b02d015e6c0f385b9f2cf275609cd45936659f41fce579c073e34c2ca308
    Subject                     C=CN, ST=Beijing, L=Beijing, O=Anhua Xinda (Beijing) Technology Co., Ltd., OU=Digital ID Class 3 - Microsoft Software Validation v2, CN=Anhua Xinda (Beijing) Technology Co., Ltd.
    ValidFrom                   2011-06-28 00:00:00
    ValidTo                     2014-06-27 23:59:59
    Signature                   75446640570a5790bb9af0f472df1738c47e362aedd568599f66a121e1c27b51008ca2e0d72ed727e61ee0c76a578dc56de22c5ee58136db144fc68aca0fd0196d70716bd8c9d19b5fdd8a147d749367a953604b24502efdd039577033df13b8d20a8cc7ca4829a303c11e7f6bf3c370d98b64b875ca3745546285bb70c204467968b1c4a416b0636c590dff6f7a3091ed00351c626e32e859bdd58d363940a5ed33d121e423d2ba1b8ad85c5c1296e23d627e0aafe9268945bce9567c38719621eecdde83a74139fb3e0920a32e558fd64c0149cfec10f4b82fdcc8cdaed4011977c2169035b71edc68fabaf43d59f989ee5d97ec94eaa05ef2a62bfc480fa9
    SignatureAlgorithmOID       1.2.840.113549.1.1.5
    IsCertificateAuthority      False
    SerialNumber                387c9476e28320264594846317d46540
    Version                     3

    Certificate 611993e400000000001c
    Field                       Value
    ToBeSigned (TBS) MD5        78a717e082dcc1cda3458d917e677d14
    ToBeSigned (TBS) SHA1       4a872e0e51f9b304469cd1dedb496ee9b8b983a4
    ToBeSigned (TBS) SHA256     317fa1d234ebc49040ebc5e8746f8997471496051b185a91bdd9dfbb23fab5f8
    ToBeSigned (TBS) SHA384     b71052da4eb9157c8c1a5d7f55df19d69b9128598b72fcca608e5b7cc7d64c43c5504b9c86355a6dc22ee40c88cc385c
    Subject                     C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
    ValidFrom                   2011-02-22 19:25:17
    ValidTo                     2021-02-22 19:35:17
    Signature                   812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94
    SignatureAlgorithmOID       1.2.840.113549.1.1.5
    IsCertificateAuthority      True
    SerialNumber                611993e400000000001c
    Version                     3

    Certificate 5200e5aa2556fc1a86ed96c9d44b33c7
    Field                       Value
    ToBeSigned (TBS) MD5        b30c31a572b0409383ed3fbe17e56e81
    ToBeSigned (TBS) SHA1       4843a82ed3b1f2bfbee9671960e1940c942f688d
    ToBeSigned (TBS) SHA256     03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9
    ToBeSigned (TBS) SHA384     bbda8407c4f9fc4e54d772f1c7fb9d30bc97e1f97ecd51c443063d1fa0644e266328781776cd5c44896c457c75f4d7da
    Subject                     C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA
    ValidFrom                   2010-02-08 00:00:00
    ValidTo                     2020-02-07 23:59:59
    Signature                   5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3
    SignatureAlgorithmOID       1.2.840.113549.1.1.5
    IsCertificateAuthority      True
    SerialNumber                5200e5aa2556fc1a86ed96c9d44b33c7
    Version                     3

    Imports

    • ntoskrnl.exe
    • NDIS.SYS

    Imported Functions

    • IoAllocateMdl
    • _stricmp
    • sprintf
    • RtlLengthRequiredSid
    • ExAllocatePoolWithTag
    • vsprintf
    • IoDeleteSymbolicLink
    • ExFreePoolWithTag
    • RtlAnsiStringToUnicodeString
    • NtWriteFile
    • RtlCreateAcl
    • PsLookupProcessByProcessId
    • NtQuerySystemInformation
    • _wcsnicmp
    • ZwReadFile
    • RtlSetDaclSecurityDescriptor
    • KeInitializeApc
    • IoDeleteDevice
    • NtFsControlFile
    • KeInsertQueueApc
    • MmGetSystemRoutineAddress
    • IoCreateFile
    • ZwQuerySystemInformation
    • KeReleaseSpinLock
    • RtlAddAccessAllowedAce
    • RtlImageDirectoryEntryToData
    • KeDetachProcess
    • KeDelayExecutionThread
    • wcsncmp
    • ZwCreateFile
    • PsCreateSystemThread
    • ZwQueryValueKey
    • PsTerminateSystemThread
    • ZwFreeVirtualMemory
    • KeQueryTimeIncrement
    • ObReferenceObjectByHandle
    • KeWaitForSingleObject
    • KeAttachProcess
    • PsGetVersion
    • PsThreadType
    • RtlCompareUnicodeString
    • ZwOpenProcess
    • ZwQueryInformationProcess
    • IoCreateSymbolicLink
    • ObfDereferenceObject
    • IoCreateDevice
    • ZwTerminateProcess
    • ZwQueryInformationFile
    • KeWaitForMultipleObjects
    • ZwWriteFile
    • NtReadFile
    • DbgPrint
    • PsLookupThreadByThreadId
    • RtlLengthSid
    • RtlCreateSecurityDescriptor
    • ZwAllocateVirtualMemory
    • ZwOpenKey
    • KeAcquireSpinLockRaiseToDpc
    • ZwOpenFile
    • RtlUnicodeStringToInteger
    • MmIsAddressValid
    • ZwDeviceIoControlFile
    • IofCompleteRequest
    • ZwClose
    • MmMapLockedPagesSpecifyCache
    • MmUserProbeAddress
    • MmBuildMdlForNonPagedPool
    • memchr
    • ZwWaitForSingleObject
    • RtlInitUnicodeString
    • NdisAllocateMemoryWithTag
    • NdisAllocateNetBufferAndNetBufferList
    • NdisMSendNetBufferListsComplete
    • NdisReturnNetBufferLists
    • NdisAllocateNetBufferListPool
    • NdisFreeMemory
    • NdisCopyFromNetBufferToNetBuffer
    • NdisFreeMdl
    • NdisFreeNetBufferListPool
    • NdisFreeNetBufferList
    • NdisSendNetBufferLists

    Exported Functions


    Sections

    • .text
    • .rdata
    • .data
    • .pdata
    • INIT
    • .rsrc

    Signature

    Signer
    Field           Value
    Issuer          C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA
    SerialNumber    387c9476e28320264594846317d46540
    Version         1

    last_updated: 2024-04-09