Chaos-Rootkit.sys

Description

Chaos-Rootkit is an x64 ring-0 rootkit with process hiding, privilege escalation, the ability to protect and unprotect processes, and the ability to restrict access to files to a whitelisted process. The project advertises it as working on the latest Windows versions.

  • UUID: de62baae-872d-4e9a-b6d9-b0ac99854c66
  • Created: 2024-06-20
  • Author: goosvorbook
  • Acknowledgement:

Download

This download link contains the vulnerable driver!

Commands

sc.exe create Chaos-Rootkit.sys binPath= C:\windows\temp\Chaos-Rootkit.sys type= kernel && sc.exe start Chaos-Rootkit.sys

sc.exe requires a space after each option's equals sign (binPath= value, type= value); without it the option is not parsed. Note also that the listed sample is signed only with a self-signed WDK test certificate (see Certificates below), so on a system with Driver Signature Enforcement active the start command fails with error 577 (ERROR_INVALID_IMAGE_HASH) unless test signing is enabled or DSE has otherwise been disabled.

Use Case: Elevate privileges
Privileges: kernel
Operating System: Windows 11

Detections

YARA 🏹

  • Exact Match: with header and size limitation
  • Threat Hunting: without header and size limitation
  • Renamed: for renamed driver files

Sigma 🛡️

  • Names: detects loading using name only
  • Hashes: detects loading using hashes only

Sysmon 🔎

  • Block: on hashes
  • Alert: on hashes
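The following is an added example, not part of this page, not one of the LOLDrivers YARA/Sigma/Sysmon rules, and not code from the Chaos-Rootkit repository. It applies the rule ideas above (match on name only, on hashes only, and on hash-but-renamed) to Sysmon Event ID 6 (DriverLoad) records, using the MD5/SHA1/SHA256 values and the signer name from the Known Vulnerable Samples entry below. The Sysmon field names (ImageLoaded, Hashes, Signature, SignatureStatus) are real; the event records are constructed, and the check that the Signature field carries the signer's subject CN is an assumption noted in the code.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records against the Chaos-Rootkit.sys indicators.

Constructed example for this page; the event records below are made up.
"""
from __future__ import annotations

import ntpath

# Indicators copied from the "Known Vulnerable Samples" entry on this page.
CHAOS_ROOTKIT_NAME = "chaos-rootkit.sys"
CHAOS_ROOTKIT_HASHES = {
    "MD5": "443e8d915c04c370b7c31bb5f11ebab7",
    "SHA1": "c3f8b7f0995073abb58c2aec1b6062f89fe838a0",
    "SHA256": "bdc73f752c1353d41e877d8bf42a1c53f0bba7d6f52348aaef60e06f4d3087d0",
}
# Signer CN from the certificate listed on this page (a self-signed WDK test certificate).
TEST_CERT_SUBJECT = "WDKTestCert anash"


def parse_sysmon_hashes(field: str) -> dict[str, str]:
    """Split Sysmon's 'Hashes' field ('SHA1=..,MD5=..,SHA256=..,IMPHASH=..') into a dict.

    Algorithm names are upper-cased and digests lower-cased so comparisons are
    case-insensitive; fragments without '=' are ignored.
    """
    parsed: dict[str, str] = {}
    for fragment in field.split(","):
        algorithm, sep, digest = fragment.partition("=")
        if sep:
            parsed[algorithm.strip().upper()] = digest.strip().lower()
    return parsed


def classify_driver_load(event: dict[str, str]) -> list[str]:
    """Return detection verdicts for one Event ID 6 record (empty list = no match).

    Mirrors the rule families described on this page:
      - "known-sample":  file name AND a hash match (Sigma Names + Hashes, YARA Exact Match)
      - "renamed-copy":  a hash matches but the file name differs (YARA Renamed)
      - "name-only":     the name matches but no hash does (Sigma Names alone; either a
                         different build or a decoy, so a candidate false positive)
    Independently, "wdk-test-cert" flags a signer matching the page's test certificate.
    Assumption: Sysmon reports the signer subject CN in the 'Signature' field.
    """
    verdicts: list[str] = []
    image_name = ntpath.basename(event.get("ImageLoaded", "")).lower()
    observed = parse_sysmon_hashes(event.get("Hashes", ""))

    name_hit = image_name == CHAOS_ROOTKIT_NAME
    hash_hit = any(observed.get(alg) == digest for alg, digest in CHAOS_ROOTKIT_HASHES.items())

    if name_hit and hash_hit:
        verdicts.append("known-sample")
    elif hash_hit:
        verdicts.append("renamed-copy")
    elif name_hit:
        verdicts.append("name-only")

    if TEST_CERT_SUBJECT.lower() in event.get("Signature", "").lower():
        verdicts.append("wdk-test-cert")
    return verdicts


def triage(events: list[dict[str, str]]) -> list[tuple[str, str, list[str]]]:
    """Return (UtcTime, ImageLoaded, verdicts) for every event that matched something."""
    hits = []
    for ev in events:
        verdicts = classify_driver_load(ev)
        if verdicts:
            hits.append((ev.get("UtcTime", ""), ev.get("ImageLoaded", ""), verdicts))
    return hits


# Constructed Event ID 6 records (not real telemetry). The digests for the two
# non-matching drivers are placeholders.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-06-20 10:00:01.000", "ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys",
     "Hashes": "SHA1=0000000000000000000000000000000000000001,MD5=00000000000000000000000000000001,"
               "SHA256=0000000000000000000000000000000000000000000000000000000000000001",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"UtcTime": "2024-06-20 10:00:02.000", "ImageLoaded": r"C:\windows\temp\Chaos-Rootkit.sys",
     "Hashes": "SHA1=C3F8B7F0995073ABB58C2AEC1B6062F89FE838A0,MD5=443E8D915C04C370B7C31BB5F11EBAB7,"
               "SHA256=BDC73F752C1353D41E877D8BF42A1C53F0BBA7D6F52348AAEF60E06F4D3087D0",
     "Signature": "WDKTestCert anash,133231280654008727", "SignatureStatus": "Unavailable"},
    {"UtcTime": "2024-06-20 10:00:03.000", "ImageLoaded": r"C:\Users\Public\wdfhelper.sys",
     "Hashes": "SHA256=bdc73f752c1353d41e877d8bf42a1c53f0bba7d6f52348aaef60e06f4d3087d0",
     "Signature": "WDKTestCert anash,133231280654008727", "SignatureStatus": "Unavailable"},
    {"UtcTime": "2024-06-20 10:00:04.000", "ImageLoaded": r"C:\Temp\Chaos-Rootkit.sys",
     "Hashes": "MD5=00000000000000000000000000000002,"
               "SHA256=0000000000000000000000000000000000000000000000000000000000000002",
     "Signature": "", "SignatureStatus": "Unsigned"},
]

if __name__ == "__main__":
    for when, image, verdicts in triage(SAMPLE_EVENTS):
        print(f"{when}  {image}  {', '.join(verdicts)}")
```

The name-only verdict is kept separate from the hash verdicts on purpose: a hash match on a renamed file is the strongest signal (it survives the trivial rename an operator would do to dodge the Names rule), while a name match without any hash match is the case where the Names rule alone would fire on a different build or a decoy and deserves a second look before escalation. Sysmon does not emit Authentihash or Rich-header hashes, so those page values are useful for file-based hunting (YARA, VirusTotal) rather than for this event-based check.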

Resources

  • https://github.com/ZeroMemoryEx/Chaos-Rootkit

  • Known Vulnerable Samples

    Filename:
    Creation Timestamp: 2024-02-24 04:54:46
    MD5: 443e8d915c04c370b7c31bb5f11ebab7
    SHA1: c3f8b7f0995073abb58c2aec1b6062f89fe838a0
    SHA256: bdc73f752c1353d41e877d8bf42a1c53f0bba7d6f52348aaef60e06f4d3087d0
    Authentihash MD5: cec49dd8b1dbb091e3d6f8134cee5bdc
    Authentihash SHA1: a4b5442d906715caaadc011d0c2fa44cd894dbfe
    Authentihash SHA256: 23be3616a4fb4e620f971e4348dc46b7980abca6463be3cb4b83769a955f2810
    RichPEHeaderHash MD5: ae12000e18da8fac0c57ef3d7cd3236e
    RichPEHeaderHash SHA1: 803fe53650c7d62f0652d87117cab64e01934e73
    RichPEHeaderHash SHA256: 329187edf745b2d770774d2c1698151b8e63215b7bc7f56dceb4b2894efe0501

    Certificates

    Certificate 13d597c6ebaaaf994d4463d3387c0dd2 (self-signed WDK test certificate; the Signer block below lists the same CN as issuer, so this driver only loads with test signing enabled or DSE disabled)
    ToBeSigned (TBS) MD5: 6b552c6f192fd7c811a7f292b41dd282
    ToBeSigned (TBS) SHA1: fbd054373b922c03cad87c948c29ed2ed0883910
    ToBeSigned (TBS) SHA256: e9098f46ff7e02093422a6e4745f420d41fc08c66a95b6f62f09b44297bf35af
    Subject: CN=WDKTestCert anash,133231280654008727
    ValidFrom: 2023-03-12 20:54:25
    ValidTo: 2033-03-12 00:00:00
    Signature: 2877c0544f97abe3532296be49983e1e9b7f4c99ef327222c4b2b6d70194c8d97db7140a51dc6a18a009549aabe1bcb8c95d089917b9fed893b52f0518b649680aab7fdb5af9098de934aede339cee3d3c271ffc25c8d1b188fee3ff9a8b6591ac9f6e21934467db0d7d6595edcc98f3bbaf303202fab533ae82372da8d8b8dee1dcb80312e8ebe140ea9edfac35bf59e909b49edad358761784ffafb590665a6426e9b3fae943864a0484002555a654647e1495e92d9e8dafd00b0e36e30a921ec424e2d4a70d579879bdaaab9bc21824479b905e710ae1269e3fc3695c50811805f163e23590e53c173a79adda0fe1deb674f34fc0adf3cbcf93a4955907f7
    SignatureAlgorithmOID: 1.2.840.113549.1.1.5 (sha1WithRSAEncryption)
    IsCertificateAuthority: True
    SerialNumber: 13d597c6ebaaaf994d4463d3387c0dd2
    Version: 3

    Imports

    • FLTMGR.SYS
    • ntoskrnl.exe
    • WDFLDR.SYS

    Imported Functions

    • FltGetRequestorProcessId
    • KeWaitForSingleObject
    • ExInitializePushLock
    • ExAcquirePushLockExclusiveEx
    • ExReleasePushLockExclusiveEx
    • MmProbeAndLockPages
    • MmUnlockPages
    • MmProtectMdlSystemAddress
    • MmMapLockedPagesSpecifyCache
    • MmUnmapLockedPages
    • IoAllocateMdl
    • IofCompleteRequest
    • KeReleaseMutex
    • IoCreateSymbolicLink
    • IoDeleteDevice
    • IoDeleteSymbolicLink
    • IoFreeMdl
    • ObfDereferenceObject
    • NtCreateFile
    • PsReferencePrimaryToken
    • PsLookupProcessByProcessId
    • PsGetProcessImageFileName
    • __C_specific_handler
    • wcsstr
    • RtlCopyUnicodeString
    • DbgPrintEx
    • KeInitializeMutex
    • RtlGetVersion
    • DbgPrint
    • MmGetSystemRoutineAddress
    • IoCreateDevice
    • WdfVersionBindClass
    • WdfVersionUnbind
    • WdfLdrQueryInterface
    • WdfVersionBind
    • WdfVersionUnbindClass

    Exported Functions

    (none listed)

    Sections

    • .text
    • .rdata
    • .data
    • .pdata
    • INIT
    • .reloc

    Signature

    {
      "Certificates": [
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "13d597c6ebaaaf994d4463d3387c0dd2",
          "Signature": "2877c0544f97abe3532296be49983e1e9b7f4c99ef327222c4b2b6d70194c8d97db7140a51dc6a18a009549aabe1bcb8c95d089917b9fed893b52f0518b649680aab7fdb5af9098de934aede339cee3d3c271ffc25c8d1b188fee3ff9a8b6591ac9f6e21934467db0d7d6595edcc98f3bbaf303202fab533ae82372da8d8b8dee1dcb80312e8ebe140ea9edfac35bf59e909b49edad358761784ffafb590665a6426e9b3fae943864a0484002555a654647e1495e92d9e8dafd00b0e36e30a921ec424e2d4a70d579879bdaaab9bc21824479b905e710ae1269e3fc3695c50811805f163e23590e53c173a79adda0fe1deb674f34fc0adf3cbcf93a4955907f7",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "CN=WDKTestCert anash,133231280654008727",
          "TBS": {
            "MD5": "6b552c6f192fd7c811a7f292b41dd282",
            "SHA1": "fbd054373b922c03cad87c948c29ed2ed0883910",
            "SHA256": "e9098f46ff7e02093422a6e4745f420d41fc08c66a95b6f62f09b44297bf35af",
            "SHA384": "4b008e59d2ea4c49427250d7da08075c183e7759d91b9defaf47873d9dab76f2b9e17cd95aeee7ca99ea0967a3ceeb0f"
          },
          "ValidFrom": "2023-03-12 20:54:25",
          "ValidTo": "2033-03-12 00:00:00",
          "Version": 3
        }
      ],
      "CertificatesInfo": "",
      "Signer": [
        {
          "Issuer": "CN=WDKTestCert anash,133231280654008727",
          "SerialNumber": "13d597c6ebaaaf994d4463d3387c0dd2",
          "Version": 1
        }
      ],
      "SignerInfo": ""
    }
    


    last_updated: 2024-09-26