netfilter | e8e7f2f889948fd977b5941e6897921da28c8898a9ca1379816d9f3fa9bc40ff

Sharing

Copy URL

Twitter E-mail

General

Target

e8e7f2f889948fd977b5941e6897921da28c8898a9ca1379816d9f3fa9bc40ff
Size

48KB
MD5

58df991da21c475ac135914b8315f74d
SHA1

b821b326c1855ca802ead55042657909a5f2d760
SHA256

e8e7f2f889948fd977b5941e6897921da28c8898a9ca1379816d9f3fa9bc40ff
SHA512

d13da5962158b396668a0115fbecf0b421edf54a9e1a687388d5682ed49d448305ce43a15da795c46d4d88ae7323aab73d6a46b30c205b045d02ec10e18a96be
SSDEEP

768:bmWYAhtY+DNA9uB+91EB8njD0RfgmBtgpkX4OLv2MiX6TmfHOQtfbhM:bm3Ahv+3EU+4QvNLv2lwSHOoT6

Score

10^/10

netfilter

Malware Config

Signatures

NetFilter Payload 1 IoCs

Processes:

resource yara_rule

sample netfilter_payload
Netfilter family
netfilter

resource	yara_rule
sample	netfilter_payload

Files

e8e7f2f889948fd977b5941e6897921da28c8898a9ca1379816d9f3fa9bc40ff
.exe windows x64

3b7a92cf2b8a3fe6fdccfac5a51f1c5f

Code Sign

73:27:09:7d:a2:34:17:a7:4d:45:18:1f:b1:60:f9:f7
Certificate

Issuer

CN=WDKTestCert omen\,132578539763945900

Not Before

15-02-2021 09:12

Not After

15-02-2031 00:00

Subject

CN=WDKTestCert omen\,132578539763945900

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageKeyEncipherment
KeyUsageDataEncipherment

33:00:00:00:b5:21:3f:ca:1e:4a:a0:3d:e4:00:00:00:00:00:b5
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 22:15

Not After

02-12-2021 22:15

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0b:aa:c1:00:00:00:00:00:09
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

18-04-2012 23:48

Not After

18-04-2027 23:58

Subject

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

dd:d8:3a:f2:e9:9c:2e:51:f2:bb:bb:5a:1f:aa:df:9f:2d:db:c3:e3:9b:08:69:35:62:1d:68:46:a8:53:0d:76
Signer

Actual PE Digest

dd:d8:3a:f2:e9:9c:2e:51:f2:bb:bb:5a:1f:aa:df:9f:2d:db:c3:e3:9b:08:69:35:62:1d:68:46:a8:53:0d:76

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

03-02-2022 02:54
Valid: false

a2:da:5c:39:7f:73:7f:a5:5d:8f:93:d3:ce:d5:eb:70:ae:09:80:1f
Signer

Actual PE Digest

a2:da:5c:39:7f:73:7f:a5:5d:8f:93:d3:ce:d5:eb:70:ae:09:80:1f

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=WDKTestCert omen\,132578539763945900

03-02-2022 02:54
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

fwpkclnt.sys

FwpmFilterAdd0
FwpmFilterDeleteById0
FwpsAcquireClassifyHandle0
FwpmCalloutAdd0
FwpsCompleteClassify0
FwpsAcquireWritableLayerDataPointer0
FwpsApplyModifiedLayerData0
FwpmSubLayerDeleteByKey0
FwpmSubLayerAdd0
FwpmTransactionAbort0
FwpmTransactionCommit0
FwpmTransactionBegin0
FwpmEngineClose0
FwpmEngineOpen0
FwpsCalloutUnregisterById0
FwpsReleaseClassifyHandle0
FwpsCalloutRegister1

ntoskrnl.exe

KeInitializeEvent
KeWaitForSingleObject
IoAllocateIrp
IofCallDriver
IoCreateFile
IoFreeIrp
IoGetRelatedDeviceObject
ObReferenceObjectByHandle
ObfDereferenceObject
ZwQueryInformationFile
ZwSetInformationFile
ZwReadFile
ZwWriteFile
ZwClose
IoFileObjectType
strchr
strncat
strncpy_s
strstr
KeResetEvent
MmProbeAndLockPages
MmUnlockPages
IoAllocateMdl
IoFreeMdl
IoReuseIrp
__C_specific_handler
DbgPrintEx
vDbgPrintEx
vDbgPrintExWithPrefix
MmIsAddressValid
ExSystemTimeToLocalTime
sprintf
_vsnwprintf
KeEnterCriticalRegion
KeLeaveCriticalRegion
PsTerminateSystemThread
KeSetBasePriorityThread
CmUnRegisterCallback
CmRegisterCallbackEx
CmCallbackGetKeyObjectID
strncmp
strncpy
wcsncmp
ExAcquireSpinLockExclusive
ExReleaseSpinLockExclusive
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
KeInitializeTimerEx
KeSetTimerEx
PsCreateSystemThread
ZwCreateKey
ZwOpenKey
ZwFlushKey
ZwQueryValueKey
ZwSetValueKey
NtQueryInformationToken
RtlLengthSid
RtlConvertSidToUnicodeString
RtlCreateAcl
RtlAddAccessAllowedAce
RtlSetOwnerSecurityDescriptor
PsLookupProcessByProcessId
ObOpenObjectByPointer
ZwOpenProcessTokenEx
ZwSetSecurityObject
PsGetProcessImageFileName
PsProcessType
SeExports
IoDeleteSymbolicLink
ExFreePoolWithTag
ExAllocatePoolWithTag
KeSetEvent
RtlFreeUnicodeString
KeBugCheckEx
RtlCopyUnicodeString
RtlAnsiStringToUnicodeString
RtlInitUnicodeString
RtlInitAnsiString
RtlTimeToTimeFields

netio.sys

WskCaptureProviderNPI
WskReleaseProviderNPI
WskDeregister
WskRegister

wdfldr.sys

WdfVersionBind
WdfVersionBindClass
WdfVersionUnbindClass
WdfVersionUnbind

Sections

.text
Size: 26KB - Virtual size: 26KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 60B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

3b7a92cf2b8a3fe6fdccfac5a51f1c5f

Code Sign

73:27:09:7d:a2:34:17:a7:4d:45:18:1f:b1:60:f9:f7Certificate

Extended Key Usages

Key Usages

33:00:00:00:b5:21:3f:ca:1e:4a:a0:3d:e4:00:00:00:00:00:b5Certificate

Extended Key Usages

61:0b:aa:c1:00:00:00:00:00:09Certificate

Key Usages

dd:d8:3a:f2:e9:9c:2e:51:f2:bb:bb:5a:1f:aa:df:9f:2d:db:c3:e3:9b:08:69:35:62:1d:68:46:a8:53:0d:76Signer

Signature Validations

Verification

03-02-2022 02:54 Valid: false

a2:da:5c:39:7f:73:7f:a5:5d:8f:93:d3:ce:d5:eb:70:ae:09:80:1fSigner

Signature Validations

Verification

03-02-2022 02:54 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

fwpkclnt.sys

ntoskrnl.exe

netio.sys

wdfldr.sys

Sections

.text Size: 26KB - Virtual size: 26KB

.rdata Size: 5KB - Virtual size: 4KB

.data Size: 512B - Virtual size: 36KB

.pdata Size: 1KB - Virtual size: 1KB

INIT Size: 3KB - Virtual size: 3KB

.reloc Size: 512B - Virtual size: 60B

73:27:09:7d:a2:34:17:a7:4d:45:18:1f:b1:60:f9:f7
Certificate

33:00:00:00:b5:21:3f:ca:1e:4a:a0:3d:e4:00:00:00:00:00:b5
Certificate

61:0b:aa:c1:00:00:00:00:00:09
Certificate

dd:d8:3a:f2:e9:9c:2e:51:f2:bb:bb:5a:1f:aa:df:9f:2d:db:c3:e3:9b:08:69:35:62:1d:68:46:a8:53:0d:76
Signer

03-02-2022 02:54
Valid: false

a2:da:5c:39:7f:73:7f:a5:5d:8f:93:d3:ce:d5:eb:70:ae:09:80:1f
Signer

03-02-2022 02:54
Valid: false

.text
Size: 26KB - Virtual size: 26KB

.rdata
Size: 5KB - Virtual size: 4KB

.data
Size: 512B - Virtual size: 36KB

.pdata
Size: 1KB - Virtual size: 1KB

INIT
Size: 3KB - Virtual size: 3KB

.reloc
Size: 512B - Virtual size: 60B