C:\Users\Goose\Documents\usermode\build\goosext.pdb
Static task
static1
Behavioral task
behavioral1
Sample
kernelmode.zip
Resource
win10v2004-20231215-en
General
-
Target
kernelmode.zip
-
Size
944KB
-
MD5
51bc10ff032d1f941277e011eb256081
-
SHA1
7e0f72e847efdbde3a46ba9739de943f8efa1f23
-
SHA256
f526bc5ca761a868e9211fd015102c9baaff76bd92cfd439b3a06efe4b68787d
-
SHA512
cf246494a5e06b3b42dfb2732759f405dcb55c493516a341c2cf7670d939fa8987142e73b9335fa7ed2d094c0b2029dfc491b269a2f6db52ac05b6241a9e5a2b
-
SSDEEP
24576:JjA3JA5kd4K53YAge64D1XGWRQoy7rNaVChPw6:JjGJABFAHVD1ITN8GL
Malware Config
Signatures
-
Unsigned PE 2 IoCs
Checks for missing Authenticode signature.
resource unpack001/kernelmode/goosext.exe unpack001/kernelmode/kernelmode.sys
Files
-
kernelmode.zip.zip
Password: Vayzer
-
kernelmode/goosext.exe.exe windows:6 windows x64 arch:x64
Password: Vayzer
1f0230d852ffc4fcc9411ae654a24300
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths
Imports
kernel32
GetStdHandle
VirtualAlloc
OpenProcess
CreateToolhelp32Snapshot
Sleep
GetLastError
Process32NextW
Process32FirstW
CloseHandle
ExitProcess
GetConsoleWindow
lstrcmpiW
GetCommandLineW
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
VirtualFree
IsDebuggerPresent
GetModuleHandleW
CreateEventW
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
IsProcessorFeaturePresent
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
SetConsoleTextAttribute
SetLastError
GetStartupInfoW
QueryPerformanceCounter
FreeLibrary
GetProcAddress
QueryPerformanceFrequency
LoadLibraryA
GetModuleHandleA
GlobalUnlock
WideCharToMultiByte
GlobalLock
GlobalFree
GlobalAlloc
GetCurrentProcess
GetCurrentProcessId
MultiByteToWideChar
user32
GetWindowThreadProcessId
GetWindow
ScreenToClient
GetWindowRect
DestroyWindow
SetWindowPos
GetSystemMetrics
ShowWindow
ClientToScreen
GetForegroundWindow
LoadCursorW
GetAsyncKeyState
DispatchMessageW
PeekMessageW
EnumWindows
DefWindowProcA
SetLayeredWindowAttributes
TranslateMessage
LoadIconW
SetWindowLongW
GetDesktopWindow
RegisterClassExA
UpdateWindow
GetKeyState
OpenClipboard
GetCursorPos
CloseClipboard
EmptyClipboard
GetClipboardData
SetClipboardData
SetCursorPos
SetCursor
GetClientRect
advapi32
PrivilegeCheck
OpenProcessToken
SetThreadToken
CreateProcessAsUserW
DuplicateTokenEx
LookupPrivilegeValueW
RevertToSelf
GetTokenInformation
SetTokenInformation
d3d9
Direct3DCreate9Ex
imm32
ImmReleaseContext
ImmGetContext
ImmSetCandidateWindow
ImmSetCompositionWindow
dwmapi
DwmExtendFrameIntoClientArea
msvcp140
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?uncaught_exception@std@@YA_NXZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
vcruntime140_1
__CxxFrameHandler4
vcruntime140
memset
memmove
memcpy
memcmp
memchr
__C_specific_handler
__current_exception_context
__current_exception
strstr
__std_terminate
api-ms-win-crt-stdio-l1-1-0
ftell
__acrt_iob_func
fflush
__p__commode
fclose
_set_fmode
fseek
__stdio_common_vfprintf
__stdio_common_vsscanf
fread
__stdio_common_vsprintf
_wfopen
fwrite
__stdio_common_vsprintf_s
api-ms-win-crt-utility-l1-1-0
qsort
api-ms-win-crt-string-l1-1-0
strncmp
_wcsicmp
strcmp
strncpy
api-ms-win-crt-heap-l1-1-0
malloc
_set_new_mode
free
api-ms-win-crt-convert-l1-1-0
atof
api-ms-win-crt-runtime-l1-1-0
__p___argv
_c_exit
_register_thread_local_exe_atexit_callback
exit
_exit
_initialize_onexit_table
system
terminate
_initterm_e
_initterm
_configure_narrow_argv
__p___argc
_get_initial_narrow_environment
_set_app_type
_seh_filter_exe
_cexit
_crt_atexit
_register_onexit_function
_initialize_narrow_environment
api-ms-win-crt-math-l1-1-0
tanf
fmodf
ceilf
powf
sinf
sqrtf
__setusermatherr
cosf
atan2
asin
acosf
api-ms-win-crt-locale-l1-1-0
_configthreadlocale
Sections
.text Size: 236KB - Virtual size: 236KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 51KB - Virtual size: 50KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 512B - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 10KB - Virtual size: 10KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 512B - Virtual size: 488B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 480B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
kernelmode/kernelmode.sys.sys windows:10 windows x64 arch:x64
13fcff0e0da006b212f6c2c9c4c02307
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths
C:\Users\Goose\Downloads\Fortnite-External-Source-main (3)\Fortnite-External-Source-main\km\x64\Release\km.pdb
Imports
ntoskrnl.exe
RtlGetVersion
ExAllocatePoolWithTag
ExFreePoolWithTag
MmUnmapIoSpace
MmMapIoSpaceEx
ObfDereferenceObject
MmCopyMemory
KeStackAttachProcess
KeUnstackDetachProcess
PsLookupProcessByProcessId
ZwQuerySystemInformation
PsGetProcessSectionBaseAddress
Sections
.text Size: 4KB - Virtual size: 4KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 512B - Virtual size: 89B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 512B - Virtual size: 276B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
INIT Size: 512B - Virtual size: 436B
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 36B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
kernelmode/spoofer.exe.exe windows:5 windows x86 arch:x86
Password: Vayzer
bf5a4aa99e5b160f8521cadd6bfe73b8
Code Sign
0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5aCertificate
IssuerCN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=USNot Before01/08/2022, 00:00Not After09/11/2031, 23:59SubjectCN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=USKey Usages
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5bCertificate
IssuerCN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=USNot Before23/03/2022, 00:00Not After22/03/2037, 23:59SubjectCN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=USExtended Key Usages
ExtKeyUsageTimeStamping
Key Usages
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9Certificate
IssuerCN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=USNot Before29/04/2021, 00:00Not After28/04/2036, 23:59SubjectCN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=USExtended Key Usages
ExtKeyUsageCodeSigning
Key Usages
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5aCertificate
IssuerCN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=USNot Before21/09/2022, 00:00Not After21/11/2033, 23:59SubjectCN=DigiCert Timestamp 2022 - 2,O=DigiCert,C=USExtended Key Usages
ExtKeyUsageTimeStamping
Key Usages
KeyUsageDigitalSignature
0b:97:6d:d3:81:4e:72:2f:75:0a:35:f3:bc:91:bf:a0Certificate
IssuerCN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=USNot Before10/03/2023, 00:00Not After19/03/2024, 23:59SubjectCN=GOG sp. z o.o,O=GOG sp. z o.o,L=WARSZAWA,ST=MAZOWIECKIE,C=PLExtended Key Usages
ExtKeyUsageCodeSigning
Key Usages
KeyUsageDigitalSignature
59:b1:0a:3d:3c:59:07:f4:e9:a6:98:02:b1:d6:3f:a6:04:ec:a5:f4Signer
Actual PE Digest59:b1:0a:3d:3c:59:07:f4:e9:a6:98:02:b1:d6:3f:a6:04:ec:a5:f4Digest Algorithmsha1PE Digest MatchesfalseHeaders
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
PDB Paths
Imports
kernel32
RaiseException
GetLastError
MultiByteToWideChar
lstrlenA
InterlockedDecrement
GetProcAddress
LoadLibraryA
FreeResource
SizeofResource
LockResource
LoadResource
FindResourceA
GetModuleHandleA
Module32Next
CloseHandle
Module32First
CreateToolhelp32Snapshot
GetCurrentProcessId
SetEndOfFile
GetStringTypeW
GetStringTypeA
LCMapStringW
LCMapStringA
GetLocaleInfoA
HeapFree
GetProcessHeap
HeapAlloc
GetCommandLineA
HeapCreate
VirtualFree
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
VirtualAlloc
HeapReAlloc
HeapSize
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetModuleHandleW
Sleep
ExitProcess
WriteFile
GetStdHandle
GetModuleFileNameA
WideCharToMultiByte
GetConsoleCP
GetConsoleMode
ReadFile
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
FlushFileBuffers
SetFilePointer
SetHandleCount
GetFileType
GetStartupInfoA
RtlUnwind
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetTickCount
GetSystemTimeAsFileTime
InitializeCriticalSectionAndSpinCount
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
CompareStringA
CompareStringW
SetEnvironmentVariableA
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
SetStdHandle
CreateFileA
ole32
OleInitialize
oleaut32
SafeArrayCreate
SafeArrayAccessData
SafeArrayUnaccessData
SafeArrayDestroy
SafeArrayCreateVector
VariantClear
VariantInit
SysFreeString
SysAllocString
Sections
.text Size: 102KB - Virtual size: 101KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 27KB - Virtual size: 27KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 5KB - Virtual size: 12KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 488KB - Virtual size: 488KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ