daxin | 8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce

Sharing

Copy URL Twitter E-mail

General

Target

8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce
Size

70KB
MD5

79df0eabbf2895e4e2dae15a4772868c
SHA1

d02403f85be6f243054395a873b41ef8a17ea279
SHA256

8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce
SHA512

dc822a9963bce743f3af5d7a49a0aebe35bfaa899dc11e2b40aba6d5122a32fc2b8c1d8d2cdbb6d153dd7669060cb3e10beb58227d1327394b3a3c3954f09604
SSDEEP

1536:ARM1VWgS1lYpKCNTzc8jt4riPJdBnH2dXDGZ838tGVxJ:AhgUup7NQiP9H2dz08ssVxJ

Score

10^/10

daxin

Malware Config

Signatures

Daxin family
daxin

Daxin payload 1 IoCs

resource	yara_rule
sample	family_daxin

Files

8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce
.sys windows:6 windows x64 arch:x64

6150c5c5e078c5bf23006689a41058cd

Code Sign

38:7c:94:76:e2:83:20:26:45:94:84:63:17:d4:65:40
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

28/06/2011, 00:00

Not After

27/06/2014, 23:59

Subject

CN=Anhua Xinda (Beijing) Technology Co.\, Ltd.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Anhua Xinda (Beijing) Technology Co.\, Ltd.,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:19:93:e4:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/02/2011, 19:25

Not After

22/02/2021, 19:35

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

a1:0f:5c:6c:4d:5a:e7:8f:0c:a7:71:32:8c:74:eb:9f:c5:1e:59:3d
Signer

Actual PE Digest

a1:0f:5c:6c:4d:5a:e7:8f:0c:a7:71:32:8c:74:eb:9f:c5:1e:59:3d

Digest Algorithm

sha1

PE Digest Matches

false

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

wcsncmp
IoAllocateMdl
_stricmp
sprintf
RtlLengthRequiredSid
_strnicmp
ExAllocatePoolWithTag
vsprintf
IoDeleteSymbolicLink
ExFreePoolWithTag
RtlAnsiStringToUnicodeString
NtWriteFile
RtlCreateAcl
PsLookupProcessByProcessId
NtQuerySystemInformation
_wcsnicmp
ZwReadFile
RtlSetDaclSecurityDescriptor
KeInitializeApc
IoDeleteDevice
NtFsControlFile
KeInsertQueueApc
MmGetSystemRoutineAddress
IoCreateFile
atoi
_snprintf
ZwQuerySystemInformation
KeReleaseSpinLock
RtlAddAccessAllowedAce
RtlImageDirectoryEntryToData
KeDetachProcess
ZwOpenFile
ZwCreateFile
PsCreateSystemThread
ZwQueryValueKey
PsTerminateSystemThread
ZwFreeVirtualMemory
KeQueryTimeIncrement
ObReferenceObjectByHandle
KeWaitForSingleObject
KeAttachProcess
PsGetVersion
PsThreadType
RtlCompareUnicodeString
ZwOpenProcess
ZwQueryInformationProcess
IoCreateSymbolicLink
ObfDereferenceObject
IoCreateDevice
ZwTerminateProcess
ZwQueryInformationFile
KeWaitForMultipleObjects
ZwWriteFile
NtReadFile
PsLookupThreadByThreadId
RtlLengthSid
RtlCreateSecurityDescriptor
ZwAllocateVirtualMemory
ZwOpenKey
KeAcquireSpinLockRaiseToDpc
RtlUnicodeStringToInteger
MmIsAddressValid
ZwDeviceIoControlFile
IofCompleteRequest
ZwClose
MmMapLockedPagesSpecifyCache
KeDelayExecutionThread
MmUserProbeAddress
MmBuildMdlForNonPagedPool
memchr
ZwWaitForSingleObject
RtlInitUnicodeString

ndis.sys

NdisAllocateMemoryWithTag
NdisAllocateNetBufferAndNetBufferList
NdisMSendNetBufferListsComplete
NdisReturnNetBufferLists
NdisAllocateNetBufferListPool
NdisFreeMemory
NdisMIndicateStatus
NdisFreeMdl
NdisFreeNetBufferListPool
NdisFreeNetBufferList
NdisSendNetBufferLists

Sections

.text
Size: 54KB - Virtual size: 54KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 73KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 944B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

6150c5c5e078c5bf23006689a41058cd

Code Sign

38:7c:94:76:e2:83:20:26:45:94:84:63:17:d4:65:40Certificate

Extended Key Usages

Key Usages

61:19:93:e4:00:00:00:00:00:1cCertificate

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

a1:0f:5c:6c:4d:5a:e7:8f:0c:a7:71:32:8c:74:eb:9f:c5:1e:59:3dSigner

Headers

File Characteristics

Imports

ntoskrnl.exe

ndis.sys

Sections

.text Size: 54KB - Virtual size: 54KB

.rdata Size: 2KB - Virtual size: 2KB

.data Size: 512B - Virtual size: 73KB

.pdata Size: 2KB - Virtual size: 2KB

INIT Size: 3KB - Virtual size: 3KB

.rsrc Size: 1024B - Virtual size: 944B

38:7c:94:76:e2:83:20:26:45:94:84:63:17:d4:65:40
Certificate

61:19:93:e4:00:00:00:00:00:1c
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

a1:0f:5c:6c:4d:5a:e7:8f:0c:a7:71:32:8c:74:eb:9f:c5:1e:59:3d
Signer

.text
Size: 54KB - Virtual size: 54KB

.rdata
Size: 2KB - Virtual size: 2KB

.data
Size: 512B - Virtual size: 73KB

.pdata
Size: 2KB - Virtual size: 2KB

INIT
Size: 3KB - Virtual size: 3KB

.rsrc
Size: 1024B - Virtual size: 944B