awesome-windows-rootkits-master[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

awesome-windows-rootkits-master.zip
Size

41KB
MD5

6efc70e003e46165d5b8bd9142fc8c2e
SHA1

c417d1597756c7dfed92f14a29b33f408602c1d6
SHA256

2f5fdcc2f02b2ea6d2bce4f6cd409bcd0711489b8e76d3a4d57b8883ee12024d
SHA512

f749e31190e2f1763e92ff94191bd356a9835cbe7dc01a80c49c9788e7004bba793d089762c2e508b47257424b62d90de68555d5c78cac3791f5ebc0f0c3ea98
SSDEEP

768:dAjKzcvFNi7RB9l9bG3dObZJWDbCTJqjiko1kLzCyPZENpIPfrhVdGx9muj:dAjKzcvFNi7FrbGNOJWbUJqjXo2LzPcH

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack002/EquationDrug.sys
unpack003/TheHackingTeam.sys

Files

awesome-windows-rootkits-master.zip
.zip

Password: !nf3ct3d
awesome-windows-rootkits-master/.gitignore
awesome-windows-rootkits-master/EquationDrug.zip
.zip

Password: !nf3ct3d
EquationDrug.sys
.sys windows:4 windows x86 arch:x86

9ab142abb692f6df617e0254f1c41663

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

ntoskrnl.exe

ExfInterlockedInsertTailList
ExfInterlockedInsertHeadList
ExfInterlockedRemoveHeadList
PsGetVersion
ZwQueryValueKey
ZwOpenKey
KeWaitForSingleObject
InterlockedExchange
InterlockedCompareExchange
ExQueueWorkItem
IoFreeMdl
IoBuildPartialMdl
MmBuildMdlForNonPagedPool
IoAllocateMdl
PsCreateSystemThread
KeWaitForMultipleObjects
PsTerminateSystemThread
RtlAppendUnicodeStringToString
RtlCopyUnicodeString
memmove
ZwCreateKey
ZwDeleteKey
ZwEnumerateKey
ZwQueryKey
ZwSetValueKey
RtlUnwind
MmMapLockedPagesSpecifyCache
InterlockedDecrement
InterlockedIncrement
swprintf
ObReferenceObjectByHandle
ObfDereferenceObject
IoDeleteSymbolicLink
IofCompleteRequest
IoCreateDevice
IoDeleteDevice
ZwClose
ExAllocatePool
wcslen
RtlAnsiStringToUnicodeString
RtlCompareUnicodeString
RtlFreeUnicodeString
RtlInitAnsiString
RtlUnicodeStringToAnsiString
RtlFreeAnsiString
strncpy
KeInitializeSpinLock
RtlDeleteRegistryValue
_strnicmp
ZwQuerySystemInformation
NtBuildNumber
PsInitialSystemProcess
ZwQueryInformationProcess
ZwOpenProcess
PsLookupProcessByProcessId
strchr
strrchr
MmIsAddressValid
KeDetachProcess
ZwFreeVirtualMemory
ZwAllocateVirtualMemory
KeAttachProcess
KeDelayExecutionThread
KeInsertQueueApc
KeInitializeApc
ZwCreateFile
_snwprintf
ZwFsControlFile
ZwQueryInformationFile
ZwWriteFile
RtlConvertUlongToLargeInteger
KeTickCount
ZwQueryVolumeInformationFile
RtlRandom
ZwSetInformationFile
KeReleaseSemaphore
MmUnlockPages
MmUnmapLockedPages
KeInitializeEvent
KeInitializeSemaphore
MmProbeAndLockPages
KeQuerySystemTime
ExAllocatePoolWithTag
RtlInitUnicodeString
ExFreePool

hal

KeQueryPerformanceCounter
ExAcquireFastMutex
ExReleaseFastMutex
KfAcquireSpinLock
KfReleaseSpinLock

ndis.sys

NdisFreePacket
NdisAllocateBufferPool
NdisAllocatePacketPool
NdisFreeBufferPool
NdisCloseAdapter
NdisAllocatePacket
NdisOpenAdapter
NdisWaitEvent
NdisDeregisterProtocol
NdisInitializeEvent
NdisResetEvent
NdisSetEvent
NdisRegisterProtocol
NdisAllocateBuffer
NdisUnchainBufferAtFront
NdisFreePacketPool

Sections

.text
Size: 40KB - Virtual size: 40KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 928B - Virtual size: 912B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
awesome-windows-rootkits-master/README.md
awesome-windows-rootkits-master/TheHackingTeam.zip
.zip

Password: !nf3ct3d
TheHackingTeam.sys
.sys windows:6 windows x86 arch:x86

0986c134ccc3041a3665a381bbdf8c83

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

mrxsmbmg.pdb

Imports

ntoskrnl.exe

KeWaitForSingleObject
KeInitializeEvent
ExFreePool
RtlInitUnicodeString
ExAllocatePool
_except_handler3
memcpy
_local_unwind2
memset
KeDelayExecutionThread
RtlCompareUnicodeString
ZwClose
ObfDereferenceObject
KeWaitForMultipleObjects
ObReferenceObjectByHandle
PsCreateSystemThread
PsGetVersion
ZwQueryInformationProcess
wcsncpy
RtlInitString
PsGetCurrentProcessId
ZwOpenProcess
RtlEqualString
RtlInitAnsiString
strrchr
ZwOpenThread
KeSetEvent
KeClearEvent
ZwCreateKey
ZwSetValueKey
ZwQueryValueKey
ZwOpenKey
ZwQuerySystemInformation
ExAllocatePoolWithTag
swprintf
ExFreePoolWithTag
RtlCopyUnicodeString
RtlAppendUnicodeStringToString
ZwDeleteKey

Sections

.text
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 384B - Virtual size: 316B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 1024B - Virtual size: 958B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 968B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 640B - Virtual size: 598B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: !nf3ct3d

Password: !nf3ct3d

9ab142abb692f6df617e0254f1c41663

Headers

File Characteristics

Imports

ntoskrnl.exe

hal

ndis.sys

Sections

.text Size: 40KB - Virtual size: 40KB

.data Size: 7KB - Virtual size: 7KB

INIT Size: 2KB - Virtual size: 2KB

.rsrc Size: 928B - Virtual size: 912B

.reloc Size: 3KB - Virtual size: 3KB

Password: !nf3ct3d

0986c134ccc3041a3665a381bbdf8c83

Headers

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

Sections

.text Size: 9KB - Virtual size: 9KB

.rdata Size: 1KB - Virtual size: 1KB

.data Size: 384B - Virtual size: 316B

INIT Size: 1024B - Virtual size: 958B

.rsrc Size: 1024B - Virtual size: 968B

.reloc Size: 640B - Virtual size: 598B

.text
Size: 40KB - Virtual size: 40KB

.data
Size: 7KB - Virtual size: 7KB

INIT
Size: 2KB - Virtual size: 2KB

.rsrc
Size: 928B - Virtual size: 912B

.reloc
Size: 3KB - Virtual size: 3KB

.text
Size: 9KB - Virtual size: 9KB

.rdata
Size: 1KB - Virtual size: 1KB

.data
Size: 384B - Virtual size: 316B

INIT
Size: 1024B - Virtual size: 958B

.rsrc
Size: 1024B - Virtual size: 968B

.reloc
Size: 640B - Virtual size: 598B