a9cf2c6cb4a83acb3cf58c333879aba0_NEIKI

Sharing

Copy URL Twitter E-mail

General

Target

a9cf2c6cb4a83acb3cf58c333879aba0_NEIKI
Size

183KB
MD5

a9cf2c6cb4a83acb3cf58c333879aba0
SHA1

78ad6203b19a6617962cecd32beb079fcee57ecf
SHA256

1f36ad66ca8a05327b223519ee4e9c7c5603e96d67daf5c9a40e252b9718765e
SHA512

42cd0e6d0bb37f28922c5ecc299e88e8ffe676a1e127d825aaf6d77cf03a257f95ba3a4cccd37e3d1ce07e257c641ed33aa11d31ce9cde11ef1f14dde9265a8d
SSDEEP

3072:4Srs/1em8PJpnLsSGvexOBUaHv+oDYikVy2ek53mk:/som8PJpgSJOBUSvNkZR

Score

1^/10

Malware Config

Signatures

Files

a9cf2c6cb4a83acb3cf58c333879aba0_NEIKI
.sys windows:5 windows x64 arch:x64

214ac3ca8abdcd0912a73a46ae02b11d

Code Sign

5f:78:14:9e:b4:f7:5e:b1:74:04:a8:14:3a:ae:ae:d7
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

23/03/2011, 00:00

Not After

22/03/2012, 23:59

Subject

CN=上海域联软件技术有限公司,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=上海域联软件技术有限公司,L=Shanghai,ST=Shanghai,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:19:93:e4:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/02/2011, 19:25

Not After

22/02/2021, 19:35

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

25:83:7e:0a:77:82:a5:2c:ff:69:c1:65:ba:f1:3d:ee:d4:86:ed:fd
Signer

Actual PE Digest

25:83:7e:0a:77:82:a5:2c:ff:69:c1:65:ba:f1:3d:ee:d4:86:ed:fd

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\src\Sandbox\Projects\Bin\x64\SbieRelease\SbieDrv.pdb

Imports

ntoskrnl.exe

ProbeForRead
PsGetCurrentProcessId
KeAreApcsDisabled
ExGetPreviousMode
ProbeForWrite
ObfDereferenceObject
LpcRequestPort
ObfReferenceObject
ZwClose
ZwSetEvent
ZwOpenEvent
RtlInitUnicodeString
ObReferenceObjectByHandle
LpcPortObjectType
wcsncpy
ExRaiseStatus
ExFreePoolWithTag
IoDeleteDevice
wcsncmp
IoCreateDevice
ExAllocatePoolWithTag
RtlCompareUnicodeString
wcschr
RtlFreeUnicodeString
_wcsicmp
_wcsnicmp
ExAcquireResourceSharedLite
RtlUnicodeStringToInteger
ZwYieldExecution
swprintf
RtlQueryRegistryValues
_itow
KeWaitForSingleObject
PsDereferencePrimaryToken
RtlConvertSidToUnicodeString
SeQueryInformationToken
PsReferencePrimaryToken
IoGetCurrentProcess
towlower
KeSetEvent
KeInitializeEvent
ZwUnmapViewOfSection
ZwMapViewOfSection
ZwCreateSection
ZwQueryInformationFile
ZwCreateFile
PsGetVersion
RtlSetSaclSecurityDescriptor
RtlAddAce
RtlSetDaclSecurityDescriptor
RtlCreateSecurityDescriptor
RtlAddAccessAllowedAceEx
RtlCreateAcl
wcsrchr
ZwQueryValueKey
ZwOpenKey
MmGetSystemRoutineAddress
KeDelayExecutionThread
ZwWriteFile
ZwSetInformationFile
sprintf
IoFileObjectType
IoCreateFileSpecifyDeviceObjectHint
SeTokenObjectType
ZwOpenThreadToken
ZwQuerySymbolicLinkObject
ZwOpenSymbolicLinkObject
ExWindowStationObjectType
PsGetProcessWin32WindowStation
IoIs32bitProcess
ZwWaitForSingleObject
__C_specific_handler
MmProtectMdlSystemAddress
MmMapLockedPagesSpecifyCache
MmProbeAndLockPages
IoAllocateMdl
ExInitializeResourceLite
ExDeleteResourceLite
KeBugCheckEx
IoCreateFile
ZwReadFile
_wcslwr
ZwCreateDirectoryObject
ZwSetSecurityObject
ZwCreateSymbolicLinkObject
NtClose
ZwOpenDirectoryObject
NtDuplicateObject
ObOpenObjectByPointer
SeSinglePrivilegeCheck
PsGetProcessId
PsProcessType
ObReferenceObjectByName
ZwQueryDirectoryObject
PsGetProcessSessionId
PsLookupProcessByProcessId
ZwQuerySystemInformation
CmUnRegisterCallback
ZwLoadKey
ZwOpenProcessTokenEx
ZwCreateKey
ZwSetValueKey
ExLocalTimeToSystemTime
RtlTimeFieldsToTime
IoWriteErrorLogEntry
IoAllocateErrorLogEntry
DbgPrint
ObQueryNameString
PsSetThreadHardErrorsAreDisabled
RtlInt64ToUnicodeString
PsGetProcessCreateTimeQuadPart
PsSetLoadImageNotifyRoutine
PsSetCreateProcessNotifyRoutine
PsRemoveLoadImageNotifyRoutine
PsDereferenceImpersonationToken
SeQuerySessionIdToken
PsReferenceImpersonationToken
KeUnstackDetachProcess
KeStackAttachProcess
PsGetProcessPeb
ZwQueryInformationProcess
ZwOpenProcess
PsGetProcessJob
ObOpenObjectByName
SeTokenIsAdmin
ZwQueryInformationToken
PsImpersonateClient
SeTokenType
PsGetCurrentThreadId
PsGetProcessExitProcessCalled
ZwOpenProcessToken
ZwDuplicateToken
PsRemoveCreateThreadNotifyRoutine
PsGetThreadProcess
PsGetThreadId
SeTokenImpersonationLevel
PsThreadType
PsSetCreateThreadNotifyRoutine
SeFilterToken
RtlEqualSid
ZwSetInformationProcess
RtlAddAccessAllowedAce
IofCompleteRequest
ExReleaseResourceLite
ZwUnloadKey
ExAcquireResourceExclusiveLite

fltmgr.sys

FltStartFiltering
FltUnregisterFilter
FltRegisterFilter

Sections

.text
Size: 112KB - Virtual size: 111KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 33KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INITDATA
Size: 512B - Virtual size: 320B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 17KB - Virtual size: 16KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 1016B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

214ac3ca8abdcd0912a73a46ae02b11d

Code Sign

5f:78:14:9e:b4:f7:5e:b1:74:04:a8:14:3a:ae:ae:d7Certificate

Extended Key Usages

Key Usages

61:19:93:e4:00:00:00:00:00:1cCertificate

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

25:83:7e:0a:77:82:a5:2c:ff:69:c1:65:ba:f1:3d:ee:d4:86:ed:fdSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

fltmgr.sys

Sections

.text Size: 112KB - Virtual size: 111KB

.rdata Size: 33KB - Virtual size: 32KB

.data Size: 3KB - Virtual size: 4KB

.pdata Size: 9KB - Virtual size: 8KB

INITDATA Size: 512B - Virtual size: 320B

INIT Size: 17KB - Virtual size: 16KB

.rsrc Size: 1024B - Virtual size: 1016B

.reloc Size: 1KB - Virtual size: 1KB

5f:78:14:9e:b4:f7:5e:b1:74:04:a8:14:3a:ae:ae:d7
Certificate

61:19:93:e4:00:00:00:00:00:1c
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

25:83:7e:0a:77:82:a5:2c:ff:69:c1:65:ba:f1:3d:ee:d4:86:ed:fd
Signer

.text
Size: 112KB - Virtual size: 111KB

.rdata
Size: 33KB - Virtual size: 32KB

.data
Size: 3KB - Virtual size: 4KB

.pdata
Size: 9KB - Virtual size: 8KB

INITDATA
Size: 512B - Virtual size: 320B

INIT
Size: 17KB - Virtual size: 16KB

.rsrc
Size: 1024B - Virtual size: 1016B

.reloc
Size: 1KB - Virtual size: 1KB