33ddeadcdb68ae311cde1464a675239593cebdab19b3a1ef77ceaf2988b69151

Sharing

Copy URL Twitter E-mail

General

Target

33ddeadcdb68ae311cde1464a675239593cebdab19b3a1ef77ceaf2988b69151
Size

194KB
MD5

f95b27d20ba52718d467a3ce0ee5b1c8
SHA1

576961938c4a86a98690db3cf98b13454b3dd458
SHA256

33ddeadcdb68ae311cde1464a675239593cebdab19b3a1ef77ceaf2988b69151
SHA512

22ac94fb7b3a0a8da5bc2bece9cb43bd0382236b02544b804dd3ca0888323cb0bad0dff5bd996e4501a219b72c6c0bbd697b653046d093b96cfbcc77981dbe6a
SSDEEP

3072:Tl6FOFh0PWZO5AMxHXc46ntszVjz3xbRgjSHneq+sTsDJmD8cV/PkvH:xpr0PWZ+x3t6tMJz8+Hr+sCJcV/PGH

Score

1^/10

Malware Config

Signatures

Files

33ddeadcdb68ae311cde1464a675239593cebdab19b3a1ef77ceaf2988b69151
.sys windows:10 windows x64 arch:x64

58ecbaaab3100bdda10da5c8f0945a4d

Code Sign

54:87:1d:9a:b3:8d:19:02:c3:21:15:f4:c0:79:7e:a2
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

07/01/2014, 00:00

Not After

07/01/2015, 23:59

Subject

CN=Shenzhen Jinxian Technology Co.\, Ltd.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Shenzhen Jinxian Technology Co.\, Ltd.,L=Shenzhen,ST=Guangdong,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:19:93:e4:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/02/2011, 19:25

Not After

22/02/2021, 19:35

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

1e:b1:32:d5:7e:79:68:96:0d:f2:6e:85:4e:b0:dd:a6
Certificate

Issuer

CN=JemmyLoveJenny SHA1 TimeStamping Services CA,OU=pki.jemmylovejenny.tk,O=JemmyLoveJenny PKI Service,C=CN

Not Before

01/01/2000, 00:00

Not After

31/12/2099, 23:59

Subject

CN=Fake TimeStamp Responder,OU=timestamp.pki.jemmylovejenny.tk,O=JemmyLoveJenny PKI Service,C=CN

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

1e:b1:32:d5:7e:79:68:96
Certificate

Issuer

CN=JemmyLoveJenny EV Root CA,OU=pki.jemmylovejenny.tk,O=JemmyLoveJenny PKI Service,C=CN

Not Before

01/01/2000, 00:00

Not After

31/12/2099, 23:59

Subject

CN=JemmyLoveJenny SHA1 TimeStamping Services CA,OU=pki.jemmylovejenny.tk,O=JemmyLoveJenny PKI Service,C=CN

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

8c:c2:6f:b1:e7:48:92:5b:79:57:5c:7f:75:92:2a:3e:c6:57:2d:fb
Signer

Actual PE Digest

8c:c2:6f:b1:e7:48:92:5b:79:57:5c:7f:75:92:2a:3e:c6:57:2d:fb

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

E:\PROJECT\FancyCache\release\drv\winlh\amd64\rxfcv_srv_raw.pdb

Imports

rxbsknl.sys

RxbsCreateHyperDevice
RxbsCloseHyperDevice
RxbsSetParamHyperSystem
RxbsGetParamHyperSystem
RxbsStartHyperSystem
RxbsGetHyperSystemState
RxbsConnectHyperSystem
RxbsDisconnectHyperSystem

ntoskrnl.exe

KeSetPriorityThread
KeWaitForSingleObject
ExFreePoolWithTag
ExInterlockedRemoveHeadList
PsTerminateSystemThread
KeInitializeEvent
KeInitializeGuardedMutex
KeAcquireGuardedMutex
KeReleaseGuardedMutex
ExAllocatePoolWithTag
ExQueryDepthSList
ExpInterlockedPopEntrySList
ExpInterlockedPushEntrySList
ExInitializeNPagedLookasideList
ExDeleteNPagedLookasideList
MmMapLockedPagesSpecifyCache
MmUnmapLockedPages
MmMapIoSpace
MmUnmapIoSpace
IoAllocateMdl
IoFreeMdl
RtlCompareMemory
ExUuidCreate
RtlInitUnicodeString
KeClearEvent
KeSetEvent
ExInterlockedInsertTailList
IofCompleteRequest
IoCreateDevice
IoCreateSymbolicLink
IoDeleteDevice
IoDeleteSymbolicLink
IoRegisterShutdownNotification
IoRegisterLastChanceShutdownNotification
IoUnregisterShutdownNotification
ObfDereferenceObject
RtlCopyUnicodeString
IoAttachDeviceToDeviceStack
IoBuildSynchronousFsdRequest
IofCallDriver
IoInitializeRemoveLockEx
IoAcquireRemoveLockEx
IoReleaseRemoveLockEx
IoRegisterDeviceInterface
ZwClose
IoRegisterBootDriverReinitialization
IoRegisterDriverReinitialization
IoGetAttachedDevice
InitSafeBootMode
IoReleaseRemoveLockAndWaitEx
KeInitializeDpc
KeFlushQueuedDpcs
KeInitializeTimer
KeCancelTimer
KeSetTimerEx
KeInsertQueue
RtlFreeUnicodeString
RtlStringFromGUID
ZwEnumerateValueKey
ZwSetValueKey
KeReadStateEvent
KeReadStateTimer
KeSetTimer
KeWaitForMultipleObjects
KeAcquireInStackQueuedSpinLock
KeReleaseInStackQueuedSpinLock
KeQueryActiveProcessorCount
KeDelayExecutionThread
IoAllocateIrp
IoBuildPartialMdl
IoFreeIrp
KeRemoveQueue
ExAllocatePoolWithTagPriority
ZwQueryValueKey
KeEnterCriticalRegion
KeLeaveCriticalRegion
IoDetachDevice
IoSetDeviceInterfaceState
ZwCreateFile
ZwOpenFile
ZwQueryInformationFile
ZwReadFile
ZwWriteFile
ZwDeleteFile
_vsnwprintf
RtlAppendUnicodeStringToString
KdDisableDebugger
KdEnableDebugger
ZwCreateSection
ZwMapViewOfSection
ZwUnmapViewOfSection
KdDebuggerEnabled
_strnicmp
RtlGUIDFromString
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
ZwCreateKey
ZwOpenKey
ZwDeleteValueKey
RtlLengthSid
RtlCreateAcl
RtlAddAccessAllowedAce
RtlSetOwnerSecurityDescriptor
ZwSetSecurityObject
ObReferenceObjectByName
SeExports
KeGetCurrentIrql
IoGetStackLimits
ExEventObjectType
ExWindowStationObjectType
KeBugCheckEx
KeRevertToUserAffinityThreadEx
KeSetSystemAffinityThreadEx
MmBuildMdlForNonPagedPool
MmAllocatePagesForMdlEx
MmFreePagesFromMdl
MmCreateMdl
MmGetPhysicalMemoryRanges
ZwQuerySystemInformation
PsCreateSystemThread
ObReferenceObjectByHandle
KeInitializeQueue
KeRundownQueue
wcschr
RtlUnicodeStringToInteger
RtlEqualUnicodeString
IoAllocateErrorLogEntry
IoBuildDeviceIoControlRequest
IoGetDeviceObjectPointer
IoWriteErrorLogEntry
IoOpenDeviceRegistryKey
ObfReferenceObject
ZwOpenSymbolicLinkObject
ZwQuerySymbolicLinkObject
RtlPrefixUnicodeString
RtlQueryRegistryValues
MmGetSystemRoutineAddress
RtlCompareUnicodeString

Sections

.text
Size: 121KB - Virtual size: 120KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

EXTRA
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

CPATA
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 196B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.juno
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

58ecbaaab3100bdda10da5c8f0945a4d

Code Sign

54:87:1d:9a:b3:8d:19:02:c3:21:15:f4:c0:79:7e:a2Certificate

Extended Key Usages

Key Usages

61:19:93:e4:00:00:00:00:00:1cCertificate

Key Usages

1e:b1:32:d5:7e:79:68:96:0d:f2:6e:85:4e:b0:dd:a6Certificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

1e:b1:32:d5:7e:79:68:96Certificate

Extended Key Usages

Key Usages

8c:c2:6f:b1:e7:48:92:5b:79:57:5c:7f:75:92:2a:3e:c6:57:2d:fbSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

rxbsknl.sys

ntoskrnl.exe

Sections

.text Size: 121KB - Virtual size: 120KB

EXTRA Size: 10KB - Virtual size: 9KB

CPATA Size: 4KB - Virtual size: 4KB

.rdata Size: 16KB - Virtual size: 15KB

.data Size: 1024B - Virtual size: 2KB

.pdata Size: 6KB - Virtual size: 6KB

PAGE Size: 2KB - Virtual size: 2KB

INIT Size: 16KB - Virtual size: 16KB

.rsrc Size: 2KB - Virtual size: 2KB

.reloc Size: 512B - Virtual size: 196B

.juno Size: 4KB - Virtual size: 4KB

54:87:1d:9a:b3:8d:19:02:c3:21:15:f4:c0:79:7e:a2
Certificate

61:19:93:e4:00:00:00:00:00:1c
Certificate

1e:b1:32:d5:7e:79:68:96:0d:f2:6e:85:4e:b0:dd:a6
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

1e:b1:32:d5:7e:79:68:96
Certificate

8c:c2:6f:b1:e7:48:92:5b:79:57:5c:7f:75:92:2a:3e:c6:57:2d:fb
Signer

.text
Size: 121KB - Virtual size: 120KB

EXTRA
Size: 10KB - Virtual size: 9KB

CPATA
Size: 4KB - Virtual size: 4KB

.rdata
Size: 16KB - Virtual size: 15KB

.data
Size: 1024B - Virtual size: 2KB

.pdata
Size: 6KB - Virtual size: 6KB

PAGE
Size: 2KB - Virtual size: 2KB

INIT
Size: 16KB - Virtual size: 16KB

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 512B - Virtual size: 196B

.juno
Size: 4KB - Virtual size: 4KB