netfilter | 2ddec3b9a96665fb74e2f9bc9cad5e30_NeikiAnalytics[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

2ddec3b9a96665fb74e2f9bc9cad5e30_NeikiAnalytics.exe
Size

55KB
MD5

2ddec3b9a96665fb74e2f9bc9cad5e30
SHA1

c9b75f2c62155d45e6745caf3d9d87cb2d5549e2
SHA256

b7516dca419d087ef844c42e061a834908f34e7363577ab128094973896222c8
SHA512

6979f2fbdf73b8044de7ca34ffcd8997ccf860d5964e44d379887184c8269f24c113f89474fccec58bd7f6735615b35f01cbaccc3382ccefeb65830c284baa67
SSDEEP

768:F1ZqCQKy8IYdfWiUelR36ihR6nmRYs1SHjS/OPNi7GbRul:FNyq+4lRX6IH1SyOVi7ARul

Score

10^/10

netfilter

Malware Config

Signatures

NetFilter payload 1 IoCs

resource	yara_rule
sample	netfilter_payload

Netfilter family
netfilter

Files

2ddec3b9a96665fb74e2f9bc9cad5e30_NeikiAnalytics.exe
.sys windows:10 windows x64 arch:x64

a04dde371e3d8553c4d92d3a20a5989c

Code Sign

33:00:00:00:b5:21:3f:ca:1e:4a:a0:3d:e4:00:00:00:00:00:b5
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 22:15

Not After

02-12-2021 22:15

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0b:aa:c1:00:00:00:00:00:09
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

18-04-2012 23:48

Not After

18-04-2027 23:58

Subject

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

de:c8:a9:33:db:a0:44:63:ed:9b:b7:d5:33:38:ff:87:f2:c2:3c:fb:79:e0:e9:88:44:9f:c6:31:25:2c:9d:cc
Signer

Actual PE Digest

de:c8:a9:33:db:a0:44:63:ed:9b:b7:d5:33:38:ff:87:f2:c2:3c:fb:79:e0:e9:88:44:9f:c6:31:25:2c:9d:cc

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

G:\源码\hello\x64\Release\netfilterdrv.pdb

Imports

fwpkclnt.sys

FwpmFilterAdd0
FwpmFilterDeleteById0
FwpsAcquireClassifyHandle0
FwpmCalloutAdd0
FwpsCompleteClassify0
FwpsAcquireWritableLayerDataPointer0
FwpsApplyModifiedLayerData0
FwpmSubLayerDeleteByKey0
FwpmSubLayerAdd0
FwpmTransactionAbort0
FwpmTransactionCommit0
FwpmTransactionBegin0
FwpmEngineClose0
FwpmEngineOpen0
FwpsCalloutUnregisterById0
FwpsReleaseClassifyHandle0
FwpsCalloutRegister1

ntoskrnl.exe

IoCreateFile
IoFreeIrp
IoGetRelatedDeviceObject
ObReferenceObjectByHandle
ObfDereferenceObject
ZwQueryInformationFile
ZwSetInformationFile
ZwReadFile
ZwWriteFile
ZwClose
IoFileObjectType
KeEnterCriticalRegion
KeLeaveCriticalRegion
PsTerminateSystemThread
KeSetBasePriorityThread
sprintf
CmUnRegisterCallback
CmRegisterCallbackEx
CmCallbackGetKeyObjectID
MmIsAddressValid
strlen
strncmp
strncpy
wcscat
wcslen
wcsncmp
RtlInitAnsiString
strcat
strcmp
strncat
IoAllocateIrp
ExAcquireSpinLockExclusive
ExReleaseSpinLockExclusive
wcscpy
RtlAnsiStringToUnicodeString
RtlFreeUnicodeString
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
KeResetEvent
KeInitializeTimerEx
KeSetTimerEx
PsCreateSystemThread
ZwCreateKey
ZwOpenKey
ZwFlushKey
ZwQueryValueKey
ZwSetValueKey
NtQueryInformationToken
RtlLengthSid
RtlConvertSidToUnicodeString
RtlCreateAcl
RtlAddAccessAllowedAce
RtlSetOwnerSecurityDescriptor
PsLookupProcessByProcessId
ObOpenObjectByPointer
ZwOpenProcessTokenEx
ZwSetSecurityObject
PsGetProcessImageFileName
PsProcessType
SeExports
strchr
strncpy_s
MmProbeAndLockPages
MmUnlockPages
IoAllocateMdl
IoFreeMdl
IoReuseIrp
__C_specific_handler
IofCallDriver
ExAllocatePoolWithTag
KeWaitForSingleObject
KeSetEvent
KeInitializeEvent
IoDeleteSymbolicLink
KeBugCheckEx
RtlCopyUnicodeString
ExFreePoolWithTag
RtlInitUnicodeString
strcpy
strstr

netio.sys

WskCaptureProviderNPI
WskReleaseProviderNPI
WskDeregister
WskRegister

wdfldr.sys

WdfVersionBind
WdfVersionBindClass
WdfVersionUnbindClass
WdfVersionUnbind

Sections

.text
Size: 26KB - Virtual size: 25KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 10KB - Virtual size: 46KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 40B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

a04dde371e3d8553c4d92d3a20a5989c

Code Sign

33:00:00:00:b5:21:3f:ca:1e:4a:a0:3d:e4:00:00:00:00:00:b5Certificate

Extended Key Usages

61:0b:aa:c1:00:00:00:00:00:09Certificate

Key Usages

de:c8:a9:33:db:a0:44:63:ed:9b:b7:d5:33:38:ff:87:f2:c2:3c:fb:79:e0:e9:88:44:9f:c6:31:25:2c:9d:ccSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

fwpkclnt.sys

ntoskrnl.exe

netio.sys

wdfldr.sys

Sections

.text Size: 26KB - Virtual size: 25KB

.rdata Size: 4KB - Virtual size: 3KB

.data Size: 10KB - Virtual size: 46KB

.pdata Size: 2KB - Virtual size: 1KB

INIT Size: 3KB - Virtual size: 3KB

.reloc Size: 512B - Virtual size: 40B

33:00:00:00:b5:21:3f:ca:1e:4a:a0:3d:e4:00:00:00:00:00:b5
Certificate

61:0b:aa:c1:00:00:00:00:00:09
Certificate

de:c8:a9:33:db:a0:44:63:ed:9b:b7:d5:33:38:ff:87:f2:c2:3c:fb:79:e0:e9:88:44:9f:c6:31:25:2c:9d:cc
Signer

.text
Size: 26KB - Virtual size: 25KB

.rdata
Size: 4KB - Virtual size: 3KB

.data
Size: 10KB - Virtual size: 46KB

.pdata
Size: 2KB - Virtual size: 1KB

INIT
Size: 3KB - Virtual size: 3KB

.reloc
Size: 512B - Virtual size: 40B