C:\Users\frank\Downloads\gdrv-loader-master\bin\swind2.pdb
Static task
static1
1 signatures
General
-
Target
EvilInside-Spoofer-main.zip
-
Size
31KB
-
MD5
890664ca5531c0e99a90b2c22d4b80f2
-
SHA1
781836699173100e19231be3fb917a09321b6c0d
-
SHA256
2598d8b27ae541fdfb9a503b1f2de2f2c07ccac24dc569c93058ae3b67f2ae01
-
SHA512
3fa0c4e508f9c3dbaa5152b172192f67301a35f7935ae461bcae083f05be90c42f3c8fb0d0dbc64c0fd1d0460cf425d65b9738e55e20d397fb083384128e1654
-
SSDEEP
768:goQkKQdAY3KzyyNNA0ZHF31+GZkfb3fIxywoarwAW0Ph//RaFU:zQQdryI2HF31+GZhxy9RAWsDa2
Score
3/10
Malware Config
Signatures
-
Unsigned PE 2 IoCs
Checks for missing Authenticode signature.
resource unpack001/EvilInside-Spoofer-main/frAQBc8W.exe unpack001/EvilInside-Spoofer-main/spoof.sys
Files
-
EvilInside-Spoofer-main.zip.zip
-
EvilInside-Spoofer-main/README.md
-
EvilInside-Spoofer-main/frAQBc8W.exe.exe windows:6 windows x64 arch:x64
8550b9122a4d909a8607237e7d2f9bac
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths
Imports
ntdll
RtlDosPathNameToRelativeNtPathName_U_WithStatus
RtlReleaseRelativeName
NtClose
RtlFreeHeap
NtCreateFile
NtMapViewOfSection
RtlWriteRegistryValue
NtQuerySystemInformation
NtUnloadDriver
NtCreateSection
_snwprintf
RtlInitUnicodeString
wcscpy_s
wcscat_s
RtlGetFullPathName_UEx
NtDeviceIoControlFile
RtlAdjustPrivilege
_stricmp
NtUnmapViewOfSection
NtLoadDriver
memcmp
NtTerminateProcess
RtlNormalizeProcessParams
RtlAllocateHeap
RtlCreateRegistryKey
_vsnwprintf
strcmp
kernel32
ReadConsoleInputW
WriteConsoleW
shlwapi
SHDeleteKeyW
Sections
.text Size: 8KB - Virtual size: 8KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 7KB - Virtual size: 7KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 1024B - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 512B - Virtual size: 384B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 1024B - Virtual size: 832B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
-
EvilInside-Spoofer-main/gdrv.sys.sys windows:5 windows x64 arch:x64
cc81a908891587ccac8059435eda4c66
Code Sign
7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate
IssuerCN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZANot Before21/12/2012, 00:00Not After30/12/2020, 23:59SubjectCN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=USExtended Key Usages
ExtKeyUsageTimeStamping
Key Usages
KeyUsageCertSign
KeyUsageCRLSign
0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate
IssuerCN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=USNot Before18/10/2012, 00:00Not After29/12/2020, 23:59SubjectCN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=USExtended Key Usages
ExtKeyUsageTimeStamping
Key Usages
KeyUsageDigitalSignature
65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5cCertificate
IssuerOU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=USNot Before21/05/2009, 00:00Not After20/05/2019, 23:59SubjectCN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=USExtended Key Usages
ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning
Key Usages
KeyUsageCertSign
KeyUsageCRLSign
61:0c:12:06:00:00:00:00:00:1bCertificate
IssuerCN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=USNot Before23/05/2006, 17:01Not After23/05/2016, 17:11SubjectOU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=USKey Usages
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
24:84:72:54:2c:24:ab:8e:42:92:29:ac:f1:21:ca:26Certificate
IssuerCN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=USNot Before23/08/2010, 00:00Not After17/10/2013, 23:59SubjectCN=Giga-Byte Technology,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=Testing Department,O=Giga-Byte Technology,L=Taipei Hsien,ST=Taiwan,C=TWExtended Key Usages
ExtKeyUsageCodeSigning
Key Usages
KeyUsageDigitalSignature
0f:50:34:fc:f5:b3:4b:e2:2a:72:d2:ec:c2:9e:34:8e:93:b6:f0:0fSigner
Actual PE Digest0f:50:34:fc:f5:b3:4b:e2:2a:72:d2:ec:c2:9e:34:8e:93:b6:f0:0fDigest Algorithmsha1PE Digest MatchestrueHeaders
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths
f:\ycc\gdrv64\objfre_wnet_AMD64\amd64\gdrv64.pdb
Imports
ntoskrnl.exe
IoCreateDevice
RtlInitUnicodeString
DbgPrint
IoDeleteSymbolicLink
ExFreePoolWithTag
MmUnmapIoSpace
IoFreeMdl
MmUnmapLockedPages
MmMapIoSpace
ZwClose
ZwMapViewOfSection
ObReferenceObjectByHandle
ZwOpenSection
IoCreateSymbolicLink
KeAcquireInStackQueuedSpinLock
MmFreeContiguousMemory
MmIsAddressValid
MmAllocateContiguousMemory
MmGetPhysicalAddress
IofCompleteRequest
ExAllocatePoolWithTag
MmMapLockedPages
MmBuildMdlForNonPagedPool
IoAllocateMdl
ZwUnmapViewOfSection
KeReleaseInStackQueuedSpinLock
IoDeleteDevice
hal
HalTranslateBusAddress
Sections
.text Size: 11KB - Virtual size: 11KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 2KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 512B - Virtual size: 344B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 1024B - Virtual size: 732B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
INIT Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 1024B - Virtual size: 1000B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
EvilInside-Spoofer-main/spoof.sys.sys windows:10 windows x64 arch:x64
d78993b7ecfebf7a3df615b071726fca
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths
C:\Users\Konrad\Desktop\hwid-master\Kernel\x64\Release\Kernel.pdb
Imports
ntoskrnl.exe
ExAllocatePoolWithTag
ExFreePoolWithTag
MmMapLockedPages
IoBuildDeviceIoControlRequest
IofCallDriver
IoGetAttachedDeviceReference
IoGetDeviceObjectPointer
ObfDereferenceObject
RtlRandomEx
KeWaitForSingleObject
ObQueryNameString
swprintf
ObReferenceObjectByName
IoDriverObjectType
tolower
strstr
MmCopyMemory
ZwQuerySystemInformation
KeInitializeEvent
RtlCopyUnicodeString
DbgPrintEx
DbgPrint
RtlInitUnicodeString
IoEnumerateDeviceObjectList
wcsstr
wdfldr.sys
WdfVersionUnbind
WdfVersionBind
WdfVersionUnbindClass
WdfVersionBindClass
Sections
.text Size: 11KB - Virtual size: 11KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 3KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 512B - Virtual size: 12KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 512B - Virtual size: 468B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
INIT Size: 1024B - Virtual size: 982B
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 36B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ