File | Description |
---|---|
C_932.NLS | 64-bit bootkit service DLL sample, as installed. |
driver32.sys.bin | 32-bit kernel driver used by the dropper to write directly to the physical disk. |
driver64.sys.bin | 64-bit signed kernel driver used by the dropper to write directly to the physical disk. |
dropper64.bin | 64-bit dropper sample that installs the bootkit. |
mbr-clean.bin | MBR before modification, for comparison. |
mbr-inst.bin | MBR that has been modified after install. |
pe1_decrypted.bin | 32-bit bootkit service DLL sample, extracted and decrypted from the decrypted rkImage. |
pe1_encrypted_b61e1dcf.bin | 32-bit bootkit service DLL sample, extracted in original form from the decrypted rkImage. XOR key is 0xb64e1dcf. |
pe2_decrypted.bin | 64-bit bootkit service DLL sample, extracted and decrypted from the decrypted rkImage. |
pe2_encrypted_b61e8d81.bin | 64-bit bootkit service DLL sample, extracted in original form from the decrypted rkImage. XOR key is 0xb64e8d81. |
rkimage_decrypted.bin | rkImage sample, extracted from the hard drive and decrypted. |
rkimage_encrypted.bin | rkImage sample, extracted from the hard drive in its original (encrypted) form. |
rkimage_backdoor_decrypted.bin | rkImage sample with example backdoor, extracted from the hard drive and decrypted. |
rkimage_backdoor_encrypted.bin | rkImage sample with example backdoor, extracted from the hard drive. Obfuscated with 0x76 byte-XOR. |
verifier_win7_decrypted.bin | Verifier sample, containing the verifier sector followed by two copies of the original MBR sector. |
verifier_win7_encrypted.bin | Verifier sample, containing the verifier sector followed by two copies of the original MBR sector. Obfuscated with 0x76 byte-XOR. |
verifier_win10_decrypted.bin | Verifier sample, containing the verifier sector followed by two copies of the original MBR sector. |
verifier_win10_encrypted.bin | Verifier sample, containing the verifier sector followed by two copies of the original MBR sector. Obfuscated with 0x76 byte-XOR. |

File | Description |
---|---|
convert.c | C utility to decrypt verifier and rkimage samples. |
dll_decryptor.c | C utility to decrypt service DLL samples with 4-byte XOR keys. |
fuzzer.py | Simple Python fuzzer to discover the commands accepted by dropper64.bin. |
proof.cpp | C++ program to install as the backdoor. Writes C:\proof.txt as evidence that the bootkit ran successfully. |

File | Description |
---|---|
crc_error.PNG | Error message shown by the check command when the secondary bootkit image is modified after install. |
driver64_certificate.PNG | Screenshot of the stolen certificate used by the 64-bit kernel driver. |
driver64_valid.PNG | Screenshot showing that the certificate on the kernel driver has not been revoked. |
dropper64_certificate.PNG | Screenshot of the stolen certificate used by the 64-bit dropper. |
dropper64_revoked.PNG | Screenshot showing that the certificate on the dropper has been revoked. |
hashes_after.txt | Hashes taken of files after the bootkit has run on a Windows 7 virtual machine. |
hashes_before.txt | Hashes taken of files before the bootkit has run on a Windows 7 virtual machine. |
hashes_win10.txt | Hashes of the first and second rkImage locations on a Windows 10 virtual machine with > 30% free space. |
install_win10.PNG | Screenshot of installing a backdoor on Windows 10. |
install_win10_cmd.PNG | Screenshot of installing cmd.exe as the backdoor. |
install_win7.PNG | Screenshot of installing a backdoor on Windows 7 with low disk space. |
installer_cmd.txt | The text output of installing a backdoor on Windows 10. |
Neowiz.p7b | Extracted certificate used in the 64-bit kernel driver. |
reg_service_after.txt | Registry after boot, with timestamps showing it was written to, even if the values didn’t change. |
reg_service_before.txt | Registry before rebooting, with timestamps. |
vol_modules.txt | Volatility output snippet from listing modules that shows the kernel driver. |
vol_reg_debugfile.txt | Volatility output that shows a registry key for the DEBUGFILE service used by the kernel driver. |

File | Description |
---|---|
driver32.sys.idb | IDA Pro file for the 32-bit kernel driver. Functionally the same as the 64-bit driver. |
driver64.sys.idb | IDA Pro file for the 64-bit kernel driver. Functionally the same as the 32-bit driver. |
dropper64.i64 | IDA Pro file for the dropper sample. Largely not reversed, as the static sample is packed with VMProtect. |
mbr_infected.idb | IDA Pro file for the bootkit MBR. Disassembly is 16-bit. |
pe1_decrypted.idb | IDA Pro file for the 32-bit service DLL. Functionally the same as the 64-bit DLL. |
pe2_decrypted.i64 | IDA Pro file for the 64-bit service DLL. Functionally the same as the 32-bit DLL. |
rkimage_decrypted.idb | IDA Pro file for rkImage. Contains real mode (16-bit) and protected mode (32-bit) segments. Also has undefined data at the end because the sample that was disassembled was mistakenly longer than the combined rkImage and bootkit length. |
verifier_decrypted.idb | IDA Pro file for the verifier. Contains the verifier and the original MBR. Disassembly is 16-bit. |