Index of Supplemental Files

1.1 Binary Files – hdroot-bootkit-analysis/binaries

| File | Description |
| --- | --- |
| C_932.NLS | 64-bit bootkit service DLL sample, as installed. |
| driver32.sys.bin | 32-bit kernel driver used by the dropper to write directly to the physical disk. |
| driver64.sys.bin | 64-bit signed kernel driver used by the dropper to write directly to the physical disk. |
| dropper64.bin | 64-bit dropper sample that installs the bootkit. |
| mbr-clean.bin | MBR before modification, for comparison. |
| mbr-inst.bin | MBR as modified after install. |
| pe1_decrypted.bin | 32-bit bootkit service DLL sample, extracted and decrypted from the decrypted rkImage. |
| pe1_encrypted_b61e1dcf.bin | 32-bit bootkit service DLL sample, extracted in original form from the decrypted rkImage. XOR key is 0xb64e1dcf. |
| pe2_decrypted.bin | 64-bit bootkit service DLL sample, extracted and decrypted from the decrypted rkImage. |
| pe2_encrypted_b61e8d81.bin | 64-bit bootkit service DLL sample, extracted in original form from the decrypted rkImage. XOR key is 0xb64e8d81. |
| rkimage_decrypted.bin | rkImage sample, extracted from the hard drive and decrypted. |
| rkimage_encrypted.bin | rkImage sample, extracted from the hard drive and decrypted. |
| rkimage_backdoor_decrypted.bin | rkImage sample with example backdoor, extracted from the hard drive and decrypted. |
| rkimage_backdoor_encrypted.bin | rkImage sample with example backdoor, extracted from the hard drive. Obfuscated with 0x76 byte-XOR. |
| verifier_win7_decrypted.bin | Verifier sample, containing the verifier sector followed by two copies of the original MBR sector. |
| verifier_win7_encrypted.bin | Verifier sample, containing the verifier sector followed by two copies of the original MBR sector. Obfuscated with 0x76 byte-XOR. |
| verifier_win10_decrypted.bin | Verifier sample, containing the verifier sector followed by two copies of the original MBR sector. |
| verifier_win10_encrypted.bin | Verifier sample, containing the verifier sector followed by two copies of the original MBR sector. Obfuscated with 0x76 byte-XOR. |

1.2 Code Files – hdroot-bootkit-analysis/code

| File | Description |
| --- | --- |
| convert.c | C utility to decrypt verifier and rkImage samples. |
| dll_decryptor.c | C utility to decrypt service DLL samples with 4-byte XOR keys. |
| fuzzer.py | Simple Python fuzzer to discover commands accepted by dropper64.bin. |
| proof.cpp | C++ program to install as the backdoor. Writes C:\proof.txt as evidence that the bootkit ran successfully. |

1.3 Evidence Files – hdroot-bootkit-analysis/evidence

| File | Description |
| --- | --- |
| crc_error.PNG | Error message shown by the check command when the secondary bootkit image is modified after install. |
| driver64_certificate.PNG | Screenshot of the stolen certificate used by the 64-bit kernel driver. |
| driver64_valid.PNG | Screenshot showing that the certificate on the kernel driver has not been revoked. |
| dropper64_certificate.PNG | Screenshot of the stolen certificate used by the 64-bit dropper. |
| dropper64_revoked.PNG | Screenshot showing that the certificate on the dropper has been revoked. |
| hashes_after.txt | Hashes of files taken after the bootkit has run on a Windows 7 virtual machine. |
| hashes_before.txt | Hashes of files taken before the bootkit has run on a Windows 7 virtual machine. |
| hashes_win10.txt | Hashes of the first and second rkImage locations on a Windows 10 virtual machine with > 30% free space. |
| install_win10.PNG | Screenshot of installing a backdoor on Windows 10. |
| install_win10_cmd.PNG | Screenshot of installing cmd.exe as the backdoor. |
| install_win7.PNG | Screenshot of installing a backdoor on Windows 7 with low disk space. |
| installer_cmd.txt | Text output of installing a backdoor on Windows 10. |
| Neowiz.p7b | Extracted certificate used in the 64-bit kernel driver. |
| reg_service_after.txt | Registry after boot, with timestamps showing it was written to even though the values did not change. |
| reg_service_before.txt | Registry before rebooting, with timestamps. |
| vol_modules.txt | Volatility output snippet from listing modules, showing the kernel driver. |
| vol_reg_debugfile.txt | Volatility output showing a registry key for the DEBUGFILE service used by the kernel driver. |

1.4 IDA Pro Files – hdroot-bootkit-analysis/ida pro

| File | Description |
| --- | --- |
| driver32.sys.idb | IDA Pro database for the 32-bit kernel driver. Functionally the same as the 64-bit driver. |
| driver64.sys.idb | IDA Pro database for the 64-bit kernel driver. Functionally the same as the 32-bit driver. |
| dropper64.i64 | IDA Pro database for the dropper sample. Largely not reversed, as the static sample is packed with VMProtect. |
| mbr_infected.idb | IDA Pro database for the bootkit MBR. Disassembly is 16-bit. |
| pe1_decrypted.idb | IDA Pro database for the 32-bit service DLL. Functionally the same as the 64-bit DLL. |
| pe2_decrypted.i64 | IDA Pro database for the 64-bit service DLL. Functionally the same as the 32-bit DLL. |
| rkimage_decrypted.idb | IDA Pro database for rkImage. Contains real-mode (16-bit) and protected-mode (32-bit) segments. Also has undefined data at the end, because the sample disassembled was mistakenly longer than the rkImage plus bootkit length. |
| verifier_decrypted.idb | IDA Pro database for the verifier. Contains the verifier and the original MBR. Disassembly is 16-bit. |

About

Supporting files for my analysis of the malware designated hdroot.
