Wintapix Malicious Driver

4 minute read


Wintapix Driver is a malicious driver that was operating about three years ago but just caught the eyes of the hunters a little while ago.

It’s primarily targeting saudi arabia as a large number of the samples found were there and also in the middle east.

the operator behind it is not specifically known, but from the targets and TTPs, there is a thought that they are Iranian threat actors.

Technical Analysis

The first thing to look at any Driver is whether it’s signed or not, and in our case, the driver is not signed which means it may be used in the post-exploitation part of the kill chain to achieve more persistence and being more stealthy.

Error Loading

The sample looks a bit obfuscated at the DrivrEntry function which makes it a little hard to trace what’s the sequential flow of the driver statically So I decided to start looking at the functions found in the driver to construct a view of the capabilities of the driver especially because the number of functions is not that much.


Code Injection

The driver has the capability to inject code into running processes but it has some conditions the process must meet.

The first one is the process shouldn’t be one of these processes.

  • wininit.exe
  • csrss.exe
  • smss.exe
  • services.exe
  • winlogon.exe
  • lsass.exe

Error Loading

The second one is that the process should be running with local system user

Error Loading

The shell Code that will be injected is left unpacked inside the Driver’s memory.

Error Loading

Registry persistence

The Driver also adds an entry to itself into the service registry key.

Error Loading

Defeat Deletion

The Driver registers a handle to an event to notify if any changes happen to the directory where he lives, To be able to write itself back if deleted.

Error Loading

Kernel Debugging

Now It’s time for the underground world kernel to debug the Driver.

I will not go throw how to set up your own kernel Debugging Environment, It’s mentioned everywhere and I will get you a link to one of them in the resources Section.

all I will do to start is set up a breakpoint at the nt!IopLoadDriver function and then load my driver then start it, this will trigger our breakpoint before the DriverEntry.

Error Loading

You will land in a big function so we need to see only the call instructions inside it using the command.

uf /c @rip

We are interested in PnpCallDriverEntry function that will lead us to our Driver Entry.

Doing the same inside this function we look for nt!guard_dispatch_icall then inside it, you will find a call to register rax that holds the Entry of your Driver. (look at the resources for detailed info about this lookup process)

Now we are inside our DriverEntry.

Error Loading

As the sample uses VMProtect which is a very complicated anti-analysis packer and I already got what I wanted from the static analysis, I will continue my investigation with the shell code that will be injected.

Shell Code Analysis

After extracting the shell code out of the Driver and uploading it to VirusTotal, It got detected as a Donut Shell Code.

Error Loading

Donut is a position-independent code that enables in-memory execution of VBScript, JScript, EXE, DLL files, and dotNET assemblies”. It can take any of the supported executable formats and convert them into Position-Independent Code (PIC).

which also can be identified with the human eye by looking at the first few bites.

Error Loading

As the shell code will start by call (E8) and the next word repeated twice(in our case 4f01 0080 4f01 0080), here is also a yara rule that detects it.

We can get the original file and reverse this code change using this tool undonut.

Error Loading

Stage 2

Error Loading

The malware starts by decrypting values from resources and saving the decrypted data in two arrays.

Error Loading

These are some of the decrypted values.

Error Loading

I found then that these strings are used as endpoint names in a web server to be accessed by the threat actor to achieve his goal.

there are two uses for this endpoint will be taking advantage of

  • Backdoor

Error Loading

  • Proxy

Error Loading

The malware also has the ability to terminate services like the logging service from the server.

Yara Rule

rule WINTAPIX : rootkit
    description = "Detection Rule for WINTAPIX Rootkit"
    email = ""
    author = "Amr Ashraf"

    $mz = {4D 5A}     // MZ header

    $string1 = "\\SystemRoot\\System32\\drivers\\WinTapix.sys" wide
    $string2 = "S-1-5-18" wide
    $string3 = "wininit.exe" wide
    $string4 = "csrss.exe" wide
    $string5 = "smss.exe" wide
    $string6 = "services.exe" wide
    $string7 = "winlogon.exe" wide
    $string8 = "lsass.exe" wide

    $shellcode = {E8 80 4F 01 00 80 4F 01  00 80 2B F1 BC 9A 16 19 33 71 FA A5 5B 8E B3 FB  77 F4 88 A3 03 35 38 56 D5 59 34 1C 1A C0 CF 52  B6 00 00 00 00 30 9E 89}
    ($mz at 0) and 
    (all of ($string*) or $shellcode)


WINTAPIX : 8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330

.Net payload : 786298c0d98aaf35777738a43a41546c6c8b1972b9bd601fb6cccf2c8f539ae4

Ida Database