ddecc35f-2233-4894-86d8-69e6e473943e

bootia32.efi :inline

Description

This was provided by Trend Micro and revoked Mar-23

  • UUID: ddecc35f-2233-4894-86d8-69e6e473943e
  • Created: 2023-05-22
  • Author: Michael Haag
  • Acknowledgement: |

Download

This download link contains the Revoked Bootloader!

Commands

bcdedit /copy "{current}" /d "TheBoots" | {% if ($_ -match '{\S+}') { bcdedit /set $matches[0] path \windows\temp\bootia32.efi } }
Use CasePrivilegesOperating System
Persistence32-bit

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed bootloader files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://uefi.org/revocationlistfile
  • https://support.microsoft.com/en-gb/topic/microsoft-guidance-for-applying-secure-boot-dbx-update-kb4575994-e3b9e4cb-a330-b3ba-a602-15083965d9ca

    • CVE

  • CVE-2023-28005

    • Known Vulnerable Samples

    PropertyValue
    Filenamebootia32.efi
    MD5ece26d0686590a1ae0f950a412ed1a10
    SHA115634f8fd748f28e29e4b77ce899a6d561576240
    SHA25652febd655c84f4557de0ca35a236d468c03fa3bd0f51f54c31b37db29673da3f
    Authentihash MD52e2ee7180f421c97f27615cef8531dab
    Authentihash SHA12375db1ba66ae1873c8f31b76f305ec8bfcbf3c2
    Authentihash SHA256c4ebdc43048c43f5f11c59ead051a3585a07fafce985cfed8b27b73a5492f9b2
    RichPEHeaderHash MD5ffdf660eb1ebf020a1d0a55a90712dfb
    RichPEHeaderHash SHA13e905e3d061d0d59de61fcf39c994fcb0ec1bab3
    RichPEHeaderHash SHA2562b3f99a94b7a7132854be769e27b331419c53989ef42f686d6f5ba09ddefefd6

    Certificates

    Expand
    Certificate 330000001e0d8474951a966ce400010000001e
    FieldValue
    ToBeSigned (TBS) MD5b6f099bf203668f11a8f79ab08792ed8
    ToBeSigned (TBS) SHA14713755a345940554eada6042e90b0151591fad6
    ToBeSigned (TBS) SHA25662a02001fda2712f35e5ba5f619a6403b6a2c10570eab455fdc69455535f49bb
    SubjectC=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=MOPR, CN=Microsoft Windows UEFI Driver Publisher
    ValidFrom2016-11-17 22:05:37
    ValidTo2018-02-17 22:05:37
    Signature0141873b6d85a37b5ac2a306448d73b6be76f7682ad14efef7ce4b377f0f7a5fbefd76377d59dc2caccd28d1be3eb180a8b66ab19a853bd14c7d5e955e8f07bc2ee0686ac3a2c9e997bd9f58de6dc9b93900c6b7824f64bf415ac51ebaa3dcfe8ad4fc2a41ad95b372c421c4f87835a59867c244e1c8df142abc4b23579f57431565eb8de6a7a0318b2fd17f93876a335c9450d2531f6a877baf43a569f83703a68e49987ca3c6dd42a595827f5be49151d3b79ea262e38ef5b37bda5b1be3462baa6ccb313193cdba21ea3cb1e9bbc751a769f354d63a0d1de3158c67d47b765b92d580ed5f1f1cdb5f61774c4b66c7deb15f4c71d605106064f33a17d31ca6
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityFalse
    SerialNumber330000001e0d8474951a966ce400010000001e
    Version3
    Certificate 6108d3c4000000000004
    FieldValue
    ToBeSigned (TBS) MD51f23e75a000f0b6db92650dc26ac98e1
    ToBeSigned (TBS) SHA1bc477f73f16f0a5ae09e8ce4745c0a79c0e9a39d
    ToBeSigned (TBS) SHA2569589b8c95168f79243f61922faa5990de0a4866de928736fed658ea7bff1a5e2
    SubjectC=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
    ValidFrom2011-06-27 21:22:45
    ValidTo2026-06-27 21:32:45
    Signature350842ff30cccef7760cad1068583529463276277cef124127421b4aaa6d813848591355f3e95834a6160b82aa5dad82da808341068fb41df203b9f31a5d1bf15090f9b3558442281c20bdb2ae5114c5c0ac9795211c90db0ffc779e95739188cabdbd52b905500ddf579ea061ed0de56d25d9400f1740c8cea34ac24daf9a121d08548fbdc7bcb92b3d492b1f32fc6a21694f9bc87e4234fc3606178b8f2040c0b39a257527cdc903a3f65dd1e736547ab950b5d312d107bfbb74dfdc1e8f80d5ed18f42f14166b2fde668cb023e5c784d8edeac13382ad564b182df1689507cdcff072f0aebbdd8685982c214c332bf00f4af06887b592553275a16a826a3ca32511a4edadd704aecbd84059a084d1954c6291221a741d8c3d470e44a6e4b09b3435b1fab653a82c81eca40571c89db8bae81b4466e447540e8e567fb39f1698b286d0683e9023b52f5e8f50858dc68d825f41a1f42e0de099d26c75e4b669b52186fa07d1f6e24dd1daad2c77531e253237c76c52729586b0f135616a19f5b23b815056a6322dfea289f94286271855a182ca5a9bf830985414a64796252fc826e441941a5c023fe596e3855b3c3e3fbb47167255e22522b1d97be703062aa3f71e9046c3000dd61989e30e352762037115a6efd027a0a0593760f83894b8e07870f8ba4c868794f6e0ae0245ee65c2b6a37e69167507929bf5a6bc598358
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityTrue
    SerialNumber6108d3c4000000000004
    Version3

    Imports

    Expand

    Imports

    Expand

    ImportedFunctions

    Expand

    ExportedFunctions

    Expand

    Signature

    Expand
    {
  "Certificates": [
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "330000001e0d8474951a966ce400010000001e",
      "Signature": "0141873b6d85a37b5ac2a306448d73b6be76f7682ad14efef7ce4b377f0f7a5fbefd76377d59dc2caccd28d1be3eb180a8b66ab19a853bd14c7d5e955e8f07bc2ee0686ac3a2c9e997bd9f58de6dc9b93900c6b7824f64bf415ac51ebaa3dcfe8ad4fc2a41ad95b372c421c4f87835a59867c244e1c8df142abc4b23579f57431565eb8de6a7a0318b2fd17f93876a335c9450d2531f6a877baf43a569f83703a68e49987ca3c6dd42a595827f5be49151d3b79ea262e38ef5b37bda5b1be3462baa6ccb313193cdba21ea3cb1e9bbc751a769f354d63a0d1de3158c67d47b765b92d580ed5f1f1cdb5f61774c4b66c7deb15f4c71d605106064f33a17d31ca6",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=MOPR, CN=Microsoft Windows UEFI Driver Publisher",
      "TBS": {
        "MD5": "b6f099bf203668f11a8f79ab08792ed8",
        "SHA1": "4713755a345940554eada6042e90b0151591fad6",
        "SHA256": "62a02001fda2712f35e5ba5f619a6403b6a2c10570eab455fdc69455535f49bb"
      },
      "ValidFrom": "2016-11-17 22:05:37",
      "ValidTo": "2018-02-17 22:05:37",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "6108d3c4000000000004",
      "Signature": "350842ff30cccef7760cad1068583529463276277cef124127421b4aaa6d813848591355f3e95834a6160b82aa5dad82da808341068fb41df203b9f31a5d1bf15090f9b3558442281c20bdb2ae5114c5c0ac9795211c90db0ffc779e95739188cabdbd52b905500ddf579ea061ed0de56d25d9400f1740c8cea34ac24daf9a121d08548fbdc7bcb92b3d492b1f32fc6a21694f9bc87e4234fc3606178b8f2040c0b39a257527cdc903a3f65dd1e736547ab950b5d312d107bfbb74dfdc1e8f80d5ed18f42f14166b2fde668cb023e5c784d8edeac13382ad564b182df1689507cdcff072f0aebbdd8685982c214c332bf00f4af06887b592553275a16a826a3ca32511a4edadd704aecbd84059a084d1954c6291221a741d8c3d470e44a6e4b09b3435b1fab653a82c81eca40571c89db8bae81b4466e447540e8e567fb39f1698b286d0683e9023b52f5e8f50858dc68d825f41a1f42e0de099d26c75e4b669b52186fa07d1f6e24dd1daad2c77531e253237c76c52729586b0f135616a19f5b23b815056a6322dfea289f94286271855a182ca5a9bf830985414a64796252fc826e441941a5c023fe596e3855b3c3e3fbb47167255e22522b1d97be703062aa3f71e9046c3000dd61989e30e352762037115a6efd027a0a0593760f83894b8e07870f8ba4c868794f6e0ae0245ee65c2b6a37e69167507929bf5a6bc598358",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011",
      "TBS": {
        "MD5": "1f23e75a000f0b6db92650dc26ac98e1",
        "SHA1": "bc477f73f16f0a5ae09e8ce4745c0a79c0e9a39d",
        "SHA256": "9589b8c95168f79243f61922faa5990de0a4866de928736fed658ea7bff1a5e2"
      },
      "ValidFrom": "2011-06-27 21:22:45",
      "ValidTo": "2026-06-27 21:32:45",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011",
      "SerialNumber": "330000001e0d8474951a966ce400010000001e",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

    source

    last_updated: 2023-08-31