Skip to content

Instantly share code, notes, and snippets.

@ARISTODE

ARISTODE/nthook_v1.json

Created November 4, 2025 18:27
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save ARISTODE/b53f921b109f0615eef2eb000a86f67b to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save ARISTODE/b53f921b109f0615eef2eb000a86f67b to your computer and use it in GitHub Desktop.
Download ZIP
Raw
nthook_v1.json
{
"sample_path": "/Users/yohuang/Downloads/malwares/NtHook.exe",
"analyzed_at": "2025-11-04T07:31:58.539184Z",
"verdict": "suspicious",
"confidence": 0.59,
"summary": "Verdict SUSPICIOUS from 35 evidence items (pattern=0, high=0, medium=21, low=14; max_conf=0.60, avg_conf=0.50; coverage=0%).",
"reasoning_summary": {
"purpose": "A Windows driver of unknown purpose, possibly intended to interact with specific user-mode processes.",
"malware_class": null,
"narrative": "This sample is a Windows driver, identified by its `DriverEntry` export and imports from `ntoskrnl.exe` [baseline_static_metadata-imports]. Its purpose is unclear, but it contains strings referencing several user-mode executables, including 'safemon.dll' and 'CORAL.EXE', suggesting it may be designed to monitor or interact with these specific processes. However, the analysis found no concrete evidence of malicious behavior. Automated checks for common rootkit techniques, such as registering process creation callbacks via `PsSetCreateProcessNotifyRoutine` [trace-identify_rootkit_stealth_mechanisms-0] or registry callbacks via `CmRegisterCallback` [trace-identify_rootkit_stealth_mechanisms-2], found no such activity. Furthermore, the driver does not appear to implement its own persistence by creating a service in the registry [trace-investigate_driver_persistence-0]. Due to these conflicting signals\u2014suspicious strings without corresponding malicious code\u2014its intent cannot be definitively determined. [baseline_static_metadata-exports] [trace-trace_usermode_process_interaction-1] [trace-investigate_driver_persistence-1]",
"citations": [
"baseline_static_metadata-imports",
"baseline_static_metadata-exports",
"trace-trace_usermode_process_interaction-1",
"trace-identify_rootkit_stealth_mechanisms-0",
"trace-identify_rootkit_stealth_mechanisms-2",
"trace-investigate_driver_persistence-0",
"trace-investigate_driver_persistence-1"
],
"confidence": 0.5
},
"evidence_chain": [
{
"id": "baseline_static_metadata-metadata",
"title": "IDA static metadata collected",
"description": "IDA MCP enumerated the binary successfully.\n\n\u2022 Functions discovered: 629\n\u2022 Exported entry points: 1\n\u2022 Import modules: 2 (84 symbols)\n\u2022 Exported symbols: 1\n\u2022 Extracted strings: 2075\n\u2022 Sample functions: sub_11006, sub_11064, sub_110D2, sub_11124, sub_111E0\n\u2022 Entry points: DriverEntry",
"source": {
"type": "ida:metadata",
"identifier": "baseline_static_metadata_metadata",
"location": "127.0.0.1:8890",
"tool": "ida_mcp",
"parameters": {
"host": "127.0.0.1",
"port": 8890
}
},
"kind": "artifact",
"location": null,
"confidence": 0.55,
"severity": "medium",
"tags": [
"ida",
"metadata",
"baseline_static_metadata"
],
"artifacts": [
"artifacts/baseline_static_metadata_metadata.json"
],
"observations": [],
"related_evidence_ids": []
},
{
"id": "baseline_static_metadata-imports",
"title": "Imported symbols enumerated",
"description": "Total modules: 2\nTotal symbols: 84\nHeaviest modules: ntoskrnl, HAL\nSample imports: ntoskrnl!RtlUnicodeStringToAnsiString, ntoskrnl!RtlInitUnicodeString, ntoskrnl!_strnset, ntoskrnl!memcpy, ntoskrnl!MmGetSystemRoutineAddress, HAL!KeGetCurrentIrql",
"source": {
"type": "ida:import",
"identifier": "list_imports",
"location": "127.0.0.1:8890",
"tool": "ida_mcp",
"parameters": {
"host": "127.0.0.1",
"port": 8890
}
},
"kind": "artifact",
"location": null,
"confidence": 0.6,
"severity": "medium",
"tags": [
"ida",
"imports",
"baseline_static_metadata"
],
"artifacts": [
"artifacts/baseline_static_metadata_imports.json"
],
"observations": [],
"related_evidence_ids": []
},
{
"id": "baseline_static_metadata-exports",
"title": "Exported symbols enumerated",
"description": "Total exports: 1\nSample exports: DriverEntry",
"source": {
"type": "ida:export",
"identifier": "list_exports",
"location": "127.0.0.1:8890",
"tool": "ida_mcp",
"parameters": {
"host": "127.0.0.1",
"port": 8890
}
},
"kind": "artifact",
"location": null,
"confidence": 0.55,
"severity": "medium",
"tags": [
"ida",
"exports",
"baseline_static_metadata"
],
"artifacts": [
"artifacts/baseline_static_metadata_exports.json"
],
"observations": [],
"related_evidence_ids": []
},
{
"id": "baseline_static_metadata-strings",
"title": "String literals extracted",
"description": "Total strings: 2075\nLongest strings: <assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n <security>\r\n <requestedPrivileges>\r\n <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n </requestedPrivileges>\r\n </security>\r\n </trustInfo>\r\n</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD, R6033\r\n- Attempt to use MSIL code from this assembly during native code initialization\nThis indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.\r\n, R6034\r\nAn application has made an attempt to load the C runtime library incorrectly.\nPlease contact the application's support team for more information.\r\n, \r\nThis application has requested the Runtime to terminate it in an unusual way.\nPlease contact the application's support team for more information.\r\n, <html><frameset border=0 frameSpacing=0 rows=\"*,0\" frameBorder=NO><frame name=\"main\" marginWidth=0 marginHeight=0 noresize src=\"\nSample strings: error, NtCreateUserProcess, NtShutdownSystem, NtDeviceIoControlFile, NtQueryValueKey, NtCreateProcessEx, NtQueryDirectoryFile, HTTP/1 ...",
"source": {
"type": "ida:string",
"identifier": "list_strings",
"location": "127.0.0.1:8890",
"tool": "ida_mcp",
"parameters": {
"host": "127.0.0.1",
"port": 8890
}
},
"kind": "artifact",
"location": null,
"confidence": 0.55,
"severity": "medium",
"tags": [
"ida",
"strings",
"baseline_static_metadata"
],
"artifacts": [
"artifacts/baseline_static_metadata_strings.json"
],
"observations": [],
"related_evidence_ids": []
},
{
"id": "function-DriverEntry",
"title": "Function analysis: DriverEntry",
"description": "Function DriverEntry @ 0xa803e analyzed. Suspicion score 0.00. Summary excerpt: /* line: 0, address: 688190 */ NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)\n/* line: 1 */ {\n/* line: 2, address: 688195 */ __security_init_cookie();\n/* line: 3, address: 688200 */ return DriverEntry(DriverObject, RegistryPath);\n/* line: 4 */ }",
"source": {
"type": "ida:function_summary",
"identifier": "DriverEntry",
"location": "127.0.0.1:8890",
"tool": "ida_mcp",
"parameters": {
"host": "127.0.0.1",
"port": 8890
}
},
"kind": "summary",
"location": {
"function_id": "DriverEntry",
"function_name": "DriverEntry",
"address": 688190,
"address_range": null,
"call_path": []
},
"confidence": 0.35,
"severity": "low",
"tags": [
"ida",
"function",
"DriverEntry"
],
"artifacts": [
"artifacts/DriverEntry_pseudocode.c",
"artifacts/DriverEntry_disassembly.asm"
],
"observations": [],
"related_evidence_ids": []
},
{
"id": "function-sub_000A803E",
"title": "Function analysis: sub_000A803E",
"description": "Function DriverEntry @ 0xa803e analyzed. Suspicion score 0.00. Summary excerpt: /* line: 0, address: 688190 */ NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)\n/* line: 1 */ {\n/* line: 2, address: 688195 */ __security_init_cookie();\n/* line: 3, address: 688200 */ return DriverEntry(DriverObject, RegistryPath);\n/* line: 4 */ }",
"source": {
"type": "ida:function_summary",
"identifier": "sub_000A803E",
"location": "127.0.0.1:8890",
"tool": "ida_mcp",
"parameters": {
"host": "127.0.0.1",
"port": 8890
}
},
"kind": "summary",
"location": {
"function_id": "sub_000A803E",
"function_name": "DriverEntry",
"address": 688190,
"address_range": null,
"call_path": []
},
"confidence": 0.35,
"severity": "low",
"tags": [
"ida",
"function",
"sub_000A803E"
],
"artifacts": [
"artifacts/sub_000A803E_pseudocode.c",
"artifacts/sub_000A803E_disassembly.asm"
],
"observations": [],
"related_evidence_ids": []
},
{
"id": "function-sub_000A803E",
"title": "Function analysis: sub_000A803E",
"description": "Function DriverEntry @ 0xa803e analyzed. Suspicion score 0.00. Summary excerpt: /* line: 0, address: 688190 */ NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)\n/* line: 1 */ {\n/* line: 2, address: 688195 */ __security_init_cookie();\n/* line: 3, address: 688200 */ return DriverEntry(DriverObject, RegistryPath);\n/* line: 4 */ }",
"source": {
"type": "ida:function_summary",
"identifier": "sub_000A803E",
"location": "127.0.0.1:8890",
"tool": "ida_mcp",
"parameters": {
"host": "127.0.0.1",
"port": 8890
}
},
"kind": "summary",
"location": {
"function_id": "sub_000A803E",
"function_name": "DriverEntry",
"address": 688190,
"address_range": null,
"call_path": []
},
"confidence": 0.35,
"severity": "low",
"tags": [
"ida",
"function",
"sub_000A803E"
],
"artifacts": [
"artifacts/sub_000A803E_pseudocode.c",
"artifacts/sub_000A803E_disassembly.asm"
],
"observations": [],
"related_evidence_ids": []
},
{
"id": "function-sub_000A803E",
"title": "Function analysis: sub_000A803E",
"description": "Function DriverEntry @ 0xa803e analyzed. Suspicion score 0.00. Summary excerpt: /* line: 0, address: 688190 */ NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)\n/* line: 1 */ {\n/* line: 2, address: 688195 */ __security_init_cookie();\n/* line: 3, address: 688200 */ return DriverEntry(DriverObject, RegistryPath);\n/* line: 4 */ }",
"source": {
"type": "ida:function_summary",
"identifier": "sub_000A803E",
"location": "127.0.0.1:8890",
"tool": "ida_mcp",
"parameters": {
"host": "127.0.0.1",
"port": 8890
}
},
"kind": "summary",
"location": {
"function_id": "sub_000A803E",
"function_name": "DriverEntry",
"address": 688190,
"address_range": null,
"call_path": []
},
"confidence": 0.35,
"severity": "low",
"tags": [
"ida",
"function",
"sub_000A803E"
],
"artifacts": [
"artifacts/sub_000A803E_pseudocode.c",
"artifacts/sub_000A803E_disassembly.asm"
],
"observations": [],
"related_evidence_ids": []
},
{
"id": "function-sub_000A803E",
"title": "Function analysis: sub_000A803E",
"description": "Function DriverEntry @ 0xa803e analyzed. Suspicion score 0.00. Summary excerpt: /* line: 0, address: 688190 */ NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)\n/* line: 1 */ {\n/* line: 2, address: 688195 */ __security_init_cookie();\n/* line: 3, address: 688200 */ return DriverEntry(DriverObject, RegistryPath);\n/* line: 4 */ }",
"source": {
"type": "ida:function_summary",
"identifier": "sub_000A803E",
"location": "127.0.0.1:8890",
"tool": "ida_mcp",
"parameters": {
"host": "127.0.0.1",
"port": 8890
}
},
"kind": "summary",
"location": {
"function_id": "sub_000A803E",
"function_name": "DriverEntry",
"address": 688190,
"address_range": null,
"call_path": []
},
"confidence": 0.35,
"severity": "low",
"tags": [
"ida",
"function",
"sub_000A803E"
],
"artifacts": [
"artifacts/sub_000A803E_pseudocode.c",
"artifacts/sub_000A803E_disassembly.asm"
],
"observations": [],
"related_evidence_ids": []
},
{
"id": "function-DriverEntry",
"title": "Function analysis: DriverEntry",
"description": "Function DriverEntry @ 0xa803e analyzed. Suspicion score 0.00. Summary excerpt: /* line: 0, address: 688190 */ NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)\n/* line: 1 */ {\n/* line: 2, address: 688195 */ __security_init_cookie();\n/* line: 3, address: 688200 */ return DriverEntry(DriverObject, RegistryPath);\n/* line: 4 */ }",
"source": {
"type": "ida:function_summary",
"identifier": "DriverEntry",
"location": "127.0.0.1:8890",
"tool": "ida_mcp",
"parameters": {
"host": "127.0.0.1",
"port": 8890
}
},
"kind": "summary",
"location": {
"function_id": "DriverEntry",
"function_name": "DriverEntry",
"address": 688190,
"address_range": null,
"call_path": []
},
"confidence": 0.35,
"severity": "low",
"tags": [
"ida",
"function",
"DriverEntry"
],
"artifacts": [
"artifacts/DriverEntry_pseudocode.c",
"artifacts/DriverEntry_disassembly.asm"
],
"observations": [],
"related_evidence_ids": []
},
{
"id": "function-sub_000A803E",
"title": "Function analysis: sub_000A803E",
"description": "Function DriverEntry @ 0xa803e analyzed. Suspicion score 0.00. Summary excerpt: /* line: 0, address: 688190 */ NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)\n/* line: 1 */ {\n/* line: 2, address: 688195 */ __security_init_cookie();\n/* line: 3, address: 688200 */ return DriverEntry(DriverObject, RegistryPath);\n/* line: 4 */ }",
"source": {
"type": "ida:function_summary",
"identifier": "sub_000A803E",
"location": "127.0.0.1:8890",
"tool": "ida_mcp",
"parameters": {
"host": "127.0.0.1",
"port": 8890
}
},
"kind": "summary",
"location": {
"function_id": "sub_000A803E",
"function_name": "DriverEntry",
"address": 688190,
"address_range": null,
"call_path": []
},
"confidence": 0.35,
"severity": "low",
"tags": [
"ida",
"function",
"sub_000A803E"
],
"artifacts": [
"artifacts/sub_000A803E_pseudocode.c",
"artifacts/sub_000A803E_disassembly.asm"
],
"observations": [],
"related_evidence_ids": []
},
{
"id": "function-sub_000A803E",
"title": "Function analysis: sub_000A803E",
"description": "Function DriverEntry @ 0xa803e analyzed. Suspicion score 0.00. Summary excerpt: /* line: 0, address: 688190 */ NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)\n/* line: 1 */ {\n/* line: 2, address: 688195 */ __security_init_cookie();\n/* line: 3, address: 688200 */ return DriverEntry(DriverObject, RegistryPath);\n/* line: 4 */ }",
"source": {
"type": "ida:function_summary",
"identifier": "sub_000A803E",
"location": "127.0.0.1:8890",
"tool": "ida_mcp",
"parameters": {
"host": "127.0.0.1",
"port": 8890
}
},
"kind": "summary",
"location": {
"function_id": "sub_000A803E",
"function_name": "DriverEntry",
"address": 688190,
"address_range": null,
"call_path": []
},
"confidence": 0.35,
"severity": "low",
"tags": [
"ida",
"function",
"sub_000A803E"
],
"artifacts": [
"artifacts/sub_000A803E_pseudocode.c",
"artifacts/sub_000A803E_disassembly.asm"
],
"observations": [],
"related_evidence_ids": []
},
{
"id": "function-sub_000A803E",
"title": "Function analysis: sub_000A803E",
"description": "Function DriverEntry @ 0xa803e analyzed. Suspicion score 0.00. Summary excerpt: /* line: 0, address: 688190 */ NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)\n/* line: 1 */ {\n/* line: 2, address: 688195 */ __security_init_cookie();\n/* line: 3, address: 688200 */ return DriverEntry(DriverObject, RegistryPath);\n/* line: 4 */ }",
"source": {
"type": "ida:function_summary",
"identifier": "sub_000A803E",
"location": "127.0.0.1:8890",
"tool": "ida_mcp",
"parameters": {
"host": "127.0.0.1",
"port": 8890
}
},
"kind": "summary",
"location": {
"function_id": "sub_000A803E",
"function_name": "DriverEntry",
"address": 688190,
"address_range": null,
"call_path": []
},
"confidence": 0.35,
"severity": "low",
"tags": [
"ida",
"function",
"sub_000A803E"
],
"artifacts": [
"artifacts/sub_000A803E_pseudocode.c",
"artifacts/sub_000A803E_disassembly.asm"
],
"observations": [],
"related_evidence_ids": []
},
{
"id": "trace-analyze_driver_entry-0",
"title": "Trace step 0 \u2014 Analyze Driver Initialization via DriverEntry",
"description": "Analyze the driver's entry point to understand its initialization process and core functionality. Executed `analyze_function`; observations=2.\nObservations:\n- No new observations captured during this step.\n- Captured 1 evidence item(s).",
"source": {
"type": "manual",
"identifier": null,
"location": null,
"tool": "workflow.trace",
"parameters": {
"thread_id": "analyze_driver_entry",
"step_action": "Analyze the driver's entry point to understand its initialization process and core functionality.",
"status": "success"
}
},
"kind": "summary",
"location": {
"function_id": null,
"function_name": "The main entry point function, 'DriverEntry'.",
"address": null,
"address_range": null,
"call_path": []
},
"confidence": 0.6,
"severity": "medium",
"tags": [
"trace",
"analyze_driver_entry",
"persistence",
"stealth",
"defense_evasion",
"execution_control"
],
"artifacts": [],
"observations": [],
"related_evidence_ids": []
},
{
"id": "trace-analyze_driver_entry-1",
"title": "Trace step 1 \u2014 Analyze Driver Initialization via DriverEntry",
"description": "Analyze the driver's entry point to understand its initialization process and core functionality. Executed `analyze_function`; observations=2.\nObservations:\n- No new observations captured during this step.\n- Captured 1 evidence item(s).",
"source": {
"type": "manual",
"identifier": null,
"location": null,
"tool": "workflow.trace",
"parameters": {
"thread_id": "analyze_driver_entry",
"step_action": "Analyze the driver's entry point to understand its initialization process and core functionality.",
"status": "success"
}
},
"kind": "summary",
"location": {
"function_id": null,
"function_name": "The main entry point function, 'DriverEntry'.",
"address": null,
"address_range": null,
"call_path": []
},
"confidence": 0.6,
"severity": "medium",
"tags": [
"trace",
"analyze_driver_entry",
"persistence",
"stealth",
"defense_evasion",
"execution_control"
],
"artifacts": [],
"observations": [],
"related_evidence_ids": []
},
{
"id": "trace-analyze_driver_entry-2",
"title": "Trace step 2 \u2014 Analyze Driver Initialization via DriverEntry",
"description": "Analyze the driver's entry point, `DriverEntry`, to understand its initialization process, including device creation, dispatch routine registration, and any other setup activities. Executed `analyze_function`; observations=2.\nObservations:\n- No new observations captured during this step.\n- Captured 1 evidence item(s).",
"source": {
"type": "manual",
"identifier": null,
"location": null,
"tool": "workflow.trace",
"parameters": {
"thread_id": "analyze_driver_entry",
"step_action": "Analyze the driver's entry point, `DriverEntry`, to understand its initialization process, including device creation, dispatch routine registration, and any other setup activities.",
"status": "success"
}
},
"kind": "summary",
"location": {
"function_id": null,
"function_name": "The main entry point function, 'DriverEntry'.",
"address": null,
"address_range": null,
"call_path": []
},
"confidence": 0.6,
"severity": "medium",
"tags": [
"trace",
"analyze_driver_entry",
"persistence",
"stealth",
"defense_evasion",
"execution_control"
],
"artifacts": [],
"observations": [],
"related_evidence_ids": []
},
{
"id": "trace-analyze_driver_entry-3",
"title": "Trace step 3 \u2014 Analyze Driver Initialization via DriverEntry",
"description": "Analyze the driver's entry point, `DriverEntry`, to understand its initialization process, including device creation, dispatch routine registration, and any other setup activities. Executed `analyze_function`; observations=2.\nObservations:\n- No new observations captured during this step.\n- Captured 1 evidence item(s).",
"source": {
"type": "manual",
"identifier": null,
"location": null,
"tool": "workflow.trace",
"parameters": {
"thread_id": "analyze_driver_entry",
"step_action": "Analyze the driver's entry point, `DriverEntry`, to understand its initialization process, including device creation, dispatch routine registration, and any other setup activities.",
"status": "success"
}
},
"kind": "summary",
"location": {
"function_id": null,
"function_name": "The main entry point function, 'DriverEntry'.",
"address": null,
"address_range": null,
"call_path": []
},
"confidence": 0.6,
"severity": "medium",
"tags": [
"trace",
"analyze_driver_entry",
"persistence",
"stealth",
"defense_evasion",
"execution_control"
],
"artifacts": [],
"observations": [],
"related_evidence_ids": []
},
{
"id": "trace-analyze_driver_entry-4",
"title": "Trace step 4 \u2014 Analyze Driver Initialization via DriverEntry",
"description": "Analyze the driver's entry point, `DriverEntry`, to understand its initialization process, including device creation, dispatch routine registration, and any other setup activities. Executed `analyze_function`; observations=2.\nObservations:\n- No new observations captured during this step.\n- Captured 1 evidence item(s).",
"source": {
"type": "manual",
"identifier": null,
"location": null,
"tool": "workflow.trace",
"parameters": {
"thread_id": "analyze_driver_entry",
"step_action": "Analyze the driver's entry point, `DriverEntry`, to understand its initialization process, including device creation, dispatch routine registration, and any other setup activities.",
"status": "success"
}
},
"kind": "summary",
"location": {
"function_id": null,
"function_name": "The main entry point function, 'DriverEntry'.",
"address": null,
"address_range": null,
"call_path": []
},
"confidence": 0.6,
"severity": "medium",
"tags": [
"trace",
"analyze_driver_entry",
"persistence",
"stealth",
"defense_evasion",
"execution_control"
],
"artifacts": [],
"observations": [],
"related_evidence_ids": []
},
{
"id": "trace-analyze_driver_entry-5",
"title": "Trace step 5 \u2014 Analyze Driver Initialization via DriverEntry",
"description": "Analyze the driver's entry point, `DriverEntry`, to understand its initialization process and core functionality. Executed `analyze_function`; observations=2.\nObservations:\n- No new observations captured during this step.\n- Captured 1 evidence item(s).",
"source": {
"type": "manual",
"identifier": null,
"location": null,
"tool": "workflow.trace",
"parameters": {
"thread_id": "analyze_driver_entry",
"step_action": "Analyze the driver's entry point, `DriverEntry`, to understand its initialization process and core functionality.",
"status": "success"
}
},
"kind": "summary",
"location": {
"function_id": null,
"function_name": "The main entry point function, 'DriverEntry'.",
"address": null,
"address_range": null,
"call_path": []
},
"confidence": 0.6,
"severity": "medium",
"tags": [
"trace",
"analyze_driver_entry",
"persistence",
"stealth",
"defense_evasion",
"execution_control"
],
"artifacts": [],
"observations": [],
"related_evidence_ids": []
},
{
"id": "trace-trace_usermode_process_interaction-0",
"title": "Trace step 0 \u2014 Investigate References to User-Mode Executables",
"description": "Trace step runner raised an exception.\nNo detailed observations captured for this step.",
"source": {
"type": "manual",
"identifier": null,
"location": null,
"tool": "workflow.trace",
"parameters": {
"thread_id": "trace_usermode_process_interaction",
"step_action": "internal_error",
"status": "failure"
}
},
"kind": "summary",
"location": {
"function_id": null,
"function_name": "Suspicious strings referencing executables: 'safemon.dll', 'CORAL.EXE', '115BR.EXE', 'TTRAVELER.EXE', 'NAVIGATOR.EXE'.",
"address": null,
"address_range": null,
"call_path": []
},
"confidence": 0.4,
"severity": "low",
"tags": [
"trace",
"trace_usermode_process_interaction",
"defense_evasion",
"execution_control",
"stealth"
],
"artifacts": [],
"observations": [],
"related_evidence_ids": []
},
{
"id": "trace-trace_usermode_process_interaction-1",
"title": "Trace step 1 \u2014 Investigate References to User-Mode Executables",
"description": "Analyze the driver's entry point to understand its initialization routine and identify key functions that might handle the logic related to the suspicious executable names. Executed `analyze_function`; observations=2.\nObservations:\n- No new observations captured during this step.\n- Captured 1 evidence item(s).",
"source": {
"type": "manual",
"identifier": null,
"location": null,
"tool": "workflow.trace",
"parameters": {
"thread_id": "trace_usermode_process_interaction",
"step_action": "Analyze the driver's entry point to understand its initialization routine and identify key functions that might handle the logic related to the suspicious executable names.",
"status": "success"
}
},
"kind": "summary",
"location": {
"function_id": null,
"function_name": "Suspicious strings referencing executables: 'safemon.dll', 'CORAL.EXE', '115BR.EXE', 'TTRAVELER.EXE', 'NAVIGATOR.EXE'.",
"address": null,
"address_range": null,
"call_path": []
},
"confidence": 0.6,
"severity": "medium",
"tags": [
"trace",
"trace_usermode_process_interaction",
"defense_evasion",
"execution_control",
"stealth"
],
"artifacts": [],
"observations": [],
"related_evidence_ids": []
},
{
"id": "trace-trace_usermode_process_interaction-2",
"title": "Trace step 2 \u2014 Investigate References to User-Mode Executables",
"description": "Trace step runner raised an exception.\nNo detailed observations captured for this step.",
"source": {
"type": "manual",
"identifier": null,
"location": null,
"tool": "workflow.trace",
"parameters": {
"thread_id": "trace_usermode_process_interaction",
"step_action": "internal_error",
"status": "failure"
}
},
"kind": "summary",
"location": {
"function_id": null,
"function_name": "Suspicious strings referencing executables: 'safemon.dll', 'CORAL.EXE', '115BR.EXE', 'TTRAVELER.EXE', 'NAVIGATOR.EXE'.",
"address": null,
"address_range": null,
"call_path": []
},
"confidence": 0.4,
"severity": "low",
"tags": [
"trace",
"trace_usermode_process_interaction",
"defense_evasion",
"execution_control",
"stealth"
],
"artifacts": [],
"observations": [],
"related_evidence_ids": []
},
{
"id": "trace-trace_usermode_process_interaction-3",
"title": "Trace step 3 \u2014 Investigate References to User-Mode Executables",
"description": "Trace step runner raised an exception.\nNo detailed observations captured for this step.",
"source": {
"type": "manual",
"identifier": null,
"location": null,
"tool": "workflow.trace",
"parameters": {
"thread_id": "trace_usermode_process_interaction",
"step_action": "internal_error",
"status": "failure"
}
},
"kind": "summary",
"location": {
"function_id": null,
"function_name": "Suspicious strings referencing executables: 'safemon.dll', 'CORAL.EXE', '115BR.EXE', 'TTRAVELER.EXE', 'NAVIGATOR.EXE'.",
"address": null,
"address_range": null,
"call_path": []
},
"confidence": 0.4,
"severity": "low",
"tags": [
"trace",
"trace_usermode_process_interaction",
"defense_evasion",
"execution_control",
"stealth"
],
"artifacts": [],
"observations": [],
"related_evidence_ids": []
},
{
"id": "trace-identify_rootkit_stealth_mechanisms-0",
"title": "Trace step 0 \u2014 Identify Potential Rootkit Callbacks and Hooks",
"description": "Find call sites for the ntoskrnl.exe!PsSetCreateProcessNotifyRoutine API, which is a common mechanism for malware to monitor or interfere with process creation. Executed `find_import_usage`; observations=2.\nObservations:\n- ntoskrnl.exe!PsSetCreateProcessNotifyRoutine referenced 0 time(s).\n- Full reference list stored at artifacts/trace_output_identify_rootkit_stealth_mechanisms_0_find_import_usage.json.",
"source": {
"type": "manual",
"identifier": null,
"location": null,
"tool": "workflow.trace",
"parameters": {
"thread_id": "identify_rootkit_stealth_mechanisms",
"step_action": "Find call sites for the ntoskrnl.exe!PsSetCreateProcessNotifyRoutine API, which is a common mechanism for malware to monitor or interfere with process creation.",
"status": "success"
}
},
"kind": "summary",
"location": {
"function_id": null,
"function_name": "Imports from ntoskrnl.sys related to system callbacks, object manipulation, and I/O request packet (IRP) handling.",
"address": null,
"address_range": null,
"call_path": []
},
"confidence": 0.6,
"severity": "medium",
"tags": [
"trace",
"identify_rootkit_stealth_mechanisms",
"stealth",
"defense_evasion"
],
"artifacts": [],
"observations": [],
"related_evidence_ids": []
},
{
"id": "trace-identify_rootkit_stealth_mechanisms-1",
"title": "Trace step 1 \u2014 Identify Potential Rootkit Callbacks and Hooks",
"description": "Trace step runner raised an exception.\nNo detailed observations captured for this step.",
"source": {
"type": "manual",
"identifier": null,
"location": null,
"tool": "workflow.trace",
"parameters": {
"thread_id": "identify_rootkit_stealth_mechanisms",
"step_action": "internal_error",
"status": "failure"
}
},
"kind": "summary",
"location": {
"function_id": null,
"function_name": "Imports from ntoskrnl.sys related to system callbacks, object manipulation, and I/O request packet (IRP) handling.",
"address": null,
"address_range": null,
"call_path": []
},
"confidence": 0.4,
"severity": "low",
"tags": [
"trace",
"identify_rootkit_stealth_mechanisms",
"stealth",
"defense_evasion"
],
"artifacts": [],
"observations": [],
"related_evidence_ids": []
},
{
"id": "trace-identify_rootkit_stealth_mechanisms-2",
"title": "Trace step 2 \u2014 Identify Potential Rootkit Callbacks and Hooks",
"description": "Find call sites for the ntoskrnl.exe!CmRegisterCallback API, which is a common mechanism for malware to monitor or interfere with registry operations. Executed `find_import_usage`; observations=2.\nObservations:\n- ntoskrnl.exe!CmRegisterCallback referenced 0 time(s).\n- Full reference list stored at artifacts/trace_output_identify_rootkit_stealth_mechanisms_2_find_import_usage.json.",
"source": {
"type": "manual",
"identifier": null,
"location": null,
"tool": "workflow.trace",
"parameters": {
"thread_id": "identify_rootkit_stealth_mechanisms",
"step_action": "Find call sites for the ntoskrnl.exe!CmRegisterCallback API, which is a common mechanism for malware to monitor or interfere with registry operations.",
"status": "success"
}
},
"kind": "summary",
"location": {
"function_id": null,
"function_name": "Imports from ntoskrnl.sys related to system callbacks, object manipulation, and I/O request packet (IRP) handling.",
"address": null,
"address_range": null,
"call_path": []
},
"confidence": 0.6,
"severity": "medium",
"tags": [
"trace",
"identify_rootkit_stealth_mechanisms",
"stealth",
"defense_evasion"
],
"artifacts": [],
"observations": [],
"related_evidence_ids": []
},
{
"id": "trace-identify_rootkit_stealth_mechanisms-3",
"title": "Trace step 3 \u2014 Identify Potential Rootkit Callbacks and Hooks",
"description": "Analyze the driver's entry point to understand how it initializes its I/O Request Packet (IRP) dispatch routines. This is a critical step to identify potential IRP hooking for stealth. Executed `analyze_function`; observations=2.\nObservations:\n- No new observations captured during this step.\n- Captured 1 evidence item(s).",
"source": {
"type": "manual",
"identifier": null,
"location": null,
"tool": "workflow.trace",
"parameters": {
"thread_id": "identify_rootkit_stealth_mechanisms",
"step_action": "Analyze the driver's entry point to understand how it initializes its I/O Request Packet (IRP) dispatch routines. This is a critical step to identify potential IRP hooking for stealth.",
"status": "success"
}
},
"kind": "summary",
"location": {
"function_id": null,
"function_name": "Imports from ntoskrnl.sys related to system callbacks, object manipulation, and I/O request packet (IRP) handling.",
"address": null,
"address_range": null,
"call_path": []
},
"confidence": 0.6,
"severity": "medium",
"tags": [
"trace",
"identify_rootkit_stealth_mechanisms",
"stealth",
"defense_evasion"
],
"artifacts": [],
"observations": [],
"related_evidence_ids": []
},
{
"id": "trace-identify_rootkit_stealth_mechanisms-4",
"title": "Trace step 4 \u2014 Identify Potential Rootkit Callbacks and Hooks",
"description": "Decompile the driver's entry point to understand its initialization logic, specifically how it sets up its IRP dispatch table and creates device objects. This will reveal which I/O operations the driver intends to handle. Executed `decompile_function`; observations=1.\nObservations:\n- Captured pseudocode for 0x000A803E.",
"source": {
"type": "manual",
"identifier": null,
"location": null,
"tool": "workflow.trace",
"parameters": {
"thread_id": "identify_rootkit_stealth_mechanisms",
"step_action": "Decompile the driver's entry point to understand its initialization logic, specifically how it sets up its IRP dispatch table and creates device objects. This will reveal which I/O operations the driver intends to handle.",
"status": "success"
}
},
"kind": "summary",
"location": {
"function_id": null,
"function_name": "Imports from ntoskrnl.sys related to system callbacks, object manipulation, and I/O request packet (IRP) handling.",
"address": null,
"address_range": null,
"call_path": []
},
"confidence": 0.6,
"severity": "medium",
"tags": [
"trace",
"identify_rootkit_stealth_mechanisms",
"stealth",
"defense_evasion"
],
"artifacts": [],
"observations": [],
"related_evidence_ids": []
},
{
"id": "trace-identify_rootkit_stealth_mechanisms-5",
"title": "Trace step 5 \u2014 Identify Potential Rootkit Callbacks and Hooks",
"description": "Trace step runner raised an exception.\nNo detailed observations captured for this step.",
"source": {
"type": "manual",
"identifier": null,
"location": null,
"tool": "workflow.trace",
"parameters": {
"thread_id": "identify_rootkit_stealth_mechanisms",
"step_action": "internal_error",
"status": "failure"
}
},
"kind": "summary",
"location": {
"function_id": null,
"function_name": "Imports from ntoskrnl.sys related to system callbacks, object manipulation, and I/O request packet (IRP) handling.",
"address": null,
"address_range": null,
"call_path": []
},
"confidence": 0.4,
"severity": "low",
"tags": [
"trace",
"identify_rootkit_stealth_mechanisms",
"stealth",
"defense_evasion"
],
"artifacts": [],
"observations": [],
"related_evidence_ids": []
},
{
"id": "trace-investigate_driver_persistence-0",
"title": "Trace step 0 \u2014 Investigate Driver Service Installation for Persistence",
"description": "Find call sites for the `ZwCreateKey` API, which is used to create registry keys. This is a primary method for creating a new service entry for persistence. Executed `find_import_usage`; observations=2.\nObservations:\n- ntoskrnl.exe!ZwCreateKey referenced 0 time(s).\n- Full reference list stored at artifacts/trace_output_investigate_driver_persistence_0_find_import_usage.json.",
"source": {
"type": "manual",
"identifier": null,
"location": null,
"tool": "workflow.trace",
"parameters": {
"thread_id": "investigate_driver_persistence",
"step_action": "Find call sites for the `ZwCreateKey` API, which is used to create registry keys. This is a primary method for creating a new service entry for persistence.",
"status": "success"
}
},
"kind": "summary",
"location": {
"function_id": null,
"function_name": "Mechanisms for loading the driver on system startup.",
"address": null,
"address_range": null,
"call_path": []
},
"confidence": 0.6,
"severity": "medium",
"tags": [
"trace",
"investigate_driver_persistence",
"persistence"
],
"artifacts": [],
"observations": [],
"related_evidence_ids": []
},
{
"id": "trace-investigate_driver_persistence-1",
"title": "Trace step 1 \u2014 Investigate Driver Service Installation for Persistence",
"description": "Find call sites for the `ZwSetValueKey` API, which is used to write values to registry keys. This is a necessary step for configuring a driver service for persistence, such as setting the `ImagePath` or `Start` type. Executed `find_import_usage`; observations=2.\nObservations:\n- ntoskrnl.exe!ZwSetValueKey referenced 0 time(s).\n- Full reference list stored at artifacts/trace_output_investigate_driver_persistence_1_find_import_usage.json.",
"source": {
"type": "manual",
"identifier": null,
"location": null,
"tool": "workflow.trace",
"parameters": {
"thread_id": "investigate_driver_persistence",
"step_action": "Find call sites for the `ZwSetValueKey` API, which is used to write values to registry keys. This is a necessary step for configuring a driver service for persistence, such as setting the `ImagePath` or `Start` type.",
"status": "success"
}
},
"kind": "summary",
"location": {
"function_id": null,
"function_name": "Mechanisms for loading the driver on system startup.",
"address": null,
"address_range": null,
"call_path": []
},
"confidence": 0.6,
"severity": "medium",
"tags": [
"trace",
"investigate_driver_persistence",
"persistence"
],
"artifacts": [],
"observations": [],
"related_evidence_ids": []
},
{
"id": "trace-investigate_driver_persistence-2",
"title": "Trace step 2 \u2014 Investigate Driver Service Installation for Persistence",
"description": "Find call sites for the `RtlCreateRegistryKey` API, which is another common function used by drivers to create registry keys for persistence. Executed `find_import_usage`; observations=2.\nObservations:\n- ntoskrnl.exe!RtlCreateRegistryKey referenced 0 time(s).\n- Full reference list stored at artifacts/trace_output_investigate_driver_persistence_2_find_import_usage.json.",
"source": {
"type": "manual",
"identifier": null,
"location": null,
"tool": "workflow.trace",
"parameters": {
"thread_id": "investigate_driver_persistence",
"step_action": "Find call sites for the `RtlCreateRegistryKey` API, which is another common function used by drivers to create registry keys for persistence.",
"status": "success"
}
},
"kind": "summary",
"location": {
"function_id": null,
"function_name": "Mechanisms for loading the driver on system startup.",
"address": null,
"address_range": null,
"call_path": []
},
"confidence": 0.6,
"severity": "medium",
"tags": [
"trace",
"investigate_driver_persistence",
"persistence"
],
"artifacts": [],
"observations": [],
"related_evidence_ids": []
},
{
"id": "trace-investigate_driver_persistence-3",
"title": "Trace step 3 \u2014 Investigate Driver Service Installation for Persistence",
"description": "Search for common persistence-related artifacts like registry keys and service names. Executed `find_persistence_indicators`; observations=2.\nObservations:\n- autorun strings: 1 candidate(s).\n- service strings: 1 candidate(s).",
"source": {
"type": "manual",
"identifier": null,
"location": null,
"tool": "workflow.trace",
"parameters": {
"thread_id": "investigate_driver_persistence",
"step_action": "Search for common persistence-related artifacts like registry keys and service names.",
"status": "success"
}
},
"kind": "summary",
"location": {
"function_id": null,
"function_name": "Mechanisms for loading the driver on system startup.",
"address": null,
"address_range": null,
"call_path": []
},
"confidence": 0.6,
"severity": "medium",
"tags": [
"trace",
"investigate_driver_persistence",
"persistence"
],
"artifacts": [],
"observations": [],
"related_evidence_ids": []
},
{
"id": "trace-investigate_driver_persistence-4",
"title": "Trace step 4 \u2014 Investigate Driver Service Installation for Persistence",
"description": "Analyze the driver's entry point to understand its initialization sequence, which is the most likely place to find the setup for persistence mechanisms. Executed `analyze_function`; observations=2.\nObservations:\n- No new observations captured during this step.\n- Captured 1 evidence item(s).",
"source": {
"type": "manual",
"identifier": null,
"location": null,
"tool": "workflow.trace",
"parameters": {
"thread_id": "investigate_driver_persistence",
"step_action": "Analyze the driver's entry point to understand its initialization sequence, which is the most likely place to find the setup for persistence mechanisms.",
"status": "success"
}
},
"kind": "summary",
"location": {
"function_id": null,
"function_name": "Mechanisms for loading the driver on system startup.",
"address": null,
"address_range": null,
"call_path": []
},
"confidence": 0.6,
"severity": "medium",
"tags": [
"trace",
"investigate_driver_persistence",
"persistence"
],
"artifacts": [],
"observations": [],
"related_evidence_ids": []
},
{
"id": "trace-investigate_driver_persistence-5",
"title": "Trace step 5 \u2014 Investigate Driver Service Installation for Persistence",
"description": "Enumerate the functions called by the driver's entry point (`DriverEntry`) to understand its initialization and setup routines, which may include persistence logic. Executed `enumerate_callees`; observations=1.\nObservations:\n- {\"address\": 688133, \"name\": \"___security_init_cookie\", \"call_sites\": [688195], \"edge_type\": \"direct\"}",
"source": {
"type": "manual",
"identifier": null,
"location": null,
"tool": "workflow.trace",
"parameters": {
"thread_id": "investigate_driver_persistence",
"step_action": "Enumerate the functions called by the driver's entry point (`DriverEntry`) to understand its initialization and setup routines, which may include persistence logic.",
"status": "success"
}
},
"kind": "summary",
"location": {
"function_id": null,
"function_name": "Mechanisms for loading the driver on system startup.",
"address": null,
"address_range": null,
"call_path": []
},
"confidence": 0.6,
"severity": "medium",
"tags": [
"trace",
"investigate_driver_persistence",
"persistence"
],
"artifacts": [],
"observations": [],
"related_evidence_ids": []
}
],
"next_steps": [
"Prioritise deeper analysis of the cited suspicious behaviours.",
"Collect dynamic or network telemetry to confirm or refute malicious intent."
],
"capability_summary": {
"present": [],
"absent": [],
"investigating": [
"defense_evasion",
"execution_control",
"persistence",
"stealth"
],
"unknown": [
"c2"
],
"capabilities": {
"persistence": {
"state": "investigating",
"evidence_count": 12,
"evidence_ids": [
"trace-analyze_driver_entry-0",
"trace-analyze_driver_entry-1",
"trace-analyze_driver_entry-2",
"trace-analyze_driver_entry-3",
"trace-analyze_driver_entry-4",
"trace-analyze_driver_entry-5",
"trace-investigate_driver_persistence-0",
"trace-investigate_driver_persistence-1",
"trace-investigate_driver_persistence-2",
"trace-investigate_driver_persistence-3",
"trace-investigate_driver_persistence-4",
"trace-investigate_driver_persistence-5"
],
"confidence": null,
"notes": null
},
"stealth": {
"state": "investigating",
"evidence_count": 16,
"evidence_ids": [
"trace-analyze_driver_entry-0",
"trace-analyze_driver_entry-1",
"trace-analyze_driver_entry-2",
"trace-analyze_driver_entry-3",
"trace-analyze_driver_entry-4",
"trace-analyze_driver_entry-5",
"trace-trace_usermode_process_interaction-0",
"trace-trace_usermode_process_interaction-1",
"trace-trace_usermode_process_interaction-2",
"trace-trace_usermode_process_interaction-3",
"trace-identify_rootkit_stealth_mechanisms-0",
"trace-identify_rootkit_stealth_mechanisms-1",
"trace-identify_rootkit_stealth_mechanisms-2",
"trace-identify_rootkit_stealth_mechanisms-3",
"trace-identify_rootkit_stealth_mechanisms-4",
"trace-identify_rootkit_stealth_mechanisms-5"
],
"confidence": null,
"notes": null
},
"execution_control": {
"state": "investigating",
"evidence_count": 10,
"evidence_ids": [
"trace-analyze_driver_entry-0",
"trace-analyze_driver_entry-1",
"trace-analyze_driver_entry-2",
"trace-analyze_driver_entry-3",
"trace-analyze_driver_entry-4",
"trace-analyze_driver_entry-5",
"trace-trace_usermode_process_interaction-0",
"trace-trace_usermode_process_interaction-1",
"trace-trace_usermode_process_interaction-2",
"trace-trace_usermode_process_interaction-3"
],
"confidence": null,
"notes": null
},
"c2": {
"state": "unknown",
"evidence_count": 0,
"evidence_ids": [],
"confidence": null,
"notes": null
},
"defense_evasion": {
"state": "investigating",
"evidence_count": 16,
"evidence_ids": [
"trace-analyze_driver_entry-0",
"trace-analyze_driver_entry-1",
"trace-analyze_driver_entry-2",
"trace-analyze_driver_entry-3",
"trace-analyze_driver_entry-4",
"trace-analyze_driver_entry-5",
"trace-trace_usermode_process_interaction-0",
"trace-trace_usermode_process_interaction-1",
"trace-trace_usermode_process_interaction-2",
"trace-trace_usermode_process_interaction-3",
"trace-identify_rootkit_stealth_mechanisms-0",
"trace-identify_rootkit_stealth_mechanisms-1",
"trace-identify_rootkit_stealth_mechanisms-2",
"trace-identify_rootkit_stealth_mechanisms-3",
"trace-identify_rootkit_stealth_mechanisms-4",
"trace-identify_rootkit_stealth_mechanisms-5"
],
"confidence": null,
"notes": null
}
}
},
"triage_overview": [
{
"thread_id": "analyze_driver_entry",
"title": "Analyze Driver Initialization via DriverEntry",
"focus": "The main entry point function, 'DriverEntry'.",
"rationale": "As the primary entry point for a kernel driver, 'DriverEntry' is responsible for all initial setup. Analyzing it will reveal the driver's core functionality, such as creating device objects, registering dispatch routines, or setting up system callbacks that contain the malicious logic. This is the most critical first step to understanding the binary's purpose.",
"capability_hypotheses": [
"persistence",
"stealth",
"defense_evasion",
"execution_control"
],
"priority": 0,
"status": "max_iterations",
"confidence": 0.9,
"blocking_gaps": []
},
{
"thread_id": "trace_usermode_process_interaction",
"title": "Investigate References to User-Mode Executables",
"focus": "Suspicious strings referencing executables: 'safemon.dll', 'CORAL.EXE', '115BR.EXE', 'TTRAVELER.EXE', 'NAVIGATOR.EXE'.",
"rationale": "A kernel driver referencing specific user-mode executables is highly anomalous. This could be part of a defense evasion strategy to terminate security products, or it could be related to injecting code into legitimate processes ('execution_control', 'stealth'). Identifying the context of these string references is crucial.",
"capability_hypotheses": [
"defense_evasion",
"execution_control",
"stealth"
],
"priority": 1,
"status": "max_failures",
"confidence": 0.8,
"blocking_gaps": [
"The addresses of the functions where these strings are used are currently unknown."
]
},
{
"thread_id": "identify_rootkit_stealth_mechanisms",
"title": "Identify Potential Rootkit Callbacks and Hooks",
"focus": "Imports from ntoskrnl.sys related to system callbacks, object manipulation, and I/O request packet (IRP) handling.",
"rationale": "Kernel drivers are the ideal platform for implementing rootkits to achieve stealth. Common techniques involve hooking IRPs to hide file system or network activity, or registering notification routines (e.g., PsSetCreateProcessNotifyRoutine, CmRegisterCallback) to monitor or interfere with system operations. We must proactively search for indicators of this behavior.",
"capability_hypotheses": [
"stealth",
"defense_evasion"
],
"priority": 2,
"status": "max_iterations",
"confidence": 0.7,
"blocking_gaps": [
"A complete list of imported ntoskrnl functions is needed to target the search."
]
},
{
"thread_id": "investigate_driver_persistence",
"title": "Investigate Driver Service Installation for Persistence",
"focus": "Mechanisms for loading the driver on system startup.",
"rationale": "A malicious driver must have a mechanism to persist across reboots. The standard method is to create a system service configured to load at or during boot. We need to find evidence of service creation, which is typically done via the registry.",
"capability_hypotheses": [
"persistence"
],
"priority": 3,
"status": "max_iterations",
"confidence": 0.6,
"blocking_gaps": []
}
],
"trace_workflows": [
{
"thread_id": "analyze_driver_entry",
"title": "Analyze Driver Initialization via DriverEntry",
"focus": "The main entry point function, 'DriverEntry'.",
"capability_hypotheses": [
"persistence",
"stealth",
"defense_evasion",
"execution_control"
],
"status": "max_iterations",
"notes": [
"iteration_cap"
],
"steps": [
{
"step_index": 0,
"action": "Analyze the driver's entry point to understand its initialization process and core functionality.",
"status": "success",
"context_hash": "1b481c8f1696a71d4e66ed0adacc0049f648da35f497ef72cb11274b42f2b47d",
"context_keys": [
"baseline_metadata",
"capability_state",
"context_hash",
"step_definition",
"thread",
"timestamp"
],
"evidence_ids": [
"function-DriverEntry"
],
"observations": [
"No new observations captured during this step.",
"Captured 1 evidence item(s)."
],
"duration_seconds": 6.797928292000051
},
{
"step_index": 1,
"action": "Analyze the driver's entry point to understand its initialization process and core functionality.",
"status": "success",
"context_hash": "702ad541a70a799bde654f72507c555b96967cccf0f1eea9e75d510f2261cde4",
"context_keys": [
"baseline_metadata",
"capability_state",
"context_hash",
"step_definition",
"thread",
"timestamp"
],
"evidence_ids": [
"function-sub_000A803E"
],
"observations": [
"No new observations captured during this step.",
"Captured 1 evidence item(s)."
],
"duration_seconds": 7.072792874999777
},
{
"step_index": 2,
"action": "Analyze the driver's entry point, `DriverEntry`, to understand its initialization process, including device creation, dispatch routine registration, and any other setup activities.",
"status": "success",
"context_hash": "4f20e5d0e0a8997abada5007cf19e8248ade9374eedf0440479890d3daf6bb65",
"context_keys": [
"baseline_metadata",
"capability_state",
"context_hash",
"step_definition",
"thread",
"timestamp"
],
"evidence_ids": [
"function-sub_000A803E"
],
"observations": [
"No new observations captured during this step.",
"Captured 1 evidence item(s)."
],
"duration_seconds": 7.152915125000163
},
{
"step_index": 3,
"action": "Analyze the driver's entry point, `DriverEntry`, to understand its initialization process, including device creation, dispatch routine registration, and any other setup activities.",
"status": "success",
"context_hash": "f68c9374e6aad25aae265a74aa5b9cec82498dc15f29b6ae480b3ed27f2270de",
"context_keys": [
"baseline_metadata",
"capability_state",
"context_hash",
"step_definition",
"thread",
"timestamp"
],
"evidence_ids": [
"function-sub_000A803E"
],
"observations": [
"No new observations captured during this step.",
"Captured 1 evidence item(s)."
],
"duration_seconds": 6.876519667000139
},
{
"step_index": 4,
"action": "Analyze the driver's entry point, `DriverEntry`, to understand its initialization process, including device creation, dispatch routine registration, and any other setup activities.",
"status": "success",
"context_hash": "f7b397980f91797df236392aefb5593c19eb91f1ca018504ae54bc658e2fadaa",
"context_keys": [
"baseline_metadata",
"capability_state",
"context_hash",
"step_definition",
"thread",
"timestamp"
],
"evidence_ids": [
"function-sub_000A803E"
],
"observations": [
"No new observations captured during this step.",
"Captured 1 evidence item(s)."
],
"duration_seconds": 6.723561082999822
},
{
"step_index": 5,
"action": "Analyze the driver's entry point, `DriverEntry`, to understand its initialization process and core functionality.",
"status": "success",
"context_hash": "f6708423b28dc7462eaffa12c691a622ca112807c6abff57e666229af3b2df2d",
"context_keys": [
"baseline_metadata",
"capability_state",
"context_hash",
"step_definition",
"thread",
"timestamp"
],
"evidence_ids": [
"function-DriverEntry"
],
"observations": [
"No new observations captured during this step.",
"Captured 1 evidence item(s)."
],
"duration_seconds": 6.753587583999888
}
]
},
{
"thread_id": "trace_usermode_process_interaction",
"title": "Investigate References to User-Mode Executables",
"focus": "Suspicious strings referencing executables: 'safemon.dll', 'CORAL.EXE', '115BR.EXE', 'TTRAVELER.EXE', 'NAVIGATOR.EXE'.",
"capability_hypotheses": [
"defense_evasion",
"execution_control",
"stealth"
],
"status": "max_failures",
"notes": [
"step_runner_exception",
"step_runner_exception",
"step_runner_exception",
"failure_cap"
],
"steps": [
{
"step_index": 0,
"action": "internal_error",
"status": "failure",
"context_hash": null,
"context_keys": [],
"evidence_ids": [],
"observations": [],
"duration_seconds": null
},
{
"step_index": 1,
"action": "Analyze the driver's entry point to understand its initialization routine and identify key functions that might handle the logic related to the suspicious executable names.",
"status": "success",
"context_hash": "86059db402937ce1d69540147d475a05faf4e8ea6af2fb3e0ae970485d9aa7dc",
"context_keys": [
"baseline_metadata",
"capability_state",
"context_hash",
"step_definition",
"thread",
"timestamp"
],
"evidence_ids": [
"function-sub_000A803E"
],
"observations": [
"No new observations captured during this step.",
"Captured 1 evidence item(s)."
],
"duration_seconds": 6.786383624999871
},
{
"step_index": 2,
"action": "internal_error",
"status": "failure",
"context_hash": null,
"context_keys": [],
"evidence_ids": [],
"observations": [],
"duration_seconds": null
},
{
"step_index": 3,
"action": "internal_error",
"status": "failure",
"context_hash": null,
"context_keys": [],
"evidence_ids": [],
"observations": [],
"duration_seconds": null
}
]
},
{
"thread_id": "identify_rootkit_stealth_mechanisms",
"title": "Identify Potential Rootkit Callbacks and Hooks",
"focus": "Imports from ntoskrnl.sys related to system callbacks, object manipulation, and I/O request packet (IRP) handling.",
"capability_hypotheses": [
"stealth",
"defense_evasion"
],
"status": "max_iterations",
"notes": [
"step_runner_exception",
"step_runner_exception",
"iteration_cap"
],
"steps": [
{
"step_index": 0,
"action": "Find call sites for the ntoskrnl.exe!PsSetCreateProcessNotifyRoutine API, which is a common mechanism for malware to monitor or interfere with process creation.",
"status": "success",
"context_hash": "de17ce62d6c76f85003ad996d5dc9c34c3609f09a5ea11a4dc1354827091265a",
"context_keys": [
"baseline_metadata",
"capability_state",
"context_hash",
"step_definition",
"thread",
"timestamp"
],
"evidence_ids": [],
"observations": [
"ntoskrnl.exe!PsSetCreateProcessNotifyRoutine referenced 0 time(s).",
"Full reference list stored at artifacts/trace_output_identify_rootkit_stealth_mechanisms_0_find_import_usage.json."
],
"duration_seconds": 2.5159953329998643
},
{
"step_index": 1,
"action": "internal_error",
"status": "failure",
"context_hash": null,
"context_keys": [],
"evidence_ids": [],
"observations": [],
"duration_seconds": null
},
{
"step_index": 2,
"action": "Find call sites for the ntoskrnl.exe!CmRegisterCallback API, which is a common mechanism for malware to monitor or interfere with registry operations.",
"status": "success",
"context_hash": "7a50b49a4706556c9b5949188dfcf3aecd4079b6947224b6ca5f2586cba42fa5",
"context_keys": [
"baseline_metadata",
"capability_state",
"context_hash",
"step_definition",
"thread",
"timestamp"
],
"evidence_ids": [],
"observations": [
"ntoskrnl.exe!CmRegisterCallback referenced 0 time(s).",
"Full reference list stored at artifacts/trace_output_identify_rootkit_stealth_mechanisms_2_find_import_usage.json."
],
"duration_seconds": 2.293325083000127
},
{
"step_index": 3,
"action": "Analyze the driver's entry point to understand how it initializes its I/O Request Packet (IRP) dispatch routines. This is a critical step to identify potential IRP hooking for stealth.",
"status": "success",
"context_hash": "f2fb7bd8a608af5254192b9c8b7f4264dc0bedae9d64dd5c2b5f1a98f6914861",
"context_keys": [
"baseline_metadata",
"capability_state",
"context_hash",
"step_definition",
"thread",
"timestamp"
],
"evidence_ids": [
"function-sub_000A803E"
],
"observations": [
"No new observations captured during this step.",
"Captured 1 evidence item(s)."
],
"duration_seconds": 6.865223166000305
},
{
"step_index": 4,
"action": "Decompile the driver's entry point to understand its initialization logic, specifically how it sets up its IRP dispatch table and creates device objects. This will reveal which I/O operations the driver intends to handle.",
"status": "success",
"context_hash": "cf528484cbd2ac3fe190103b56ab10810b0b0f8f0ebc40b36968891158496a44",
"context_keys": [
"baseline_metadata",
"capability_state",
"context_hash",
"step_definition",
"thread",
"timestamp"
],
"evidence_ids": [],
"observations": [
"Captured pseudocode for 0x000A803E."
],
"duration_seconds": 6.974828500000058
},
{
"step_index": 5,
"action": "internal_error",
"status": "failure",
"context_hash": null,
"context_keys": [],
"evidence_ids": [],
"observations": [],
"duration_seconds": null
}
]
},
{
"thread_id": "investigate_driver_persistence",
"title": "Investigate Driver Service Installation for Persistence",
"focus": "Mechanisms for loading the driver on system startup.",
"capability_hypotheses": [
"persistence"
],
"status": "max_iterations",
"notes": [
"iteration_cap"
],
"steps": [
{
"step_index": 0,
"action": "Find call sites for the `ZwCreateKey` API, which is used to create registry keys. This is a primary method for creating a new service entry for persistence.",
"status": "success",
"context_hash": "ab804368b586956d8fa28fb5a70dd493649cc821f1fc38af17a48a1beff090ff",
"context_keys": [
"baseline_metadata",
"capability_state",
"context_hash",
"step_definition",
"thread",
"timestamp"
],
"evidence_ids": [],
"observations": [
"ntoskrnl.exe!ZwCreateKey referenced 0 time(s).",
"Full reference list stored at artifacts/trace_output_investigate_driver_persistence_0_find_import_usage.json."
],
"duration_seconds": 2.2572157499998866
},
{
"step_index": 1,
"action": "Find call sites for the `ZwSetValueKey` API, which is used to write values to registry keys. This is a necessary step for configuring a driver service for persistence, such as setting the `ImagePath` or `Start` type.",
"status": "success",
"context_hash": "c9ff61cb8bcc571f303f4ec02dc5431162f4ef1f0143d465b0d2359b5341d462",
"context_keys": [
"baseline_metadata",
"capability_state",
"context_hash",
"step_definition",
"thread",
"timestamp"
],
"evidence_ids": [],
"observations": [
"ntoskrnl.exe!ZwSetValueKey referenced 0 time(s).",
"Full reference list stored at artifacts/trace_output_investigate_driver_persistence_1_find_import_usage.json."
],
"duration_seconds": 2.333220457999687
},
{
"step_index": 2,
"action": "Find call sites for the `RtlCreateRegistryKey` API, which is another common function used by drivers to create registry keys for persistence.",
"status": "success",
"context_hash": "b855e5688779132dc829349faf1dde01f6b8beb3f8bc5e9064ea10c2e171635b",
"context_keys": [
"baseline_metadata",
"capability_state",
"context_hash",
"step_definition",
"thread",
"timestamp"
],
"evidence_ids": [],
"observations": [
"ntoskrnl.exe!RtlCreateRegistryKey referenced 0 time(s).",
"Full reference list stored at artifacts/trace_output_investigate_driver_persistence_2_find_import_usage.json."
],
"duration_seconds": 2.212191249999705
},
{
"step_index": 3,
"action": "Search for common persistence-related artifacts like registry keys and service names.",
"status": "success",
"context_hash": "ab0a8a2b1ee6b95ff12cb6850e384f612c7c5a880c1041d07663daf983724a63",
"context_keys": [
"baseline_metadata",
"capability_state",
"context_hash",
"step_definition",
"thread",
"timestamp"
],
"evidence_ids": [],
"observations": [
"autorun strings: 1 candidate(s).",
"service strings: 1 candidate(s)."
],
"duration_seconds": 4.744547374999911
},
{
"step_index": 4,
"action": "Analyze the driver's entry point to understand its initialization sequence, which is the most likely place to find the setup for persistence mechanisms.",
"status": "success",
"context_hash": "b18354d6eb23eaa144f15b41e436719438ea7f86bff7ecd53bd93ec6a4832f3e",
"context_keys": [
"baseline_metadata",
"capability_state",
"context_hash",
"step_definition",
"thread",
"timestamp"
],
"evidence_ids": [
"function-sub_000A803E"
],
"observations": [
"No new observations captured during this step.",
"Captured 1 evidence item(s)."
],
"duration_seconds": 6.951915625000311
},
{
"step_index": 5,
"action": "Enumerate the functions called by the driver's entry point (`DriverEntry`) to understand its initialization and setup routines, which may include persistence logic.",
"status": "success",
"context_hash": "f5900a6d0cfd231e358bd7fecf4e72ea892d3aa23af5252830e36fb396426b1b",
"context_keys": [
"baseline_metadata",
"capability_state",
"context_hash",
"step_definition",
"thread",
"timestamp"
],
"evidence_ids": [],
"observations": [
"{\"address\": 688133, \"name\": \"___security_init_cookie\", \"call_sites\": [688195], \"edge_type\": \"direct\"}"
],
"duration_seconds": 6.885379207999904
}
]
}
],
"telemetry_links": {
"langfuse_trace_id": "c289a1df22b41f26cb4056b893814b33",
"langfuse_trace_url": "http://localhost:3100//project/malware-agent/traces/c289a1df22b41f26cb4056b893814b33"
},
"analysis_metrics": {
"started_at": "2025-11-04T07:26:28.005391+00:00",
"ended_at": "2025-11-04T07:31:40.158746+00:00",
"runtime_seconds": 312.153355,
"lead_trace_count": 4,
"baseline_seed_count": 14,
"lead_budget": null,
"evidence_count": 35,
"token_usage": {
"prompt_tokens": 3784,
"completion_tokens": 2059,
"total_tokens": 5843
},
"token_usage_by_model": {
"gemini/gemini-2.5-pro": {
"prompt_tokens": 3784,
"completion_tokens": 2059,
"total_tokens": 5843,
"calls": 1
}
},
"llm_calls": 1,
"langfuse": {
"langfuse_trace_id": "c289a1df22b41f26cb4056b893814b33",
"started_at": "2025-11-04T07:26:28.005786+00:00",
"ended_at": "2025-11-04T07:31:58.540305+00:00",
"runtime_seconds": 330.534519,
"token_usage": {
"prompt_tokens": 2418,
"completion_tokens": 3347,
"total_tokens": 5765
},
"llm_call_count": 23
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment