85ef0c80-cca4-48f1-8ace-0ab2fda03b79

shdloader.efi

Description

This was provided by New Horizon Datasys Inc and revoked Aug-22

UUID: 85ef0c80-cca4-48f1-8ace-0ab2fda03b79
Created: 2023-05-22
Author: Michael Haag
Acknowledgement: |

This download link contains the Revoked Bootloader!

Commands


          1
          bcdedit /copy "{current}" /d "TheBoots" | {% if ($_ -match '{\S+}') { bcdedit /set $matches[0] path \windows\temp\shdloader.efi } }

not set

Use Case	Privileges	Operating System
Persistence		64-bit

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed bootloader files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources

https://uefi.org/revocationlistfile

https://support.microsoft.com/en-gb/topic/microsoft-guidance-for-applying-secure-boot-dbx-update-kb4575994-e3b9e4cb-a330-b3ba-a602-15083965d9ca

CVE

CVE-2022-34302

Known Vulnerable Samples

Property	Value
Filename	shdloader.efi
MD5	1c9670b5add3e4d6aa442a53427f422a
SHA1	11ddf040e749c8362e91c58fd17cb9c7aea4be91
SHA256	c3d65e174d47d3772cb431ea599bba76b8670bfaa51081895796432e2ef6461f
Authentihash MD5	431612322a95c76c8bbfb190f00aa9cc
Authentihash SHA1	e0b9eb89abfb711dc3600589fcdceafb74ecaaed
Authentihash SHA256	c55be4a2a6ac574a9d46f1e1c54cac29d29dcd7b9040389e7157bb32c4591c4c
RichPEHeaderHash MD5	ffdf660eb1ebf020a1d0a55a90712dfb
RichPEHeaderHash SHA1	3e905e3d061d0d59de61fcf39c994fcb0ec1bab3
RichPEHeaderHash SHA256	2b3f99a94b7a7132854be769e27b331419c53989ef42f686d6f5ba09ddefefd6

Certificates

Expand

Certificate 33000000081eb17e9c15fc837a000100000008

Field	Value
ToBeSigned (TBS) MD5	c5e24205d04c09c94d81b6935af7ec09
ToBeSigned (TBS) SHA1	12622dccb5b07edfd65cae6fc018e24b80ff2c82
ToBeSigned (TBS) SHA256	d6afbff1c283d7777501bd3b2adb4aadb8ce32649ee401dfbb06f884362f7507
Subject	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=MOPR, CN=Microsoft Windows UEFI Driver Publisher
ValidFrom	2012-07-02 22:25:14
ValidTo	2013-10-02 22:25:14
Signature	840831439e4e63e88d00e1b0c0678d70bb89f466e9027ab28177926d5def8175b3240e729f943f1e6bd94a0f27c92e696a5001c0747f6bf7574c09e8485a5eb6d7024244ddd73236c28e9dfad58ec5098b74516234232552d9230c1d0ddae73108b0a0144bd9e9265dac56ebdcce7512cf3627a6858d41876ede19d35e0e27957a6896aae9ea150098327450fe7c72385aac6feff0616b3d066cd0be7e5a537bb18488c67db9f0731c30ac7918fe977b4250ffbfbeea81e1ba3b8a0305b9374f0d22453781cc5823b5faad5e50e84306381f83382fe0ed8b176a9c9ff1868cc6543e7f12b1f112adc62430fd1ba530d877a290f0d2e09eacce07ed37ec439c25
SignatureAlgorithmOID	1.2.840.113549.1.1.11
IsCertificateAuthority	False
SerialNumber	33000000081eb17e9c15fc837a000100000008
Version	3

Certificate 6108d3c4000000000004

Field	Value
ToBeSigned (TBS) MD5	1f23e75a000f0b6db92650dc26ac98e1
ToBeSigned (TBS) SHA1	bc477f73f16f0a5ae09e8ce4745c0a79c0e9a39d
ToBeSigned (TBS) SHA256	9589b8c95168f79243f61922faa5990de0a4866de928736fed658ea7bff1a5e2
Subject	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
ValidFrom	2011-06-27 21:22:45
ValidTo	2026-06-27 21:32:45
Signature	350842ff30cccef7760cad1068583529463276277cef124127421b4aaa6d813848591355f3e95834a6160b82aa5dad82da808341068fb41df203b9f31a5d1bf15090f9b3558442281c20bdb2ae5114c5c0ac9795211c90db0ffc779e95739188cabdbd52b905500ddf579ea061ed0de56d25d9400f1740c8cea34ac24daf9a121d08548fbdc7bcb92b3d492b1f32fc6a21694f9bc87e4234fc3606178b8f2040c0b39a257527cdc903a3f65dd1e736547ab950b5d312d107bfbb74dfdc1e8f80d5ed18f42f14166b2fde668cb023e5c784d8edeac13382ad564b182df1689507cdcff072f0aebbdd8685982c214c332bf00f4af06887b592553275a16a826a3ca32511a4edadd704aecbd84059a084d1954c6291221a741d8c3d470e44a6e4b09b3435b1fab653a82c81eca40571c89db8bae81b4466e447540e8e567fb39f1698b286d0683e9023b52f5e8f50858dc68d825f41a1f42e0de099d26c75e4b669b52186fa07d1f6e24dd1daad2c77531e253237c76c52729586b0f135616a19f5b23b815056a6322dfea289f94286271855a182ca5a9bf830985414a64796252fc826e441941a5c023fe596e3855b3c3e3fbb47167255e22522b1d97be703062aa3f71e9046c3000dd61989e30e352762037115a6efd027a0a0593760f83894b8e07870f8ba4c868794f6e0ae0245ee65c2b6a37e69167507929bf5a6bc598358
SignatureAlgorithmOID	1.2.840.113549.1.1.11
IsCertificateAuthority	True
SerialNumber	6108d3c4000000000004
Version	3

Imports

Expand

Imports

Expand

ImportedFunctions

Expand

ExportedFunctions

Expand

Signature

Expand


          1
          {
        
          2
          "Certificates": [
        
          3
          {
        
          4
          "IsCertificateAuthority": false,
        
          5
          "SerialNumber": "33000000081eb17e9c15fc837a000100000008",
        
          6
          "Signature": "840831439e4e63e88d00e1b0c0678d70bb89f466e9027ab28177926d5def8175b3240e729f943f1e6bd94a0f27c92e696a5001c0747f6bf7574c09e8485a5eb6d7024244ddd73236c28e9dfad58ec5098b74516234232552d9230c1d0ddae73108b0a0144bd9e9265dac56ebdcce7512cf3627a6858d41876ede19d35e0e27957a6896aae9ea150098327450fe7c72385aac6feff0616b3d066cd0be7e5a537bb18488c67db9f0731c30ac7918fe977b4250ffbfbeea81e1ba3b8a0305b9374f0d22453781cc5823b5faad5e50e84306381f83382fe0ed8b176a9c9ff1868cc6543e7f12b1f112adc62430fd1ba530d877a290f0d2e09eacce07ed37ec439c25",
        
          7
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
        
          8
          "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=MOPR, CN=Microsoft Windows UEFI Driver Publisher",
        
          9
          "TBS": {
        
          10
          "MD5": "c5e24205d04c09c94d81b6935af7ec09",
        
          11
          "SHA1": "12622dccb5b07edfd65cae6fc018e24b80ff2c82",
        
          12
          "SHA256": "d6afbff1c283d7777501bd3b2adb4aadb8ce32649ee401dfbb06f884362f7507"
        
          13
          },
        
          14
          "ValidFrom": "2012-07-02 22:25:14",
        
          15
          "ValidTo": "2013-10-02 22:25:14",
        
          16
          "Version": 3
        
          17
          },
        
          18
          {
        
          19
          "IsCertificateAuthority": true,
        
          20
          "SerialNumber": "6108d3c4000000000004",
        
          21
          "Signature": "350842ff30cccef7760cad1068583529463276277cef124127421b4aaa6d813848591355f3e95834a6160b82aa5dad82da808341068fb41df203b9f31a5d1bf15090f9b3558442281c20bdb2ae5114c5c0ac9795211c90db0ffc779e95739188cabdbd52b905500ddf579ea061ed0de56d25d9400f1740c8cea34ac24daf9a121d08548fbdc7bcb92b3d492b1f32fc6a21694f9bc87e4234fc3606178b8f2040c0b39a257527cdc903a3f65dd1e736547ab950b5d312d107bfbb74dfdc1e8f80d5ed18f42f14166b2fde668cb023e5c784d8edeac13382ad564b182df1689507cdcff072f0aebbdd8685982c214c332bf00f4af06887b592553275a16a826a3ca32511a4edadd704aecbd84059a084d1954c6291221a741d8c3d470e44a6e4b09b3435b1fab653a82c81eca40571c89db8bae81b4466e447540e8e567fb39f1698b286d0683e9023b52f5e8f50858dc68d825f41a1f42e0de099d26c75e4b669b52186fa07d1f6e24dd1daad2c77531e253237c76c52729586b0f135616a19f5b23b815056a6322dfea289f94286271855a182ca5a9bf830985414a64796252fc826e441941a5c023fe596e3855b3c3e3fbb47167255e22522b1d97be703062aa3f71e9046c3000dd61989e30e352762037115a6efd027a0a0593760f83894b8e07870f8ba4c868794f6e0ae0245ee65c2b6a37e69167507929bf5a6bc598358",
        
          22
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
        
          23
          "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011",
        
          24
          "TBS": {
        
          25
          "MD5": "1f23e75a000f0b6db92650dc26ac98e1",
        
          26
          "SHA1": "bc477f73f16f0a5ae09e8ce4745c0a79c0e9a39d",
        
          27
          "SHA256": "9589b8c95168f79243f61922faa5990de0a4866de928736fed658ea7bff1a5e2"
        
          28
          },
        
          29
          "ValidFrom": "2011-06-27 21:22:45",
        
          30
          "ValidTo": "2026-06-27 21:32:45",
        
          31
          "Version": 3
        
          32
          }
        
          33
          ],
        
          34
          "CertificatesInfo": "",
        
          35
          "Signer": [
        
          36
          {
        
          37
          "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011",
        
          38
          "SerialNumber": "33000000081eb17e9c15fc837a000100000008",
        
          39
          "Version": 1
        
          40
          }
        
          41
          ],
        
          42
          "SignerInfo": ""
        
          43
          }

...

not set

source

last_updated: 2023-08-31