8b88b928-4717-4a30-832e-dcb3bb15b7a3

bootia32.efi :inline

Description

This was provided by Isoo Software Dev Co Ltd and revoked Jul-20

  • UUID: 8b88b928-4717-4a30-832e-dcb3bb15b7a3
  • Created: 2023-05-22
  • Author: Michael Haag
  • Acknowledgement: |

Download

This download link contains the Revoked Bootloader!

Commands

bcdedit /copy "{current}" /d "TheBoots" | {% if ($_ -match '{\S+}') { bcdedit /set $matches[0] path \windows\temp\bootia32.efi } }
Use CasePrivilegesOperating System
Persistence32-bit

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed bootloader files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://uefi.org/revocationlistfile
  • https://support.microsoft.com/en-gb/topic/microsoft-guidance-for-applying-secure-boot-dbx-update-kb4575994-e3b9e4cb-a330-b3ba-a602-15083965d9ca

  • CVE

  • CVE-2020-10713
  • CVE-2020-14308
  • CVE-2020-14309
  • CVE-2020-14310
  • CVE-2020-14311
  • CVE-2020-15705
  • CVE-2020-15706
  • CVE-2020-15707
  • Known Vulnerable Samples

    PropertyValue
    Filenamebootia32.efi
    MD5b1aea18419d0643fb2e4d8f6da2ae461
    SHA13085f38227977dce8dac3b29c92b0103e5b5eae8
    SHA25656f9e50da4817b1de9d9291eb5f2bc63703ca3e6f4a8571bde28cf756e2c80ba
    Authentihash MD540b8a117af84ea3225963daf421eccb3
    Authentihash SHA199823dd47cfe71774cb0fcc687fa1da921b6240b
    Authentihash SHA256bd882355bf6813cf88ec0b83b6133691100f480381ac06531c3d5909cf1fb626
    RichPEHeaderHash MD5ffdf660eb1ebf020a1d0a55a90712dfb
    RichPEHeaderHash SHA13e905e3d061d0d59de61fcf39c994fcb0ec1bab3
    RichPEHeaderHash SHA2562b3f99a94b7a7132854be769e27b331419c53989ef42f686d6f5ba09ddefefd6

    Certificates

    Expand
    Certificate 330000002530b3d3726ee3f72f000100000025
    FieldValue
    ToBeSigned (TBS) MD5a5052527524f4998a7bd87f396196fe8
    ToBeSigned (TBS) SHA12374a3e4f0499d106f0e4d71a22f7b0e709847c0
    ToBeSigned (TBS) SHA256f5b4992e0bd1b102ae9d5aeec4bd213f5dd042bd27b9a345ad336d2dda10a138
    SubjectC=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows UEFI Driver Publisher
    ValidFrom2017-08-11 20:20:00
    ValidTo2018-08-11 20:20:00
    Signature6650dd7878bef0a62b1d76ba8fa57b6193d9938ddd1975f32a880d6e9363ba516b00907d455d1089cf79e3045a976a794db027534a761a840a29d09dccb3b5978fdb1d27d6be2831b0af31b64c25d3e195056b68a403e961d61c38339c4bfbb4c16102a4b417f52b75f4d6539626736df3e9e7d689e59333e7686df72c6ac70548eb3e6f0913de69895041529dba440132da3699ee3d3ccd6c0cb1ca11d206a157a9e3504c57aea164e700dec89ccb81194b012f697127dcd1cc7dc08ccf9f92014b2a0814fdc2a010b7a7243456e15af7e812bef07b28aebcb29f0f20f5c1900827f32aaf4fef92601853403e718db111c7c35da77eea96c4deb6f903e94543
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityFalse
    SerialNumber330000002530b3d3726ee3f72f000100000025
    Version3
    Certificate 6108d3c4000000000004
    FieldValue
    ToBeSigned (TBS) MD51f23e75a000f0b6db92650dc26ac98e1
    ToBeSigned (TBS) SHA1bc477f73f16f0a5ae09e8ce4745c0a79c0e9a39d
    ToBeSigned (TBS) SHA2569589b8c95168f79243f61922faa5990de0a4866de928736fed658ea7bff1a5e2
    SubjectC=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
    ValidFrom2011-06-27 21:22:45
    ValidTo2026-06-27 21:32:45
    Signature350842ff30cccef7760cad1068583529463276277cef124127421b4aaa6d813848591355f3e95834a6160b82aa5dad82da808341068fb41df203b9f31a5d1bf15090f9b3558442281c20bdb2ae5114c5c0ac9795211c90db0ffc779e95739188cabdbd52b905500ddf579ea061ed0de56d25d9400f1740c8cea34ac24daf9a121d08548fbdc7bcb92b3d492b1f32fc6a21694f9bc87e4234fc3606178b8f2040c0b39a257527cdc903a3f65dd1e736547ab950b5d312d107bfbb74dfdc1e8f80d5ed18f42f14166b2fde668cb023e5c784d8edeac13382ad564b182df1689507cdcff072f0aebbdd8685982c214c332bf00f4af06887b592553275a16a826a3ca32511a4edadd704aecbd84059a084d1954c6291221a741d8c3d470e44a6e4b09b3435b1fab653a82c81eca40571c89db8bae81b4466e447540e8e567fb39f1698b286d0683e9023b52f5e8f50858dc68d825f41a1f42e0de099d26c75e4b669b52186fa07d1f6e24dd1daad2c77531e253237c76c52729586b0f135616a19f5b23b815056a6322dfea289f94286271855a182ca5a9bf830985414a64796252fc826e441941a5c023fe596e3855b3c3e3fbb47167255e22522b1d97be703062aa3f71e9046c3000dd61989e30e352762037115a6efd027a0a0593760f83894b8e07870f8ba4c868794f6e0ae0245ee65c2b6a37e69167507929bf5a6bc598358
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityTrue
    SerialNumber6108d3c4000000000004
    Version3

    Imports

    Expand

    Imports

    Expand

    ImportedFunctions

    Expand

    ExportedFunctions

    Expand

    Signature

    Expand
    {
      "Certificates": [
        {
          "IsCertificateAuthority": false,
          "SerialNumber": "330000002530b3d3726ee3f72f000100000025",
          "Signature": "6650dd7878bef0a62b1d76ba8fa57b6193d9938ddd1975f32a880d6e9363ba516b00907d455d1089cf79e3045a976a794db027534a761a840a29d09dccb3b5978fdb1d27d6be2831b0af31b64c25d3e195056b68a403e961d61c38339c4bfbb4c16102a4b417f52b75f4d6539626736df3e9e7d689e59333e7686df72c6ac70548eb3e6f0913de69895041529dba440132da3699ee3d3ccd6c0cb1ca11d206a157a9e3504c57aea164e700dec89ccb81194b012f697127dcd1cc7dc08ccf9f92014b2a0814fdc2a010b7a7243456e15af7e812bef07b28aebcb29f0f20f5c1900827f32aaf4fef92601853403e718db111c7c35da77eea96c4deb6f903e94543",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
          "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows UEFI Driver Publisher",
          "TBS": {
            "MD5": "a5052527524f4998a7bd87f396196fe8",
            "SHA1": "2374a3e4f0499d106f0e4d71a22f7b0e709847c0",
            "SHA256": "f5b4992e0bd1b102ae9d5aeec4bd213f5dd042bd27b9a345ad336d2dda10a138"
          },
          "ValidFrom": "2017-08-11 20:20:00",
          "ValidTo": "2018-08-11 20:20:00",
          "Version": 3
        },
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "6108d3c4000000000004",
          "Signature": "350842ff30cccef7760cad1068583529463276277cef124127421b4aaa6d813848591355f3e95834a6160b82aa5dad82da808341068fb41df203b9f31a5d1bf15090f9b3558442281c20bdb2ae5114c5c0ac9795211c90db0ffc779e95739188cabdbd52b905500ddf579ea061ed0de56d25d9400f1740c8cea34ac24daf9a121d08548fbdc7bcb92b3d492b1f32fc6a21694f9bc87e4234fc3606178b8f2040c0b39a257527cdc903a3f65dd1e736547ab950b5d312d107bfbb74dfdc1e8f80d5ed18f42f14166b2fde668cb023e5c784d8edeac13382ad564b182df1689507cdcff072f0aebbdd8685982c214c332bf00f4af06887b592553275a16a826a3ca32511a4edadd704aecbd84059a084d1954c6291221a741d8c3d470e44a6e4b09b3435b1fab653a82c81eca40571c89db8bae81b4466e447540e8e567fb39f1698b286d0683e9023b52f5e8f50858dc68d825f41a1f42e0de099d26c75e4b669b52186fa07d1f6e24dd1daad2c77531e253237c76c52729586b0f135616a19f5b23b815056a6322dfea289f94286271855a182ca5a9bf830985414a64796252fc826e441941a5c023fe596e3855b3c3e3fbb47167255e22522b1d97be703062aa3f71e9046c3000dd61989e30e352762037115a6efd027a0a0593760f83894b8e07870f8ba4c868794f6e0ae0245ee65c2b6a37e69167507929bf5a6bc598358",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
          "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011",
          "TBS": {
            "MD5": "1f23e75a000f0b6db92650dc26ac98e1",
            "SHA1": "bc477f73f16f0a5ae09e8ce4745c0a79c0e9a39d",
            "SHA256": "9589b8c95168f79243f61922faa5990de0a4866de928736fed658ea7bff1a5e2"
          },
          "ValidFrom": "2011-06-27 21:22:45",
          "ValidTo": "2026-06-27 21:32:45",
          "Version": 3
        }
      ],
      "CertificatesInfo": "",
      "Signer": [
        {
          "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011",
          "SerialNumber": "330000002530b3d3726ee3f72f000100000025",
          "Version": 1
        }
      ],
      "SignerInfo": ""
    }
    

    source

    last_updated: 2023-08-31