Analysis Report

MAR-10375867-1.v1 – HermeticWiper

Alert Code: AR22-115A

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Summary

Description

CISA received seven files for analysis. Five of these files were identified as HermeticWiper, all digitally signed by Hermetica Digital Ltd. The other two files are 32-bit and 64-bit copies of the EaseUS Partition Master NT Driver (EPMNTDrv), both digitally signed by Chengdu Yiwo Technology Development Co., Ltd with an expired certificate issued in 2012. The wiper contains four compressed copies of EPMNTDrv in its resource section, each targeting different versions and architectures of the Windows operating system (OS). Upon execution, the wiper extracts and expands the driver, registers it with a service key and starts the service immediately. Once the driver service has started and the driver is resident in memory, the service key and the associated driver files are deleted. The driver enables the wiper to read and write directly on the disk.

The wiper overwrites the Master Boot Record (MBR), the New Technology File System (NTFS) boot sector, and the data and attributes the system relies on for a system restoration. The wiper sets a sleep timer, whose duration can be supplied as its first numeric input. If the wiper runs with administrative privileges or if the wiper's name begins with the 'c' character, the expiration of the timer triggers a forced system shutdown followed by an immediate reboot, rendering the system useless at that point. Before the timer expires, the wiper continues the fragmentation process on the disk and overwrites with random bytes the File Allocation Table (FAT) file system boot sector or the NTFS Master File Table (MFT) and its backup in $MFTMirr, user files in user directories, and the attributes and data contents of the Windows Event Logs. The wiper then stops the fragmentation, locates the allocated clusters and overwrites them with random bytes. Finally, the wiper overwrites itself with random bytes and the wiping process terminates.

Two of the 'newer' HermeticWiper samples, compiled in 2022, detect the role of the infected system. If the system is a Domain Controller, the wiper waits three minutes for the overwriting of the MBR, boot sector and system restore directory attributes and data with random bytes to complete before it exits. The domain controller continues to function until the next reboot.

For a downloadable copy of IOCs, see: MAR-10375867-1.v1.stix

Submitted Files (7)


Additional Files (6)


Findings

1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591

Tags

dropper, trojan, virus, wiper

Details
Name 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
Size 117000 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 3f4a16b29f2f0532b7ce3e7656799125
SHA1 61b25d11392172e587d8da3045812a66c3385451
SHA256 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
SHA512 32acaceda42128ef9e0a9f36ee2678d2fc296fda2df38629eb223939c8a9352b3bb2b7021bb84e9f223a4a26df57b528a711447b1451213a013fe00f9b971d80
ssdeep 1536:sBOoa7Nn52wurilmw9BgjKu1sPPxaSLyqC:sBOoa7P2wxlPwV1qPkSuqC
Entropy 6.385391
Antivirus
AhnLab Trojan/Win.FoxBlade
Antiy Trojan/Win32.HermeticWiper.a
Avira TR/HermeticWiper.T
Bitdefender Trojan.GenericKD.48632599
ClamAV Win.Malware.HermeticWiper-9940039-0
Comodo Malware
Cyren W32/Agent.OSPU-6752
ESET a variant of Win32/KillDisk.NCV trojan
Emsisoft MalCert-S.OE (A)
IKARUS Trojan.Win32.KillDisk
K7 Trojan ( 0058ecab1 )
Lavasoft Trojan.GenericKD.48632599
McAfee Generic trojan.jt
NANOAV Trojan.Win32.HermeticWiper.jmyeyd
NETGATE Trojan.Win32.Malware
Sophos Mal/KillDisk-A
Symantec Trojan.KillDisk
TACHYON Trojan/W32.HermeticWiper.117000
Trend Micro Trojan.407C6538
Trend Micro HouseCall Trojan.407C6538
Vir.IT eXplorer Trojan.Win32.HermeticWiper.A
VirusBlokAda Trojan.Agent
Zillya! Dropper.HermeticWiper.Win32.2
YARA Rules
    rule CISA_10375867_01 : wiper HERMETICWIPER
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10375867"
           Date = "2022-04-05"
           Last_Modified = "20220406_1500"
           Actor = "n/a"
           Category = "Wiper"
           Family = "n/a"
           Description = "Detects Hermetic Wiper samples"
           MD5_1 = "382fc1a3c5225fceb672eea13f572a38"
           SHA256_1 = "2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf"
           MD5_2 = "decc2726599edcae8d1d1d0ca99d83a6"
           SHA256_2 = "3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767"
           MD5_3 = "84ba0197920fd3e2b7dfa719fee09d2f"
           SHA256_3 = "0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da"
           MD5_4 = "3f4a16b29f2f0532b7ce3e7656799125"
           SHA256_4 = "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591"
           MD5_5 = "f1a33b2be4c6215a1c39b45e391a3e85"
           SHA256_5 = "06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397"
       strings:
           // $rsrc*: SZDD magic plus the resource type and resource names (UTF-16LE)
           $rsrc1 = { 53 5A 44 44 } // "SZDD"
           $rsrc2 = { 52 00 43 00 44 00 41 00 54 00 41 00 } // "RCDATA"
           $rsrc3 = { 44 00 52 00 56 00 5F 00 58 00 36 00 34 } // "DRV_X64"
           $rsrc4 = { 44 00 52 00 56 00 5F 00 58 00 38 00 36 } // "DRV_X86"
           $rsrc5 = { 44 00 52 00 56 00 5F 00 58 00 50 00 5F 00 58 00 36 00 34 } // "DRV_XP_X64"
           $rsrc6 = { 44 00 52 00 56 00 5F 00 58 00 50 00 5F 00 58 00 38 00 36 00 } // "DRV_XP_X86"
           // $s*: UTF-16LE strings used by the wiper logic
           $s1 = { 45 00 50 00 4D 00 4E 00 54 00 44 00 52 00 56 00 5C 00 25 00 75 } // "EPMNTDRV\%u"
           $s2 = { 50 00 68 00 79 00 73 00 69 00 63 00 61 00 6C 00 44 00 72 00 69 00 76 00 65 00 25 00 75 } // "PhysicalDrive%u"
           $s3 = { 53 00 59 00 53 00 54 00 45 00 4D 00 5C 00 43 00 75 00 72 00 72 00 65 00 6E 00 74 00 43 00 6F 00 6E 00 74 00 72 00 6F 00 6C 00 53 00 65 00 74 00 5C 00 43 00 6F 00 6E 00 74 00 72 00 6F 00 6C 00 5C 00 43 00 72 00 61 00 73 00 68 00 43 00 6F 00 6E 00 74 00 72 00 6F 00 6C } // "SYSTEM\CurrentControlSet\Control\CrashControl"
           $s4 = { 43 00 72 00 61 00 73 00 68 00 44 00 75 00 6D 00 70 00 45 00 6E 00 61 00 62 00 6C 00 65 00 64 } // "CrashDumpEnabled"
           $s5 = { 24 00 49 00 4E 00 44 00 45 00 58 00 5F 00 41 00 4C 00 4C 00 4F 00 43 00 41 00 54 00 49 00 4F 00 4E } // "$INDEX_ALLOCATION"
           $s6 = { 53 00 65 00 4C 00 6F 00 61 00 64 00 44 00 72 00 69 00 76 00 65 00 72 00 50 00 72 00 69 00 76 00 69 00 6C 00 65 00 67 00 65 } // "SeLoadDriverPrivilege"
           $s7 = { 53 00 65 00 42 00 61 00 63 00 6B 00 75 00 70 00 50 00 72 00 69 00 76 00 69 00 6C 00 65 00 67 00 65 } // "SeBackupPrivilege"
           $s8 = { 43 00 3A 00 5C 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 5C 00 53 00 59 00 53 00 56 00 4F 00 4C } // "C:\Windows\SYSVOL"
       condition:
           // PE file (MZ header) with at least 3 of the resource markers and 7 of the 8 strings
           uint16(0) == 0x5A4D and ((3 of ($rsrc*)) and (7 of ($s*)))
    }
ssdeep Matches
99 06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397
PE Metadata
Compile Date 2022-02-23 04:48:53-05:00
Import Hash fe4a2284122da348258c83ef437fbd7b
PE Sections
MD5 Name Raw Size Entropy
0d370bcce45eae7f5d16bb308b5ca811 header 1024 2.519045
ba89a1d62ff34e1b9c45da08bda91c3c .text 16384 6.388564
a32e2e98f61c52c443c6d653d682991a .rdata 5120 4.441415
ca2eecf5edbfc7c94c96a4696789c07d .data 512 0.762127
e77f09dc0f10e6627c83ae611fec363c .rsrc 89088 6.203475
e5535abe90a2baf02252af4fb155a053 .reloc 1024 6.211847
Packers/Compilers/Cryptors
Borland Delphi 3.0 (???)
Relationships
1bc44eef75... Contains e5f3ef69a534260e899a36cec459440dc572388defd8f1d98760d31c700f42d5
1bc44eef75... Contains b6f2e008967c5527337448d768f2332d14b92de22a1279fd4d91000bb3d4a0fd
1bc44eef75... Contains b01e0c6ac0b8bcde145ab7b68cf246deea9402fa7ea3aede7105f7051fe240c1
1bc44eef75... Contains fd7eacc2f87aceac865b0aa97a50503d44b799f27737e009f91f3c281233c17d
Description

This file is identified as a 32-bit HermeticWiper. The resource section of the HermeticWiper embeds four SZDD compressed driver files, as displayed in Figure 1. Depending on the OS major version and system architecture type (32-bit/64-bit), the corresponding SZDD compressed file is extracted into the System32 directory and expanded to a driver file <random-2-characters>dr.sys (Figures 2-4). The expanded file is a copy of the EaseUS Partition Manager (epmntdrv.sys). The wiper enables SeLoadDriverPrivilege and registers the driver as a system service. The new system service starts immediately and the driver runs in memory. The wiper then immediately removes the following registry key and deletes the SZDD file and the expanded driver file from System32 to remove its tracks on the victim's system.

--Begin sample device service installed--
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\lxdr, Data: "C:\Windows\system32\Drivers\lxdr.sys"
--End sample device service installed--

In preparation, the wiper disables the crash dump service by disabling the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled key. In addition, the wiper disables the Volume Snapshot Service (VSS).
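
An added detection example (not part of the CISA report): Python logic that correlates the two behaviors described above, a kernel driver service named <two-characters>dr whose service key is deleted shortly after installation, and CrashDumpEnabled being turned off. The event schema, the 60-second window, the assumption that the two random characters are letters, and the assumption that "disabled" means the value 0 are all hypothetical; the events are constructed sample data.

```python
import re
from datetime import datetime, timedelta

# Assumption: the two random characters are letters (the report's sample is "lxdr").
SERVICE_NAME = re.compile(r"^[a-z]{2}dr$", re.IGNORECASE)
DRIVER_PATH = re.compile(r"\\system32\\drivers\\([^\\]+)\.sys$", re.IGNORECASE)
SERVICES_KEY = "hkey_local_machine\\system\\currentcontrolset\\services\\"
CRASH_VALUE = ("hkey_local_machine\\system\\currentcontrolset\\control"
               "\\crashcontrol\\crashdumpenabled")
SVC = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services"
CRASH = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled"

# Constructed events in a hypothetical normalized schema (not real telemetry).
EVENTS = [
    {"ts": "2022-02-23T10:00:01", "host": "ws01", "type": "service_install",
     "name": "lxdr", "kind": "kernel", "path": r"C:\Windows\system32\Drivers\lxdr.sys"},
    {"ts": "2022-02-23T10:00:02", "host": "ws01", "type": "reg_set",
     "key": CRASH, "value": 0},
    {"ts": "2022-02-23T10:00:03", "host": "ws01", "type": "reg_delete",
     "key": SVC + r"\lxdr"},
    # ws02: matching name but the key is never deleted; crash dumps left enabled.
    {"ts": "2022-02-23T10:00:00", "host": "ws02", "type": "service_install",
     "name": "abdr", "kind": "kernel", "path": r"C:\Windows\system32\Drivers\abdr.sys"},
    {"ts": "2022-02-23T10:05:00", "host": "ws02", "type": "reg_set",
     "key": CRASH, "value": 7},
    # ws03: matching name, but the service key is removed two hours later.
    {"ts": "2022-02-23T10:00:00", "host": "ws03", "type": "service_install",
     "name": "cddr", "kind": "kernel", "path": r"C:\Windows\system32\Drivers\cddr.sys"},
    {"ts": "2022-02-23T12:00:00", "host": "ws03", "type": "reg_delete",
     "key": SVC + r"\cddr"},
]


def triage(events, window=timedelta(seconds=60)):
    """Return {host: sorted findings} for the behaviors described in the report."""
    findings = {}
    pending = {}  # (host, service name) -> time the driver service was installed
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        host = ev["host"]
        if ev["type"] == "service_install":
            name = ev["name"].lower()
            path = DRIVER_PATH.search(ev["path"])
            # Kernel driver, <2 chars>dr name, and a .sys file named after the service.
            if (ev["kind"] == "kernel" and SERVICE_NAME.match(name)
                    and path and path.group(1).lower() == name):
                pending[(host, name)] = ts
        elif ev["type"] == "reg_delete":
            key = ev["key"].lower()
            if key.startswith(SERVICES_KEY):
                name = key[len(SERVICES_KEY):].split("\\")[0]
                installed = pending.pop((host, name), None)
                # The service key disappears right after the driver was started.
                if installed is not None and ts - installed <= window:
                    findings.setdefault(host, set()).add(
                        "short_lived_driver_service:" + name)
        elif ev["type"] == "reg_set":
            if ev["key"].lower() == CRASH_VALUE and ev["value"] == 0:
                findings.setdefault(host, set()).add("crash_dump_disabled")
    return {host: sorted(items) for host, items in findings.items()}


if __name__ == "__main__":
    for host, items in triage(EVENTS).items():
        print(host, items)
```
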

To run in user mode, the wiper enables SeBackupPrivilege. If the wiper's name begins with a 'c', it reconstructs the "SeShutDownPrivilege" string and enables that privilege (Figure 5). When the wiper runs in user mode, SeShutDownPrivilege is required to execute InitiateSystemShutdownExW, which is configured to force applications to close, shut down the system without warning and immediately force a reboot (Figure 13, line 199). SeShutDownPrivilege is not needed if the wiper runs with administrative privileges; the system will shut down and reboot regardless of the wiper's name.

The wiper uses the same method to locate and wipe each group of files. First, it locates the target files and stores their disk locations in a customized structure type. Meanwhile, a random buffer is generated using CryptGenRandom (Figure 7) for each group of targeted files and stored in the same structure. The populated structure is passed to a wipe function, which runs later in the program as a separate thread (Figure 6).

The wiper organizes the destruction process into groups, each handled by its own thread. First, the wiper creates a thread to overwrite itself (Figure 13, lines 173, 209). This thread is passed to WaitForMultipleObjects, which waits until the very end, when the overwrite occurs.

Next, the wiper makes the system unusable and unrecoverable. First, the wiper locates the MBR and the boot sector of all available physical drives from 0 to 100 (Figure 13, lines 178-179). Then it generates a 4096-byte buffer filled with random bytes; 4096 is the Windows default allocation size (Figure 8). The destruction of the MBR and boot sector renders the OS unable to reboot (Figure 13, line 213).

Then, the wiper makes it impossible to restore the system by overwriting the $I30 and the $DATA attributes of the C:\System Volume Information directory (Figure 13, lines 183 and 213). The C:\System Volume Information directory contains system restore points and information used by VSS.

--Begin target attributes--
The $I30 attribute covers both of the following attributes:
    1. $INDEX_ROOT - contains information about the files and sub-directories.
    2. $INDEX_ALLOCATION - contains spilled over information from $INDEX_ROOT.
The $DATA attribute contains user or system stored content.
--End target attributes--

Then the wiper starts a low priority process thread for fragmentation, skipping the following Windows system directories when enumerating files (Figure 13, line 203 and Figure 9). User files that are not in the following directories will be fragmented using FSCTL_GET_RETRIEVAL_POINTERS to obtain the file's allocation and location on disk. The output is randomized and passed to FSCTL_MOVE_FILE to relocate the file's virtual clusters (Figure 10).

--Begin skipped directories--
Windows
Program Files
Program Files(x86)
PerfLogs
Boot
System Volume Information
AppData
--End skipped directories--

This newer version of HermeticWiper, compiled in 2022, ensures the wiper will bring down a Domain Controller in the shortest possible time. First, the wiper checks for the presence of C:\Windows\SYSVOL using GetFileAttributesW (Figure 13, line 220). The SYSVOL directory indicates the victim's system is a Domain Controller server, which is responsible for security authentication requests within a domain. In this case, the wiper waits for three minutes to ensure the destruction of the MBR, boot sector and data required for a system restore (which already happened in the thread created in Figure 13, line 211). The wiper process and all its threads then exit (Figure 13, lines 220-224). The domain controller continues to function until the next reboot.

The second stage of data wipe continues on systems that are not identified as a Domain Controller server (Figure 14).

The wiper will locate the MFT and its backup in the $MFTMirr file in NTFS, or the Boot Sector in a FAT file system (Figure 11) of all available physical drives from 0 to 100 and store them in a customized structure to be wiped later (Figure 14, lines 228-229, 266). A buffer with random bytes is also generated and passed to the structure.

Then it locates $Bitmap (contains clusters allocation statuses) and $LogFile (contains journals of metadata transactions) from all available logical drives, such as "C:\" and "D:\" (Figure 14, line 232) and stores them in the same customized structure for these data to be wiped later (Figure 14, line 266).

Next, it recursively locates user files in the user's directory, avoiding the AppData directory and any filename that contains the "ntuser" string. It also recursively locates files under the user's Desktop and My Documents directories (Figure 14, lines 236, 239). These locations are also stored in the same customized structure to be wiped later (Figure 14, line 266).

The C:\Windows\System32\winevt\Logs directory contains all Windows event logs. The locations of its $I30 (includes $INDEX_ROOT and $INDEX_ALLOCATION) and $DATA attributes are collected into the same customized structure to be wiped later (Figure 14, lines 242, 266).

The wiper terminates the data fragmentation in 30 seconds, then calls the same function utilizing FSCTL_GET_VOLUME_BITMAP to obtain the occupied clusters in a volume. This information is passed to a separate write structure to be wiped with a random buffer later (Figure 14, line 267).

The HermeticWiper accepts up to two optional numeric inputs (Figure 15). The first numeric input sets the first sleep timer, which triggers InitiateSystemShutdownExW in a thread (Figure 13, line 197). If no input is provided, 34 minutes is used and the least significant four digits in milliseconds are randomized (Figure 13, lines 187-192) before the value is passed to the sleep timer. That randomization in sleep time is negligible when measured in minutes. The second numeric input, if provided, is compared with the first input and the smaller value is used. If no input is provided, 19 minutes is used and the least significant four digits in milliseconds are randomized (Figure 14, lines 244-253). This second sleep time keeps the main wiper thread alive.

This HermeticWiper variant is signed with the following digital certificate issued by Hermetica Digital Ltd as displayed below:

--Begin Digital Certificate--
Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number:
           0c:48:73:28:73:ac:8c:ce:ba:f8:f0:e1:e8:32:9c:ec
   Signature Algorithm: sha256WithRSAEncryption
       Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)
       Validity
           Not Before: Apr 13 00:00:00 2021 GMT
           Not After : Apr 14 23:59:59 2022 GMT
       Subject: businessCategory=Private Organization/jurisdictionCountryName=CY/serialNumber=HE 419469, C=CY, L=Nicosia, O=Hermetica Digital Ltd, CN=Hermetica Digital Ltd
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
               Public-Key: (2048 bit)
               Exponent: 65537 (0x10001)
       X509v3 extensions:
           X509v3 Authority Key Identifier:
               keyid:8F:E8:7E:F0:6D:32:6A:00:05:23:C7:70:97:6A:3A:90:FF:6B:EA:D4

           X509v3 Subject Key Identifier:
               C4:9F:18:1C:59:D2:5B:25:71:9E:F1:37:B7:60:59:D6:2A:07:99:E1
           X509v3 Subject Alternative Name:
               othername:<unsupported>
           X509v3 Key Usage: critical
               Digital Signature
           X509v3 Extended Key Usage:
               Code Signing
           X509v3 CRL Distribution Points:

               Full Name:
                URI:http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl

               Full Name:
                URI:http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl

           X509v3 Certificate Policies:
               Policy: 2.16.840.1.114412.3.2
                CPS: http://www.digicert.com/CPS
               Policy: 2.23.140.1.3

           Authority Information Access:
               OCSP - URI:http://ocsp.digicert.com
               CA Issuers - URI:http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt

           X509v3 Basic Constraints: critical
               CA:FALSE
   Signature Algorithm: sha256WithRSAEncryption
--End Digital Certificate--

Screenshots

Figure 1 - The resource section contains four versions of compressed epmntdrv.sys, targeting 32-bit and 64-bit Windows OS.


Figure 2 - One of the four compressed driver files is extracted from the resource section based on the OS major version and system architecture (x86/x64).


Figure 3 - The SZDD is extracted and decompressed by LZOpenFileW followed by LZCopy. The decompressed file is given a .sys extension, registered as a driver service which is started immediately. The installed service key, the SZDD compressed resource and the .sys files are deleted afterwards.
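
An added triage example (not code from the report or from CISA): a Python carver that locates SZDD members inside a file such as the wiper's resource section, expands them with the LZSS scheme that LZCopy decodes, and hashes both forms for comparison with known indicators. The format details (8-byte signature, mode 'A', 4096-byte space-filled window with the write position starting at 4080) are taken from public descriptions of SZDD, and SAMPLE is constructed test data, not malware.

```python
import hashlib
import struct

SZDD_SIG = b"SZDD\x88\xf0\x27\x33"        # full 8-byte SZDD signature
WINDOW = 4096                              # LZSS ring buffer size


def szdd_expand(blob, off=0):
    """Expand one SZDD member at blob[off:]; return (data, end_offset)."""
    if blob[off:off + 8] != SZDD_SIG or len(blob) < off + 14:
        raise ValueError("missing or truncated SZDD header")
    mode, _missing_char, size = struct.unpack_from("<BBI", blob, off + 8)
    if mode != 0x41:                       # 'A' is the only defined mode
        raise ValueError("unknown compression mode")
    window = bytearray(b" " * WINDOW)      # ring buffer starts as spaces
    wpos, i, out = WINDOW - 16, off + 14, bytearray()

    def emit(byte):
        nonlocal wpos
        out.append(byte)
        window[wpos] = byte
        wpos = (wpos + 1) % WINDOW

    while len(out) < size:
        if i >= len(blob):
            raise ValueError("truncated stream")
        control = blob[i]
        i += 1
        for bit in range(8):               # flag bits, least significant first
            if len(out) >= size:
                break
            if (control >> bit) & 1:       # 1 = literal byte
                if i >= len(blob):
                    raise ValueError("truncated stream")
                emit(blob[i])
                i += 1
            else:                          # 0 = back-reference into the window
                if i + 1 >= len(blob):
                    raise ValueError("truncated stream")
                lo, hi = blob[i], blob[i + 1]
                i += 2
                mpos = lo | ((hi & 0xF0) << 4)
                for _ in range((hi & 0x0F) + 3):
                    if len(out) < size:
                        emit(window[mpos])
                        mpos = (mpos + 1) % WINDOW
    return bytes(out), i


def carve_szdd(blob):
    """Find every decodable SZDD member in blob and hash it both ways."""
    found, pos = [], blob.find(SZDD_SIG)
    while pos != -1:
        try:
            data, end = szdd_expand(blob, pos)
            found.append({
                "offset": pos,
                "expanded_size": len(data),
                "is_pe": data[:2] == b"MZ",
                "sha256_compressed": hashlib.sha256(blob[pos:end]).hexdigest(),
                "sha256_expanded": hashlib.sha256(data).hexdigest(),
            })
        except ValueError:
            pass                           # signature bytes without a valid stream
        pos = blob.find(SZDD_SIG, pos + 1)
    return found


def build_member(stream, size):
    """Helper for the constructed sample: SZDD header followed by a raw stream."""
    return SZDD_SIG + b"A\x00" + struct.pack("<I", size) + stream


# Constructed sample: two small members and one truncated header inside padding.
SAMPLE = (b"MZ" + b"\x00" * 30
          + build_member(b"\x0fMZ\x90\x00", 4)       # four literal bytes
          + b"\x00" * 5
          + build_member(b"\x07ABC\xf0\xf0", 6)      # three literals + one match
          + SZDD_SIG + b"A\x00")                     # truncated header, skipped
```
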


Figure 4 - This algorithm generates a four-character string as the name of the driver and its associated service key. The name contains two random characters and ends with a static string "dr". The indexes to select the first and second character are computed differently, with the variable v12 in the screenshot corresponding to the first character and v12[1] corresponding to the second character.


Figure 5 - The string "SeShutDownPrivilege" that is passed to LookupPrivilegeValueW is deobfuscated if the wiper's name begins with the 'c' character. Enabling SeShutDownPrivilege allows the wiper with only user privilege to shut down the system using InitiateSystemShutdownExW. The SeBackupPrivilege allows the retrieval of file content, skipping the Access Control List (ACL) security check. This privilege is enabled by default to permit the wiper that runs with only user privilege to read and write any files.


Figure 6 - Snippet of the function that overwrites saved locations on disk using the 4096-byte buffer filled with random data generated by CryptGenRandom. This function is used to wipe different groups of data as follows: Figure 13, line 207 (to erase the malware file), Figure 13, line 211 (to erase MBR, MBS and C:\System Volume Information), Figure 14, line 266 (to erase MFT, $Bitmap, $Logfile, user files and Windows Event Logs) and Figure 14, line 267 (to erase allocated clusters).
