Analysis Report

MAR-10375867-1.v1 – HermeticWiper

Alert Code: AR22-115A

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Summary

Description

CISA received seven files for analysis. Five of these files were identified as HermeticWiper, all digitally signed by Hermetica Digital Ltd. The other two files are 32-bit and 64-bit copies of the EaseUS Partition Master NT Driver (EPMNTDrv), both digitally signed by Chengdu Yiwo Technology Development Co., Ltd with an expired certificate issued in 2012. The wiper contains four compressed copies of EPMNTDrv in its resource section, each targeting a different version and architecture of the Windows operating system (OS). Upon execution, the wiper extracts and expands the appropriate copy, registers the driver with a service key and starts the service immediately. Once the driver service is running and the driver is resident in memory, the service key and associated driver files are deleted. The driver enables the wiper to read from and write to the disk directly.



The wiper overwrites the Master Boot Record (MBR), the New Technology File System (NTFS) boot sector, and the data and attributes the system relies on for a system restore. The wiper sets a sleep timer, whose duration can be given as its first numeric input. If the wiper runs with administrative privilege, or if the wiper's file name begins with the character 'c', the expiration of the timer triggers a forced system shutdown followed by an immediate reboot, rendering the system useless at that point. Before the timer expires, the wiper continues fragmenting files on disk and overwrites, with random bytes, the File Allocation Table (FAT) file system boot sector or the NTFS Master File Table (MFT) and its backup in $MFTMirr, the user's files from the user's directories, and the attributes and data contents of the Windows Event Logs. The wiper then stops the fragmentation, locates the allocated clusters and overwrites them with random bytes. Finally, the wiper overwrites itself with random bytes and the wiping process terminates.



Two of the newer HermeticWiper samples, compiled in 2022, detect the role of the infected system. If the system is a Domain Controller, the wiper waits three minutes to complete overwriting the MBR, boot sector and system restore directory attributes and data with random bytes, then exits. The domain controller continues to function until the next reboot.

For a downloadable copy of IOCs, see: MAR-10375867-1.v1.stix

Submitted Files (7)

0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da (0385eeab00e946a302b24a91dea418...)

06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397 (06086c1da4590dcc7f1e10a6be3431...)

1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591 (1bc44eef75779e3ca1eefb8ff5a648...)

2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf (2c10b2ec0b995b88c27d141d6f7b14...)

3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767 (3c557727953a8f6b4788984464fb77...)

8c614cf476f871274aa06153224e8f7354bf5e23e6853358591bf35a381fb75b (<two-random-characters>dr.sys)

96b77284744f8761c4f2558388e0aee2140618b484ff53fa8b222b340d2a9c84 (epmntdrv.sys)

Additional Files (6)

23ef301ddba39bb00f0819d2061c9c14d17dc30f780a945920a51bc3ba0198a4 (<two-random-characters>dr.sys)

2c7732da3dcfc82f60f063f2ec9fa09f9d38d5cfbe80c850ded44de43bdb666d (<two-random-characters>dr.sys)

b01e0c6ac0b8bcde145ab7b68cf246deea9402fa7ea3aede7105f7051fe240c1 (drv_x86)

b6f2e008967c5527337448d768f2332d14b92de22a1279fd4d91000bb3d4a0fd (drv_xp_x64)

e5f3ef69a534260e899a36cec459440dc572388defd8f1d98760d31c700f42d5 (drv_x64)

fd7eacc2f87aceac865b0aa97a50503d44b799f27737e009f91f3c281233c17d (drv_xp_x86)

Findings

1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591

Tags

dropper, trojan, virus, wiper

Details
Name 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
Size 117000 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 3f4a16b29f2f0532b7ce3e7656799125
SHA1 61b25d11392172e587d8da3045812a66c3385451
SHA256 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
SHA512 32acaceda42128ef9e0a9f36ee2678d2fc296fda2df38629eb223939c8a9352b3bb2b7021bb84e9f223a4a26df57b528a711447b1451213a013fe00f9b971d80
ssdeep 1536:sBOoa7Nn52wurilmw9BgjKu1sPPxaSLyqC:sBOoa7P2wxlPwV1qPkSuqC
Entropy 6.385391
Antivirus
AhnLab Trojan/Win.FoxBlade
Antiy Trojan/Win32.HermeticWiper.a
Avira TR/HermeticWiper.T
Bitdefender Trojan.GenericKD.48632599
ClamAV Win.Malware.HermeticWiper-9940039-0
Comodo Malware
Cyren W32/Agent.OSPU-6752
ESET a variant of Win32/KillDisk.NCV trojan
Emsisoft MalCert-S.OE (A)
IKARUS Trojan.Win32.KillDisk
K7 Trojan ( 0058ecab1 )
Lavasoft Trojan.GenericKD.48632599
McAfee Generic trojan.jt
NANOAV Trojan.Win32.HermeticWiper.jmyeyd
NETGATE Trojan.Win32.Malware
Sophos Mal/KillDisk-A
Symantec Trojan.KillDisk
TACHYON Trojan/W32.HermeticWiper.117000
Trend Micro Trojan.407C6538
Trend Micro HouseCall Trojan.407C6538
Vir.IT eXplorer Trojan.Win32.HermeticWiper.A
VirusBlokAda Trojan.Agent
Zillya! Dropper.HermeticWiper.Win32.2
YARA Rules
rule CISA_10375867_01 : wiper HERMETICWIPER
{
    meta:
        Author = "CISA Code & Media Analysis"
        Incident = "10375867"
        Date = "2022-04-05"
        Last_Modified = "20220406_1500"
        Actor = "n/a"
        Category = "Wiper"
        Family = "n/a"
        Description = "Detects Hermetic Wiper samples"
        MD5_1 = "382fc1a3c5225fceb672eea13f572a38"
        SHA256_1 = "2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf"
        MD5_2 = "decc2726599edcae8d1d1d0ca99d83a6"
        SHA256_2 = "3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767"
        MD5_3 = "84ba0197920fd3e2b7dfa719fee09d2f"
        SHA256_3 = "0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da"
        MD5_4 = "3f4a16b29f2f0532b7ce3e7656799125"
        SHA256_4 = "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591"
        MD5_5 = "f1a33b2be4c6215a1c39b45e391a3e85"
        SHA256_5 = "06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397"
    strings:
        $rsrc1 = { 53 5A 44 44 }
        $rsrc2 = { 52 00 43 00 44 00 41 00 54 00 41 00 }
        $rsrc3 = { 44 00 52 00 56 00 5F 00 58 00 36 00 34 }
        $rsrc4 = { 44 00 52 00 56 00 5F 00 58 00 38 00 36 }
        $rsrc5 = { 44 00 52 00 56 00 5F 00 58 00 50 00 5F 00 58 00 36 00 34 }
        $rsrc6 = { 44 00 52 00 56 00 5F 00 58 00 50 00 5F 00 58 00 38 00 36 00 }
        $s1 = { 45 00 50 00 4D 00 4E 00 54 00 44 00 52 00 56 00 5C 00 25 00 75 }
        $s2 = { 50 00 68 00 79 00 73 00 69 00 63 00 61 00 6C 00 44 00 72 00 69 00 76 00 65 00 25 00 75 }
        $s3 = { 53 00 59 00 53 00 54 00 45 00 4D 00 5C 00 43 00 75 00 72 00 72 00 65 00 6E 00 74 00 43 00 6F 00 6E 00 74 00 72 00 6F 00 6C 00 53 00 65 00 74 00 5C 00 43 00 6F 00 6E 00 74 00 72 00 6F 00 6C 00 5C 00 43 00 72 00 61 00 73 00 68 00 43 00 6F 00 6E 00 74 00 72 00 6F 00 6C }
        $s4 = { 43 00 72 00 61 00 73 00 68 00 44 00 75 00 6D 00 70 00 45 00 6E 00 61 00 62 00 6C 00 65 00 64 }
        $s5 = { 24 00 49 00 4E 00 44 00 45 00 58 00 5F 00 41 00 4C 00 4C 00 4F 00 43 00 41 00 54 00 49 00 4F 00 4E }
        $s6 = { 53 00 65 00 4C 00 6F 00 61 00 64 00 44 00 72 00 69 00 76 00 65 00 72 00 50 00 72 00 69 00 76 00 69 00 6C 00 65 00 67 00 65 }
        $s7 = { 53 00 65 00 42 00 61 00 63 00 6B 00 75 00 70 00 50 00 72 00 69 00 76 00 69 00 6C 00 65 00 67 00 65 }
        $s8 = { 43 00 3A 00 5C 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 5C 00 53 00 59 00 53 00 56 00 4F 00 4C }
    condition:
        uint16(0) == 0x5A4D and ((3 of ($rsrc*)) and (7 of ($s*)))
}
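To make the hex patterns of rule CISA_10375867_01 readable, the following Python is an added example (not part of the CISA report) that decodes each $rsrc*/$s* pattern from the strings section above (copied verbatim into the script) as ASCII or UTF-16LE, and re-implements the rule's condition in plain Python so it can be exercised against a constructed byte blob rather than a real sample.

```python
import re

# The strings section of rule CISA_10375867_01, copied verbatim from the report.
YARA_STRINGS = """
$rsrc1 = { 53 5A 44 44 }
$rsrc2 = { 52 00 43 00 44 00 41 00 54 00 41 00 }
$rsrc3 = { 44 00 52 00 56 00 5F 00 58 00 36 00 34 }
$rsrc4 = { 44 00 52 00 56 00 5F 00 58 00 38 00 36 }
$rsrc5 = { 44 00 52 00 56 00 5F 00 58 00 50 00 5F 00 58 00 36 00 34 }
$rsrc6 = { 44 00 52 00 56 00 5F 00 58 00 50 00 5F 00 58 00 38 00 36 00 }
$s1 = { 45 00 50 00 4D 00 4E 00 54 00 44 00 52 00 56 00 5C 00 25 00 75 }
$s2 = { 50 00 68 00 79 00 73 00 69 00 63 00 61 00 6C 00 44 00 72 00 69 00 76 00 65 00 25 00 75 }
$s3 = { 53 00 59 00 53 00 54 00 45 00 4D 00 5C 00 43 00 75 00 72 00 72 00 65 00 6E 00 74 00 43 00 6F 00 6E 00 74 00 72 00 6F 00 6C 00 53 00 65 00 74 00 5C 00 43 00 6F 00 6E 00 74 00 72 00 6F 00 6C 00 5C 00 43 00 72 00 61 00 73 00 68 00 43 00 6F 00 6E 00 74 00 72 00 6F 00 6C }
$s4 = { 43 00 72 00 61 00 73 00 68 00 44 00 75 00 6D 00 70 00 45 00 6E 00 61 00 62 00 6C 00 65 00 64 }
$s5 = { 24 00 49 00 4E 00 44 00 45 00 58 00 5F 00 41 00 4C 00 4C 00 4F 00 43 00 41 00 54 00 49 00 4F 00 4E }
$s6 = { 53 00 65 00 4C 00 6F 00 61 00 64 00 44 00 72 00 69 00 76 00 65 00 72 00 50 00 72 00 69 00 76 00 69 00 6C 00 65 00 67 00 65 }
$s7 = { 53 00 65 00 42 00 61 00 63 00 6B 00 75 00 70 00 50 00 72 00 69 00 76 00 69 00 6C 00 65 00 67 00 65 }
$s8 = { 43 00 3A 00 5C 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 5C 00 53 00 59 00 53 00 56 00 4F 00 4C }
"""

STRING_RE = re.compile(r"^\s*(\$\w+)\s*=\s*\{([0-9A-Fa-f\s]+)\}", re.MULTILINE)


def parse_hex_strings(rule_text):
    """Map each $name in a YARA strings section to the raw bytes its hex pattern matches."""
    return {name: bytes.fromhex(body) for name, body in STRING_RE.findall(rule_text)}


def decode_pattern(raw):
    """Render a byte pattern as text. Windows binaries store most strings as UTF-16LE,
    which shows up as ASCII bytes interleaved with 0x00. Several patterns in the rule
    stop right after the last character (odd length), so only the odd offsets that
    actually exist are checked for the 0x00 filler."""
    if len(raw) >= 2 and all(raw[i] == 0 for i in range(1, len(raw), 2)):
        return "utf-16le", "".join(chr(b) for b in raw[0::2])
    return "ascii", raw.decode("ascii")


def decode_rule_strings(rule_text):
    """Return {name: (encoding, text)} for every pattern in the strings section."""
    return {name: decode_pattern(raw) for name, raw in parse_hex_strings(rule_text).items()}


MZ_MAGIC = 0x5A4D  # 'MZ', the DOS header signature that uint16(0) is compared against


def rule_matches(blob, patterns):
    """Plain-Python rendering of the rule's condition:
    uint16(0) == 0x5A4D and (3 of ($rsrc*)) and (7 of ($s*))."""
    if len(blob) < 2 or int.from_bytes(blob[:2], "little") != MZ_MAGIC:
        return False
    rsrc_hits = sum(1 for n, p in patterns.items() if n.startswith("$rsrc") and p in blob)
    s_hits = sum(1 for n, p in patterns.items() if n.startswith("$s") and p in blob)
    return rsrc_hits >= 3 and s_hits >= 7


def constructed_blob(patterns, names=None):
    """A fake, constructed byte blob (not a real sample) carrying an 'MZ' header and the
    chosen patterns separated by filler bytes, used only to exercise rule_matches()."""
    names = list(patterns) if names is None else names
    return b"MZ" + b"\x00" * 62 + b"\xff".join(patterns[n] for n in names)


if __name__ == "__main__":
    for name, (enc, text) in decode_rule_strings(YARA_STRINGS).items():
        print(f"{name:7} {enc:8} {text}")
    pats = parse_hex_strings(YARA_STRINGS)
    print("condition on constructed blob:", rule_matches(constructed_blob(pats), pats))
```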
ssdeep Matches
99 06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397
PE Metadata
Compile Date 2022-02-23 04:48:53-05:00
Import Hash fe4a2284122da348258c83ef437fbd7b
PE Sections
MD5 Name Raw Size Entropy
0d370bcce45eae7f5d16bb308b5ca811 header 1024 2.519045
ba89a1d62ff34e1b9c45da08bda91c3c .text 16384 6.388564
a32e2e98f61c52c443c6d653d682991a .rdata 5120 4.441415
ca2eecf5edbfc7c94c96a4696789c07d .data 512 0.762127
e77f09dc0f10e6627c83ae611fec363c .rsrc 89088 6.203475
e5535abe90a2baf02252af4fb155a053 .reloc 1024 6.211847
Packers/Compilers/Cryptors
Borland Delphi 3.0 (???)
Relationships
1bc44eef75... Contains e5f3ef69a534260e899a36cec459440dc572388defd8f1d98760d31c700f42d5
1bc44eef75... Contains b6f2e008967c5527337448d768f2332d14b92de22a1279fd4d91000bb3d4a0fd
1bc44eef75... Contains b01e0c6ac0b8bcde145ab7b68cf246deea9402fa7ea3aede7105f7051fe240c1
1bc44eef75... Contains fd7eacc2f87aceac865b0aa97a50503d44b799f27737e009f91f3c281233c17d
Description

This file is identified as a 32-bit HermeticWiper. The resource section of the HermeticWiper embeds four SZDD-compressed driver files, as displayed in Figure 1. Depending on the OS major version and system architecture (32-bit/64-bit), the corresponding SZDD-compressed file is extracted into the System32 directory and expanded to a driver file named <random-2-characters>dr.sys (Figures 2-4). The expanded file is a copy of the EaseUS Partition Manager driver (epmntdrv.sys). The wiper enables SeLoadDriverPrivilege and registers the driver as a system service. The new service starts immediately and the driver runs in memory. The wiper then immediately removes the following registry key and deletes both the SZDD file and the expanded driver file from System32 in order to cover its tracks on the victim's system.
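The expansion step that LZOpenFileW/LZCopy perform on the embedded resource can be reproduced offline, which is useful when carving the driver out of a sample for comparison with the vendor's epmntdrv.sys. The following Python is an added example (not code from the report or from the wiper) that expands an SZDD container such as the ones in Figure 1 and restores the original file name from the header byte. It assumes the standard SZDD layout: 8-byte magic, mode byte 'A', the last character of the original file name, a 32-bit little-endian uncompressed length, then LZSS over a 4096-byte space-filled window whose write position starts at offset 4080. The sample container in the block is constructed by hand, not extracted from a sample.

```python
import struct

SZDD_MAGIC = b"SZDD\x88\xF0\x27\x33"  # its first four bytes are the rule's $rsrc1 pattern
WINDOW_SIZE = 4096
WINDOW_START = WINDOW_SIZE - 16        # LZSS write position at the start of a stream
HEADER_LEN = 14


def parse_szdd_header(data: bytes):
    """Return (last_name_char, uncompressed_length) from a 14-byte SZDD header."""
    if data[:8] != SZDD_MAGIC:
        raise ValueError("not an SZDD container")
    if data[8:9] != b"A":
        raise ValueError("unsupported SZDD compression mode")
    last_char = chr(data[9]) if data[9] else ""
    (length,) = struct.unpack_from("<I", data, 10)
    return last_char, length


def restore_name(compressed_name: str, last_char: str) -> str:
    """compress.exe replaces the last file-name character with '_' and stores the
    real one in the header, e.g. 'epmntdrv.sy_' + 's' -> 'epmntdrv.sys'."""
    if compressed_name.endswith("_") and last_char:
        return compressed_name[:-1] + last_char
    return compressed_name


def szdd_expand(data: bytes) -> bytes:
    """LZSS-expand an SZDD container. Control bytes are consumed LSB first: a 1 bit
    means one literal byte follows; a 0 bit means a two-byte back-reference follows,
    encoding a 12-bit window position and a length of 3..18."""
    _, expected_len = parse_szdd_header(data)
    window = bytearray(b" " * WINDOW_SIZE)  # window is pre-filled with spaces
    pos = WINDOW_START
    out = bytearray()
    i = HEADER_LEN
    while i < len(data) and len(out) < expected_len:
        control = data[i]
        i += 1
        for bit in range(8):
            if len(out) >= expected_len or i >= len(data):
                break
            if control & (1 << bit):
                c = data[i]
                i += 1
                out.append(c)
                window[pos] = c
                pos = (pos + 1) % WINDOW_SIZE
            else:
                if i + 2 > len(data):
                    break
                b1, b2 = data[i], data[i + 1]
                i += 2
                match_pos = b1 | ((b2 & 0xF0) << 4)
                match_len = (b2 & 0x0F) + 3
                for k in range(match_len):  # byte-by-byte copy: overlap is intended
                    c = window[(match_pos + k) % WINDOW_SIZE]
                    out.append(c)
                    window[pos] = c
                    pos = (pos + 1) % WINDOW_SIZE
    if len(out) < expected_len:
        raise ValueError("truncated SZDD stream: %d of %d bytes" % (len(out), expected_len))
    return bytes(out[:expected_len])


# Constructed test vector (not from a sample): literals 'A','B', then a 3-byte
# back-reference to window offset 4080 that overlaps its own output -> b"ABABA".
CONSTRUCTED_SZDD = (
    SZDD_MAGIC + b"A" + b"s" + struct.pack("<I", 5)
    + bytes([0x03, 0x41, 0x42, 0xF0, 0xF0])
)

if __name__ == "__main__":
    last, length = parse_szdd_header(CONSTRUCTED_SZDD)
    print(restore_name("epmntdrv.sy_", last), length, szdd_expand(CONSTRUCTED_SZDD))
```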



--Begin sample device service installed--

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\lxdr, Data: "C:\Windows\system32\Drivers\lxdr.sys"

--End sample device service installed--
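As an added illustration of how a defender can turn the artifacts just described into a detection (this code is not from the report): it scans a constructed, normalized event stream for a driver service whose name is two characters followed by "dr" with an image path under System32\Drivers, for the CrashDumpEnabled value being disabled, and for the driver file being deleted shortly after the service install. The event record layout and the 60-second correlation window are assumptions made for the example.

```python
import re

# Derived from the report: the driver/service name is <two random characters>dr and the
# driver is dropped as <name>.sys under System32\Drivers.
DRIVER_NAME_RE = re.compile(r"^(..)dr$")
DRIVER_PATH_RE = re.compile(r"\\system32\\drivers\\(..dr)\.sys$", re.IGNORECASE)
CRASHDUMP_VALUE = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
                   r"\CrashControl\CrashDumpEnabled")
CLEANUP_WINDOW_S = 60  # assumption: max delay between service install and file deletion


def detect_hermeticwiper_artifacts(events):
    """Return (rule, detail) findings over normalized events. Each event is a dict
    with 'ts' (epoch seconds) and 'kind' in {'service_install', 'registry_set',
    'file_delete'}; this layout is an assumption of the example."""
    findings = []
    installs = {}  # lower-cased image path -> install time, for the cleanup correlation
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "service_install":
            m_path = DRIVER_PATH_RE.search(ev["image_path"])
            m_name = DRIVER_NAME_RE.match(ev["name"])
            if m_path and m_name and m_path.group(1).lower() == ev["name"].lower():
                findings.append(("random-named driver service in System32\\Drivers", ev["name"]))
                installs[ev["image_path"].lower()] = ev["ts"]
        elif ev["kind"] == "registry_set":
            if ev["path"].lower() == CRASHDUMP_VALUE.lower() and ev["value"] == 0:
                findings.append(("crash dumps disabled", ev["path"]))
        elif ev["kind"] == "file_delete":
            t0 = installs.get(ev["path"].lower())
            if t0 is not None and 0 <= ev["ts"] - t0 <= CLEANUP_WINDOW_S:
                findings.append(("driver file deleted right after service start", ev["path"]))
    return findings


# Constructed events for illustration; the 'lxdr' name is the sample service from the report.
CONSTRUCTED_EVENTS = [
    {"ts": 100, "kind": "service_install", "name": "wuauserv",
     "image_path": r"C:\Windows\system32\svchost.exe"},
    {"ts": 101, "kind": "registry_set", "path": CRASHDUMP_VALUE, "value": 0},
    {"ts": 102, "kind": "service_install", "name": "lxdr",
     "image_path": r"C:\Windows\system32\Drivers\lxdr.sys"},
    {"ts": 105, "kind": "file_delete", "path": r"C:\Windows\system32\Drivers\lxdr.sys"},
    {"ts": 200, "kind": "service_install", "name": "acpi",
     "image_path": r"C:\Windows\system32\Drivers\acpi.sys"},
    {"ts": 900, "kind": "file_delete", "path": r"C:\Windows\system32\Drivers\lxdr.sys"},
]

if __name__ == "__main__":
    for rule, detail in detect_hermeticwiper_artifacts(CONSTRUCTED_EVENTS):
        print(f"{rule}: {detail}")
```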



In preparation, the wiper disables crash dumps by disabling the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled value. In addition, the wiper disables the Volume Snapshot Service (VSS).



In order to run in user mode, the wiper enables SeBackupPrivilege. If the wiper's name begins with a 'c', it reconstructs the "SeShutDownPrivilege" string and enables that privilege (Figure 5). SeShutDownPrivilege is necessary when the wiper runs in user mode so that it can call InitiateSystemShutdownExW, which is configured to force applications to close, shut down the system without warning and immediately force a reboot (Figure 13, line 199). SeShutDownPrivilege is not needed if the wiper runs with administrative privilege; in that case the system shuts down and reboots regardless of the wiper's name.



The wiper uses the same method to locate and wipe each group of files. First, it locates the target files and stores their on-disk locations in a custom structure. Meanwhile, a random buffer is generated with CryptGenRandom (Figure 7) for each group of targeted files and stored in the same structure. The filled structure is passed to a wipe function, which runs as a separate thread later in the program (Figure 6).



The wiper organizes the destruction into groups, each handled by its own thread. First, the wiper creates a thread to overwrite itself (Figure 13, lines 173, 209). This thread handle is passed to WaitForMultipleObjects, which waits until the very end, when the overwrite occurs.



Next, the wiper makes the system unusable and unrecoverable. First, the wiper locates the MBR and the boot sector of all available physical drives, numbered 0 to 100 (Figure 13, lines 178-179). Then it generates a 4096-byte buffer filled with random bytes; 4096 bytes is the Windows default allocation unit size (Figure 8). Destroying the MBR and boot sector renders the OS unable to boot again (Figure 13, line 213).



Then the wiper makes it impossible to restore the system by overwriting the $I30 and $DATA attributes of the C:\System Volume Information directory (Figure 13, lines 183 and 213). That directory contains system restore points and information used by VSS.



--Begin target attributes--

The $I30 attribute covers both of the following attributes:

    1. $INDEX_ROOT - contains information about the files and sub-directories.

    2. $INDEX_ALLOCATION - contains information that spills over from $INDEX_ROOT.

The $DATA attribute contains user or system stored content.

--End target attributes--



Then the wiper starts a low-priority thread for fragmentation, skipping the following Windows system directories when enumerating files (Figure 13, line 203 and Figure 9). User files outside those directories are fragmented: the wiper uses FSCTL_GET_RETRIEVAL_POINTERS to obtain the file's allocation and location on disk, randomizes the output and passes it to FSCTL_MOVE_FILE to relocate the file's virtual clusters (Figure 10).



--Begin skipped directories--

Windows

Program Files

Program Files(x86)

PerfLogs

Boot

System Volume Information

AppData

--End skipped directories--



This newer version of HermeticWiper, compiled in 2022, ensures that the wiper brings down a Domain Controller in the shortest possible time. First, the wiper checks for the presence of C:\Windows\SYSVOL using GetFileAttributesW (Figure 13, line 220). The SYSVOL directory indicates that the victim's system is a Domain Controller server, which is responsible for security authentication requests within a domain. In this case, the wiper waits three minutes to ensure the destruction of the MBR, boot sector and data required for a system restore (already under way in the thread created in Figure 13, line 211). The wiper process and all its threads then exit (Figure 13, lines 220-224). The domain controller continues to function until the next reboot.



The second stage of the data wipe continues on systems that are not identified as a Domain Controller server (Figure 14).



The wiper locates the MFT and its backup in the $MFTMirr file on NTFS, or the boot sector on a FAT file system (Figure 11), for all available physical drives numbered 0 to 100, and stores these locations in a custom structure to be wiped later (Figure 14, lines 228-229, 266). A buffer of random bytes is also generated and placed in the structure.



Then it locates $Bitmap (which records cluster allocation status) and $LogFile (which journals metadata transactions) on all available logical drives, such as "C:\" and "D:\" (Figure 14, line 232), and stores them in the same custom structure so that this data is wiped later (Figure 14, line 266).



Next, it recursively locates user files under the user's profile directory, skipping the AppData directory and any file whose name contains the string "ntuser". It also recursively locates files under the user's Desktop and My Documents directories (Figure 14, lines 236, 239). These locations are also stored in the same custom structure to be wiped later (Figure 14, line 266).



The C:\Windows\System32\winevt\Logs directory contains all Windows event logs. The locations of its $I30 attribute (which includes $INDEX_ROOT and $INDEX_ALLOCATION) and of the $DATA attributes are collected into the same custom structure so that this data is wiped later (Figure 14, lines 242, 266).



The wiper terminates the fragmentation after 30 seconds, then calls the same function with FSCTL_GET_VOLUME_BITMAP to obtain the occupied clusters of a volume. This information is passed to a separate write structure to be overwritten with the random buffer later (Figure 14, line 267).



HermeticWiper accepts up to two optional numeric inputs (Figure 15). The first numeric input sets the first sleep timer, which triggers InitiateSystemShutdownExW in a separate thread (Figure 13, line 197). If no input is provided, the resulting 34 minutes is used, with the least significant four digits of the millisecond value randomized (Figure 13, lines 187-192) before it is passed to the sleep timer; that randomization is negligible when measured in minutes. The second numeric input, if provided, is compared with the first and the smaller value is used. If no input is provided, the resulting 19 minutes is used, again with the least significant four digits in milliseconds randomized (Figure 14, lines 244-253). This second sleep time keeps the main wiper thread alive.



This HermeticWiper variant is signed with the following digital certificate issued by Hermetica Digital Ltd as displayed below:



--Begin Digital Certificate--

Certificate:

   Data:

       Version: 3 (0x2)

       Serial Number:

           0c:48:73:28:73:ac:8c:ce:ba:f8:f0:e1:e8:32:9c:ec

   Signature Algorithm: sha256WithRSAEncryption

       Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)

       Validity

           Not Before: Apr 13 00:00:00 2021 GMT

           Not After : Apr 14 23:59:59 2022 GMT

       Subject: businessCategory=Private Organization/jurisdictionCountryName=CY/serialNumber=HE 419469, C=CY, L=Nicosia, O=Hermetica Digital Ltd, CN=Hermetica Digital Ltd

       Subject Public Key Info:

           Public Key Algorithm: rsaEncryption

               Public-Key: (2048 bit)


               Exponent: 65537 (0x10001)

       X509v3 extensions:

           X509v3 Authority Key Identifier:

               keyid:8F:E8:7E:F0:6D:32:6A:00:05:23:C7:70:97:6A:3A:90:FF:6B:EA:D4



           X509v3 Subject Key Identifier:

               C4:9F:18:1C:59:D2:5B:25:71:9E:F1:37:B7:60:59:D6:2A:07:99:E1

           X509v3 Subject Alternative Name:

               othername:<unsupported>

           X509v3 Key Usage: critical

               Digital Signature

           X509v3 Extended Key Usage:

               Code Signing

           X509v3 CRL Distribution Points:



               Full Name:

                URI:http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl



               Full Name:

                URI:http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl



           X509v3 Certificate Policies:

               Policy: 2.16.840.1.114412.3.2

                CPS: http://www.digicert.com/CPS

               Policy: 2.23.140.1.3



           Authority Information Access:

               OCSP - URI:http://ocsp.digicert.com

               CA Issuers - URI:http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt



           X509v3 Basic Constraints: critical

               CA:FALSE

   Signature Algorithm: sha256WithRSAEncryption



--End Digital Certificate--

Screenshots

Figure 1 - The resource section contains four versions of compressed epmntdrv.sys, targeting 32-bit and 64-bit Windows OS.

Figure 2 - One of the four compressed driver files is extracted from the resource section based on the OS major version and system architecture (x86/x64).

Figure 3 - The SZDD is extracted and decompressed by LZOpenFileW followed by LZCopy. The decompressed file is given a .sys extension, registered as a driver service which is started immediately. The installed service key, the SZDD compressed resource and the .sys files are deleted afterwards.

Figure 4 - This algorithm generates a four-character string as the name of the driver and its associated service key. The name contains two random characters and ends with a static string "dr". The indexes to select the first and second character are computed differently, with the variable v12 in the screenshot corresponding to the first character and v12[1] corresponding to the second character.

Figure 5 - The "SeShutDownPrivilege" string passed to LookupPrivilegeValueW is deobfuscated only if the wiper's name begins with the 'c' character. Enabling SeShutDownPrivilege allows a wiper running with only user privilege to shut down the system using InitiateSystemShutdownExW. SeBackupPrivilege allows file content to be read while skipping the Access Control List (ACL) security check; this privilege is enabled by default to permit a wiper running with only user privilege to read and write any file.

Figure 6 - Snippet of the function that overwrites saved locations on disk using the 4096-byte buffer filled with random data generated by CryptGenRandom. This function is used to wipe different groups of data as follows: Figure 13, line 207 (to erase the malware file), Figure 13, line 211 (to erase MBR, MBS and C:\System Volume Information), Figure 14, line 266 (to erase MFT, $Bitmap, $Logfile, user files and Windows Event Logs) and Figure 14, line 267 (to erase allocated clusters).

Figure 7 - Snippet from the function that uses CryptGenRandom to generate 0x1000 (4096) random bytes.

Figure 8 - Error message displayed on the infected system within minutes after being shutdown and followed by an immediate reboot.

Figure 9 - Snippet of code from four different functions related to fragmentation (Figure 13, line 201); it begins by disabling both ShowCompColor (displays compressed and encrypted NTFS files in color) and ShowInfoTip (shows pop-up descriptions for folder and desktop items) before the fragmentation.

Figure 10 - The FOR loop in Figure 10 eventually runs this snippet of code where the fragmentation takes place. It retrieves the file allocation on a disk using FSCTL_GET_RETRIEVAL_POINTERS and runs some randomization before passing back to MOVE_FILE_DATA to relocate file clusters.

Figure 11 - The wiper locates $MFT and its backup $MFTMirr in NTFS or the boot sector in FAT from PhysicalDrive0 to PhysicalDrive100 to wipe.

Figure 12 - Screenshot of before and after data wipe on the first MFT entry.

Figure 13 - Snippet of the main function showing that the malware first prepares itself to be overwritten (line 172), which does not occur until the end of the process. The wiper collects the locations of the MBR and the boot sector of PhysicalDrive0 to PhysicalDrive100 (lines 177-178) and the locations of the directory attributes and data of C:\System Volume Information (line 182); together with a randomly generated buffer (sysStruct), these are passed to the wipe function, which runs in a dedicated thread (line 211). The wiper also runs a fragmentation thread (line 201). The wiper exits the process after 3 minutes if the victim system is a Domain Controller server (lines 219-223).

Figure 14 - Snippet of the main function continuing from Figure 13; it displays the section of code that runs on Windows systems not identified as a Domain Controller. The wiper collects the locations of the NTFS MFT and $MFTMirr or the FAT file system boot sector from PhysicalDrive0 to PhysicalDrive100 and generates a random-byte buffer (lines 228-229), then continues collecting the locations of $Bitmap and $LogFile on all available logical drives (line 232), some user files (lines 236, 239) and the Windows Event Logs directory attributes and $DATA (line 242). The structure containing all these locations and the random buffer (userStruct) is passed to the wipe function, which runs in a dedicated thread (line 266). Then the fragmentation thread is terminated after 30 seconds (lines 257-259). The bitmap of occupied clusters, together with another random-byte buffer (clusterStruct), is obtained and passed to the wipe function running in another dedicated thread (line 267).

Figure 15 - HermeticWiper accepts up to two numeric inputs. The first numeric input sets the first sleep timer thread, which ultimately triggers InitiateSystemShutdownExW (Figure 13, line 197). The sleep timer is converted to milliseconds and a randomly generated number is subtracted from its least significant four digits (Figure 13, lines 185-192). The second numeric input, if provided, is compared with the first input and the smaller value is used. If no input is provided, the default value is 20 minutes, which is converted to milliseconds with a randomly generated number subtracted from its least significant four digits (Figure 14, lines 245-250).

06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397

Tags

dropper, trojan, wiper

Details
Name 06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397
Size 117032 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 f1a33b2be4c6215a1c39b45e391a3e85
SHA1 9518e4ae0862ae871cf9fb634b50b07c66a2c379
SHA256 06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397
SHA512 0fc69b926a03abc720e6fb05083db8d7bf6107261b54102bfb61025c0ee1ca9fbd7baa0e7d73339a0ea56b84aca329f0a66241cc41dc01d185f15271c82e966a
ssdeep 1536:sBOoa7Nn52wurilmw9BgjKu1sPPxaSLyqP:sBOoa7P2wxlPwV1qPkSuqP
Entropy 6.385919
Antivirus
AhnLab Trojan/Win.FoxBlade
Antiy Trojan/Win32.HermeticWiper.a
Avira TR/HermeticWiper.T
Bitdefender Trojan.GenericKD.48632599
ClamAV Win.Malware.HermeticWiper-9940039-0
Cyren W32/Agent.OSPU-6752
ESET a variant of Win32/KillDisk.NCV trojan
Emsisoft MalCert-S.OE (A)
IKARUS Trojan.Win32.KillDisk
K7 Trojan ( 0058ecab1 )
Lavasoft Trojan.GenericKD.48632599
McAfee RDN/Generic.hbg
NANOAV Trojan.Win32.HermeticWiper.jmxwsb
Quick Heal SM.mal.generic
Sophos Mal/KillDisk-A
Symantec Trojan.KillDisk
TACHYON Trojan-Dropper/W32.HermeticWiper.117032
Trend Micro Trojan.F98CE195
Trend Micro HouseCall Trojan.F98CE195
Vir.IT eXplorer Trojan.Win32.HermeticWiper.A
VirusBlokAda Trojan.Agent
Zillya! Dropper.HermeticWiper.Win32.2
YARA Rules
rule CISA_10375867_01 : wiper HERMETICWIPER (identical to the rule listed above under 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591)
ssdeep Matches
99 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
PE Metadata
Compile Date 2022-02-23 04:48:53-05:00
Import Hash fe4a2284122da348258c83ef437fbd7b
PE Sections
MD5 Name Raw Size Entropy
0d370bcce45eae7f5d16bb308b5ca811 header 1024 2.519045
ba89a1d62ff34e1b9c45da08bda91c3c .text 16384 6.388564
a32e2e98f61c52c443c6d653d682991a .rdata 5120 4.441415
ca2eecf5edbfc7c94c96a4696789c07d .data 512 0.762127
e77f09dc0f10e6627c83ae611fec363c .rsrc 89088 6.203475
e5535abe90a2baf02252af4fb155a053 .reloc 1024 6.211847
Packers/Compilers/Cryptors
Borland Delphi 3.0 (???)
Relationships
06086c1da4... Contains e5f3ef69a534260e899a36cec459440dc572388defd8f1d98760d31c700f42d5
06086c1da4... Contains b6f2e008967c5527337448d768f2332d14b92de22a1279fd4d91000bb3d4a0fd
06086c1da4... Contains b01e0c6ac0b8bcde145ab7b68cf246deea9402fa7ea3aede7105f7051fe240c1
06086c1da4... Contains fd7eacc2f87aceac865b0aa97a50503d44b799f27737e009f91f3c281233c17d
Description

This is a 32-bit HermeticWiper with ninety-nine percent code-base similarity to 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591, signed with the same digital certificate issued by Hermetica Digital Ltd (Figure 17). Refer to 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591 for analysis.

Screenshots

Figure 16 - This variant of HermeticWiper contains the same copies of SZDD compressed EaseUS Partition Master NT Drivers.

Figure 17 - This variant of HermeticWiper was signed with the same digital certificate (highlighting the unique Serial Number) used in 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591.

2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf

Tags

dropper, trojan, wiper

Details
Name 2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf
Size 117000 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 382fc1a3c5225fceb672eea13f572a38
SHA1 d9a3596af0463797df4ff25b7999184946e3bfa2
SHA256 2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf
SHA512 0fa729f6834d475f787634cc69592633c32a0368c63abac5f702bdd8fd838ad9ceb50941448518a3bf1da0ab45bf6b0dac42d99168d51916591277db19dedacd
ssdeep 1536:bV3+WmNcWDurilmw9BgjKu1sPPxaS4jqY:bV3+WmjDxlPwV16PkS4jqY
Entropy 6.381886
Antivirus
AhnLab Trojan/Win.FoxBlade
Antiy Trojan/Win32.HermeticWiper.a
Avira TR/HermeticWiper.T
Bitdefender Trojan.GenericKD.39164454
ClamAV Win.Malware.HermeticWiper-9940039-0
Comodo Malware
Cyren W32/KillDisk.A.gen!Eldorado
ESET a variant of Win32/KillDisk.NCV trojan
Emsisoft MalCert-S.OE (A)
IKARUS Trojan.Win32.KillDisk
K7 Trojan ( 0058ec201 )
Lavasoft Trojan.GenericKD.39164454
McAfee RDN/HermeticWiper
Quick Heal SM.mal.generic
Sophos Mal/KillDisk-A
Symantec Trojan.KillDisk
TACHYON Trojan/W32.HermeticWiper.117000.B
Trend Micro Trojan.D0C378A9
Trend Micro HouseCall Trojan.D0C378A9
VirusBlokAda Trojan.KillDisk
Zillya! Dropper.HermeticWiper.Win32.1
YARA Rules
rule CISA_10375867_01 : wiper HERMETICWIPER (identical to the rule listed above for 06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397)
ssdeep Matches
90 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
100 3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767
PE Metadata
Compile Date 2021-12-28 03:37:16-05:00
Import Hash 4233d97404e1fecedef6a46e0f7c09b9
PE Sections
MD5 Name Raw Size Entropy
f2b6a5938b17fb5702154542f28b606a header 1024 2.530310
48e3e5be9f01e73c7abfb4855940b5ef .text 16384 6.379494
479992e081bf4a86292f9b8a7a22e5fd .rdata 5120 4.393606
ef90b6137b9fcb8f0238d8e709b680ee .data 512 0.753634
16d68310ccf50f7dfef671db2a800bbe .rsrc 89088 6.203677
d3c95ee5e68c69ecab2d60810f332824 .reloc 1024 6.149104
Packers/Compilers/Cryptors
Borland Delphi 3.0 (???)
Relationships
2c10b2ec0b... Contains e5f3ef69a534260e899a36cec459440dc572388defd8f1d98760d31c700f42d5
2c10b2ec0b... Contains b6f2e008967c5527337448d768f2332d14b92de22a1279fd4d91000bb3d4a0fd
2c10b2ec0b... Contains b01e0c6ac0b8bcde145ab7b68cf246deea9402fa7ea3aede7105f7051fe240c1
2c10b2ec0b... Contains fd7eacc2f87aceac865b0aa97a50503d44b799f27737e009f91f3c281233c17d
Description

This HermeticWiper was compiled earlier, on 2021-12-28 03:37:16-05:00, rather than on 2022-02-23. It has over ninety percent code-base similarity to 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591, and both are signed with the same digital certificate issued by Hermetica Digital Ltd (Figure 20).

A code comparison indicates that the only difference is that this HermeticWiper behaves the same on all Windows systems: it does not check for the presence of the C:\Windows\SYSVOL directory and terminates the wiper process after 3 minutes (Figure 13, lines 218-223). Refer to 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591 for the remaining analysis.

Screenshots

Figure 18 - The resource section contains four versions of compressed epmntdrv.sys, targeting 32-bit and 64-bit Windows OS.

Figure 19 - Snippet of the main function of HermeticWiper that was compiled in 2021. It does not contain the code that checks for C:\Windows\SYSVOL (Figure 13, lines 218-223). The rest of the code is identical.

Figure 20 - This variant of HermeticWiper was signed with the same digital certificate (highlighting the unique Serial Number) used in 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591.

3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767

Tags

dropper, trojan, wiper

Details
Name 3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767
Size 117000 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 decc2726599edcae8d1d1d0ca99d83a6
SHA1 0d8cc992f279ec45e8b8dfd05a700ff1f0437f29
SHA256 3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767
SHA512 1096ccabe0c99ab73bbc92c645814b6590f5a925801eb3a97e9930e3bc668738f8852e83628474836ba15983b6660eb5c2f2741e925d16877991ca89be47f49a
ssdeep 1536:bV3+WmNcWDurilmw9BgjKu1sPPxaS4jqY:bV3+WmjDxlPwV16PkS4jqY
Entropy 6.381888
Antivirus
AhnLab Trojan/Win.FoxBlade
Antiy Trojan/Win32.HermeticWiper.a
Avira TR/HermeticWiper.T
Bitdefender Generic.HermeticWiper.A.A7E4AE5D
ClamAV Win.Malware.HermeticWiper-9940039-0
Cyren W32/KillDisk.A.gen!Eldorado
ESET a variant of Win32/KillDisk.NCV trojan
Emsisoft MalCert-S.OE (A)
IKARUS Trojan.Win32.KillDisk
K7 Trojan ( 0058ec201 )
Lavasoft Generic.HermeticWiper.A.A7E4AE5D
McAfee RDN/Generic.dx
Quick Heal SM.mal.generic
Sophos Mal/KillDisk-A
Symantec Trojan.KillDisk
TACHYON Trojan/W32.HermeticWiper.117000.B
Trend Micro Trojan.D0C378A9
Trend Micro HouseCall Trojan.D0C378A9
VirusBlokAda Trojan.KillDisk
Zillya! Dropper.HermeticWiper.Win32.1
YARA Rules
rule CISA_10375867_01 : wiper HERMETICWIPER (identical to the rule listed above for 06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397)
ssdeep Matches
90 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
100 2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf
PE Metadata
Compile Date 2021-12-28 03:37:16-05:00
Import Hash 4233d97404e1fecedef6a46e0f7c09b9
PE Sections
MD5 Name Raw Size Entropy
98bcfa84d6a53ae5d13ed2ab2424274c header 1024 2.530213
48e3e5be9f01e73c7abfb4855940b5ef .text 16384 6.379494
479992e081bf4a86292f9b8a7a22e5fd .rdata 5120 4.393606
ef90b6137b9fcb8f0238d8e709b680ee .data 512 0.753634
16d68310ccf50f7dfef671db2a800bbe .rsrc 89088 6.203677
d3c95ee5e68c69ecab2d60810f332824 .reloc 1024 6.149104
Packers/Compilers/Cryptors
Borland Delphi 3.0 (???)
Relationships
3c55772795... Contains e5f3ef69a534260e899a36cec459440dc572388defd8f1d98760d31c700f42d5
3c55772795... Contains b6f2e008967c5527337448d768f2332d14b92de22a1279fd4d91000bb3d4a0fd
3c55772795... Contains b01e0c6ac0b8bcde145ab7b68cf246deea9402fa7ea3aede7105f7051fe240c1
3c55772795... Contains fd7eacc2f87aceac865b0aa97a50503d44b799f27737e009f91f3c281233c17d
Description

This is a 32-bit HermeticWiper with ninety-nine percent code-base similarity with 2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf, signed with the same digital certificate issued by Hermetica Digital Ltd (Figure 22). Refer to 2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf for analysis.

Screenshots

Figure 21 - This variant of HermeticWiper contains the same copies of SZDD compressed EaseUS Partition Master NT Drivers.

Figure 22 - This variant of HermeticWiper was signed with the same digital certificate (highlighting the unique Serial Number) used in 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591.

0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da

Tags

trojan, virus, wiper

Details
Name 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
Size 117000 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 84ba0197920fd3e2b7dfa719fee09d2f
SHA1 912342f1c840a42f6b74132f8a7c4ffe7d40fb77
SHA256 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
SHA512 bbd4f0263abc71311404c55cb3e4711b707a71e28dcc1f08abd533a4c7f151db9cc40697105d76f1c978000e8fa7aa219adb65b31fb196b08f1ae003e04b9d23
ssdeep 1536:lV3+WmNcWbwurilmw9BgjKu1sPPxaS5qY:lV3+WmjbwxlPwV1qPkS5qY
Entropy 6.381785
Antivirus
AhnLab Trojan/Win.FoxBlade
Antiy Trojan/Win32.HermeticWiper.a
Avira TR/HermeticWiper.T
Bitdefender Trojan.GenericKD.39331952
ClamAV Win.Malware.HermeticWiper-9940039-0
Comodo Malware
Cyren W32/KillDisk.A.gen!Eldorado
ESET a variant of Win32/KillDisk.NCV trojan
Emsisoft MalCert-S.OE (A)
IKARUS Trojan.Win32.KillDisk
K7 Trojan ( 0058ec201 )
Lavasoft Trojan.GenericKD.39331952
McAfee Generic trojan.jt
NANOAV Trojan.Win32.HermeticWiper.jmoiqj
Sophos Mal/KillDisk-A
Symantec Trojan.KillDisk
TACHYON Trojan/W32.HermeticWiper.117000.B
Trend Micro Trojan.5FA1EFFE
Trend Micro HouseCall Trojan.5FA1EFFE
Vir.IT eXplorer Trojan.Win32.HermeticWiper.A
VirusBlokAda Trojan.KillDisk
Zillya! Trojan.KillDisk.Win32.278
YARA Rules
rule CISA_10375867_01 : wiper HERMETICWIPER (identical to the rule listed above for 06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397)
ssdeep Matches
90 2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf
90 3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767
PE Metadata
Compile Date 2021-12-28 03:37:16-05:00
Import Hash 4233d97404e1fecedef6a46e0f7c09b9
PE Sections
MD5 Name Raw Size Entropy
75a1e9f181541976ac520c98b18c5a24 header 1024 2.530213
48e3e5be9f01e73c7abfb4855940b5ef .text 16384 6.379494
479992e081bf4a86292f9b8a7a22e5fd .rdata 5120 4.393606
ef90b6137b9fcb8f0238d8e709b680ee .data 512 0.753634
e77f09dc0f10e6627c83ae611fec363c .rsrc 89088 6.203475
d3c95ee5e68c69ecab2d60810f332824 .reloc 1024 6.149104
Packers/Compilers/Cryptors
Borland Delphi 3.0 (???)
Relationships
0385eeab00... Contains e5f3ef69a534260e899a36cec459440dc572388defd8f1d98760d31c700f42d5
0385eeab00... Contains b6f2e008967c5527337448d768f2332d14b92de22a1279fd4d91000bb3d4a0fd
0385eeab00... Contains b01e0c6ac0b8bcde145ab7b68cf246deea9402fa7ea3aede7105f7051fe240c1
0385eeab00... Contains fd7eacc2f87aceac865b0aa97a50503d44b799f27737e009f91f3c281233c17d
Description

This is a 32-bit HermeticWiper with ninety-nine percent code-base similarity with 2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf, signed with the same digital certificate issued by Hermetica Digital Ltd (Figure 24). Refer to 2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf for analysis.

Screenshots

Figure 23 - This variant of HermeticWiper contains the same copies of SZDD compressed EaseUS Partition Master NT Drivers.

Figure 24 - This variant of HermeticWiper was signed with the same digital certificate (highlighting the unique Serial Number) used in 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591.

96b77284744f8761c4f2558388e0aee2140618b484ff53fa8b222b340d2a9c84

Details
Name <two-random-characters>dr.sys
Name epmntdrv.sys
Size 17480 bytes
Type PE32+ executable (native) x86-64, for MS Windows
MD5 6106653b08f4f72eeaa7f099e7c408a4
SHA1 0e84aff18d42fc691cb1104018f44403c325ad21
SHA256 96b77284744f8761c4f2558388e0aee2140618b484ff53fa8b222b340d2a9c84
SHA512 92b20c99f96907eea3818ba36516e5fa8b5e6ff7a2981177115633e11ba23f9e5a4aa0e8e9d7d8c448e9d5d8fa5e0eb75e44694942f5e4da98a85419db126162
ssdeep 384:X+bXehCk34RLjXHc+DoUR70r2ba3c1+UHeMDBB:8k3uDl5G2ma
Entropy 6.291010
Path C:\Windows\system32\Drivers\<two-random-characters>dr.sys
Antivirus
Comodo Malware
Cyren W64/HermeticWiper.A.gen!Eldorado
K7 Trojan ( 0001140e1 )
Quick Heal APEXCFC.Backdoor.Gen
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2008-08-14 21:11:21-04:00
Import Hash 5bba6eb3fccad3d563d56ef2d7e5d5e8
PE Sections
MD5 Name Raw Size Entropy
282c5e5cbef2faf4a8b9b4158511f0e9 header 1024 2.475418
2fcb5c88ff0c96b65d5dccaa67f37745 .text 7168 6.242927
e93f78c66db1b9f06b8aaf4865462156 .rdata 1024 4.056385
d40508cd041f34d22c9f1488b16aed28 .data 512 0.530587
367b80fe09b4046dffcdd0ea9154785e .pdata 512 2.457626
993da2bba360331277dd7692284508bd INIT 1536 3.861090
a3975867b519ff111e66c9b06194ce6d .reloc 512 0.118370
Relationships
96b7728474... Related_To e5f3ef69a534260e899a36cec459440dc572388defd8f1d98760d31c700f42d5
Description

This file is benign. It is a 64-bit variant of epmntdrv.sys, a component of the EaseUS Partition Master software that manages hard drive partitions. It is the expanded version of the SZDD file drv_x64 (e5f3ef69a534260e899a36cec459440dc572388defd8f1d98760d31c700f42d5) and was submitted as the 64-bit variant of epmntdrv.sys.
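The SZDD container mentioned above is the LZSS format written by the old Microsoft COMPRESS.EXE, and its magic is the "SZDD" string that $rsrc1 of the CISA YARA rule keys on. The following expander is an added example, not CISA's tooling: it carves each SZDD container out of a dumped resource section, expands it, and reports the SHA-256 so the result can be compared with the driver hashes listed in this report; the SAMPLE_* inputs are constructed.

```python
"""
SZDD (Microsoft COMPRESS.EXE / LZSS) expander for the compressed epmntdrv.sys
copies that HermeticWiper stores as RCDATA resources DRV_X64, DRV_X86,
DRV_XP_X64 and DRV_XP_X86.  Added example, not CISA's code; the SAMPLE_*
inputs below are constructed, not taken from the malware.
"""
import hashlib
import struct

SZDD_MAGIC = b"SZDD\x88\xF0\x27\x33"
HEADER_LEN = 14                    # magic(8) + mode(1) + last filename char(1) + length(4)
WINDOW_SIZE = 4096
WINDOW_START = WINDOW_SIZE - 16    # 0xFF0: the encoder starts writing here


def parse_szdd_header(blob):
    """Return (last_filename_char, declared_uncompressed_length)."""
    if len(blob) < HEADER_LEN or blob[:8] != SZDD_MAGIC:
        raise ValueError("not an SZDD container")
    if blob[8] != 0x41:            # compression mode byte, always 'A'
        raise ValueError("unsupported SZDD mode 0x%02x" % blob[8])
    last_char = chr(blob[9]) if blob[9] else ""   # e.g. 's' for epmntdrv.sy_ -> .sys
    (length,) = struct.unpack_from("<I", blob, 10)
    return last_char, length


def expand_szdd(blob):
    """LZSS-expand one SZDD container; bytes after the stream are ignored."""
    _, declared_len = parse_szdd_header(blob)
    window = bytearray(b" " * WINDOW_SIZE)   # ring buffer, pre-filled with spaces
    wpos = WINDOW_START
    out = bytearray()
    pos, end = HEADER_LEN, len(blob)
    while pos < end and len(out) < declared_len:
        flags = blob[pos]                        # one flag bit per token, LSB first
        pos += 1
        for bit in range(8):
            if len(out) >= declared_len or pos >= end:
                break
            if flags & (1 << bit):               # 1 = literal byte
                c = blob[pos]
                pos += 1
                out.append(c)
                window[wpos] = c
                wpos = (wpos + 1) % WINDOW_SIZE
            else:                                # 0 = (offset, length) pair
                if pos + 1 >= end:
                    pos = end                    # truncated pair
                    break
                b0, b1 = blob[pos], blob[pos + 1]
                pos += 2
                offset = b0 | ((b1 & 0xF0) << 4)  # 12-bit window offset
                length = (b1 & 0x0F) + 3          # 4-bit length, minimum 3
                for _ in range(length):          # copy may overlap its own output
                    if len(out) >= declared_len:
                        break
                    c = window[offset]
                    offset = (offset + 1) % WINDOW_SIZE
                    out.append(c)
                    window[wpos] = c
                    wpos = (wpos + 1) % WINDOW_SIZE
    if len(out) != declared_len:
        raise ValueError("expanded %d bytes, header declares %d" % (len(out), declared_len))
    return bytes(out)


def carve_szdd(buf):
    """Find and expand every SZDD container in buf (e.g. a dumped .rsrc section).

    Returns a list of (offset, last_filename_char, sha256_hex, expanded_bytes) so
    each result can be compared with the driver hashes listed in the report.
    """
    found = []
    start = 0
    while True:
        idx = buf.find(SZDD_MAGIC, start)
        if idx < 0:
            return found
        try:
            last_char, _ = parse_szdd_header(buf[idx:])
            data = expand_szdd(buf[idx:])
            found.append((idx, last_char, hashlib.sha256(data).hexdigest(), data))
        except ValueError:
            pass                                 # magic hit that is not a valid container
        start = idx + len(SZDD_MAGIC)


# Constructed sample 1: flags 0x03 = two literals ('M', 'Z'), then a back-reference
# to offset 0xFF0 (where those literals landed) of length 5 + 3 = 8.  The overlapping
# copy repeats "MZ" four more times, giving 10 bytes in total.
SAMPLE_MZ = SZDD_MAGIC + b"As" + struct.pack("<I", 10) + bytes([0x03, 0x4D, 0x5A, 0xF0, 0xF5])

# Constructed sample 2: one back-reference into the untouched window, which shows
# that the window really is pre-filled with spaces.
SAMPLE_SPACES = SZDD_MAGIC + b"A\x00" + struct.pack("<I", 3) + bytes([0x00, 0x00, 0x00])

if __name__ == "__main__":
    for off, ch, digest, data in carve_szdd(b"junk" + SAMPLE_MZ + b"pad" + SAMPLE_SPACES):
        print(off, repr(ch), digest, data)
```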



epmntdrv.sys uses I/O request packets (IRPs) to communicate directly with the device; it handles IRP_MJ_READ and IRP_MJ_WRITE to provide direct read and write access to the disk. HermeticWiper gains these capabilities by loading <two-random-characters>dr.sys (a copy of epmntdrv.sys) into memory.



This 64-bit variant of epmntdrv.sys was signed with the following expired certificate.



--Begin Digital Certificate--
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            33:c3:4c:ca:6e:68:16:b6:2b:67:7d:44:b0:68:35:e5
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA
        Validity
            Not Before: Apr 23 00:00:00 2012 GMT
            Not After : Sep 11 23:59:59 2014 GMT
        Subject: C=CN, ST=Sichuan, L=Chengdu, O=CHENGDU YIWO Tech Development Co., Ltd., OU=Digital ID Class 3 - Microsoft Software Validation v2, CN=CHENGDU YIWO Tech Development Co., Ltd.
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)


                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://csc3-2010-crl.verisign.com/CSC3-2010.crl
            X509v3 Certificate Policies:
                Policy: 2.16.840.1.113733.1.7.23.3
                  CPS: https://www.verisign.com/rpa
            X509v3 Extended Key Usage:
                Code Signing
            Authority Information Access:
                OCSP - URI:http://ocsp.verisign.com
                CA Issuers - URI:http://csc3-2010-aia.verisign.com/CSC3-2010.cer
            X509v3 Authority Key Identifier:
                keyid:CF:99:A9:EA:7B:26:F4:4B:C9:8E:8F:D7:F0:05:26:EF:E3:D2:A7:9D
            Netscape Cert Type:
                Object Signing
            1.3.6.1.4.1.311.2.1.27:
                0.......



--End Digital Certificate--

8c614cf476f871274aa06153224e8f7354bf5e23e6853358591bf35a381fb75b

Details
Name <two-random-characters>dr.sys
Name epmntdrv.sys
Size 14920 bytes
Type PE32 executable (native) Intel 80386, for MS Windows
MD5 093cee3b45f0954dce6cb891f6a920f7
SHA1 379ff9236f0f72963920232f4a0782911a6bd7f7
SHA256 8c614cf476f871274aa06153224e8f7354bf5e23e6853358591bf35a381fb75b
SHA512 e59dd27845e17ed18da79097fcce7c03922d9fe300814a12554f18a7094dddd7351c36ca3978058ffdcbd493a837431f7fa27110097f75da89e3d1d7894bfbb8
ssdeep 192:19Bgq7dIqqXU9piHf0etqlKdaK01r8Y+vpEjtlAur9ZCspE+TMDQrmV:19Bgq7dINXU/iHf03K0a+UHeMDj
Entropy 6.536435
Path <two-random-characters>dr.sys
Antivirus
Comodo Malware
Cyren W32/HermeticWiper.B.gen!Eldorado
Quick Heal APEXCFC.Backdoor.Gen
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2008-08-05 01:35:45-04:00
Import Hash 497ab08ca4751a30dbbe7158d270945d
PE Sections
MD5 Name Raw Size Entropy
28f379c0848cbf3ad43fe37873b6c5d4 header 1024 2.244902
6bbc43603096ffa044c0a268d9a9429f .text 6144 6.052960
ae2851de0512b92979bd41f2e7743c1a .rdata 512 4.770316
3d4fa9d0508245adc58a5a235964b4eb .data 512 0.403646
83cda44c3f736cf615a059cd7efa53d6 INIT 1024 5.069484
7cf285b6ba58acb025e2ed849942dd71 .reloc 512 3.527019
Relationships
8c614cf476... Related_To b01e0c6ac0b8bcde145ab7b68cf246deea9402fa7ea3aede7105f7051fe240c1
Description

This file is benign. It is a 32-bit variant of epmntdrv.sys, which is a component of the EaseUS Partition Master software that manages hard drive partitions. This file is the expanded version of the SZDD file drv_x86 (b01e0c6ac0b8bcde145ab7b68cf246deea9402fa7ea3aede7105f7051fe240c1). This file was submitted as the 32-bit variant of epmntdrv.sys.



epmntdrv.sys uses IRPs to communicate directly with the device; it handles IRP_MJ_READ and IRP_MJ_WRITE to provide direct read and write access to the disk. HermeticWiper gains these capabilities by loading <two-random-characters>dr.sys (a copy of epmntdrv.sys) into memory.



This 32-bit variant of epmntdrv.sys was signed with the same certificate in 96b77284744f8761c4f2558388e0aee2140618b484ff53fa8b222b340d2a9c84.

2c7732da3dcfc82f60f063f2ec9fa09f9d38d5cfbe80c850ded44de43bdb666d

Details
Name <two-random-characters>dr.sys
Name epmntdrv.sys
Size 13896 bytes
Type PE32 executable (native) Intel 80386, for MS Windows
MD5 d57f1811d8258d8d277cd9f53657eef9
SHA1 b33dd3ee12f9e6c150c964ea21147bf6b7f7afa9
SHA256 2c7732da3dcfc82f60f063f2ec9fa09f9d38d5cfbe80c850ded44de43bdb666d
SHA512 98e1979d2642da2cdd22df475e76fcb513036688bc8792e43f61dbeabb4a34f748804fb2f76dff56bf1c68bc8347244ccd87f730d3d747658731485dd8f8abd4
ssdeep 192:OJgR9fN2qBIf9pYf0mtq81NL2r8Y+vpEjtlAur9ZCspE+TMDQrDo:OJg/N5Bi3Yf0oLX+UHeMDB
Entropy 6.787708
Path C:\Windows\system32\Drivers\<two-random-characters>dr.sys
Antivirus
Bitdefender Application.Agent.KJT
Comodo Malware
Cyren W32/HermeticWiper.B.gen!Eldorado
IKARUS Trojan.Win32.HermeticWiper
Lavasoft Application.Agent.KJT
Quick Heal APEXCFC.Backdoor.Gen
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2008-08-05 01:35:44-04:00
Import Hash 57041138fec5a26208c8fbbb522eb8c3
PE Sections
MD5 Name Raw Size Entropy
d9c35b50aa29eb859d162fee29e54542 header 1152 2.155296
68c84af2632118f2fd70196641c7b92a .text 5632 6.258728
a088f3513b68ed63036d47e4eae5b847 .rdata 512 4.738972
e27918cd4bc6289095f759fcf3c65f72 .data 128 1.270805
6a966a3c841ac34cf9732bfe06224601 INIT 896 5.198473
3b178276205d421cad26b943ca2a438d .reloc 384 4.141541
Relationships
2c7732da3d... Related_To fd7eacc2f87aceac865b0aa97a50503d44b799f27737e009f91f3c281233c17d
Description

This file is benign. It is a 32-bit variant of epmntdrv.sys, a component of the EaseUS Partition Master software that manages hard drive partitions. It is the expanded version of the SZDD file drv_xp_x86 (fd7eacc2f87aceac865b0aa97a50503d44b799f27737e009f91f3c281233c17d). HermeticWiper selects drv_xp_x86 for 32-bit OS version numbers less than 6 (Windows OS earlier than Vista).



The epmntdrv.sys creates IRPs to communicate directly with the device driver; it uses IRP_MJ_READ and IRP_MJ_WRITE to provide direct read write to the device. The HermeticWiper has access to these capabilities by running the <two-random-characters>dr.sys (a copy of epmntdrv.sys) in memory.



This 32-bit variant of epmntdrv.sys was signed with the same certificate in 96b77284744f8761c4f2558388e0aee2140618b484ff53fa8b222b340d2a9c84.

23ef301ddba39bb00f0819d2061c9c14d17dc30f780a945920a51bc3ba0198a4

Details
Name <two-random-characters>dr.sys
Name epmntdrv.sys
Size 16968 bytes
Type PE32+ executable (native) x86-64, for MS Windows
MD5 bdf30adb4e19aff249e7da26b7f33ead
SHA1 87bd9404a68035f8d70804a5159a37d1eb0a3568
SHA256 23ef301ddba39bb00f0819d2061c9c14d17dc30f780a945920a51bc3ba0198a4
SHA512 623e9bc6e5e7074c73471dc5892680f3f4443af8b2b29ea5d8e89cf2f5c8ec9692018a69247c973bcff3805eea9331cd6c47a425ea04ee94434e8fc27131dd2e
ssdeep 384:VxzqJCk3VRLzSlD+DoUxN0mTq43+UHeMDH:Nk3rXlX3Tqw
Entropy 6.353774
Path C:\Windows\system32\Drivers\<two-random-characters>dr.sys
Antivirus
Comodo Malware
Cyren W64/HermeticWiper.A.gen!Eldorado
Quick Heal APEXCFC.Backdoor.Gen
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2008-08-05 01:35:48-04:00
Import Hash 8dfd5cbf88d986cbbf130b4191352375
PE Sections
MD5 Name Raw Size Entropy
efa36ea148a083801675637c766f0a80 header 1024 2.532014
8f981b68cfedd0abf60e0bffc25805f3 .text 7168 6.187764
e39c3a1e6d17269a8cda38a91b3a86f8 .rdata 1024 4.014067
c14eda830969efc35caea953ed95155e .data 512 0.514253
31535b5fbcaddee170fceaabdedbd47a .pdata 512 2.359089
5d39a3cbe37b3b99545811c65b636019 INIT 1024 4.699576
a3975867b519ff111e66c9b06194ce6d .reloc 512 0.118370
Relationships
23ef301ddb... Related_To b6f2e008967c5527337448d768f2332d14b92de22a1279fd4d91000bb3d4a0fd
Description

This file is benign in itself: it is a 64-bit variant of epmntdrv.sys, a component of the EaseUS Partition Master software that manages hard drive partitions. It is the expanded form of the SZDD-compressed resource drv_xp_x64 (b6f2e008967c5527337448d768f2332d14b92de22a1279fd4d91000bb3d4a0fd). HermeticWiper selects drv_xp_x64 on 64-bit systems whose OS major version number is less than 6 (Windows versions earlier than Vista).

epmntdrv.sys builds IRPs to communicate directly with the underlying disk device driver; its IRP_MJ_READ and IRP_MJ_WRITE handlers give the caller direct read and write access to the device. HermeticWiper gains these capabilities by loading <two-random-characters>dr.sys (a copy of epmntdrv.sys) into memory.

This 64-bit variant of epmntdrv.sys is signed with the same certificate as 96b77284744f8761c4f2558388e0aee2140618b484ff53fa8b222b340d2a9c84.
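The driver drop described in the entries above leaves two things a responder can check for: the service installation itself and, when the file survives, the file's hash. The following triage helper is an added example written for this report, not CISA's code or any part of the analysed samples. It assumes that a Service Control Manager "service was installed" record (System log event ID 7045) is where the short-lived service leaves a trace, that the 7045 message carries "Service Name", "Service File Name", "Service Type" and "Service Start Type" lines in the form shown, and that "two random characters" means any two non-backslash characters (the report does not narrow them). The hashes are the four expanded EPMNTDrv variants the report relates to the drv_* resources; the event records are constructed for the example.

```python
r"""Triage helpers for HermeticWiper's EPMNTDrv drop (added example, not CISA's code).

The report says the wiper writes the driver to
C:\Windows\system32\Drivers\<two-random-characters>dr.sys, registers it as a
service, starts it and then deletes the service key and file. Two checks follow:
a 7045 "service was installed" record whose file name matches that location, and,
when the file still exists, a SHA256 equal to one of the expanded drivers listed
in the report. The 7045 message layout and the sample records are assumptions.
"""
import hashlib
import re

# SHA256 of the expanded drivers, taken from the report's relationship entries.
EPMNTDRV_SHA256 = {
    "2c7732da3dcfc82f60f063f2ec9fa09f9d38d5cfbe80c850ded44de43bdb666d",  # expanded drv_xp_x86
    "23ef301ddba39bb00f0819d2061c9c14d17dc30f780a945920a51bc3ba0198a4",  # expanded drv_xp_x64
    "8c614cf476f871274aa06153224e8f7354bf5e23e6853358591bf35a381fb75b",  # related to drv_x86
    "96b77284744f8761c4f2558388e0aee2140618b484ff53fa8b222b340d2a9c84",  # related to drv_x64
}

# <drive>:\Windows\system32\Drivers\??dr.sys; the two characters are assumed to be
# any two non-backslash characters because the report does not narrow them.
DROP_PATH_RE = re.compile(
    r"^[a-z]:\\windows\\system32\\drivers\\[^\\]{2}dr\.sys$", re.IGNORECASE)

# Field labels assumed for the 7045 message body.
_FIELD_RE = re.compile(
    r"^(Service Name|Service File Name|Service Type|Service Start Type): *(.*)$",
    re.MULTILINE)


def parse_7045_message(text):
    """Pull the labelled fields of a 7045 event message into a dict."""
    return {k: v.strip() for k, v in _FIELD_RE.findall(text)}


def is_drop_path(path):
    """True for <drive>:\\Windows\\system32\\Drivers\\??dr.sys (quotes tolerated)."""
    return bool(DROP_PATH_RE.match(path.strip().strip('"')))


def flag_driver_installs(events):
    """events: iterable of (event_id, message). Returns one finding per matching 7045."""
    findings = []
    for event_id, message in events:
        if int(event_id) != 7045:
            continue
        fields = parse_7045_message(message)
        if is_drop_path(fields.get("Service File Name", "")):
            findings.append({
                "service": fields.get("Service Name"),
                "image": fields.get("Service File Name"),
                "kernel_driver": fields.get("Service Type", "").lower() == "kernel mode driver",
            })
    return findings


def is_known_epmntdrv(data):
    """True when a recovered file's SHA256 is one of the drivers in the report."""
    return hashlib.sha256(data).hexdigest() in EPMNTDRV_SHA256


# Constructed sample records; the service name "zhdr" is made up for the example.
SAMPLE_EVENTS = [
    (7045, "A service was installed in the system.\n\nService Name: Sysmon64\n"
           "Service File Name: C:\\Windows\\Sysmon64.exe\nService Type: user mode service\n"
           "Service Start Type: auto start\nService Account: LocalSystem\n"),
    (7045, "A service was installed in the system.\n\nService Name: zhdr\n"
           "Service File Name: C:\\Windows\\system32\\Drivers\\zhdr.sys\n"
           "Service Type: kernel mode driver\nService Start Type: demand start\n"
           "Service Account: \n"),
    (7036, "The zhdr service entered the running state.\n"),
    (7045, "A service was installed in the system.\n\nService Name: epmntdrv\n"
           "Service File Name: C:\\Windows\\system32\\Drivers\\epmntdrv.sys\n"
           "Service Type: kernel mode driver\nService Start Type: demand start\n"
           "Service Account: \n"),
]
```

The path check is name-based and will not fire on the same driver installed under its real name, as the last sample record shows; the hash check is the stronger signal, so run both when a driver file can still be recovered from disk or from a forensic image.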

e5f3ef69a534260e899a36cec459440dc572388defd8f1d98760d31c700f42d5

Details
Name <two-random-characters>dr
Name drv_x64
Size 11119 bytes
Type MS Compress archive data, SZDD variant, original size: 17480 bytes
MD5 a952e288a1ead66490b3275a807f52e5
SHA1 5ceebaf1cbb0c10b95f7edd458804a646c6f215e
SHA256 e5f3ef69a534260e899a36cec459440dc572388defd8f1d98760d31c700f42d5
SHA512 871250ed8779d3f6e0adde5b1e9be0b818e157dfd1ea3755c161fc6604185370a55fa0b37c2b9249b05dc5da6182e7be6b2a5ade0b67e104e8d9cea01eae2f94
ssdeep 192:Zs3eOzMYnU80xKVnifH3Jinn2IY54QmSJLkwIo3u:ZcRMOgKVSH3Sn235KSZkzku
Entropy 7.652705
Path C:\Windows\system32\Drivers\<two-random-characters>dr
Antivirus
Avira TR/HermeticWiper.AM
Bitdefender Trojan.HermeticWiper.B
Cyren W64/HermeticWiper.A.gen!Eldorado
Emsisoft Trojan.HermeticWiper.B (B)
IKARUS Virus.Wiper.Hermetic
Lavasoft Trojan.HermeticWiper.B
McAfee Trojan-HermeticWiper
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
e5f3ef69a5... Contained_Within 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
e5f3ef69a5... Contained_Within 06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397
e5f3ef69a5... Contained_Within 3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767
e5f3ef69a5... Contained_Within 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
e5f3ef69a5... Contained_Within 2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf
e5f3ef69a5... Related_To 96b77284744f8761c4f2558388e0aee2140618b484ff53fa8b222b340d2a9c84
Description

This SZDD compressed file is embedded within the resource section of 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591, 06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397, 2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf, 3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767 and 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da.

b01e0c6ac0b8bcde145ab7b68cf246deea9402fa7ea3aede7105f7051fe240c1

Details
Name <two-random-characters>dr
Name drv_x86
Size 9904 bytes
Type MS Compress archive data, SZDD variant, original size: 14920 bytes
MD5 231b3385ac17e41c5bb1b1fcb59599c4
SHA1 0231721ef4e4519ec776ff7d1f25c937545ce9f4
SHA256 b01e0c6ac0b8bcde145ab7b68cf246deea9402fa7ea3aede7105f7051fe240c1
SHA512 b487d244f2d00dde8035e0edff2c878cf722022fcf73bb53d7b6fdf0df760109bd63cc440c67f03e2965fc814aaab6daa85e4cdf1c952e8b0dc87cead10fdffa
ssdeep 192:PWE3Ol3U4GYj7/YQTbZv8tBEqIOfgEFj8ZpB2Vx38vO3t89DQHsLxVUmlR:P134U4GnmU7dfFFYZb2VMo89QsLjpR
Entropy 7.653127
Path C:\Windows\system32\Drivers\<two-random-characters>dr
Antivirus
Avira TR/HermeticWiper.AP
Bitdefender Trojan.HermeticWiper.E
Cyren W32/HermeticWiper.B.gen!Eldorado
Emsisoft Trojan.HermeticWiper.E (B)
IKARUS Virus.Wiper.Hermetic
Lavasoft Trojan.HermeticWiper.E
McAfee Trojan-HermeticWiper
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
b01e0c6ac0... Contained_Within 06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397
b01e0c6ac0... Contained_Within 3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767
b01e0c6ac0... Contained_Within 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
b01e0c6ac0... Contained_Within 2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf
b01e0c6ac0... Related_To 8c614cf476f871274aa06153224e8f7354bf5e23e6853358591bf35a381fb75b
b01e0c6ac0... Contained_Within 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
Description

This SZDD compressed file is embedded within the resource section of 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591, 06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397, 2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf, 3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767 and 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da.

fd7eacc2f87aceac865b0aa97a50503d44b799f27737e009f91f3c281233c17d

Details
Name <two-random-characters>dr
Name drv_xp_x86
Size 9626 bytes
Type MS Compress archive data, SZDD variant, original size: 13896 bytes
MD5 eb845b7a16ed82bd248e395d9852f467
SHA1 ee764632adedf6bb4cf4075a20b4f6a79b8f94c0
SHA256 fd7eacc2f87aceac865b0aa97a50503d44b799f27737e009f91f3c281233c17d
SHA512 c0b4b7624e88b40e5c486eb344aec86ae3c73dc2e5de7bfdab4b2249861a6954e07e66828df540de0d9a40327b85a63df7bb1934991f3d69f1bf731688f2c610
ssdeep 192:IrtxiAPMu2m3o8o3DvrkiJ/3ZI+HM4iUyeRfWBiDvMmBOP2jO:I5hPMu2mo8ozvrPeg1iUyCOiTMmBOPD
Entropy 7.672750
Path C:\Windows\system32\Drivers\<two-random-characters>dr
Antivirus
Avira TR/HermeticWiper.T
Bitdefender Trojan.HermeticWiper.D
Cyren W32/HermeticWiper.B.gen!Eldorado
Emsisoft Trojan.HermeticWiper.D (B)
IKARUS Virus.Wiper.Hermetic
Lavasoft Trojan.HermeticWiper.D
McAfee Trojan-HermeticWiper
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
fd7eacc2f8... Contained_Within 06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397
fd7eacc2f8... Contained_Within 3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767
fd7eacc2f8... Related_To 2c7732da3dcfc82f60f063f2ec9fa09f9d38d5cfbe80c850ded44de43bdb666d
fd7eacc2f8... Contained_Within 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
fd7eacc2f8... Contained_Within 2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf
fd7eacc2f8... Contained_Within 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
Description

This SZDD compressed file is embedded within the resource section of 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591, 06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397, 2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf, 3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767 and 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da.

b6f2e008967c5527337448d768f2332d14b92de22a1279fd4d91000bb3d4a0fd

Details
Name <two-random-characters>dr
Name drv_xp_x64
Size 10956 bytes
Type MS Compress archive data, SZDD variant, original size: 16968 bytes
MD5 095a1678021b034903c85dd5acb447ad
SHA1 9c2e465e8dfdfc1c0c472e0a34a7614d796294af
SHA256 b6f2e008967c5527337448d768f2332d14b92de22a1279fd4d91000bb3d4a0fd
SHA512 affc87ddf6c2afd4b3f454aaa64b7d793b31a55c895edda4b4d1e84e94230fdd0b99afae6453631a1d8557fa15cb2219195b2aa489430791b8f11188ca843212
ssdeep 192:inExx4fb7zjtIfXO0WwZAVZLEyh3iwVAVdnO2QymtFtZkwcH7jaXcYk1LnS0:inXf43yhMVdnO22FtCV7WFk1S0
Entropy 7.662753
Path C:\Windows\system32\Drivers\<two-random-characters>dr.sys
Antivirus
Avira TR/HermeticWiper.A
Bitdefender Trojan.HermeticWiper.C
Cyren W64/HermeticWiper.A.gen!Eldorado
Emsisoft Trojan.HermeticWiper.C (B)
IKARUS Virus.Wiper.Hermetic
Lavasoft Trojan.HermeticWiper.C
McAfee Trojan-HermeticWiper
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
b6f2e00896... Contained_Within 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
b6f2e00896... Contained_Within 06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397
b6f2e00896... Contained_Within 3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767
b6f2e00896... Contained_Within 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
b6f2e00896... Related_To 23ef301ddba39bb00f0819d2061c9c14d17dc30f780a945920a51bc3ba0198a4
b6f2e00896... Contained_Within 2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf
Description

This SZDD compressed file is embedded within the resource section of 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591, 06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397, 2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf, 3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767 and 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da.

Relationship Summary

1bc44eef75... Contains e5f3ef69a534260e899a36cec459440dc572388defd8f1d98760d31c700f42d5
1bc44eef75... Contains b6f2e008967c5527337448d768f2332d14b92de22a1279fd4d91000bb3d4a0fd
1bc44eef75... Contains b01e0c6ac0b8bcde145ab7b68cf246deea9402fa7ea3aede7105f7051fe240c1
1bc44eef75... Contains fd7eacc2f87aceac865b0aa97a50503d44b799f27737e009f91f3c281233c17d
06086c1da4... Contains e5f3ef69a534260e899a36cec459440dc572388defd8f1d98760d31c700f42d5
06086c1da4... Contains b6f2e008967c5527337448d768f2332d14b92de22a1279fd4d91000bb3d4a0fd
06086c1da4... Contains b01e0c6ac0b8bcde145ab7b68cf246deea9402fa7ea3aede7105f7051fe240c1
06086c1da4... Contains fd7eacc2f87aceac865b0aa97a50503d44b799f27737e009f91f3c281233c17d
2c10b2ec0b... Contains e5f3ef69a534260e899a36cec459440dc572388defd8f1d98760d31c700f42d5
2c10b2ec0b... Contains b6f2e008967c5527337448d768f2332d14b92de22a1279fd4d91000bb3d4a0fd
2c10b2ec0b... Contains b01e0c6ac0b8bcde145ab7b68cf246deea9402fa7ea3aede7105f7051fe240c1
2c10b2ec0b... Contains fd7eacc2f87aceac865b0aa97a50503d44b799f27737e009f91f3c281233c17d
3c55772795... Contains e5f3ef69a534260e899a36cec459440dc572388defd8f1d98760d31c700f42d5
3c55772795... Contains b6f2e008967c5527337448d768f2332d14b92de22a1279fd4d91000bb3d4a0fd
3c55772795... Contains b01e0c6ac0b8bcde145ab7b68cf246deea9402fa7ea3aede7105f7051fe240c1
3c55772795... Contains fd7eacc2f87aceac865b0aa97a50503d44b799f27737e009f91f3c281233c17d
0385eeab00... Contains e5f3ef69a534260e899a36cec459440dc572388defd8f1d98760d31c700f42d5
0385eeab00... Contains b6f2e008967c5527337448d768f2332d14b92de22a1279fd4d91000bb3d4a0fd
0385eeab00... Contains b01e0c6ac0b8bcde145ab7b68cf246deea9402fa7ea3aede7105f7051fe240c1
0385eeab00... Contains fd7eacc2f87aceac865b0aa97a50503d44b799f27737e009f91f3c281233c17d
96b7728474... Related_To e5f3ef69a534260e899a36cec459440dc572388defd8f1d98760d31c700f42d5
8c614cf476... Related_To b01e0c6ac0b8bcde145ab7b68cf246deea9402fa7ea3aede7105f7051fe240c1
2c7732da3d... Related_To fd7eacc2f87aceac865b0aa97a50503d44b799f27737e009f91f3c281233c17d
23ef301ddb... Related_To b6f2e008967c5527337448d768f2332d14b92de22a1279fd4d91000bb3d4a0fd
e5f3ef69a5... Contained_Within 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
e5f3ef69a5... Contained_Within 06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397
e5f3ef69a5... Contained_Within 3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767
e5f3ef69a5... Contained_Within 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
e5f3ef69a5... Contained_Within 2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf
e5f3ef69a5... Related_To 96b77284744f8761c4f2558388e0aee2140618b484ff53fa8b222b340d2a9c84
b01e0c6ac0... Contained_Within 06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397
b01e0c6ac0... Contained_Within 3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767
b01e0c6ac0... Contained_Within 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
b01e0c6ac0... Contained_Within 2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf
b01e0c6ac0... Related_To 8c614cf476f871274aa06153224e8f7354bf5e23e6853358591bf35a381fb75b
b01e0c6ac0... Contained_Within 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
fd7eacc2f8... Contained_Within 06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397
fd7eacc2f8... Contained_Within 3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767
fd7eacc2f8... Related_To 2c7732da3dcfc82f60f063f2ec9fa09f9d38d5cfbe80c850ded44de43bdb666d
fd7eacc2f8... Contained_Within 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
fd7eacc2f8... Contained_Within 2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf
fd7eacc2f8... Contained_Within 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
b6f2e00896... Contained_Within 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
b6f2e00896... Contained_Within 06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397
b6f2e00896... Contained_Within 3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767
b6f2e00896... Contained_Within 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
b6f2e00896... Related_To 23ef301ddba39bb00f0819d2061c9c14d17dc30f780a945920a51bc3ba0198a4
b6f2e00896... Contained_Within 2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to CISA at 1-888-282-0870 or CISA Central.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.

Revisions

April 28, 2022: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.