TL;DR: Blue teamers can detect this by looking for Sysmon new file creation event for a file ending with ‘.sys’ in System32. You can also catch this with Windows event logs for registry value modification — event ID 4657 for SYSTEM\CurrentControlSet\Control\CrashControl.
Cyberwarfare is here, and like it or not, it is going to stay. I’m not going to discuss geopolitics here; I think the place for that is in a pub with your mates, over an ice-cold pint. I was doing exactly that a few hours back, enjoying a couple of cold ones with a few friends of mine in a nearby pub. Once I got home, I checked my email and noticed a new challenge released on our organization’s upskilling platform.
Being curious & competitive and wanting to finish it first, I decided to log in and give it a whirl. Although I’m not a full-time malware analyst, I sometimes have to dabble with Ghidra & Cutter. So, take this with a pinch of salt.
Analysis
Metadata
File type: Win32 EXE
Magic: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
SHA-256: 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
Imphash: fe4a2284122da348258c83ef437fbd7b
Let’s run through the SOP and check the compile-time, compiler, size of the virtual/raw data, strings, imports, exports & the flow real quick.
A brief overview of the strings search output can be seen below.
Lots of interesting observables here. Let’s start with the imports. Curiously, we can see LZ32.dll, which is used for compression. Looking at the references to LZOpenFileW, we can see a ‘.sys’ extension being appended. So it’s a good guess that a compressed file is being decompressed and written to disk with a ‘.sys’ extension, in other words a driver is being extracted and written to the System32 folder.
Checking the resource section in PE-tree reveals these files. Looking at the file magic, we deduce that this is an MS-compressed file (SZDD magic). Extracting it and checking the result on VirusTotal reveals the execution parent, which is EaseUS Partition Master 9.2.1 Professional Edition.exe.
From this we can infer that the wiper is using a genuine utility for accessing the partitions.
Additionally, from the imports, we can see the RegOpenKeyW API being called. Checking the references, we can see that the CrashDumpEnabled value under the registry key SYSTEM\CurrentControlSet\Control\CrashControl is set to 0, disabling crash dumps.
We can also see the RegDeleteKeyW API being used to delete the SYSTEM\CurrentControlSet\services key.
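The two detections from the TL;DR (a ‘.sys’ dropped under System32, and CrashDumpEnabled set to 0 via event ID 4657), run over a handful of constructed Sysmon and Security log records. This is an added example, not code from the original post; the file names, process paths and the field names used are assumptions about how a SIEM would present the parsed events.

```python
import re

# Constructed sample events (not real telemetry), already parsed into dicts the
# way a SIEM presents Sysmon (Event ID 11, FileCreate) and Security (Event ID
# 4657, "A registry value was modified") records.
SAMPLE_EVENTS = [
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 11,
     "Image": "C:\\Users\\demo\\wiper.exe",
     "TargetFilename": "C:\\Windows\\System32\\drivers\\zdpr.sys"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 11,
     "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\demo\\notes.txt"},
    {"Channel": "Security", "EventID": 4657,
     "ProcessName": "C:\\Users\\demo\\wiper.exe",
     "ObjectName": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\CrashControl",
     "ObjectValueName": "CrashDumpEnabled", "OldValue": "7", "NewValue": "0"},
    {"Channel": "Security", "EventID": 4657,   # benign: dumps re-enabled
     "ProcessName": "C:\\Windows\\System32\\svchost.exe",
     "ObjectName": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\CrashControl",
     "ObjectValueName": "CrashDumpEnabled", "OldValue": "0", "NewValue": "7"},
]

# Any .sys created anywhere under System32 (drivers\ subfolder included).
SYS_IN_SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\.*\.sys$", re.I)
# The Security log records the resolved key, so CurrentControlSet normally
# appears as the ControlSetNNN it links to; accept either spelling.
CRASHCONTROL_KEY = re.compile(
    r"\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Control\\CrashControl$", re.I)

def match_driver_drop(ev):
    return (ev.get("EventID") == 11
            and SYS_IN_SYSTEM32.match(ev.get("TargetFilename", "")) is not None)

def match_crashdump_disabled(ev):
    return (ev.get("EventID") == 4657
            and CRASHCONTROL_KEY.search(ev.get("ObjectName", "")) is not None
            and ev.get("ObjectValueName", "").lower() == "crashdumpenabled"
            and ev.get("NewValue", "").strip().lower() in ("0", "0x0"))

def detect(events):
    """Return (rule name, responsible process) for every matching event."""
    hits = []
    for ev in events:
        if match_driver_drop(ev):
            hits.append(("driver_dropped_in_system32", ev.get("Image", "")))
        if match_crashdump_disabled(ev):
            hits.append(("crash_dumps_disabled", ev.get("ProcessName", "")))
    return hits

if __name__ == "__main__":
    for rule, proc in detect(SAMPLE_EVENTS):
        print(f"{rule}: {proc}")
```

Event ID 4657 is only written when object access auditing is enabled and the CrashControl key carries a SACL, so confirm that audit policy is in place before relying on the second rule.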
Although I’d finished answering all the challenge questions by this point, I figured I’d find out how exactly the ‘wipe’ is being performed. Looking at the imports, we can see several MS Crypto API functions being called. For example, we can see CryptGenRandom being called.
From the MSDN docs, we can see that this fills a buffer with cryptographically random bytes, which are probably what the wiper writes over the target data.
This pretty much walks you through the challenges and their answers. This is literally the first time I’ve tried to statically analyze this wiper, so this isn’t a thorough walkthrough. I plan to create part 2 of HermeticWiper analysis after dissecting the executable properly.