{
	"id": "45ba2832-1bc1-42f0-a4ca-281c0392a9ab",
	"created_at": "2026-04-06T00:06:37.296949Z",
	"updated_at": "2026-04-10T03:20:34.512103Z",
	"deleted_at": null,
	"sha1_hash": "07ef14e0eef5219bb8e907f0f9abe18da4d44e2c",
	"title": "BiBi Wiper: A Malware Analysis Amidst the Israel-Hamas-ISIS Conflict",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 40625,
	"plain_text": "BiBi Wiper: A Malware Analysis Amidst the Israel-Hamas-ISIS Conflict\r\nArchived: 2026-04-05 22:56:47 UTC\r\nThe wiper collects information about the date and time of the system.\r\nThe wiper execution produces system information related to system paths, processor cores, threads, rounds, and stats.\r\nWhile executing, the wiper renames the files to the .BiBi extension and disrupts the file system.\r\nThe following string appears, which could be indicative of spyware or a keylogger.\r\nAfter gathering information about the disk drives on the system, the malware uses the ‘GetDriveTypeA’ API function to determine the type of each drive, such as removable, CD-ROM, network, etc.\r\nThe malware uses the ‘GetNativeSystemInfo’ API function to determine the processor architecture of the system and whether it is a 32-bit or 64-bit processor.\r\nThen, the wiper takes the number of processors of the system, moves the value to the eax register, and displays the value in the command prompt during the initial execution.\r\nThe malware loads the rstrtmgr.dll DLL file using the LoadLibraryA API function. If the DLL loads successfully, the GetProcAddress function retrieves the address of the DLL’s RmStartSession export.\r\nThe screenshot below demonstrates how the operation in Figure 15 is executed dynamically:\r\nWiper execution via the command line, specifying a specific path:\r\nThe malware uses the ‘Sleep’ API function to delay thread execution. This function is often employed for time-based evasion by adding delays in the code.\r\ncmd.exe /c wmic shadowcopy delete\r\ncmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures\r\ncmd.exe /c bcdedit /set {default} recoveryenabled no\r\nThe commands executed can be viewed from the created cmd processes.\r\nAfter the execution of the commands, the wiper malware begins the corruption action in the file system. The malware begins by utilizing the ‘CreateFileW’ API function to open files. It sets the ‘dwCreationDisposition’ parameter to the value ‘3’, which corresponds to ‘OPEN_EXISTING’. This allows the malware to determine whether the file exists in the file system or not.\r\nhttps://idanmalihi.com/bibi-wiper-a-malware-analysis-amidst-the-israel-hamas-isis-conflict/\r\nPage 1 of 2\n\nThe malware uses the ‘WriteFile’ API function to overwrite data in files in the file system. It handles the files using the ‘hFile’ handle. If the write operation fails, the malware takes action at the ‘loc_140017C5E’ memory location.\r\nThe data in the ‘lpBuffer’ pointer is what the malware writes when it handles a file.\r\nThe wiper malware uses the ‘FindFirstFileExA’ API function to search for files, directories, and sub-directories. The starting point for the search is the path that the threat actor specified during the execution of the wiper, or it defaults to the ‘C:\\Users’ path inside the ‘lpFileName’ pointer.\r\nThen, the malware continues the search with the ‘FindNextFileW’ function.\r\nDuring the corruption of the files in the file system, the wiper changes their extension to ‘.BiBi1’.\r\nYara Rule\r\nDetection\r\nSource: https://idanmalihi.com/bibi-wiper-a-malware-analysis-amidst-the-israel-hamas-isis-conflict/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://idanmalihi.com/bibi-wiper-a-malware-analysis-amidst-the-israel-hamas-isis-conflict/"
	],
	"report_names": [
		"bibi-wiper-a-malware-analysis-amidst-the-israel-hamas-isis-conflict"
	],
	"threat_actors": [],
	"ts_created_at": 1775433997,
	"ts_updated_at": 1775791234,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/07ef14e0eef5219bb8e907f0f9abe18da4d44e2c.pdf",
		"text": "https://archive.orkl.eu/07ef14e0eef5219bb8e907f0f9abe18da4d44e2c.txt",
		"img": "https://archive.orkl.eu/07ef14e0eef5219bb8e907f0f9abe18da4d44e2c.jpg"
	}
}