# WhisperGate :: rxOred's blog

**rxored.github.io/post/analysis/whispergate/whispergate/**

## WhisperGate

2022-01-19

## Table of content⌗

 Introduction⌗

Dozens of Ukranian government sites, including Ministry of foreign affairs, Cabinet of
ministers and security council have been hit by a massive cyber attack.

Microsoft incident response team recently released samples of destructive malware used in
the campaign.

## Samples⌗

[virustotal](https://www.virustotal.com/gui/file/a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92) [filescan.io](https://www.filescan.io/uploads/61e5524c0f8c757253c42839)

## Environment⌗
```
  Windows 10 guest (Virtualbox)
  Windows 10 host

```

-----

## Tools⌗
```
  Die
  IDA
  x32dbg
  bochs

 Analysis⌗

 Behavioral analysis⌗

```
malware needs administrative privileges to be successful.

Malware does not create any network traffic, registry modifications or file modifications

Upon restarting, device will boot into a screen displaying the following ransom note.

## Static analysis⌗

### The pe⌗


-----

According to detect it easy, the file is a 32 bit PE file.

it is compiled and linked using MinGW (GCC 6.3.0) and GNU linker.

die shows entropy as 6.07208, which is high but it also says executable is not packed.

As usual, entropy in the .text section is higher than in the other sections.


-----

strings in the binary are not encrypted. several strings shown in the above diagram gives
hints about malware’s capabilities such as disk corruption.

Also, note that it shows a bitcoin wallet and a tox ID that can be used as signatures.
```
- 1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv
- 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65

```
Executable does not have many imports. There are no APIs related to cryptography
eventhough malware claims to encrypt the files.

### Reversing the pe⌗

IDA shows that PE contains two TLS callbacks. Initially suspected these were for antidebugging purposes but turns out to be no.


-----

first TLS callback starts calling some function pointers if `Reason is` `DLL_THREAD_ATTACH .`

the second TLS callback simply returns if `Reason is something other than`
```
DLL_THREAD_DETACH or DLL_PROCESS_DETACH, suggesting this may be de initializing

```
whatever initialized by the `tlscallback1 .`


-----

start function calls `sub_4011b0 after setting the app type.`
```
sub_4011b0 calls function sub_403b60 that is responsible for main functionality of the

```
malware.


-----

the function copies 2048 bytes at offset `boot_sector_code into the stack.`

offset contains bytes of compiled x86 real mode boot sector code, along with the boot
signature `0x55AA .`


-----

Then it calls `CreateFileW passing` `\\\\.\\PhysicalDrive0 as filename argument.`
returned handle is then passed to `WriteFile along with the stack buffer that contains boot`
sector code. If the call is successful, it will overwrite MBR (master boot record) with a custom
boot sector.

After BIOS has done selecting the boot device it will load overwritten MBR into memory and
the CPU will start executing a parasite bootloader.

Also, note that malware does not encrypt anything.

## Extracting boot sector code⌗

buffer containing boot sector code can be extracted by placing a breakpoint at the address
where it is accessed and using the show in dump feature in x32dbg.

extracted buffer can be then saved as a raw binary file for further analysis.

## Reversing boot sector code⌗


-----

cs segment register is initially initialized to 0x0, it is used to zero out `ax and set up other`
segment registers. then loads the ransom note into `si register.`

Next instruction calls `print_loop, which then calls` `print_char after loading` `al with`
the byte at `si . And it will repeat this operation until` `[si] is null.`
```
print_char uses BIOS interrupts to put a single character into the screen. A BIOS

```
interrupt call is a feature of BIOS that allows bootloaders and early kernels to access BIOS
services such as video memory access and low-level disk access. To use BIOS interrupts,
```
ah register should be initialized to the function number. parameters passed down through

```
registers and similar to x86 syscalls, `int instruction is used to do the software interrupt`
along with the BIOS service number

For instance, in the above image, malware loads Display character function number `0x0e`
into `ah and calls BIOS video service.`

More about BIOS interrupts - [Ralf Brown’s BIOS interrupt list.](http://www.cs.cmu.edu/~ralf/files.html)

After printing the ransom note, the overwritten code jumps into another label


-----

which then jumps to label `corrupt_c`

Two insutrctions after segment register initialization sets word at `0x7c78 to 0x0000 and`
dword at `0x7c76 to` `0x7c82 (‘AAAA’).`

This initializes the DAP (Disk Address Packet) structure. DAP is a structure that should be
initialized in memory in order to use Logical block addressing with interrupt 0x13. This
structure is then should be passed through `si register.`

the layout of the structure
```
  Offset Size  Description
  0  1  size of the packet (16 bytes)
  1  1  always 0
  2  2  number of sectors to transfer (max 127 on some BIOSes)
  4  4  transfer buffer (16 bit segment:16 bit offset) (see note #1)
  8  4  lower 32-bits of 48-bit starting LBA
  12 4  upper 16-bits of 48-bit starting LBA

```
[source osdev](https://wiki.osdev.org/Disk_access_using_the_BIOS_(INT_13h)#LBA_in_Extended_Mode)

before the interrupt call `int 0x13, which is used for low-level disk access,` `ah register is`
initialized to 0x43, BIOS function number for writing sectors to the disk.

following registers are also initialized
```
  al   - 0x0 (close clock write)
  dl   - 0x80 (hard disk)
  si   - 0x7c72 (DAP)

```
The `si register is loaded with address` `0x7c72, which must be the address of disk`
address packet.


-----

A successful BIOS interrupt call will overwrite the first Logical Block Address of the disk with
```
AAAA, corrupting the C drive.

```
The next few instructions check whether an extended write operation is successful or not. if
```
cf is set (error) control flow gets redirected to loc_7c45 (failed), else, to
loc_7c5d (success).

```
if fails, the malware tries to overwrite the next disk drive by incrementing the value that adds
up with 0x80.

Adds 0xc7 (199) to `[0x7c7a], incrementing next LBA to be overwritten by 199.`

The loop is going to continue until the hard disk is completely overwritten by `AAAA s for each`
200 Logical Block Address, entirely corrupting the disk.

## The end⌗

It is clear that financial gain is not the motivation behind this malware. Malware is created to
do the maximum possible damage to the infeected computer.

#Spread Anarchy!


-----