# Analysis of Destructive Malware (WhisperGate) targeting Ukraine

[medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3](https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3)

S2W, January 19, 2022 ([S2W on Medium](https://medium.com/@s2w?source=post_page-----9d5d158f19f3--------------------------------), posted Jan 18, 5 min read)

BLKSMTH | S2W TALON

## Executive Summary

On 2022-01-15, MSTIC (Microsoft Threat Intelligence Center) identified and disclosed a cyberattack targeting Ukrainian organizations with destructive malware, "WhisperGate", that overwrites the Master Boot Record (MBR) and files.

- The actor who conducted this attack is tracked by MSTIC as a new activity cluster and has not yet been attributed to an existing group.
- The actor was confirmed to use a tool for lateral movement and malware execution. Known working paths: `C:\PerfLogs`, `C:\ProgramData`, `C:\`, `C:\temp`

The flow revealed so far consists of three stages:

- Stage1: Overwrites the MBR and destroys all partitions
- Stage2: Downloads Stage3 through a Discord link
- Stage3: Decodes its resources, then executes the file wiper and AdvancedRun.exe

(Figure: Flow chart)

The malware set used in this attack not only overwrites the MBR and leaves a ransom note but also overwrites files without keeping any backup, so the purpose appears to be data destruction rather than financial gain.

As additional samples such as Stage3 are being shared among analysts on Twitter in addition to the two samples currently released by MSTIC, the IoCs and analysis will be updated continuously.

## Detailed Analysis

## Stage1

SHA256: a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92
Creation Time: 2022-01-10 10:37:18
First Submission: 2022-01-16 20:30:19
File Type: Win32 EXE

Stage1 opens the physical disk directly and overwrites the MBR (Master Boot Record) with 0x200 bytes of data hard-coded inside the binary.
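The boot-sector write loop that the rest of this section documents (a 16-byte INT 13h Disk Address Packet, writes starting at LBA#1 and advancing by 0xC7 = 199 after each successful write) is modelled below in Python. This is an added example, not code from the S2W post or from the sample: it parses and builds the DAP layout the post lists, enumerates the sectors a disk of a given size would lose, and checks a 512-byte sector for the embedded ransom-note text. The MBR bytes it uses are constructed, not the real sample.

```python
"""
Model of the Stage1 boot-sector write loop documented in this analysis: a 16-byte
INT 13h Disk Address Packet (DAP), writes starting at LBA#1 and advancing by
0xC7 (199) on every successful write. Added example, not code from the S2W post
or from the sample; it helps answer "which sectors of a disk image did Stage1
touch?" during forensics. The MBR bytes used below are constructed.
"""
import struct

SECTOR_SIZE = 0x200   # the hard-coded MBR image is one 512-byte sector
FIRST_LBA = 1         # writing starts at LBA#1 (LBA 0 holds the MBR itself)
LBA_STRIDE = 0xC7     # 199: increment applied after each successful write
NOTE_MARKER = b"Your hard drive has been corrupted"  # start of the in-MBR ransom note

# DAP layout from the post (little-endian): size, reserved, sector count,
# buffer offset, buffer segment, LBA low 32 bits, LBA high bits (4-byte field)
DAP_FMT = "<BBHHHII"


def build_dap(sectors: int, segment: int, offset: int, lba: int) -> bytes:
    """Build the packet the boot code fills in before an extended write."""
    return struct.pack(DAP_FMT, 16, 0, sectors, offset, segment,
                       lba & 0xFFFFFFFF, (lba >> 32) & 0xFFFF)


def parse_dap(blob: bytes) -> dict:
    """Decode a DAP captured from memory (e.g. at 0x7C72) into its fields."""
    if len(blob) < 16:
        raise ValueError("DAP is 16 bytes")
    size, reserved, sectors, offset, segment, lba_lo, lba_hi = struct.unpack_from(DAP_FMT, blob)
    if size != 16 or reserved != 0:
        raise ValueError("not a well-formed DAP")
    return {
        "sectors": sectors,
        "buffer": (segment, offset),                 # segment:offset, as the post labels it
        "lba": lba_lo | ((lba_hi & 0xFFFF) << 32),   # 48-bit starting LBA
    }


def wiped_lbas(total_sectors: int) -> range:
    """Every LBA the loop overwrites on a disk of total_sectors sectors."""
    return range(FIRST_LBA, total_sectors, LBA_STRIDE)


def is_wiped_lba(lba: int) -> bool:
    """True if a given sector falls on the Stage1 write pattern."""
    return lba >= FIRST_LBA and (lba - FIRST_LBA) % LBA_STRIDE == 0


def wiped_sector_count(total_sectors: int) -> int:
    return len(wiped_lbas(total_sectors))


def has_ransom_note(mbr: bytes) -> bool:
    """Quick MBR check: 512 bytes, boot signature present, note text embedded."""
    return len(mbr) == SECTOR_SIZE and mbr[510:] == b"\x55\xAA" and NOTE_MARKER in mbr


def constructed_mbr() -> bytes:
    """A constructed 512-byte sector that mimics note placement; not the real sample."""
    body = b"\x90" * 0x100 + NOTE_MARKER + b"."
    return body + b"\x00" * (SECTOR_SIZE - 2 - len(body)) + b"\x55\xAA"


if __name__ == "__main__":
    disk_sectors = 20 * 1024 * 1024 // SECTOR_SIZE   # a 20 MB disk image
    print("sectors hit:", wiped_sector_count(disk_sectors))
    print("first hits:", list(wiped_lbas(disk_sectors))[:5])
    print("DAP for LBA 200:", build_dap(1, 0x0000, 0x7E00, 200).hex())
    print("note in constructed MBR:", has_ransom_note(constructed_mbr()))
```

Because the stride is fixed and the loop only advances on success, a sector at LBA `n` is affected exactly when `(n - 1) % 199 == 0`; given an image from a hit machine, `is_wiped_lba` tells you whether a specific sector (for example the first sector of a partition) was one of those the boot code overwrote.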
After the reboot, the overwritten boot code runs: it iterates over every drive on the system and overwrites sectors with fixed data at intervals of 199 LBAs.

(Figure: Overwrites MBR)

The boot code reads the ransom note string stored inside the MBR and prints it on the display.

(Figure: Writes ransom note on the display)

It then starts from the C drive and attempts to destroy each drive by overwriting it with fixed data using the INT 13h Extended Write function.

(Figure: Drive wiper code)

The Disk Address Packet (DAP) the code initializes before writing to disk is laid out as follows (address in memory, offset within the packet, size):

- 0x7C72 (offset 0, size 1): size of packet (16 bytes)
- 0x7C73 (offset 1, size 1): reserved (always 0)
- 0x7C74 (offset 2, size 2): number of sectors to transfer
- 0x7C76 (offset 4, size 4): transfer buffer (segment:offset)
- 0x7C7A (offset 8, size 4): lower 32 bits of the 48-bit starting LBA
- 0x7C7E (offset 12, size 4): upper 16 bits of the 48-bit starting LBA

- Writing starts from LBA#1 of the disk
- When a disk write succeeds, the LBA is increased by 0xC7 (199) and the next write is issued
- When disk access fails, the drive index is incremented and the next disk is tried

(Figure: Overwritten drives)

## Stage2

SHA256: dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
Creation Time: 2022-01-10 14:39:54
First Submission: 2022-01-16 20:31:26
File Type: Win32 EXE

Stage2 performs no malicious action for the first 20 seconds in order to evade AV (anti-virus) scanning. To do this, it runs the following command twice:

Command: `powershell -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==` (decodes to `Start-Sleep -s 10`)

It then downloads an additional file, disguised with a JPG extension, from a Discord link. The downloaded file is stored byte-reversed; once reversed back it is a PE file, which Stage2 loads in memory and runs by invoking its "Ylfwdwgmpilzyaph" method.
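The packaging described here for Stage2 (a byte-reversed PE served as a .jpg, plus a base64/UTF-16LE `-enc` command) and in the Stage3 section that follows (an XOR-encoded resource whose decoded DLL carries a GZIP-compressed AdvancedRun and a reversed, GZIP-compressed Waqybg) can all be undone with a handful of transforms. The Python below is an added example, not code from the S2W post: it decodes the `-enc` command, recognises a PE by its MZ/PE signatures, and tries the reverse / gunzip combinations until a PE appears. The XOR key width is an assumption (the post only says "XOR operation"), recovered here by known plaintext against the `MZ` header, and the sample payload is a constructed stub header rather than a real sample.

```python
"""
Payload-recovery helpers for the packaging described for Stage2 and Stage3 in this
analysis: Stage2 fetches a byte-reversed PE served as a .jpg; Stage3 holds an
XOR-encoded resource whose decoded DLL carries a GZIP-compressed AdvancedRun and a
reversed, GZIP-compressed Waqybg. Added example, not code from the S2W post. The
XOR key width is an assumption (the post only says "XOR operation"), and the
sample PE is a constructed stub header, not a real sample.
"""
import base64
import gzip
import struct
import zlib
from typing import Optional

XOR_KEY_FOR_DEMO = b"\x5a"   # constructed; the sample's real key is not given in the post


def decode_enc_command(b64: str) -> str:
    """powershell -enc takes the base64 of a UTF-16LE string (Stage2's sleep command)."""
    return base64.b64decode(b64).decode("utf-16-le")


def is_pe(blob: bytes) -> bool:
    """MZ header plus an e_lfanew that points at the 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def xor_decode(blob: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (symmetric, so it also encodes)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def guess_xor_key(blob: bytes, known: bytes = b"MZ", keylen: int = 1) -> bytes:
    """Known-plaintext key recovery: the decoded resource is a PE, so it starts with MZ.
    Only keys no longer than the known prefix can be recovered this way."""
    if keylen > len(known):
        raise ValueError("known prefix shorter than key")
    key = bytes(blob[i] ^ known[i] for i in range(keylen))
    if xor_decode(blob[:len(known)], key) != known:
        raise ValueError("known-plaintext check failed")
    return key


def _maybe_gunzip(blob: bytes) -> Optional[bytes]:
    try:
        return gzip.decompress(blob)
    except (OSError, EOFError, zlib.error):   # BadGzipFile is an OSError
        return None


def unwrap(blob: bytes) -> Optional[bytes]:
    """Apply the transforms the post documents (as-is, reversed, gunzip,
    reversed then gunzip) and return the first result that is a PE."""
    for candidate in (blob, blob[::-1], _maybe_gunzip(blob), _maybe_gunzip(blob[::-1])):
        if candidate is not None and is_pe(candidate):
            return candidate
    return None


def stub_pe() -> bytes:
    """Constructed minimal MZ/PE header (not executable) to exercise the helpers."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)     # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew -> 0x40
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 0x20


def sample_forms() -> dict:
    """The stub wrapped the way each stage wraps its payload (constructed)."""
    pe = stub_pe()
    return {
        "stage2_reversed_jpg": pe[::-1],
        "advancedrun_gzip": gzip.compress(pe),
        "waqybg_reversed_gzip": gzip.compress(pe)[::-1],
        "stage3_xor_resource": xor_decode(pe, XOR_KEY_FOR_DEMO),
    }


if __name__ == "__main__":
    print(decode_enc_command("UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA=="))
    for name, blob in sample_forms().items():
        if name == "stage3_xor_resource":
            blob = xor_decode(blob, guess_xor_key(blob))
        print(name, "->", "PE" if unwrap(blob) else "not recovered")
```

Running the real Stage3 requires a .NET runtime to call the "Ylfwdwgmpilzyaph" method; the helpers above stop at recovering the PE bytes, which is what you need to hash them against the IoC list and hand them to a .NET decompiler.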
(Figure: Stage3 payload downloaded via the Discord link)

URL: https[:]//cdn.discordapp[.]com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg

## Stage3 (Tbopbh.jpg)

SHA256 (Tbopbh.jpg): 923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6
SHA256 (Tbopbh.jpg, reversed): 9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d
Creation Time: 2022-01-10 14:39:31
First Submission: 2022-01-16 21:29:58
File Type: Win32 DLL

The downloaded Stage3 is written in C#, like Stage2, and exeinfoPE detects the Eazfuscator obfuscator on it.

(Figure: Detected Eazfuscator)

Stage3 contains three resources. Apart from the resource "78c855a088924e92a7f60d661c3d1845", the use of the remaining two resources has not yet been confirmed; this will be updated later.

(Figure: 3 resources inside Stage3)

Stage3 loads the "78c855a088924e92a7f60d661c3d1845" resource and decodes it with an XOR operation.

(Figure: XOR decoding code)

The decoded data is a DLL file that contains two further resources, "AdvancedRun" and "Waqybg". Stage3 extracts both and decompresses them with GZIP:

- AdvancedRun (GZIP decompressed)
- Waqybg (reversed, then GZIP decompressed)

(Figure: 2 resources in the decoded resource)

1. AdvancedRun: stops the Windows Defender service

Executes "%Temp%\Nmddfrqqrbyjeygggda.vbs", which adds "C:\" as a Defender exclusion folder.

Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath 'C:\'

Stops the Windows Defender service through AdvancedRun.exe and deletes the "C:\ProgramData\Microsoft\Windows Defender" directory.

Command: "C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run

Command: "C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run

2.
Waqybg: overwrites target files

- Overwrites the first 0x100000 bytes (1 MB) of each file with 0xCC
- Renames the file with a random extension

(Figure: Overwrites files)

Target file extensions (106):

```
.MSG .EML .TXT .CSV .RTF .WKS .WK1 .PDF .DWG .JPEG .JPG .DOCM .DOT .DOTM .XLSM .XLSB .XLW .XLT .XLM .XLC .XLTX .XLTM .PPTM .POT .PPS .PPSM .PPSX .HWP .SXI .STI .SLDX .SLDM .BMP .PNG .GIF .RAW .TIF .TIFF .PSD .SVG .CLASS .JAR .SCH .VBS .BAT .CMD .ASM .PAS .CPP .SXM .STD .SXD .ODP .WB2 .SLK .DIF .STC .SXC .ODS .3DM .MAX .3DS .STW .SXW .ODT .PEM .P12 .CSR .CRT .KEY .PFX .DER .OGG .JAVA .INC .INI .PPK .LOG .VDI .VMDK .VHD .MDF .MYI .MYD .FRM .SAV .ODB .DBF .MDB .ACCDB .SQL .SQLITEDB .SQLITE3 .LDF .ARC .BAK .TAR .TGZ .RAR .ZIP .BACKUP .ISO .CONFIG
```

Finally, the wiper uses a ping command as a delay and then deletes itself:

cmd.exe /min /C ping 111.111.111.111 -n 5 -w 10 > Nul & Del /f /q "[Filepath]"

## Appendix

Ransom Note

```
Your hard drive has been corrupted.
In case you want to recover all hard drives
of your organization,
You should pay us $10k via bitcoin wallet
and send message via
tox ID with your organization name.
We will contact you to give further instructions.
```

Related IoCs

- a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 (Stage1)
- dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 (Stage2)
- 923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6 (Stage3, Tbopbh.jpg)
- 9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d (Stage3, Tbopbh.jpg reversed)
- 35FEEFE6BD2B982CB1A5D4C1D094E8665C51752D0A6F7E3CAE546D770C280F3A (Decoded resource "78c855a088924e92a7f60d661c3d1845")
- 29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B (AdvancedRun.exe)
- DB5A204A34969F60FE4A653F51D64EEE024DBF018EDEA334E8B3DF780EDA846F (Nmddfrqqrbyjeygggda.vbs)
- 34CA75A8C190F20B8A7596AFEB255F2228CB2467BD210B2637965B61AC7EA907 (File wiper)
- URL: https[:]//cdn.discordapp[.]com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg
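The three Stage3 commands quoted above (the Defender exclusion added through the VBS, the AdvancedRun-driven `sc stop WinDefend`, and the AdvancedRun-driven `rmdir` of the Defender directory) and the ping-delay self-delete are all visible in process-creation telemetry. The Python below is an added example, not code from the S2W post: it expresses each as a command-line rule of the kind a Sysmon Event ID 1 or EDR detection would use and runs them over constructed events that mirror the quoted commands (the deleted file path is a placeholder, since the post gives only `[Filepath]`). The meaning of AdvancedRun's `/RunAs 8` value is the tool's and is not documented on the page, so that rule only flags that a `/RunAs` mode was requested.

```python
"""
Process-creation detection for the Stage3 AdvancedRun / Defender-tampering commands
and the ping-delay self-delete quoted in this analysis. Added example, not code from
the S2W post: it matches command lines the way a Sysmon Event ID 1 or EDR rule would.
The events below are constructed to mirror the quoted commands; the file path in the
self-delete line is a placeholder. AdvancedRun's "/RunAs 8" value is the tool's own
and not documented on the page, so the rule only flags that /RunAs was used.
"""
import re

RULES = [
    ("defender_exclusion_added",
     re.compile(r"Set-MpPreference\b.*?\bExclusionPath\b", re.I)),
    ("defender_service_stop",
     re.compile(r"\bsc(?:\.exe)?\b.*?\bstop\s+WinDefend\b", re.I)),
    ("defender_dir_delete",
     re.compile(r"\b(?:rmdir|rd|Remove-Item)\b.*?Windows Defender", re.I)),
    ("advancedrun_privileged_exec",
     re.compile(r"AdvancedRun(?:\.exe)?\b.*?/RunAs\s+\d+", re.I)),
    ("ping_delay_self_delete",
     re.compile(r"\bping\s+\S+\s+-n\s+\d+.*?&\s*del\s+/f\s+/q\b", re.I)),
]


def match_rules(command_line: str) -> list:
    """Names of every rule whose pattern appears in the command line (rule order)."""
    return [name for name, rx in RULES if rx.search(command_line)]


def scan(events: list) -> dict:
    """Map event id -> rule names hit, for events that hit at least one rule."""
    hits = {}
    for ev in events:
        names = match_rules(ev.get("CommandLine", ""))
        if names:
            hits[ev["id"]] = names
    return hits


TMP = "C:\\Users\\Administrator\\AppData\\Local\\Temp"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed events mirroring the commands quoted in the post, plus two benign lines.
SAMPLE_EVENTS = [
    {"id": 1, "Image": PS,
     "CommandLine": "\"" + PS + "\" Set-MpPreference -ExclusionPath 'C:\\'"},
    {"id": 2, "Image": TMP + "\\AdvancedRun.exe",
     "CommandLine": "\"" + TMP + "\\AdvancedRun.exe\" /EXEFilename \"C:\\Windows\\System32\\sc.exe\""
                    " /WindowState 0 /CommandLine \"stop WinDefend\" /StartDirectory \"\" /RunAs 8 /Run"},
    {"id": 3, "Image": TMP + "\\AdvancedRun.exe",
     "CommandLine": "\"" + TMP + "\\AdvancedRun.exe\" /EXEFilename \"" + PS + "\" /WindowState 0"
                    " /CommandLine \"rmdir 'C:\\ProgramData\\Microsoft\\Windows Defender' -Recurse\""
                    " /StartDirectory \"\" /RunAs 8 /Run"},
    {"id": 4, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /min /C ping 111.111.111.111 -n 5 -w 10 > Nul & Del /f /q \""
                    + TMP + "\\wiper_placeholder.exe\""},   # placeholder for [Filepath]
    {"id": 5, "Image": "C:\\Windows\\System32\\PING.EXE",
     "CommandLine": "ping 8.8.8.8 -n 1"},                               # benign
    {"id": 6, "Image": PS,
     "CommandLine": "\"" + PS + "\" Get-MpPreference"},                 # benign
]


if __name__ == "__main__":
    for event_id, names in scan(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(names))
```

Events 2 and 3 each trip two rules: the Defender-specific one and the generic AdvancedRun `/RunAs` one, which is worth keeping separate because the same NirSoft utility turns up in other intrusions with different child commands.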
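The Waqybg wiper behaviour above leaves a recognisable footprint: the first 1 MB of each victim file is 0xCC bytes and the file now carries an extra, random extension, so the original extension sits just before it. The Python below is an added example, not code from the S2W post: a triage scanner that walks a directory, reports files whose leading `min(size, 0x100000)` bytes are all 0xCC (reading in chunks so large VMDK/VHD files are not loaded whole), recovers the pre-rename extension, and checks it against the extension list quoted above. Its fixtures are constructed in a temporary directory with fixed "random" extensions for reproducibility; no wiper is run.

```python
"""
Triage helper for the Waqybg wiper behaviour described in this analysis: it
overwrites the first 0x100000 bytes (1 MB) of each target file with 0xCC and
renames the file with a random extension. Added example, not code from the S2W
post; it walks a directory and reports files whose leading bytes are all 0xCC.
Fixtures are constructed in a temporary directory; no wiper is run.
"""
import tempfile
from pathlib import Path
from typing import List

WIPE_LEN = 0x100000
WIPE_BYTE = 0xCC
CHUNK = 1 << 16

# The extensions listed in the post, upper-cased for comparison.
TARGET_EXTENSIONS = set("""
.MSG .EML .TXT .CSV .RTF .WKS .WK1 .PDF .DWG .JPEG .JPG .DOCM .DOT .DOTM .XLSM .XLSB
.XLW .XLT .XLM .XLC .XLTX .XLTM .PPTM .POT .PPS .PPSM .PPSX .HWP .SXI .STI .SLDX .SLDM
.BMP .PNG .GIF .RAW .TIF .TIFF .PSD .SVG .CLASS .JAR .SCH .VBS .BAT .CMD .ASM .PAS .CPP
.SXM .STD .SXD .ODP .WB2 .SLK .DIF .STC .SXC .ODS .3DM .MAX .3DS .STW .SXW .ODT .PEM
.P12 .CSR .CRT .KEY .PFX .DER .OGG .JAVA .INC .INI .PPK .LOG .VDI .VMDK .VHD .MDF .MYI
.MYD .FRM .SAV .ODB .DBF .MDB .ACCDB .SQL .SQLITEDB .SQLITE3 .LDF .ARC .BAK .TAR .TGZ
.RAR .ZIP .BACKUP .ISO .CONFIG
""".split())


def looks_wiped(path: Path, wipe_len: int = WIPE_LEN) -> bool:
    """True if the leading min(size, wipe_len) bytes are all 0xCC.
    Reads in chunks so a multi-GB VMDK does not need to be loaded at once."""
    remaining = min(path.stat().st_size, wipe_len)
    if remaining == 0:
        return False
    with path.open("rb") as fh:
        while remaining:
            chunk = fh.read(min(remaining, CHUNK))
            if not chunk or chunk.count(WIPE_BYTE) != len(chunk):
                return False
            remaining -= len(chunk)
    return True


def original_suffix(path: Path) -> str:
    """The wiper appends a random extension, so the original extension is the
    suffix of the stem (report.pdf.a1b2 -> .PDF)."""
    return Path(path.stem).suffix.upper()


def was_targeted_type(path: Path) -> bool:
    """Does either the recovered or the current extension fall in the wiper's list?"""
    return original_suffix(path) in TARGET_EXTENSIONS or path.suffix.upper() in TARGET_EXTENSIONS


def scan(root) -> List[Path]:
    """All regular files under root that carry the 0xCC overwrite pattern, sorted."""
    return sorted(p for p in Path(root).rglob("*") if p.is_file() and looks_wiped(p))


def make_fixtures(root=None) -> Path:
    """Constructed files: two wiped (renamed with a fixed 'random' extension for
    reproducibility), one partially overwritten, one intact, one empty."""
    root = Path(root or tempfile.mkdtemp(prefix="whispergate_triage_"))
    cc = bytes([WIPE_BYTE])
    (root / "report.pdf.a1b2").write_bytes(cc * 4096)                       # small file, fully wiped
    (root / "disk.vmdk.c3d4").write_bytes(cc * WIPE_LEN + b"VMDK data" * 100)  # only first 1 MB wiped
    (root / "partial.txt").write_bytes(cc * 100 + b"rest of file")           # not the wiper's pattern
    (root / "intact.txt").write_bytes(b"hello from an untouched file\n")
    (root / "empty.log").write_bytes(b"")
    return root


if __name__ == "__main__":
    root = make_fixtures()
    for hit in scan(root):
        print(hit.name, original_suffix(hit), "targeted" if was_targeted_type(hit) else "other")
```

Point `scan()` at a mounted evidence image instead of the fixture directory to list what was destroyed; the recovered extension is what you need to map the damage back to data types (keys and certificates such as `.PEM`, `.PFX` and `.KEY` are on the list, so a hit there also means credential rotation).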