{
	"id": "76cfeaa5-ea8d-4032-9a05-c331a6c57ef5",
	"created_at": "2026-04-06T00:08:23.526119Z",
	"updated_at": "2026-04-10T03:20:45.498248Z",
	"deleted_at": null,
	"sha1_hash": "37d22d3a35955aebe405d92c0f677033f17fa027",
	"title": "WhisperGate",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1008227,
	"plain_text": "WhisperGate\r\nPublished: 2022-01-19 · Archived: 2026-04-05 23:03:43 UTC\r\nTable of content⌗\r\n1. Introduction\r\n1. Samples\r\n2. Environment\r\n1. Tools\r\n3. Analysis\r\n1. Behavioral analysis\r\n2. Static analysis\r\n1. The PE\r\n2. Code analysis\r\n3. Extracting boot sector code\r\n4. Reversing boot sector code\r\n4. The end\r\nIntroduction⌗\r\nOn 05.01.2022, Ukrain had to face a massive cyber attack. This attack was able to take down IT infrastructure of\r\nseveral organizations completely.\r\nMicrosoft incident response team recently released samples of malware used in the campaign.\r\nSamples⌗\r\nvirustotal filescan.io\r\nEnvironment⌗\r\n Windows 10 guest (Virtualbox)\r\n Windows 10 host\r\nTools⌗\r\n IDA\r\n x32dbg\r\n bochs\r\nhttps://rxored.github.io/post/analysis/whispergate/whispergate/\r\nPage 1 of 11\n\nAnalysis⌗\r\nBehavioral analysis⌗\r\nmalware needs administrative privileges in order to be successful.\r\nMalware does not create any network traffic, registry modifications or file modifications\r\nUpon restarting, device will boot into a screen displaying the following ransom note.\r\nStatic analysis⌗\r\nThe PE⌗\r\nAccording to detect it easy, the file is a 32 bit PE file.\r\nhttps://rxored.github.io/post/analysis/whispergate/whispergate/\r\nPage 2 of 11\n\nit is compiled and linked using MinGW (GCC 6.3.0) and GNU linker.\r\ndie shows entropy as 6.07208, which is high but it also says executable is not packed.\r\nAs usual, entropy in the .text section is higher than in the other sections.\r\nhttps://rxored.github.io/post/analysis/whispergate/whispergate/\r\nPage 3 of 11\n\nstrings in the binary are not encrypted. 
several strings shown in the above diagram gives hints about malware’s\r\ncapabilities such as disk corruption.\r\nAlso, note that it shows a bitcoin wallet and a tox ID that can be used as signatures.\r\n- 1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv\r\n- 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65\r\nExecutable does not have many imports. There’s no APIs related to cryptography eventhough malware claims to\r\nencrypt the files.\r\nCode analysis⌗\r\nIDA shows that PE contains two TLS callbacks. Initially suspected these were for anti-debugging purposes but\r\nturns out to be no.\r\nhttps://rxored.github.io/post/analysis/whispergate/whispergate/\r\nPage 4 of 11\n\nfirst TLS callback starts calling some function pointers if Reason is DLL_THREAD_ATTACH .\r\nthe second TLS callback simply returns if Reason is something other than DLL_THREAD_DETACH or\r\nDLL_PROCESS_DETACH , suggesting this may be de initializing whatever initialized by the tlscallback1 .\r\nhttps://rxored.github.io/post/analysis/whispergate/whispergate/\r\nPage 5 of 11\n\nstart function calls sub_4011b0 after setting the app type.\r\nsub_4011b0 calls function sub_403b60 that is responsible for main functionality of the malware.\r\nthe function copies 2048 bytes at global offset `` into the stack.\r\nhttps://rxored.github.io/post/analysis/whispergate/whispergate/\r\nPage 6 of 11\n\noffset contains bytes of compiled x86 real mode boot sector code, along with the boot signature 0x55AA .\r\nThen it calls CreateFileW passing \\\\\\\\.\\\\PhysicalDrive0 as filename argument. returned handle is then\r\npassed to WriteFile along with the stack buffer that contains boot sector code. 
If the call is successful, it will\r\noverwrite MBR (master boot record) with a custom boot sector.\r\nAfter BIOS has done selecting the boot device it will load overwritten MBR into memory and the CPU will start\r\nexecuting a parasite bootloader.\r\nAlso, note that malware does not encrypt anything.\r\nhttps://rxored.github.io/post/analysis/whispergate/whispergate/\r\nPage 7 of 11\n\nbuffer containing boot sector code can be extracted by placing a breakpoint at the address where it is accessed and\r\nusing the show in dump feature in x32dbg.\r\nextracted buffer can be then saved as a raw binary file for further analysis.\r\nReversing boot sector code⌗\r\ncs segment register is initially initialized to 0x0, it is used to zero out ax and set up other segment registers. then\r\nloads the ransom note into si register.\r\nhttps://rxored.github.io/post/analysis/whispergate/whispergate/\r\nPage 8 of 11\n\nNext instruction calls print_loop , which then calls print_char after loading al with the byte at si . And it\r\nwill repeat this operation until [si] is null.\r\nprint_char uses BIOS interrupts to put a single character into the screen. A BIOS interrupt call is a feature of\r\nBIOS that allows bootloaders and early kernels to access BIOS services such as video memory access and low-level disk access. To use BIOS interrupts, ah register should be initialized to the function number. 
parameters\r\npassed down through registers and similar to x86 syscalls, int instruction is used to do the software interrupt\r\nalong with the BIOS service number\r\nFor instance, in the above image, malware loads Display character function number 0x0e into ah and calls\r\nBIOS video service.\r\nMore about BIOS interrupts - Ralf Brown’s BIOS interrupt list.\r\nAfter printing the ransom note, the overwritten code jumps into another label\r\nwhich then jumps to label corrupt_c\r\nTwo insutrctions after segment register initialization sets word at 0x7c78 to 0x0000 and dword at 0x7c76 to\r\n0x7c82 (‘AAAA’).\r\nhttps://rxored.github.io/post/analysis/whispergate/whispergate/\r\nPage 9 of 11\n\nThis basically initializes the DAP (Disk Address Packet) structure. DAP is a structure that should be initialized in\r\nmemory in order to use Logical block addressing with interrupt 0x13. This structure is then should be passed\r\nthrough si register.\r\nlayout of the structure\r\n Offset Size Description\r\n 0 1 size of packet (16 bytes)\r\n 1 1 always 0\r\n 2 2 number of sectors to transfer (max 127 on some BIOSes)\r\n 4 4 transfer buffer (16 bit segment:16 bit offset) (see note #1)\r\n 8 4 lower 32-bits of 48-bit starting LBA\r\n 12 4 upper 16-bits of 48-bit starting LBA\r\nbefore the interrupt call int 0x13 , which is used for low-level disk access, ah register is initialized to 0x43,\r\nBIOS function number for writing sectors to the disk.\r\nfollowing registers are also initialized\r\n al - 0x0 (close clock write)\r\n dl - 0x80 (hard disk)\r\n si - 0x7c72 (DAP)\r\nThe si register is loaded with address 0x7c72 , which must be the disk address packet.\r\nThe next few instructions check whether an extended write operation is successful or not. if cf is set (errors)\r\ncontrol flow gets redirected to loc_7c45 , else, to loc_7c5d .\r\nat loc_7c45 , it increments the last element in the byte array by 1 and moves 0x1 to [0x7c7a] . 
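The DAP layout and the corrupt_c write loop of this section (the error branch just described and the success branch that follows), replayed in Python. This is an added example, not code from the write-up or from the sample: the sector bytes are constructed here, the starting LBA of 1 and a per-write sector count equal to the 0xc7 increment are assumptions inferred from the branch arithmetic, and the rule that a write running past the end of the disk fails with cf set stands in for real BIOS behaviour.

```python
import struct

SECTOR = 512
LOAD = 0x7C00                     # the BIOS loads the boot sector here
DAP_OFF = 0x7C72 - LOAD           # DAP at 0x7c72 (si points here before int 0x13)
PATTERN_OFF = 0x7C82 - LOAD       # transfer buffer at 0x7c82, holding the 'AAAA' pattern
DAP_FMT = '<BBHHHII'              # size, reserved, count, buf offset, buf segment, lba low, lba high


def parse_dap(sector, off=DAP_OFF):
    '''Decode the 16-byte Disk Address Packet stored at offset off of a sector image.'''
    size, _rsv, count, buf_off, buf_seg, lba_lo, lba_hi = struct.unpack_from(DAP_FMT, sector, off)
    return {'size': size, 'count': count,
            'buffer': (buf_seg << 4) + buf_off,
            'lba': (lba_hi << 32) | lba_lo}


def build_wiper_sector(count=0xC7, lba=1, pattern=b'AAAA'):
    '''Constructed stand-in for the extracted boot sector (not the real sample):
    only the bytes the write-up describes are filled in, everything else is zero.'''
    sec = bytearray(SECTOR)
    sec[0:4] = bytes.fromhex('b443cd13')          # mov ah,0x43 ; int 0x13  (extended write)
    struct.pack_into(DAP_FMT, sec, DAP_OFF, 16, 0, count, 0x7C82, 0x0000, lba, 0)
    sec[PATTERN_OFF:PATTERN_OFF + 4] = pattern
    sec[510:512] = bytes.fromhex('55aa')           # boot signature
    return bytes(sec)


def looks_like_extended_write(sector):
    '''Quick triage of a sector-0 dump: boot signature plus the mov ah,0x43 / int 0x13 opcodes.'''
    return (sector[510:512] == bytes.fromhex('55aa')
            and bytes.fromhex('b443') in sector
            and bytes.fromhex('cd13') in sector)


def replay_wiper_loop(sector, disk_sectors, attempts):
    '''Replay the corrupt_c loop against an in-memory disk of disk_sectors sectors.
    Each attempt is one int 0x13 AH=0x43 call. Assumption: the BIOS fails (CF=1)
    when the requested range runs past the end of the disk. For illustration the
    whole written range is tagged with the 4-byte pattern; on real hardware the
    buffer beyond 0x7c82 is simply whatever memory follows the boot sector.
    Returns (disk, restarts): disk maps LBA -> pattern, restarts counts error-branch hits.'''
    sec = bytearray(sector)
    disk = {}
    restarts = 0
    for _ in range(attempts):
        dap = parse_dap(sec)
        lba, count = dap['lba'], dap['count']
        pattern = bytes(sec[PATTERN_OFF:PATTERN_OFF + 4])
        if lba + count <= disk_sectors:
            for i in range(count):
                disk[lba + i] = pattern
            # loc_7c5d: add 0xc7 to [0x7c7a], carry into [0x7c7e], clc
            lba += 0xC7
            struct.pack_into('<II', sec, DAP_OFF + 8, lba & 0xFFFFFFFF, lba >> 32)
        else:
            # loc_7c45: bump the last pattern byte, move 1 into [0x7c7a], zero [0x7c7e]
            sec[PATTERN_OFF + 3] = (sec[PATTERN_OFF + 3] + 1) & 0xFF
            struct.pack_into('<II', sec, DAP_OFF + 8, 1, 0)
            restarts += 1
    return disk, restarts


if __name__ == '__main__':
    boot = build_wiper_sector()
    print('extended-write pattern found:', looks_like_extended_write(boot))
    print('DAP:', parse_dap(boot))
    disk, restarts = replay_wiper_loop(boot, disk_sectors=1000, attempts=7)
    print('sectors written:', len(disk), 'restarts:', restarts,
          'sector 1 now holds', disk[1], 'sector 995 holds', disk[995])
```

Against a 1000-sector virtual disk this shows five successful 199-sector writes, a failed sixth call that flips the pattern to 'AAAB' and resets the LBA to 1, and a seventh call that begins the second pass; sector 0, the bootloader itself, is never touched in this model. parse_dap and looks_like_extended_write work unchanged on a real dump of sector 0 taken from a disk image.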
The next instruction zeroes out [0x7c7e], the upper dword of the LBA.\r\nloc_7c5d adds 0xc7 to [0x7c7a] and 0x0 to [0x7c7e], advancing the starting LBA, and clc clears the carry flag.\r\nBoth blocks jump back to corrupt_c.\r\nThe loop continues until the hard disk is completely overwritten with 'AAAA's; once a write fails at the end of the disk, the error branch restarts from LBA 1 with the incremented pattern.\r\nThe end⌗\r\nThis quick analysis report of WhisperGate stage 01 ends here.\r\n#Spread Anarchy!\r\nSource: https://rxored.github.io/post/analysis/whispergate/whispergate/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://rxored.github.io/post/analysis/whispergate/whispergate/"
	],
	"report_names": [
		"whispergate"
	],
	"threat_actors": [],
	"ts_created_at": 1775434103,
	"ts_updated_at": 1775791245,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/37d22d3a35955aebe405d92c0f677033f17fa027.pdf",
		"text": "https://archive.orkl.eu/37d22d3a35955aebe405d92c0f677033f17fa027.txt",
		"img": "https://archive.orkl.eu/37d22d3a35955aebe405d92c0f677033f17fa027.jpg"
	}
}