{
	"id": "a9351065-8e1a-43dd-8474-ea1ad3998ab0",
	"created_at": "2026-04-06T00:10:13.50305Z",
	"updated_at": "2026-04-10T03:20:24.682862Z",
	"deleted_at": null,
	"sha1_hash": "428c5396cdb0fa908269fbc8728c8e5fbc88996b",
	"title": "Analysis of CaddyWiper, Wiper Targeting Ukraine - Truesec",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 208546,
	"plain_text": "Analysis of CaddyWiper, Wiper Targeting Ukraine - Truesec\r\nBy siteadmin\r\nPublished: 2022-03-15 · Archived: 2026-04-05 20:18:01 UTC\r\nMalware threat report\r\nLeading up to and after the war broke out in Ukraine, many destructive cyber attacks have been conducted to\r\ndisrupt the country’s digital infrastructure. This blog post will analyze the latest malware targeting Ukraine.\r\nMalware Execution\r\nAccording to the Twitter post by ESET the wiper is deployed by group policy to the infected system. Once run, as\r\nadministrator, the system will crash and the following screen will be displayed.\r\nOnce the computer is rebooted it crashes and will not start anymore and prompt that it cannot locate the operating\r\nsystem.\r\nStatic Analysis\r\nInvestigating the time stamp for the sample, it indicates that is compiled on March 14, 2022, showing that it was\r\ndone just before the attack was conducted.\r\nhttps://www.truesec.com/hub/blog/analysis-of-caddywiper-wiper-targeting-ukraine\r\nPage 1 of 5\n\nLooking at the Import Address table, there is only one function called, DsRoleGetPrimaryDomainInformation,\r\nindicating that there are more functionalities in the malware that are hidden from static tools.\r\nIf the sample is opened in a disassembler, in this case Ghidra, it can be seen that it uses a lot of stack strings for\r\nobfuscation.\r\nTo investigate the stack strings, and reveal what they are hiding, first the tool FLOSS was run on the sample that\r\ngave the following output.\r\nFLOSS static ASCII strings\r\n!This program cannot be run in DOS mode.\r\nRich%\r\n.text\r\n`.rdata\r\n@.reloc\r\nDsRoleGetPrimaryDomainInformation\r\nNETAPI32.dll\r\nFLOSS static Unicode strings\r\njjjjjjjj0040113A\r\njjjjjj\r\nFLOSS decoded 13 strings\r\nC:Users\r\nC:Users*\r\nFindFirstFileA\r\nkernel32.dll\r\nD:\\\r\nD:\\*\r\nWriteFile\r\nadvapi32.dll\r\nSetEntriesInAclA\r\nLookupPrivilegeValueA\r\nDeviceIoControl\r\nCreateFileW\r\nWkernel32.dll\r\nFLOSS extracted 38 stackstrings\r\nC:Users\r\nnetapi32.dll\r\nkernel32.dll\r\nadvapi32.dll\r\nCreateFileA\r\nkernel32.dll\r\nFindFirstFileA\r\nhttps://www.truesec.com/hub/blog/analysis-of-caddywiper-wiper-targeting-ukraine\r\nPage 2 of 5\n\nOpenProcessToken\r\nCreateFileW\r\nAdjustTokenPrivileges\r\nWkernel32.dll\r\nFreeSid\r\nSetEntriesInAclA\r\nAllocateAndInitializeSid\r\nLocalFree\r\nSetFilePointer\r\nLookupPrivilegeValueA\r\nLocalAlloc\r\nLoadLibraryA\r\nGetLastError\r\nadvapi32.dll\r\nFindClose\r\nkernel32.dll\r\nDeviceIoControl\r\nCloseHandle\r\nCloseHandle\r\nkernel32.dll\r\nCloseHandle\r\nSeTakeOwnershipPrivilege\r\nadvapi32.dll\r\n\\.PHYSICALDRIVE9\r\nkernel32.dll\r\nLocalFree\r\nFindNextFileA\r\nGetFileSize\r\nGetCurrentProcess\r\nWriteFile\r\nSetNamedSecurityInfoA\r\nTo give context for the stacked strings the tool CAPA was used to find the different locations in the code where\r\nstacked strings are used.\r\ncontain obfuscated stackstrings (8 matches)\r\nnamespace anti-analysis/obfuscation/string/stackstring\r\nscope basic block\r\nmatches 0x401000\r\n0x40114A\r\n0x4011D0\r\n0x401750\r\n0x401A10\r\n0x402025\r\n0x40215E\r\n0x4022A0\r\nhttps://www.truesec.com/hub/blog/analysis-of-caddywiper-wiper-targeting-ukraine\r\nPage 3 of 5\n\nTo get an overview of the intent of each function in relation to where the different stack strings are used for\r\nobfuscation, API calls and libraries are mapped to every function that CAPA found in the sample.\r\n0x401000 kernel32.dll, advapi32.dll, LoadLibraryA, netapi32.dll\r\n0x40114A netapi32.dll, netapi32.dll\r\n0x4011D0 DeviceIoControl, kernel32.dll, CreateFileW, CloseHandle, \\.PHYSICALDRIVE9\r\n0x401750 advapi32.dll, LookupPrivilegeValueA, AdjustTokenPrivileges, GetLastErrorc\r\n0x401A10 advapi32.dll, SetEntriesInAclA, AllocateAndInitializeSid, SetNamedSecurityInfoA, kernel32.dl\r\n0x402025 SeTakeOwnershipPrivilege, FreeSid, LocalFree, CloseHandle\r\n0x40215E FreeSid, LocalFree, CloseHandle\r\n0x4022A0 FindFirstFileA, kernel32.dll, FindNextFileA, CreateFileA, GetFileSize, LocalAlloc, SetFilePo\r\nExecution Flow\r\nUpon start the wiper uses the API call DsRoleGetPrimaryDomainInformation to check if the computer is the\r\nprimary domain controller by comparing to the hard coded value 0x5, that comes from the struct\r\nDSROLE_MACHINE_ROLE. If it is the primary domain controller it will exit. This is probably done because the\r\nthreat actor is using the domain controller as the source of distribution of the wiper and not to ruin its own\r\nfoothold.\r\nThe next part of the wiper is the file destruction part. It calls the function 0x4022A0 that iterates over the files,\r\nusing the API calls that are resolved from the stack strings, and writes over the first 0xA00000 bytes with zeros.\r\nThen the wiper loops through the alphabet (0x18), starting with D all the way up to Z and then one additional\r\niteration, and applies the data destruction from the function in 0x4022A0 to the files in every partition it finds.\r\nThis is the last iteration and has gone past Z to Z+1.\r\nLastly the wiper loops through a list of open raw access to \\\\.\\PHYSICALDRIVE9 – \\\\.\\PHYSICALDRIVE0 and\r\nwriting to it using IOCTL_DISK_SET_DRIVE_LAYOUT_EX (0x7c054) by using the API DeviceIoControl. By\r\ndoing so it erases the Master Boot Record.\r\nDetection\r\nhttps://www.truesec.com/hub/blog/analysis-of-caddywiper-wiper-targeting-ukraine\r\nPage 4 of 5\n\nSince the wiper is using stack strings for obfuscation of the part that interacts with the disk, that part can be used\r\nas Yara rule for detection.\r\nrule caddy_wiper {\r\n meta:\r\n description = \"Search for caddy wiper\"\r\n author = \"Truesec\"\r\n reference = \"truesec.se\"\r\n date = \"2022-03-14\"\r\n hash1 = \"a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea\"\r\n strings:\r\n $x1 = {c6 45 ?? 5c c6 45 ?? 00 c6 45 ?? 5c c6 45 ?? 00 c6 45 ?? 2e c6 45 ?? 00 c6 45 ?? 5c c6 45 ??\r\n $x2 = {c6 45 ?? 44 c6 45 ?? 65 c6 45 ?? 76 c6 45 ?? 69 c6 45 ?? 63 c6 45 ?? 65 c6 45 ?? 49 c6 45 ??\r\n $a1 = {c6 85 ?? fe ff ff 61 c6 85 ?? fe ff ff 00 c6 85 ?? fe ff ff 64 c6 85 ?? fe ff ff 00 c6 85 ??\r\n $a2 = {c6 85 ?? ff ff ff 41 c6 85 ?? ff ff ff 6c c6 85 ?? ff ff ff 6c c6 85 ?? ff ff ff 6f c6 85 ??\r\n condition:\r\n uint16(0) == 0x5A4D\r\n and any of ($x*)\r\n or all of ($a*) and filesize \u003c 50000\r\n}\r\nStay ahead with cyber insights\r\nNewsletter\r\nStay ahead in cybersecurity! Sign up for Truesec’s newsletter to receive the latest insights, expert tips, and\r\nindustry news directly to your inbox. Join our community of professionals and stay informed about emerging\r\nthreats, best practices, and exclusive updates from Truesec.\r\nSource: https://www.truesec.com/hub/blog/analysis-of-caddywiper-wiper-targeting-ukraine\r\nhttps://www.truesec.com/hub/blog/analysis-of-caddywiper-wiper-targeting-ukraine\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.truesec.com/hub/blog/analysis-of-caddywiper-wiper-targeting-ukraine"
	],
	"report_names": [
		"analysis-of-caddywiper-wiper-targeting-ukraine"
	],
	"threat_actors": [],
	"ts_created_at": 1775434213,
	"ts_updated_at": 1775791224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/428c5396cdb0fa908269fbc8728c8e5fbc88996b.pdf",
		"text": "https://archive.orkl.eu/428c5396cdb0fa908269fbc8728c8e5fbc88996b.txt",
		"img": "https://archive.orkl.eu/428c5396cdb0fa908269fbc8728c8e5fbc88996b.jpg"
	}
}