{
	"id": "9f1473a5-7ee5-4b95-a68c-88c7064fcc4e",
	"created_at": "2026-04-06T00:19:42.770435Z",
	"updated_at": "2026-04-10T03:27:18.738008Z",
	"deleted_at": null,
	"sha1_hash": "73b4994edf8f78d4e2eba82eb67cf4315bd21d11",
	"title": "GitHub - knight0x07/BiBi-Windows-Wiper-Analysis: Technical Analysis of Bibi-Windows Wiper Targeting Israeli Organizations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 190184,
	"plain_text": "GitHub - knight0x07/BiBi-Windows-Wiper-Analysis: Technical Analysis of Bibi-Windows Wiper Targeting Israeli Organizations\r\nBy knight0x07\r\nArchived: 2026-04-05 13:42:09 UTC\r\nOn 30th October, the Security Joes Incident Response team discovered a new Linux wiper named \"BiBi-Linux\" Wiper, deployed by a pro-Hamas hacktivist group to destroy their targets' infrastructure. Then, on November 1, 2023, ESET Research tweeted about a Windows version of the BiBi Wiper deployed by BiBiGun, a Hamas-backed hacktivist group that initially debuted during the 2023 Israel-Hamas conflict.\r\nIn this post, we will look at the Windows version of the BiBi Wiper, known as the \"BiBi-Windows Wiper\".\r\nTechnical Analysis\r\nUpon execution, the BiBi-Windows Wiper checks whether any arguments have been passed to it. The argument is the directory to be destroyed: bibi.exe \u003cdirectory_to_destroyed\u003e. If no argument is provided, it performs the following routine to fetch the target drives:\r\nReads the hardcoded path \"C:\\Users\"\r\nGets the currently available disk drives using GetLogicalDrives(), whose return value is a bitmask, then iterates through the 26 drive letters A-Z. It performs a bit test against the retrieved bitmask to determine the accessible drives on the system and appends \":\\\" to the drive letter.\r\nHere it excludes the C drive by checking for i != 2, where 2 is the bitmask position of the C drive.\r\nThen, for each available drive except C, it calls GetDriveTypeA(), which retrieves the drive type. The BiBi-Windows Wiper only targets the following drive types:\r\nDRIVE_FIXED\r\nDRIVE_REMOVABLE\r\nDRIVE_RAMDISK\r\nhttps://github.com/knight0x07/BiBi-Windows-Wiper-Analysis?tab=readme-ov-file\r\nPage 1 of 6\r\nTherefore the BiBi-Windows Wiper targets:\r\nThe hardcoded directory \"C:\\Users\"\r\nAll available drives except the \"C:\" drive\r\nIt then prints the target directories to the console, retrieves the NumberOfProcessors value from GetNativeSystemInfo(), calculates the number of threads based on it, and prints that to the console as well.\r\nNext it creates a new thread which reads the commands, stored in reverse, and then creates a new process using CreateProcessA to execute them. The commands are:\r\ncmd.exe /c bcdedit /set {default} recoveryenabled no - Disables the Windows Recovery Environment\r\ncmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures - Forces the system to boot normally rather than into the Windows Recovery Environment\r\ncmd.exe /c wmic shadowcopy delete - Deletes Volume Shadow Copies using WMIC\r\ncmd.exe /c vssadmin delete shadows /quIet /all - Deletes Volume Shadow Copies using VssAdmin\r\nFurthermore it creates another thread which executes the main wiper routines. The wiper routines perform the following actions.\r\nThe arguments to the wiper function are:\r\nArg1 - Path of the directory to be destroyed (either provided by the operator or retrieved as explained before)\r\nArg2 - Number of threads\r\nIt then enters an infinite loop whose counter is the round number (\"[+] Round %d\\n\"); therefore once the wiper is executed it keeps destroying the data indefinitely!\r\nBased on the number of threads, it creates multiple threads in a loop which execute the main wiper function.\r\nThe BiBi-Windows Wiper excludes files with the \".exe\", \".dll\" and \".sys\" extensions.\r\nWiper Function Analysis\r\nNow let's understand how the BiBi-Windows Wiper destroys the data on the machine.\r\nThe wiper first walks the target directory recursively and retrieves the file size of each target file.\r\nThen it executes the wiper function in a loop against the target files based on the file size, where the second argument to the wiper function is \"0xFF\".\r\nThe wiper function implements the Mersenne Twister pseudorandom number generator algorithm, which generates random numbers as shown below.\r\nThe random number returned by the function sub_140008BF0() is then reduced modulo (%) the value \"0xFF + 1 = 0x100\", and the output (remainder) of the modulus operation is the byte that is written over the target file, byte by byte.\r\nExample below against a file containing the data \"hello\", which is overwritten by these 5 random bytes in a loop:\r\nogfile_val -\u003e rand_num % (hardcoded_val + 1) -\u003e overwrite_val\r\nh - 0xDD9B40A5 % 0x100 -\u003e 0xA5\r\ne - 0x37905317 % 0x100 -\u003e 0x17\r\nl - 0x54B7A20C % 0x100 -\u003e 0x0C\r\nl - 0xDBD10533 % 0x100 -\u003e 0x33\r\no - 0x18ED3C42 % 0x100 -\u003e 0x42\r\nFile overwritten with random bytes - Destroyed!\r\nNow once the data in the file has been overwritten with random bytes and the file is destroyed, the BiBi Wiper renames the file in the following manner:\r\nIt calls the same Mersenne Twister function again, where the hardcoded argument this time is \"0x3D\". Once the random number is generated it performs a modulus with \"0x3E\" and the output (remainder) value is stored in the same manner.\r\nThe output remainder is then multiplied by 2 and the result is used as an index into a wide string, as represented below:\r\nrand_no = twisterfunc()\r\nremainder_output = rand_no % (0x3D + 1)\r\nwide_string = \"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz\"\r\nfilename_byte = wide_string[remainder_output * 2]\r\nThus,\r\nif random num = 0xC6D15D79\r\nmod_out = 0xC6D15D79 % 0x3E =\u003e 0x31\r\noffset = 0x31 × 0x2 = 0x62\r\nso the value at index 0x62 in the wide string becomes one of the characters of the filename. In this case the val\r\nThe same routine is executed 0xA (10) times and all the indexed values are appended together, forming the random file name, e.g. 1wnRvB6teT; then the extension \".BiBi\" (Bibi is a nickname used for Israel's Prime Minister, Benjamin Netanyahu) is added along with the round number at the end, in the following manner:\r\n\u003crand_filename\u003e.BiBi\r\nIn this manner the BiBi-Windows Wiper destroys all the files in the target directories by overwriting their data with random bytes; and because the loop, i.e. the rounds, runs forever, the wiper keeps recursively overwriting the files with random bytes multiple times and never stops, thus destroying the files on the machine completely!\r\nBiBi-Windows Wiper execution showcasing the target directory, CPU cores, threads, round number, stats, and a destroyed file with the .BiBi extension\r\nThanks for reading! - knight0x07\r\nSource: https://github.com/knight0x07/BiBi-Windows-Wiper-Analysis?tab=readme-ov-file",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://github.com/knight0x07/BiBi-Windows-Wiper-Analysis?tab=readme-ov-file"
	],
	"report_names": [
		"BiBi-Windows-Wiper-Analysis?tab=readme-ov-file"
	],
	"threat_actors": [
		{
			"id": "1da809aa-9ae8-4641-807c-032ac827711d",
			"created_at": "2023-12-21T02:00:06.081556Z",
			"updated_at": "2026-04-10T02:00:03.499192Z",
			"deleted_at": null,
			"main_name": "BiBiGun",
			"aliases": [],
			"source_name": "MISPGALAXY:BiBiGun",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434782,
	"ts_updated_at": 1775791638,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/73b4994edf8f78d4e2eba82eb67cf4315bd21d11.pdf",
		"text": "https://archive.orkl.eu/73b4994edf8f78d4e2eba82eb67cf4315bd21d11.txt",
		"img": "https://archive.orkl.eu/73b4994edf8f78d4e2eba82eb67cf4315bd21d11.jpg"
	}
}