# Analysis of CaddyWiper **nioguard.com/2022/03/analysis-of-caddywiper.html** ## Summary Name: CaddyWiper Discovered in March 2022 Was used in a targeted attack in Ukraine Deployed via Microsoft Active Directory GPO Corrupts files and disk partitions PE32 sample written in C++ Compiled on the same day when it was deployed on targeted systems in Ukraine _by Denis Popov_ ----- ## Introduction [On March 14 2022 ESET research found a new disruptive malware deployed in Ukraine. It](https://twitter.com/ESETresearch/status/1503436420886712321) was called CandyWiper and it is already the third wiper that was found in the Ukrainian systems. The previous ones were WhisperGate and HermeticWiper. As well as the HermeticWiper, CaddyWiper was also deployed via Microsoft Active Directory GPO. ## Technical Details ### Overview The CaddyWiper sample was written in C++ and had compilation timestamp 14-03-2022, which matches with the day when it was deployed in the victim's system. This sample has only 10 functions. ### Execution All code in the sample is obfuscated in an interesting way. All strings are separated by one character. Even function calls are obfuscated in the same way, so malware has only one imported function and library, but others will be imported during execution. ----- CaddyWiper retrieves the machine role in the system using the ‘DsRoleGetPrimaryDomainInformation’ function. If the obtained value is ‘DsRole_RolePrimaryDomainController’, the wiper terminates its execution, if other, then it proceeds. The first folder where CaddyWiper starts its operation is the “C:\Users”. File corruption routine is the ‘sub_6522A0()’ function. ----- During ‘sub_6522A0()’ execution wiper loads and uses next functions: FindFirstFileA FindNextFileA CreateFileA LocalAlloc SetFilePointer WriteFile LocalFree CloseHandle FindClose SetEntriesInAclA AllocateAndInitializeSid SetNamedSecurityInfoA GetCurrentProcess OpenProcessToken ----- FreeSid If the current file is used by another process, CaddyWiper obtains access to it using “SeTakeOwnershipPrivilege”. The first file in the system which CaddyWiper overwrites is ‘C:\Users\desktop.ini’. After overwriting this file the desktop background will be deleted and all shortcuts will be unusable. After corrupting the ‘C:\Users’ folder, malware proceeds and goes to the ‘D:\’ logical drive. If it’s present, malware will corrupt its files in the same way as the previous one. This operation will be repeated for all logical drives from ‘D:\’ to ‘Z:\’. If these drives are missing or file corruption is done, it calls the ‘sub_4011D0()’ function, which will corrupt the disk partition. ----- To perform disk corruption CaddyWiper obtains access to the disk partitions from ‘\.\\\PHYSICALDRIVE9’ to ‘\.\\\PHYSICALDRIVE0’ and performs overwriting the first 1920 bytes of data with ‘0’ using ‘CreateFileW’ and ‘DeviceIoControl’ functions. This operation can be done only if the malware was executed as administrator. Overwriting first 780h(1920 in decimal) bytes ----- After disk partitions are corrupted the machine will be rebooted, but the system won’t be started, instead the “FATAL: INT18: BOOT FAILURE” message will be shown on the screen. ### Obfuscation All function calls and library names are separated in the PE file. Also, malware employs WinAPI calls obfuscation. ----- ## Conclusion CaddyWiper continues the trend of data wipers in Ukraine. It is the third one found. The [previous ones were WhisperGate and HermeticWiper. CaddyWiper doesn’t have any](https://www.nioguard.com/2022/01/analysis-of-whispergate.html) similarities with them, but as well as HermeticWiper, was deployed via Microsoft Active Directory GPO. The analyzed sample has obfuscated strings and API calls. It has two main disruptive functions, one of them corrupts files in the ‘C:\Users’ folder and logical drives from ‘D:\’ to ‘Z:\’, the second one overwrites disk partitions from ‘\.\\\PHYSICALDRIVE9’ to ‘\.\\\PHYSICALDRIVE0’. After the corruption process is done the system will be rebooted, but won’t be started. ## IoCs ### Files File name SHA256 caddy1.exe a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea ### MITRE attack techniques ----- Tactic Technique Defense evasion [T1140 – Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140/) [T1027 – Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027/) Discovery [T1083 – File and Directory Discovery](https://attack.mitre.org/techniques/T1083/) [T1082 - System Information Discovery](https://attack.mitre.org/techniques/T1082/) Impact [T1485 – Data Destruction](https://attack.mitre.org/techniques/T1485/) [T1529 – System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529/) ## References 1. https://www.bleepingcomputer.com/news/security/new-caddywiper-data-wiping malware-hits-ukrainian-networks/ 2. https://www.virustotal.com/gui/file/a294620543334a721a2ae8eaaf9680a0786f4b9a216 d75b55cfd28f39e9430ea/details [3. https://app.any.run/tasks/399165f5-4f4d-417f-93dd-077718d81512/](https://app.any.run/tasks/399165f5-4f4d-417f-93dd-077718d81512/) -----