{
	"id": "421a8076-ebec-42be-93a3-e2039a3ccaaa",
	"created_at": "2026-04-06T00:17:42.58165Z",
	"updated_at": "2026-04-10T03:21:05.314916Z",
	"deleted_at": null,
	"sha1_hash": "cca82183973e6996bd77b91514087654346fb4de",
	"title": "Shamoon 2: Return of the Disttrack Wiper",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 241679,
	"plain_text": "Shamoon 2: Return of the Disttrack Wiper\r\nBy Robert Falcone\r\nPublished: 2016-11-30 · Archived: 2026-04-05 20:12:48 UTC\r\nIn August 2012, an attack campaign known as Shamoon targeted a Saudi Arabian energy company to deliver\r\nmalware called Disttrack. Disttrack is a multipurpose tool that exhibits worm-like behavior by attempting to\r\nspread to other systems on a local network using stolen administrator credentials. More importantly, its claim to\r\nfame is the ability to destroy data and to render infected systems unusable. The attack four years ago resulted in\r\n30,000 or more systems being damaged.\r\nLast week, Unit 42 came across new Disttrack samples that appear to have been used in an updated attack\r\ncampaign. The attack targeted at least one organization in Saudi Arabia, which aligns with the targeting of the\r\ninitial Shamoon attacks. It appears the purpose of the new Disttrack samples was solely focused on destruction,\r\nas the samples were configured with a non-operational C2 server to report to and were set to begin wiping data\r\nexactly on 2016/11/17 20:45. In another similarity to Shamoon, this is the end of the work week in Saudi Arabia\r\n(their work week is from Sunday to Thursday), so the malware had potentially the entire weekend to spread. The\r\n2012 Shamoon attacks took place on Lailat al Qadr, the holiest night of the year for Muslims; another time the\r\nattackers could be reasonably certain employees would not be at work.\r\nComposition of Disttrack\r\nDisttrack comprises three distinct parts: the dropper, communications and wiper components. The main\r\nDisttrack executable is a dropper that extracts additional tools from embedded resources and coordinates when to\r\nsave and execute them. 
Embedded within each Disttrack sample is a component responsible for communicating\r\nwith a C2 server and a separate component used to carry out the wiping functionality.\r\nThe dropper extracts the communications and wiper components from resources named \"PKCS7\" and \"PKCS12\"\r\nrespectively, while the x86 sample extracts the x64 variant of Disttrack from a resource named “X509”. To extract\r\nthe components, the dropper is configured to seek specific offsets within the resource, read a specified number of\r\nbytes and decrypt the contents using a specified key. The key exists in the sample as a base64 encoded string that\r\nthe dropper decodes and then uses each byte of the resulting string to XOR the data obtained from the resource.\r\nWhen determining the location of the ciphertext within the resource, the dropper subtracts 14 from the offset value\r\nin the sample's configuration as an additional layer of obfuscation. Table 1 shows the resources within the\r\nDisttrack x86 sample, the component it contains and the values needed to decrypt its contents.\r\nComponent | Resource Name | Offset | Size | Base64 key\r\nx64 Variant | X509 | 812 - 14 = 798 | 717312 | 5tGLQqku0m02...\r\nCommunications | PKCS7 | 879 - 14 = 865 | 159744 | UPi0IzQOAyiL...\r\nWiper | PKCS12 | 792 - 14 = 778 | 282112 | 3Lmqr/nJgzFZ7...\r\nhttps://unit42.paloaltonetworks.com/unit42-shamoon-2-return-disttrack-wiper/\r\nPage 1 of 9\n\nTable 1 Resources containing Disttrack components\r\nDisttrack Functionality\r\nDisttrack is mainly focused on data destruction and attempting to damage as many systems as possible. To do so,\r\nthis malware attempts to spread to other systems on the network using what are likely stolen administrator credentials.\r\nThis is again similar to the 2012 Shamoon attacks, where compromised but legitimate credentials obtained in\r\nadvance of the attacks were also hard coded into the malware to aid in its propagation. 
Disttrack also has the\r\nability to download and execute additional applications to the system, as well as remotely set the date to start\r\nwiping systems.\r\nLocal Network Spreading\r\nThe Disttrack malware spreads to other systems automatically using stolen credentials. The Disttrack we analyzed\r\ncontained the internal domain names and administrator credentials associated with the targeted organization. The\r\ninternal domain and credentials appear to have been stolen prior to the creation of this tool, as it is not a public domain\r\nand the credentials are not weak enough to have been obtained through guessing, brute force or dictionary attacks.\r\nDisttrack uses the internal domain names and credentials to log into remote systems on the same network\r\nsegment. The malware determines the local network segment associated with the target system (call to\r\ngethostname) by obtaining the IP address for the system (call to gethostbyname). It then uses the system's IP\r\naddress to enumerate the /24 network (x.x.x.0-255) that the system is networked with, and will attempt to spread\r\nto each of these remote systems.\r\nThe dropper then attempts to open the service manager on each remote system to start the RemoteRegistry service,\r\nwhich it will connect to using RegConnectRegistryW. Once connected, the dropper attempts to disable UAC (User\r\nAccount Control) remote restrictions by setting the following registry key to a value of \"1\":\r\nSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy\r\nAfter disabling UAC, the dropper connects to the remote system (using NetUseAdd) and logs in using the\r\nembedded stolen credentials. The dropper then checks to see if it has administrator privileges on the remote\r\nsystem by attempting to open \"\\system32\\csrss.exe\", which allows it to determine if it can write its payload to the\r\n\"\\system32\" folder on the remote system. 
The dropper then has two different methods by which it can pivot to the\r\nremote system.\r\nThe first method involves the dropper writing itself to \"\\system32\\ntssrvr32.exe\" on the remote system. After\r\nwriting itself to the remote system, the dropper creates a service named \"ntssrv\", with a display name of\r\n\"Microsoft Network Realtime Inspection Service\" and a description of \"Helps guard against time change attempts\r\ntargeting known and newly discovered vulnerabilities in network time protocols\" to execute the payload.\r\nThe second, alternative method also involves the dropper copying itself to \"\\system32\\ntssrvr32.exe\" on the\r\nremote system; however, instead of creating a remote service, this method calls the NetScheduleJobAdd function\r\nwithin the Windows netapi32 library to create a scheduled task to run the payload. Scheduled tasks require a time\r\nat which the task will run, which the dropper determines by calling the function NetRemoteTOD to obtain the\r\ntime of day from the remote system. The dropper then adds 90 seconds to the time of day value on the remote\r\nsystem and uses this value as the \"JobTime\" to run the task in three minutes, which executes the payload on the\r\nremote system. 
The following pseudo-code shows the scheduled task creation process:\r\nNetRemoteTOD(UncServerName, \u0026BufferPtr)\r\nNetApiBufferAllocate(0x10u, \u0026AT_INFO)\r\nAT_INFO-\u003eCommand = s_pathToPayload;\r\nAT_INFO-\u003eJobTime = 1000\r\n* (BufferPtr-\u003etod_secs\r\n  + 60 * (BufferPtr-\u003etod_mins + 60 * BufferPtr-\u003etod_hours - BufferPtr-\u003etod_timezone)\r\n  + 90);\r\nAT_INFO-\u003eFlags = JOB_NONINTERACTIVE;\r\nAT_INFO-\u003eDaysOfMonth = 0;\r\nAT_INFO-\u003eDaysOfWeek = 0;\r\nNetScheduleJobAdd(UncServerName, AT_INFO, \u0026v16)\r\nC2 Communications\r\nDisttrack extracts the communication component from its resource named “PKCS7”, decrypts it and saves the\r\nresulting cleartext to the file %WINDOWS%\\system32\\netinit.exe.\r\nThe communication module interacts with its C2 server using HTTP requests. The communications modules in\r\nboth the x86 and x64 variants of Disttrack we analyzed were configured to use “1.1.1.1:8080” for their C2 server,\r\nwhich does not host an operational Disttrack C2 server. The lack of an operational C2 server suggests that the\r\nthreat actors did not desire remote access to infected systems; rather, the actors sought to render them unusable\r\ninstead. If the modules were configured with an operational C2 server, the module would generate an HTTP GET\r\nrequest that resembles the following:\r\nThe interesting part of the request above is that the host \"server\", the URL \"category/page.php\", the parameter\r\n\"shinu\" and the user-agent \"Mozilla/5.0 (MSIE 7.1; Windows NT 6.0)\" are hardcoded into the tool. The data in the\r\n\"shinu\" parameter is a combination of the system's tickcount, local IP address, operating system version, keyboard\r\nlayout and the contents of %WINDOWS%\\inf\\netimm173.pnf. 
The C2 server can respond to this HTTP request\r\nwith one of the following two commands:\r\nCommand | Description\r\nE | Provides an executable to run on the system. The executable is saved to %TEMP%\\Temp\\filer\\\u003ctickcount\u003e.exe\r\nT | Sets the time to start wiping the system, by writing the date to %WINDOWS%\\inf\\usbvideo324.pnf.\r\nWe believe the HTTP host value of \"server\" and the non-operational \"1.1.1.1\" C2 address may suggest that the\r\ncommunication module is created with a builder tool, and that in this case the actor, mistakenly or purposefully, did\r\nnot provide an active C2 server when building this module. While completely speculative, the word “shinu” used\r\nas a parameter could be a reference to the Arabic slang for the word “what”, as well as a reference to a village\r\nname in northwestern Iran.\r\nDisttrack Data Destruction\r\nThe Disttrack dropper is responsible for installing the wiper component of this Trojan; however, it will only\r\nactivate this component if the system time is greater than a preset date. The dropper obtains the date used to activate\r\nthe wiping functionality by reading a specific file, or by using a hardcoded timestamp of \"2016/11/17 20:45\". The file\r\ncontaining this timestamp is named \"\\inf\\usbvideo324.pnf\", which is not initially installed but is provided by the\r\nC2 server if it sends the communications module the \"T\" command. 
The \"usbvideo324.pnf\" file would have the\r\nfollowing structure:\r\nBYTE year;\r\nBYTE month;\r\nBYTE day;\r\nBYTE hour;\r\nBYTE year;\r\nBYTE minute;\r\nIf the dropper determines the system date is later than the specified date, the dropper will extract the wiper\r\ncomponent from a resource named \"PKCS12\" and save it to the \"system32\" folder with one of the following\r\nfilenames appended with a \".exe\" extension:\r\ncaclsrv\r\ncertutl\r\nclean\r\nctrl\r\ndfrag\r\ndnslookup\r\ndvdquery\r\nevent\r\nfindfile\r\ngpget\r\nipsecure\r\niissrv\r\nmsinit\r\nntfrsutil\r\nntdsutl\r\npower\r\nrdsadmin\r\nregsys\r\nsigver\r\nrouteman\r\nrrasrv\r\nsacses\r\nsfmsc\r\nsmbinit\r\nwcscript\r\nntnw\r\nnetx\r\nfsutl\r\nextract\r\nThe dropper then runs the wiper component with a command line argument of \"1\". The wiper component extracts\r\na driver from its resource section and decrypts it with a 226-byte XOR key. The wiper saves the extracted driver to\r\n\"C:\\Windows\\System32\\Drivers\\drdisk.sys\" and installs the kernel driver by creating a service named \"drdisk\"\r\nwith the following command line commands:\r\nsc create drdisk type= kernel start= demand binpath= System32\\Drivers\\drdisk.sys 2\u003e\u00261 \u003enul\r\nsc start drdisk 2\u003e\u00261 \u003enul\r\nThe kernel driver is a commercial product that the attackers are abusing called RawDisk by EldoS Corporation,\r\nwhich provides direct access to files, disks and partitions. It appears that the “drdisk.sys” driver (SHA256:\r\n4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6) is the exact same driver as used in\r\nthe Shamoon attack in 2012. With the kernel driver installed, the wiper can begin writing to protected system\r\nlocations, such as the master boot record (MBR) and partition tables of storage volumes. 
The wiper can be\r\nconfigured to overwrite files in three different ways, specified by a configuration setting of \"F\", \"R\" or \"E\". If\r\nconfigured with the \"F\" setting, the wiper loads a resource named AJKEOA, from which it extracts a JPEG image to use\r\nto overwrite files and partition tables. If the wiper is configured with the \"E\" setting, the wiper will encrypt the\r\ncontents of the file using a random value as a key and the RC4 algorithm. If configured with the \"R\" setting, the\r\nwiper will overwrite files with the random values that would be used as a key in \"E\".\r\nThe sample we analyzed was configured with \"F\", meaning it would overwrite files with an image obtained from\r\nits resource section. The image extracted is a picture of a Syrian boy named Alan Kurdi, whose drowning on\r\nSeptember 2, 2015 received international attention in regard to the ongoing Syrian refugee crisis. The previous\r\nShamoon attack in 2012 used an image of a burning American flag, continuing the political image theme.\r\nFrom a functionality standpoint, the wiper relies on EldoS' RawDisk driver to overwrite files on the system.\r\nDuring this activity, we noticed the wiper changing the system time to August 2012, as the temporary license key\r\nfor the RawDisk driver requires the system time to not exceed the month of August, which is when the temporary\r\nlicense would expire. This modification to the system time was seen in the previous campaign, and the temporary\r\nlicense key within the wiper component is the exact same as the wiper component from the 2012 attacks. 
The wiper\r\nitself queries the following registry keys to obtain a list of partitions to overwrite:\r\nHKLM\\SYSTEM\\CurrentControlSet\\Control\\FirmwareBootDevice\r\nHKLM\\SYSTEM\\CurrentControlSet\\Control\\SystemBootDevice\r\nIn addition to these partitions, the wiper attempts to overwrite files and subfolders within the following folders:\r\nC:\\Documents and Settings\r\nC:\\Users\r\nC:\\Windows\\System32\\Drivers\r\nC:\\Windows\\System32\\Config\\systemprofile\r\nAfter overwriting these files and the partition tables, the wiper issues the following command to restart the\r\nsystem:\r\nThe arguments and switches used in the “shutdown” command above force all running applications to close and\r\ncause the system to reboot (‘-r’) after 2 seconds (‘-t 2’). This command does result in a dialog prompt, seen in\r\nFigure 1, that informs the user that the system is shutting down.\r\nFigure 1 Dialog prompt displayed when the Wiper component runs the 'shutdown' command\r\nWith the partition tables overwritten, the system will no longer be able to properly boot, which renders the system\r\nunusable. During analysis, our analysis system was rendered unusable, as the virtual machine was unable to find\r\nthe operating system during boot up, as seen in Figure 2.\r\nFigure 2 Analysis virtual machine unable to boot after executing Disttrack Wiper\r\nConclusion\r\nAfter a four year hiatus, threat actors likely associated with the Shamoon attack campaign have used their\r\nDisttrack malware to target at least one organization in Saudi Arabia. The current attack campaign has several TTP\r\noverlaps with the original Shamoon campaign, especially from a targeting and timing perspective. 
Also, the Disttrack\r\nmalware used in the recent attacks is very similar to the variant used in the 2012 attacks, and uses the exact\r\nsame RawDisk device driver as well (down to the same temporary license key). The main purpose of the\r\nDisttrack malware is to overwrite files and storage partitions in an attempt to destroy data and render the system\r\nunusable. To maximize its destruction, the Disttrack tool attempts to spread to other systems on the network using\r\nstolen administrator credentials, which suggests that the threat actors had previous access to the network or carried\r\nout successful phishing attacks prior to the attack using Disttrack.\r\nPalo Alto Networks customers are protected from Disttrack:\r\nAll known samples have a malicious verdict in WildFire\r\nAutoFocus customers can monitor Disttrack activity via the Disttrack tag\r\nIndicators of Compromise\r\nSource: https://unit42.paloaltonetworks.com/unit42-shamoon-2-return-disttrack-wiper/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit42-shamoon-2-return-disttrack-wiper/"
	],
	"report_names": [
		"unit42-shamoon-2-return-disttrack-wiper"
	],
	"threat_actors": [],
	"ts_created_at": 1775434662,
	"ts_updated_at": 1775791265,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cca82183973e6996bd77b91514087654346fb4de.pdf",
		"text": "https://archive.orkl.eu/cca82183973e6996bd77b91514087654346fb4de.txt",
		"img": "https://archive.orkl.eu/cca82183973e6996bd77b91514087654346fb4de.jpg"
	}
}