{
	"id": "11886cf3-1209-486a-9e05-a1edf13deba3",
	"created_at": "2026-04-06T00:07:13.610361Z",
	"updated_at": "2026-04-10T03:21:37.637145Z",
	"deleted_at": null,
	"sha1_hash": "dfd51bcaf03e002b0c85a0d4048f470aff09e430",
	"title": "Hermetic Wiper Malware Report - CYFIRMA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2787797,
	"plain_text": "Hermetic Wiper Malware Report - CYFIRMA\r\nArchived: 2026-04-05 22:38:09 UTC\r\nPublished On : 2022-04-07\r\nDate: 04-April-22\r\nAuthor: Dilpreet Singh Bajwa (Cyfirma-Malware Research Team)\r\nSuspected Malware: Hermetic Wiper\r\nFunction: Wiper\r\nRisk Score: 8\r\nConfidence Level: High\r\nThreat actor Associations: Unknown – Pro Russian\r\nFirst Seen: Feb 2022\r\nDeCyfir presence: Yes\r\nExecutive Summary:\r\nHermeticWiper was used in one of the early malware attacks against Ukraine during the Russian invasion in February 2022. It is a wiper that destroys data on the victim machine and mainly targeted the infrastructure and defense sectors of Ukraine. It is a tool of destruction: it wipes data from the victim’s disks and then attacks the Master Boot Record (MBR), resulting in complete boot failure and an inoperable system. The research community named it HermeticWiper after the valid code-signing certificate issued to “HERMETICA Digital Ltd” with which the malware is signed. 
To evade detection and gain trust, the malware is signed with a valid certificate, and the files it embeds are legitimate builds of a disk driver from the “EaseUS” data-recovery product, which the authors packed into the malware as compressed resources; the malware loads this driver and uses it to enumerate disks and overwrite the MBR and file-system structures.\r\nhttps://www.cyfirma.com/outofband/hermetic-wiper-malware-report/\r\nPage 1 of 14\n\nHermeticWiper Analysis:\r\nSample Details:\r\nFile Type: Windows PE EXE\r\nArchitecture: 32 Bit\r\nMD5: 84ba0197920fd3e2b7dfa719fee09d2f\r\nSHA256: 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da\r\nSubsystem: GUI\r\nLanguage:\r\nCompilation Time: 28 Dec 2021\r\nDigital Signatures:\r\nFigure 1\r\nThe malware is signed with a valid certificate issued to “Hermetica Digital Ltd” (see Figure 1), which helps it evade detection and gain the trust needed to run as a legitimate application.\r\nEmbedded Files:\r\nThe malware contains four embedded files named DRV_X64, DRV_X86, DRV_XP_X64 and DRV_XP_X86, each starting with the magic bytes “SZDD”, which indicates that the files were compressed with the built-in MS-DOS compress.exe (see Figure 2 and Figure 3).\r\nThe MD5 hashes of the compressed files are:\r\n1. DRV_X64: a952e288a1ead66490b3275a807f52e5\r\n2. DRV_X86: 231b3385ac17e41c5bb1b1fcb59599c4\r\n3. DRV_XP_X64: 095a1678021b034903c85dd5acb447ad\r\n4. DRV_XP_X86: eb845b7a16ed82bd248e395d9852f467\r\nFigure 2\r\nFigure 3\r\nDrivers Information:\r\nOur research team extracted these embedded files and decompressed them. The MD5 hashes of the decompressed files are:\r\n1. Uncompressed DRV_X64: 6106653b08f4f72eeaa7f099e7c408a4\r\n2. Uncompressed DRV_X86: 093cee3b45f0954dce6cb891f6a920f7\r\n3. Uncompressed DRV_XP_X64: bdf30adb4e19aff249e7da26b7f33ead\r\n4. 
Uncompressed DRV_XP_X86: d57f1811d8258d8d277cd9f53657eef9\r\nThe driver names encode the Windows generation (XP or later) and architecture (32- or 64-bit) each build is meant for. All four are legitimate drivers from the “EaseUS” software, signed by “CHENGDU YIWO Tech Development Co., Ltd”, and are used to perform low-level disk operations (see Figure 4). A quick internet search confirms the link between the “EaseUS” disk-recovery product and “CHENGDU YIWO Tech Development Co., Ltd” (see Figure 5).\r\nFigure 4\r\nFigure 5\r\nThe timestamps of the extracted drivers show an old compilation date, August 2008, for all four (see Figure 6), and each carries almost the same debug path:\r\n1. h:\\epm2.0\\01_projectarea\\00_source\\epm2\\mod.windiskaccessdriver\\windiskaccessdriver\\objfre_wlh_amd64\\amd64\\epmntdrv\r\n2. h:\\epm2.0\\01_projectarea\\00_source\\epm2\\mod.windiskaccessdriver\\windiskaccessdriver\\objfre_wlh_x86\\i386\\epmntdrv.pdb\r\n3. h:\\epm2.0\\01_projectarea\\00_source\\epm2\\mod.windiskaccessdriver\\windiskaccessdriver\\objfre_wnet_amd64\\amd64\\epmntdr\r\n4. 
h:\\epm2.0\\01_projectarea\\00_source\\epm2\\mod.windiskaccessdriver\\windiskaccessdriver\\objfre_wxp_x86\\i386\\epmntdrv.pdb\r\nFigure 6\r\nBehaviour:\r\nThe malware parses its command-line arguments and gathers system information (Figure 7).\r\nFigure 7\r\nIt then locates the driver build matching the OS version and architecture it has just determined and deploys it (Figure 8).\r\nFigure 8\r\nDisable WOW64 Redirection:\r\nHermeticWiper is a 32-bit executable. On a 64-bit OS, WOW64 file-system redirection would silently divert its writes to System32 into SysWOW64, so after selecting the driver it disables the redirection; the driver is therefore written to the real System32\\drivers directory, which is where the service it creates later loads it from (see Figure 9).\r\nFigure 9\r\nDisable Crash Dumps:\r\nThe malware opens HKLM\\SYSTEM\\CurrentControlSet\\Control\\CrashControl and disables crash dumps by setting the “CrashDumpEnabled” value to 0, so that Windows writes no memory dump to disk if the system crashes while the wipe is running.\r\n
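As an added example (not part of the CYFIRMA report), the registry changes described in this section and in the Disable Volume Shadow Service and Explorer-settings passages that follow (CrashDumpEnabled set to 0, the VSS service disabled, ShowCompColor and ShowInfoTip set to 0) are turned into detection rules and run over constructed Sysmon RegistryEvent (Value Set) records. The sample events and the process path are made up for the demonstration; the Start = 4 encoding of a disabled service and the DWORD (0x...) rendering of values are standard Windows and Sysmon conventions, and the technique labels are the ones the report itself uses in its MITRE table.

```python
'''Detection logic for the HermeticWiper registry tampering described in this
report, run over constructed Sysmon-style RegistryEvent (Value Set) records.
Added example; not code from the CYFIRMA report.'''

BACKSLASH = chr(92)  # spelled out so that no string literal needs an escape sequence


def win_path(*parts):
    '''Join path components with backslashes, as Windows and Sysmon print them.'''
    return BACKSLASH.join(parts)


def normalize_key(target_object):
    '''Lower-case the key and use forward slashes so rules match any hive spelling.'''
    key = target_object.replace(BACKSLASH, '/').lower()
    return key.replace('hkey_local_machine/', 'hklm/').replace('hkey_current_user/', 'hkcu/')


def parse_dword(details):
    '''Sysmon renders numeric values as DWORD (0x00000004); return the int, or
    None for any other rendering (binary, string, QWORD).'''
    prefix = 'DWORD (0x'
    if details.startswith(prefix) and details.endswith(')'):
        return int(details[len(prefix):-1], 16)
    return None


# (key suffix after normalisation, value that indicates tampering,
#  MITRE technique as mapped in the report, human-readable note)
RULES = [
    ('/control/crashcontrol/crashdumpenabled', 0,
     'T1490 Inhibit System Recovery', 'kernel crash dumps disabled'),
    ('/services/vss/start', 4,
     'T1490 Inhibit System Recovery',
     'Volume Shadow Copy service set to SERVICE_DISABLED (Start = 4)'),
    ('/explorer/advanced/showcompcolor', 0,
     'T1112 Modify Registry', 'Explorer stops colouring compressed/encrypted NTFS files'),
    ('/explorer/advanced/showinfotip', 0,
     'T1112 Modify Registry', 'Explorer info tips switched off'),
]


def detect(events):
    '''Return one finding per event whose key and value both match a rule.

    Events that touch the same keys with other values (for example an
    administrator re-enabling crash dumps) are deliberately left alone.'''
    findings = []
    for event in events:
        key = normalize_key(event['TargetObject'])
        value = parse_dword(event['Details'])
        for suffix, bad_value, technique, note in RULES:
            if key.endswith(suffix) and value == bad_value:
                findings.append({
                    'image': event['Image'],
                    'key': event['TargetObject'],
                    'value': value,
                    'technique': technique,
                    'note': note,
                })
    return findings


# Constructed sample telemetry (not captured data). The process path is hypothetical.
SAMPLE_IMAGE = win_path('C:', 'Users', 'victim', 'Desktop', 'sample.exe')
SAMPLE_EVENTS = [
    {'Image': SAMPLE_IMAGE,
     'TargetObject': win_path('HKLM', 'System', 'CurrentControlSet', 'Control',
                              'CrashControl', 'CrashDumpEnabled'),
     'Details': 'DWORD (0x00000000)'},
    {'Image': SAMPLE_IMAGE,
     'TargetObject': win_path('HKLM', 'System', 'CurrentControlSet', 'Services',
                              'VSS', 'Start'),
     'Details': 'DWORD (0x00000004)'},
    {'Image': SAMPLE_IMAGE,
     'TargetObject': win_path('HKU', 'S-1-5-21-1-2-3-1001', 'Software', 'Microsoft',
                              'Windows', 'CurrentVersion', 'Explorer', 'Advanced',
                              'ShowCompColor'),
     'Details': 'DWORD (0x00000000)'},
    {'Image': SAMPLE_IMAGE,
     'TargetObject': win_path('HKU', 'S-1-5-21-1-2-3-1001', 'Software', 'Microsoft',
                              'Windows', 'CurrentVersion', 'Explorer', 'Advanced',
                              'ShowInfoTip'),
     'Details': 'DWORD (0x00000000)'},
    # Benign: an administrator selecting automatic memory dumps (value 7).
    {'Image': win_path('C:', 'Windows', 'System32', 'SystemPropertiesAdvanced.exe'),
     'TargetObject': win_path('HKLM', 'System', 'CurrentControlSet', 'Control',
                              'CrashControl', 'CrashDumpEnabled'),
     'Details': 'DWORD (0x00000007)'},
    # Benign: VSS left at its default manual start (value 3).
    {'Image': win_path('C:', 'Windows', 'System32', 'services.exe'),
     'TargetObject': win_path('HKLM', 'System', 'CurrentControlSet', 'Services',
                              'VSS', 'Start'),
     'Details': 'DWORD (0x00000003)'},
]

if __name__ == '__main__':
    for finding in detect(SAMPLE_EVENTS):
        print(finding['technique'], '-', finding['note'], '<-', finding['image'])
```

The two benign events at the end of the sample (automatic memory dumps selected by an administrator, and VSS at its default manual start) are there to show that matching on the value as well as the key is what keeps these rules from firing on ordinary administration; all four hits in the sample come from the same process, which is the pivot a responder would take next.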
\r\nFigure 10\r\nDisable Volume Shadow Service:\r\nTo make recovery harder, the Volume Shadow Copy service is stopped and disabled (Figure 11).\r\nFigure 11\r\nDecompressing Drivers:\r\nThe selected driver is then decompressed (Figure 12). The SZDD container produced by compress.exe is an LZSS-derived format that Windows expands through its LZ API; it is not LZMA.\r\nFigure 12\r\nService Started and Configured:\r\nA service is created temporarily to load the driver; the process first adjusts its token privileges so that it is permitted to create the service (Figure 13).\r\nFigure 13\r\nThe service is then created, configured, and started (Figure 14).\r\nFigure 14\r\nThe malware also enables “SeBackupPrivilege”, which lets it open files and volumes with backup semantics, bypassing their access-control lists (Figure 15).\r\nFigure 15\r\nThe malware then fragments the files on disk (the inverse of defragmentation). Before doing so it changes two Explorer settings (Figure 16), most probably so that the user does not notice the changes for as long as possible: “ShowCompColor” displays compressed and encrypted NTFS files in colour and “ShowInfoTip” shows pop-up descriptions for folder and desktop items, and both are switched off.\r\nFigure 16\r\nExcluding Folders:\r\nThe malware excludes the standard Windows folders and leaves the system files in them intact, so that the system stays stable while the rest of the operation runs.\r\nFigure 17\r\nCorrupting Disk:\r\nThe malware overwrites hard-disk data through the installed driver: it opens the \\Device\\EPMNTDRV symbolic link, communicates with the driver via the DeviceIoControl API and passes IOCTL codes that tell the driver which operation to perform (Figure 18).\r\nFigure 18\r\nThe malware iterates through all physical drives through \\\\.\\PhysicalDrive one at a 
time, writing junk data to several locations on each disk to corrupt it. The partitions on each physical disk are then enumerated, their file system is identified as FAT or NTFS, and the malware wipes the file system’s reserved sectors (see Figure 19). Multiple threads are used to carry out these activities (see Figure 20).\r\nFigure 19\r\nFigure 20\r\nIOCTLs Calling:\r\nThe malware works silently in the background, issuing various IOCTLs to retrieve details about the disks (Figure 21).\r\nFigure 21\r\nSystem Inoperable:\r\nOnce the operation completes, the disk is corrupted. On restart the operating system no longer boots and the screen greets the victim with the message “Operating System Missing”, as shown in Figure 22.\r\nFigure 22\r\nConclusion:\r\nWiper campaigns have been an effective tool in attackers’ hands before, and HermeticWiper is one of the latest, deployed in the context of the Russia-Ukraine conflict. The pro-Russian malware authors used it to target organizations in Ukraine. 
The malware is designed to do maximum damage to the victim machine: it corrupts the MBR, corrupts the file system and trashes individual files, leaving the system inoperable.\r\nList of IOCs:\r\nSr No. | Indicator | Type | Remarks\r\n1 | 84ba0197920fd3e2b7dfa719fee09d2f | MD5 | HermeticWiper EXE file\r\n2 | a952e288a1ead66490b3275a807f52e5 | MD5 | DRV_X64, compressed\r\n3 | 6106653b08f4f72eeaa7f099e7c408a4 | MD5 | DRV_X64, decompressed\r\n4 | 231b3385ac17e41c5bb1b1fcb59599c4 | MD5 | DRV_X86, compressed\r\n5 | 093cee3b45f0954dce6cb891f6a920f7 | MD5 | DRV_X86, decompressed\r\n6 | 095a1678021b034903c85dd5acb447ad | MD5 | DRV_XP_X64, compressed\r\n7 | bdf30adb4e19aff249e7da26b7f33ead | MD5 | DRV_XP_X64, decompressed\r\n8 | eb845b7a16ed82bd248e395d9852f467 | MD5 | DRV_XP_X86, compressed\r\n9 | d57f1811d8258d8d277cd9f53657eef9 | MD5 | DRV_XP_X86, decompressed\r\n10 | h:\\epm2.0\\01_projectarea\\00_source\\epm2\\mod.windiskaccessdriver\\windiskaccessdriver\\objfre_wlh_amd64\\amd64\\epmntdrv.pdb | PDB path | DRV_X64\r\n11 | h:\\epm2.0\\01_projectarea\\00_source\\epm2\\mod.windiskaccessdriver\\windiskaccessdriver\\objfre_wlh_x86\\i386\\epmntdrv.pdb | PDB path | DRV_X86\r\n12 | h:\\epm2.0\\01_projectarea\\00_source\\epm2\\mod.windiskaccessdriver\\windiskaccessdriver\\objfre_wnet_amd64\\amd64\\epmntdrv.pdb | PDB path | DRV_XP_X64\r\n13 | h:\\epm2.0\\01_projectarea\\00_source\\epm2\\mod.windiskaccessdriver\\windiskaccessdriver\\objfre_wxp_x86\\i386\\epmntdrv.pdb | PDB path | DRV_XP_X86\r\nMitre Attack Tactics and Techniques: (Based on our analysis)\r\nSr No. 
| Tactic | Technique\r\n1 | Privilege Escalation (TA0004) | T1134 Access Token Manipulation\r\n2 | Discovery (TA0007) | T1082 System Information Discovery; T1083 File and Directory Discovery\r\n3 | Defense Evasion (TA0005) | T1112 Modify Registry\r\n4 | Execution (TA0002) | T1106 Native API\r\n5 | Persistence (TA0003) | T1543.003 Create or Modify System Process: Windows Service\r\n6 | Impact (TA0040) | T1561.003 Disk Wipe: Disk Structure Wipe; T1489 Service Stop; T1490 Inhibit System Recovery; T1529 System Shutdown/Reboot\r\nSource: https://www.cyfirma.com/outofband/hermetic-wiper-malware-report/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.cyfirma.com/outofband/hermetic-wiper-malware-report/"
	],
	"report_names": [
		"hermetic-wiper-malware-report"
	],
	"threat_actors": [],
	"ts_created_at": 1775434033,
	"ts_updated_at": 1775791297,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dfd51bcaf03e002b0c85a0d4048f470aff09e430.pdf",
		"text": "https://archive.orkl.eu/dfd51bcaf03e002b0c85a0d4048f470aff09e430.txt",
		"img": "https://archive.orkl.eu/dfd51bcaf03e002b0c85a0d4048f470aff09e430.jpg"
	}
}