{
	"id": "c6fb071a-e8ef-4b43-87b7-1e836e116db6",
	"created_at": "2026-04-06T01:29:53.823489Z",
	"updated_at": "2026-04-10T13:12:37.163656Z",
	"deleted_at": null,
	"sha1_hash": "eba10b362677a358948698defe00297427595c18",
	"title": "HermeticWiper/FoxBlade Analysis (in-depth)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1799352,
	"plain_text": "HermeticWiper/FoxBlade Analysis (in-depth)\r\nBy Abdallah Elnoty\r\nPublished: 2022-03-04 · Archived: 2026-04-06 00:48:07 UTC\r\nOn February 23, 2022, during the war between Russia and Ukraine, a wiper targeting Ukrainian infrastructure (Windows devices), attributed to Russian Federation forces, was observed; it has since also been seen in the neighbouring countries of Latvia and Lithuania. HermeticWiper renders a system inoperable by corrupting its data and manipulating the MBR, so that the next boot fails. Artifacts in the malware suggest the attack had been planned for several months.\r\nSample Overview\r\nSHA256: 0385EEAB00E946A302B24A91DEA4187C1210597B8E17CD9E2230450F5ECE21DA\r\nThe sample is signed with a code-signing certificate issued to the company ‘Hermetica Digital Ltd’, valid as of April 2021.\r\nGet Privileges\r\nFirst, the malware reads its command-line argument, converts it to an integer, and then reads the infected system's time.\r\nhttps://eln0ty.github.io/malware%20analysis/HermeticWiper/\r\nPage 1 of 15\r\nThe malware opens the access token of the current process and tries to obtain its own executable path. Here is a small trick: if the file name cannot be obtained, the letter c is used by default (the expected one). If the sample has a different name, some bytes of the string get placed somewhere unexpected on the stack, almost certainly leading to a crash later on.\r\nThe call to CharLowerW ensures the comparison is made against a lower-case ‘c’, as can be seen in the screenshot below.\r\nThen LookupPrivilegeValueW is called to resolve SeShutdownPrivilege and SeBackupPrivilege so that they can be enabled on the process token.\r\nDropped payload\r\nThe malware determines whether the system is x64 or x86 (32-bit).\r\nIt then obtains the operating system version (dwMajorVersion and dwMinorVersion) and checks whether it is Windows Vista (6.0) or higher.\r\nBased on this information it drops the matching driver from an RCDATA resource stored in the resource section of the PE file. If the operation fails, the malware terminates.\r\nThe screenshot below is a view from the Resource Hacker tool.\r\nIt then sets CrashDumpEnabled to 0 (the value under HKLM\\SYSTEM\\CurrentControlSet\\Control\\CrashControl) so that Windows does not write a memory dump if it stops unexpectedly.\r\nNext it calls ReadWrite_IO_on_disk (the analysis name for this routine), which performs read and write operations on the disk through the DeviceIoControl API.\r\nThe malware builds the \\Drivers directory path under System32 (creating it if needed) and drops its malicious driver there, so the full path is C:\\Windows\\System32\\Drivers\\EPMNTDRV.sys.\r\nLoading driver as a service\r\nThe malware acquires SeLoadDriverPrivilege, which is required to load a driver as a service.\r\nThe API sequence used to start the driver is: OpenSCManagerW() => OpenServiceW() => CreateServiceW() => StartServiceW()\r\nAfter that the driver service should be up and running.\r\nVSS service disabling\r\nAnother notable capability of the sample is disabling the Volume Shadow Copy service (VSS), to prevent even a partial recovery of files.\r\nWiping Partitions\r\nIn this step the malware tampers with and wipes the disk data, iterating up to 100 times over the \\\\.\\PhysicalDrive objects it can open. 
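Before following the wipe routine further, here is the preparation chain above (driver dropped to System32\\Drivers, kernel-driver service installed, CrashDumpEnabled set to 0, Volume Shadow Copy stopped, raw \\\\.\\PhysicalDrive access) from the defender's side. The Python below is an added example written for this page, not code from the original write-up or from the malware. The events it runs over are constructed, and the flattened field names (EventID, Computer, Image, TargetFilename, TargetObject, Details, Device, ServiceName, ImagePath, ServiceType, ServiceState) as well as the Device value format are assumptions about what a log pipeline has already normalised out of Sysmon and System-log records, so real data must be mapped onto them first.

```python
# Added example for this page (not code from the original write-up): stage-based
# detection of the HermeticWiper preparation chain over normalised Windows events.
# Assumption: a log pipeline has flattened Sysmon / System-log records into dicts
# with the field names used below; SAMPLE_EVENTS are constructed, not captured.

# Indicators taken from the write-up (compared case-insensitively)
DRIVER_PATH = 'c:\\windows\\system32\\drivers\\epmntdrv.sys'
CRASH_DUMP_VALUE = '\\control\\crashcontrol\\crashdumpenabled'
# Raw-device prefixes: the Win32 namespace form and the NT device form (assumed)
RAW_DISK_PREFIXES = ('\\\\.\\physicaldrive', '\\device\\harddisk')


def _lower(event, key):
    '''Fetch a field as a lower-cased string (missing field -> empty string).'''
    return str(event.get(key, '')).lower()


# One predicate per stage of the chain; each takes a single event.
RULES = {
    # Sysmon 11 (FileCreate): driver written to the hard-coded path
    'driver_dropped': lambda e: e.get('EventID') == 11
        and _lower(e, 'TargetFilename') == DRIVER_PATH,
    # System 7045 (service installed): kernel-mode service backed by that driver
    'driver_service_installed': lambda e: e.get('EventID') == 7045
        and _lower(e, 'ServiceType').startswith('kernel')
        and _lower(e, 'ImagePath').endswith('epmntdrv.sys'),
    # Sysmon 13 (RegistryEvent value set): CrashControl CrashDumpEnabled set to 0
    'crash_dumps_disabled': lambda e: e.get('EventID') == 13
        and _lower(e, 'TargetObject').endswith(CRASH_DUMP_VALUE)
        and _lower(e, 'Details') == 'dword (0x00000000)',
    # System 7036 (service state change): Volume Shadow Copy entered the stopped state
    'vss_stopped': lambda e: e.get('EventID') == 7036
        and _lower(e, 'ServiceName') == 'volume shadow copy'
        and _lower(e, 'ServiceState') == 'stopped',
    # Sysmon 9 (RawAccessRead): physical drive or disk device read below the file system
    'raw_disk_access': lambda e: e.get('EventID') == 9
        and _lower(e, 'Device').startswith(RAW_DISK_PREFIXES),
}


def evaluate(events, threshold=3):
    '''Return {host: sorted stage names} for hosts where at least `threshold`
    distinct stages fired. Any single stage is routine on its own (disk tools
    install drivers, admins disable crash dumps), so alerting needs several.'''
    stages_by_host = {}
    for event in events:
        host = event.get('Computer', 'unknown')
        for name, matches in RULES.items():
            if matches(event):
                stages_by_host.setdefault(host, set()).add(name)
    return {host: sorted(stages) for host, stages in stages_by_host.items()
            if len(stages) >= threshold}


# Constructed events: the full chain on ws01 and a lone benign-looking change on ws02.
SAMPLE_EVENTS = [
    {'Computer': 'ws01', 'EventID': 13, 'Image': 'C:\\Users\\u\\wiper.exe',
     'TargetObject': 'HKLM\\System\\CurrentControlSet\\Control\\CrashControl\\CrashDumpEnabled',
     'Details': 'DWORD (0x00000000)'},
    {'Computer': 'ws01', 'EventID': 11, 'Image': 'C:\\Users\\u\\wiper.exe',
     'TargetFilename': 'C:\\Windows\\System32\\Drivers\\EPMNTDRV.sys'},
    {'Computer': 'ws01', 'EventID': 7045, 'ServiceName': 'epmntdrv',
     'ImagePath': 'C:\\Windows\\System32\\Drivers\\EPMNTDRV.sys',
     'ServiceType': 'kernel mode driver', 'StartType': 'demand start'},
    {'Computer': 'ws01', 'EventID': 7036, 'ServiceName': 'Volume Shadow Copy',
     'ServiceState': 'stopped'},
    {'Computer': 'ws01', 'EventID': 9, 'Image': 'C:\\Users\\u\\wiper.exe',
     'Device': '\\\\.\\PhysicalDrive0'},
    {'Computer': 'ws02', 'EventID': 13, 'Image': 'C:\\Windows\\regedit.exe',
     'TargetObject': 'HKLM\\System\\CurrentControlSet\\Control\\CrashControl\\CrashDumpEnabled',
     'Details': 'DWORD (0x00000000)'},
]


if __name__ == '__main__':
    for host, stages in evaluate(SAMPLE_EVENTS).items():
        print(host + ': possible wiper activity, stages seen: ' + ', '.join(stages))
```

Run it directly to print the alerting hosts. The threshold is the practitioner's knob: with the default of three stages only ws01 alerts, while the single CrashDumpEnabled change on ws02 stays silent; lowering it to one turns every disk utility that installs a driver into an alert.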
Access is obtained through the DeviceIoControl API: the malware opens each drive and calls DeviceIoControl with the control code 0x70050 (IOCTL_DISK_GET_DRIVE_LAYOUT_EX) to retrieve the drive's partition layout.\r\nIn the alloc_and_read_operations_on_disk function, the malware opens the volume with CreateFileW and issues FSCTL_GET_NTFS_VOLUME_DATA through DeviceIoControl; on an NTFS volume this returns the volume geometry (cluster size and the location of the MFT) used in the later steps.\r\nGlobal Folder Options\r\nThe malware modifies a couple of Explorer GlobalFolderOptions values for extra stealth:\r\nShowCompColor: displays compressed and encrypted NTFS files in colour.\r\nShowInfoTip: shows pop-up descriptions for folder and desktop items.\r\nEncrypting system files\r\nAfter this preparation, the malware calls several functions to enumerate all important data on the disk and corrupt it.\r\nIf the file system is FAT32, the malware overwrites the disk with random data.\r\nAt this point the disk is beyond recovery. Look at the details of the function mw_encrypt_by_overwrite_random_data, which performs the overwrite.\r\nOtherwise, if the file system is NTFS, the malware targets NTFS metadata files such as $Bitmap and $LogFile as well as the Master Boot Record (MBR).\r\nThe so-called overwrite method is brutal and rules out any form of data recovery.\r\nThe same routines are also applied to the Documents, Desktop and AppData directories.\r\nAnti Forensics\r\nThe malware uses anti-forensics techniques to corrupt the event log files and prevent a DFIR team from reconstructing what happened on the disk.\r\nFirst, it opens the log files on the infected system by passing \\\\?\\C:\\Windows\\System32\\winevt\\Logs as the argument, then corrupts them in the same way.\r\nMulti Threading\r\nFinally, I want to draw your attention to the fact that the malware uses multi-threading to make the job efficient and to hurt the victim thoroughly. As usual, the bad guys are dedicated to their work.\r\nAs we see here, WaitForSingleObject with an INFINITE timeout is used to make the malware wait until all encryption threads finish.\r\nConclusion\r\nDuring these last critical hours, real war has been foreshadowed by the proliferation of weapons of cyber sabotage, such as DDoS attacks and wipers like the one just analyzed. Many organizations are shocked and panicked, fall, and lose almost all of their information. This is the first time I have seen such a tragedy. I solved this serious wiper malware and hope to help our community defend against the bad guys. Now we have a completely infected system. We can't get back anything we've lost; just delete everything and start over.\r\nIOCs\r\nName         SHA256\r\nSample hash  0385EEAB00E946A302B24A91DEA4187C1210597B8E17CD9E2230450F5ECE21DA\r\nDRV_X64      E5F3EF69A534260E899A36CEC459440DC572388DEFD8F1D98760D31C700F42D5\r\nDRV_X86      B01E0C6AC0B8BCDE145AB7B68CF246DEEA9402FA7EA3AEDE7105F7051FE240C1\r\nDRV_XP_X64   B6F2E008967C5527337448D768F2332D14B92DE22A1279FD4D91000BB3D4A0FD\r\nDRV_XP_X86   FD7EACC2F87ACEAC865B0AA97A50503D44B799F27737E009F91F3C281233C17D\r\nSource: https://eln0ty.github.io/malware%20analysis/HermeticWiper/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://eln0ty.github.io/malware%20analysis/HermeticWiper/"
	],
	"report_names": [
		"HermeticWiper"
	],
	"threat_actors": [],
	"ts_created_at": 1775438993,
	"ts_updated_at": 1775826757,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eba10b362677a358948698defe00297427595c18.pdf",
		"text": "https://archive.orkl.eu/eba10b362677a358948698defe00297427595c18.txt",
		"img": "https://archive.orkl.eu/eba10b362677a358948698defe00297427595c18.jpg"
	}
}