$30 off During Our Annual Pro Sale. View Details »

Hermetic Wiper Infographic

Hermetic Wiper Infographic

Thomas Roccia

March 14, 2022

More Decks by Thomas Roccia

Other Decks in Programming


  1. @F
    Thomas Roccia
    Overview of HermeticWiper
    Initial entry point and deployment
    Exchange Server
    Compromised Tomcat Exploit PowerShell for post
    (Wiper Loader)
    Name: Hermetica Digital Ltd
    :Status: Valid
    Issuer: DigiCert EV Code Signing CA (SHA2)
    Valid From: 12:00 AM 04/13/2021
    Valid To: 11:59 PM 04/14/2022
    Valid Usage: Code Signing
    Algorithm: sha256RSA
    Thumbprint: 1AE7556DFACD47D9EFBE79BE974661A5A6D6D923
    Serial Number: 0C48732873AC8CCEBAF8F0E1E8329CEC
    MBR and Partition corruptions
    Bytes overwriting
    Check OS Architecture and drop the resource
    RCDATA Resource MS compress: “empntdrv.sys“
    • DRV_X64: Windows 7+ 6’ bits
    • DRV-X86: Windows 7+ 32 bits
    • DRV_XP_X64: Windows XP 64 bits
    • DRV_XP_X86: Windows XP 32 bits
    Disable VSS Service if enabled
    • Set Registry key SYSTEM\\CurrentControlSet\\Control\CrashControl\
    CrashDumpEnabled = 0 to avoid that no file are written when the
    system terminates abnormally.
    • Delete the service registry key previously created to run the driver:
    • Disables ShowCompColor and ShowInfoTip in all HKEY_USERS
    ShowCompColor = 0
    ShowInfoTip = 0
    Drop the driver into C:\Windows\system32\Drivers\dr.sys
    Load the driver using SeLoadDriverPrivilege
    Run the driver as a service using API OpenSCManagerW(), OpenServiceW(),
    CreateServiceW() and StartServiceW()
    • Creates named pipe \\\\.\\EPMNTDRV\\%u for driver com
    • Get handle from the function DeviceIoControl with IoControlCode
    the device number.
    $LOGFILE log file containing all actions performed on the volume.
    $I30 Windows NTFS Index Attribute
    $ATTRIBUTE_LIST Lists the location of all attribute records that do not fit in
    the MFT record
    $EA Extended the attribute index
    $EA_INFORMATION Extended attribute information
    $SECURITY_DESCRIPTOR Security descriptor stores ACL and SIDs
    $DATA Contains the default file data
    $INDEX_ROOT Used to support folders and other indexes
    $INDEX_ALLOCATION The type name for a Directory Stream. A string for the
    attribute code for index allocation
    $BITMAP A bitmap index for a large directory.
    $REPARSE_POINT Used for volume mount points
    $LOGGED_UTILITY_STREAM Use by the encrypting file system
    Enumerates Windows files, Event Logs and Windows
    Restaure Points
    • “My Documents”, “Desktop”, “AppData”
    • "\\\\?\\C:\\Windows\\System32\\winevt\\Logs")
    • "C:\System Volume Information"
    EaseUS driver
    Get privileges:
    • SeShutdownPrivilege
    • SeBackupPrivilege
    • SeLoadDriverPrivilege
    Get MFT and NTFS Attributes
    Sample Analyzed:
    SHA256: 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
    External Sources:
    Deployment via GPO
    Rev: Version 2

    View Slide