Hermetic Wiper Malware
Analysis of the wiper malware used in the Ukrainian cyber attacks
Overview
Sample 1: 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
Sample 2: 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
References
- Sample on Malshare
- J. A. Guerrero-Saade Twitter Thread
- ESET Twitter Thread
- CrowdStrike Blog
- SentinelOne Blog
Backstory
- Wiper binary is signed using a code signing certificate issued to Hermetica Digital Ltd
- Wiper abuses legitimate drivers from the EaseUS Partition Master
- Modifying the CrashControl registry key, setting the CrashDumpEnabled value to 0
- Enumerating PhysicalDrives up to 100 - can you even have 100 drives??
Abused Legit Drivers
The following legit drivers are stored in the resources section of the PE. They are compressed.
- RCDATA_DRV_X64 (mscompress) e5f3ef69a534260e899a36cec459440dc572388defd8f1d98760d31c700f42d5
- RCDATA_DRV_X86 (mscompress) b01e0c6ac0b8bcde145ab7b68cf246deea9402fa7ea3aede7105f7051fe240c1
- RCDATA_DRV_XP_X64 (mscompress) b6f2e008967c5527337448d768f2332d14b92de22a1279fd4d91000bb3d4a0fd
- RCDATA_DRV_XP_X86 (mscompress) fd7eacc2f87aceac865b0aa97a50503d44b799f27737e009f91f3c281233c17d
Reversing Notes
Arg1 is a sleep before reboot (in minutes). Arg2 is a sleep before ??? (in minutes, minus the arg1 sleep).
Grants itself SeBackupPrivilege and SeShutdownPrivilege. Note, SeBackupPrivilege allows file content retrieval, even if the security descriptor on the file might not grant such access.
If the host is Windows Vista or above, one set of drivers (64/32-bit) is used. For XP a different set of drivers (32/64-bit) is used.
Disables crash dumps using the registry value SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled
Possible driver communication via named pipe \\.\EPMNTDRV\0
Writes the driver from the resource to \??\c:\Windows\system32\Drivers as an mscompress file. Then copies and decompresses it to another file with the same name and a .sys file extension. Then grants SeLoadDriverPrivilege to itself and loads the driver.
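As an added example (not part of these notes or the wiper's own code), the following pure-Python decoder handles the SZDD variant of the mscompress (compress.exe) LZSS format in which the drivers above are stored, so the embedded resources can be expanded and hashed without running the sample. It assumes the resources carry the SZDD header (magic SZDD, mode byte 'A'); the sample stream, the file name epmntdrv.sy_ and the restore_name helper are constructed for the demonstration.

```python
import struct

SZDD_MAGIC = b"SZDD\x88\xF0\x27\x33"   # compress.exe 'SZDD' signature
WINDOW_SIZE = 4096                     # LZSS sliding window (power of two)

def szdd_decompress(blob: bytes) -> bytes:
    """Decode a compress.exe 'SZDD' (LZSS) blob into the original file bytes."""
    if blob[:8] != SZDD_MAGIC or blob[8:9] != b"A":
        raise ValueError("not an SZDD (mscompress) blob")
    # header: magic(8) mode(1) missing-last-filename-char(1) uncompressed-size(4, LE)
    expected = struct.unpack_from("<I", blob, 10)[0]
    data, i, out = blob[14:], 0, bytearray()
    window = bytearray(b"\x20" * WINDOW_SIZE)   # window is pre-filled with spaces
    pos = WINDOW_SIZE - 16                       # SZDD starts writing at offset 4080
    while i < len(data) and len(out) < expected:
        control, i = data[i], i + 1              # one flag bit per token, LSB first
        for bit in range(8):
            if len(out) >= expected or i >= len(data):
                break
            if control & (1 << bit):             # set bit: literal byte
                c, i = data[i], i + 1
                window[pos], pos = c, (pos + 1) & (WINDOW_SIZE - 1)
                out.append(c)
            else:                                # clear bit: 12-bit offset, 4-bit length
                if i + 1 >= len(data):
                    break
                a, b, i = data[i], data[i + 1], i + 2
                src = a | ((b & 0xF0) << 4)
                for _ in range((b & 0x0F) + 3):  # length 3..18, copied byte by byte
                    c, src = window[src], (src + 1) & (WINDOW_SIZE - 1)
                    window[pos], pos = c, (pos + 1) & (WINDOW_SIZE - 1)
                    out.append(c)
    if len(out) < expected:
        raise ValueError(f"truncated stream: {len(out)} of {expected} bytes")
    return bytes(out[:expected])

def restore_name(compressed_name: str, blob: bytes) -> str:
    """compress.exe swaps the last filename char for '_' and stores it at header byte 9."""
    return compressed_name[:-1] + chr(blob[9])

# Constructed sample, not a real driver: "EPMNTDRV EPMNTDRV EPMNTDRV" (26 bytes) encoded as
# 8 literals (control 0xFF), then 1 literal plus a 17-byte back-reference (control 0x01).
SAMPLE = (SZDD_MAGIC + b"A" + b"s" + struct.pack("<I", 26)
          + b"\xFF" + b"EPMNTDRV" + b"\x01" + b" " + b"\xF0\xFE")
```

Running szdd_decompress over a dumped RCDATA_DRV_* resource should give a .sys whose SHA-256 can be compared against the driver hashes listed above.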
# Helper: print DWORD fields named by byte offset (d0, d4, ... d40), e.g. for a struct definition
for i in range(0, 41, 4):
    print(f"DWORD d{i};")