
Win32/Depriz


First posted on 10 December 2016.
Source: Microsoft

Aliases :

There are no other names known for Win32/Depriz.

Explanation :

The dropper carries the other components of the attack encoded in its resource section, disguised as bitmap images. The decryption keys and offsets are hard-coded in the sample.

When decoded, the files are:

  • PKCS12 – Wiper component
  • PKCS7 – Communication module
  • X509 – 64bits variant of this dropper
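The resources described above are typed as bitmaps but hold encoded payloads. A genuine RT_BITMAP resource is a device-independent bitmap whose length follows from its 40-byte BITMAPINFOHEADER, so a resource that fails that arithmetic, or whose "pixel" bytes are close to uniformly random, deserves a closer look. The following check is an added example, not code from the original page or from Microsoft; the resource bytes in it are constructed for the example (a real 4x4 image and three fakes), and the high-entropy threshold of 7.5 bits per byte is an assumption. In practice, feed the function the raw data of each RT_BITMAP entry extracted from the sample.

```python
"""Structural check for resources typed as bitmaps (RT_BITMAP).

Added example, not code from the original page or from Microsoft. A genuine
RT_BITMAP resource is a DIB: a 40-byte BITMAPINFOHEADER, an optional palette
and DWORD-aligned pixel rows whose total length follows from the header. An
encoded payload that merely borrows the resource type rarely passes that
arithmetic, and its bytes look close to uniformly random.
"""
import hashlib
import math
import struct
from typing import Optional

BITMAPINFOHEADER = struct.Struct("<IiiHHIIiiII")  # 40 bytes, little-endian


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted or compressed data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def expected_dib_size(data: bytes) -> Optional[int]:
    """Length a well-formed uncompressed (BI_RGB) DIB with this header must
    have, or None when the header itself is not plausible."""
    if len(data) < BITMAPINFOHEADER.size:
        return None
    size, width, height, planes, bpp, compression, _, _, _, clr_used, _ = \
        BITMAPINFOHEADER.unpack_from(data)
    if size != 40 or planes != 1 or bpp not in (1, 4, 8, 16, 24, 32):
        return None
    if width <= 0 or height == 0 or compression != 0:
        return None
    stride = ((width * bpp + 31) // 32) * 4            # rows are padded to 4 bytes
    palette = (clr_used or (1 << bpp)) * 4 if bpp <= 8 else 0
    return 40 + palette + stride * abs(height)         # negative height = top-down DIB


def classify_bitmap_resource(data: bytes) -> str:
    """'bitmap' for a plausible DIB of the declared size, otherwise a
    'suspicious: ...' string naming the check that failed."""
    expected = expected_dib_size(data)
    if expected is None:
        return "suspicious: header is not a valid BITMAPINFOHEADER"
    if not expected <= len(data) <= expected + 64:     # tolerate a little padding only
        return f"suspicious: size {len(data)} does not match header-implied {expected}"
    entropy = shannon_entropy(data[BITMAPINFOHEADER.size:])
    if entropy > 7.5:                                  # assumed threshold for "looks encrypted"
        return f"suspicious: pixel data entropy {entropy:.2f} bits/byte"
    return "bitmap"


def _pseudo_random(n: int, seed: bytes = b"depriz-example") -> bytes:
    """Deterministic stand-in for encrypted payload bytes (SHA-256 chain)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed samples: a real 4x4 24-bpp DIB (12-byte stride, 48 pixel bytes)
# and three resources that only pretend to be bitmaps.
REAL_DIB = BITMAPINFOHEADER.pack(40, 4, 4, 1, 24, 0, 48, 2835, 2835, 0, 0) + b"\x00\x80\xff" * 16
OVERSIZED_DIB = BITMAPINFOHEADER.pack(40, 4, 4, 1, 24, 0, 48, 0, 0, 0, 0) + _pseudo_random(2048)
HIGH_ENTROPY_DIB = BITMAPINFOHEADER.pack(40, 64, 64, 1, 24, 0, 12288, 0, 0, 0, 0) + _pseudo_random(12288)
NO_HEADER = _pseudo_random(512)

if __name__ == "__main__":
    for label, blob in [("real", REAL_DIB), ("oversized", OVERSIZED_DIB),
                        ("high-entropy", HIGH_ENTROPY_DIB), ("no header", NO_HEADER)]:
        print(f"{label:13s} {classify_bitmap_resource(blob)}")
```

The size check is the strong signal: a real bitmap cannot be much longer than its header implies, whereas a payload hidden behind a borrowed header usually is. The entropy check catches the case where the header was tuned to match the payload length, at the cost of false positives on genuinely noisy images, so treat it as a reason to look, not a verdict.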


We have observed that the dropper contains hard-coded credentials that are used to propagate across the local network.

It first tries to start the Remote Registry service on the PC it is trying to copy itself to, then uses RegConnectRegistryW to connect to that machine's registry.

It then attempts to disable User Account Control remote restrictions by setting the LocalAccountTokenFilterPolicy registry value (under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System) to 1, which lets members of the local Administrators group obtain an unfiltered token over the network. Once the value is modified, it connects to the target system and drops itself in one of the following locations, then persists either as a remote service called “ntssv” or as a scheduled task:
  • \system32\ntssrvr32.exe or
  • \system\ntssrvr64.exe


The dropper installs the wiper component contained in its resource section under “\system32\<name>.exe”, where <name> is drawn from a list embedded in the sample.

During our analysis it used the name “event.exe”, but static analysis shows it can also use several other names, such as:
  • caclsvr
  • caclsrv
  • certutl
  • clean
  • ctrl
  • dfrag
  • dnslookup
  • dvdquery
  • event
  • extract
  • findfile
  • fsutl
  • gpget
  • ipsecure
  • iissrv
  • msinit
  • netinit
  • ntfrsutil
  • ntdsutl
  • ntnw
  • netx
  • power
  • rdsadmin
  • regsys
  • routeman
  • rrasrv
  • sacses
  • sfmsc
  • sigver
  • smbinit
  • wcscript


The wiper component itself also contains encoded files in its resources, again disguised as bitmap images. The first is a driver that it saves under “\system32\drivers\drdisk.sys” and installs by creating a service pointing to it with “sc create” and starting it with “sc start”. This is the exact same driver used in the 2012 attacks, namely the RawDisk driver from Eldos Corporation. It provides raw access to disks and partitions, which lets the wiper write to locations such as the MBR that the normal file APIs protect.

The other encoded resource is an image file, a well-known photograph from the Syrian refugee crisis. The wiper uses that picture to overwrite the boot devices named by the following registry values and the contents of the following folders:

HKLM\System\CurrentControlSet\Control\SystemBootDevice
HKLM\System\CurrentControlSet\Control\FirmwareBootDevice
C:\Windows\System32\Drivers
C:\Windows\System32\Config\systemprofile

as well as typical user folders such as:
  • desktop
  • download
  • document
  • music
  • picture
  • video


We have seen this threat use the following command to force a reboot, after which the system is left in an unusable state:
  • shutdown -r -f -t 2
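The propagation behaviour described earlier (Remote Registry start, LocalAccountTokenFilterPolicy set to 1, the “ntssv” service and ntssrvr32/64 images) and the wiper stage described here (a component with one of the listed names under system32, the drdisk.sys driver service, the forced reboot) can each be expressed as a detection rule and correlated per host. The script below is an added example, not code from the original page or from Microsoft. The event records are constructed for the example and use assumed field names (the shape a normalised Sysmon or System event log feed might have); the driver's service name in the sample “sc create” command line is an assumption, since the page does not give it, so the rule keys on the drdisk.sys path rather than the service name.

```python
"""Per-host triage of Depriz indicators over normalised endpoint events.

Added example, not Microsoft's or the malware's code. Field names, the sample
hosts and the driver service name in the sample data are assumptions.
"""
from collections import defaultdict
import ntpath
from typing import Dict, List, Optional

# Component names the dropper can use under \system32 (from the static analysis above).
WIPER_NAMES = {
    "caclsvr", "caclsrv", "certutl", "clean", "ctrl", "dfrag", "dnslookup",
    "dvdquery", "event", "extract", "findfile", "fsutl", "gpget", "ipsecure",
    "iissrv", "msinit", "netinit", "ntfrsutil", "ntdsutl", "ntnw", "netx",
    "power", "rdsadmin", "regsys", "routeman", "rrasrv", "sacses", "sfmsc",
    "sigver", "smbinit", "wcscript",
}
DROPPER_IMAGES = {"ntssrvr32.exe", "ntssrvr64.exe"}
UAC_FILTER_VALUE = (r"hklm\software\microsoft\windows\currentversion"
                    r"\policies\system\localaccounttokenfilterpolicy")


def _in_system32(path: str) -> bool:
    return ntpath.dirname(path).lower().endswith("system32")


def match_event(ev: dict) -> Optional[str]:
    """Return a stage label if the event matches a Depriz behaviour, else None."""
    kind = ev.get("event")
    if kind == "service_state":
        if ev.get("service", "").lower() == "remoteregistry" and ev.get("state") == "running":
            return "lateral: Remote Registry service started"
    elif kind == "registry_set":
        if ev.get("path", "").lower() == UAC_FILTER_VALUE and ev.get("value") == 1:
            return "lateral: LocalAccountTokenFilterPolicy set to 1"
    elif kind == "service_install":
        image = ntpath.basename(ev.get("image", "")).lower()
        if ev.get("service", "").lower() == "ntssv" or image in DROPPER_IMAGES:
            return "lateral: ntssv service / ntssrvr dropper installed"
    elif kind == "process_create":
        image = ev.get("image", "")
        name, ext = ntpath.splitext(ntpath.basename(image).lower())
        args = ev.get("cmdline", "").lower().replace("/", "-").split()
        if ext == ".exe" and name in WIPER_NAMES and _in_system32(image):
            return f"wiper: component {name}.exe launched from system32"
        if name == "sc" and any("drdisk.sys" in a for a in args):
            return "wiper: RawDisk driver (drdisk.sys) service created"
        if name == "shutdown" and "-r" in args and "-f" in args:
            return "wiper: forced reboot"
    return None


def triage(events: List[dict]) -> Dict[str, List[str]]:
    """Collect distinct stage hits per host. A host is reported when it shows
    any wiper-stage hit or at least two distinct lateral-movement stages."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for ev in events:
        label = match_event(ev)
        if label and label not in hits[ev["host"]]:
            hits[ev["host"]].append(label)
    report = {}
    for host, labels in hits.items():
        lateral = [l for l in labels if l.startswith("lateral:")]
        wiper = [l for l in labels if l.startswith("wiper:")]
        if wiper or len(lateral) >= 2:
            report[host] = labels
    return report


UAC_PATH = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy"
SAMPLE_EVENTS = [  # constructed for this example; WS01 is infected, WS02 is benign noise
    {"host": "WS01", "event": "service_state", "service": "RemoteRegistry", "state": "running"},
    {"host": "WS01", "event": "registry_set", "path": UAC_PATH, "value": 1},
    {"host": "WS01", "event": "service_install", "service": "ntssv",
     "image": r"C:\Windows\system32\ntssrvr32.exe"},
    {"host": "WS01", "event": "process_create", "image": r"C:\Windows\system32\event.exe",
     "cmdline": "event.exe"},
    {"host": "WS01", "event": "process_create", "image": r"C:\Windows\system32\sc.exe",
     # service name "drdisk" is assumed; the page only names the driver file
     "cmdline": r"sc create drdisk type= kernel binPath= C:\Windows\system32\drivers\drdisk.sys"},
    {"host": "WS01", "event": "process_create", "image": r"C:\Windows\system32\shutdown.exe",
     "cmdline": "shutdown -r -f -t 2"},
    {"host": "WS02", "event": "registry_set", "path": UAC_PATH, "value": 0},
    {"host": "WS02", "event": "process_create", "image": r"C:\Windows\system32\notepad.exe",
     "cmdline": "notepad.exe"},
    {"host": "WS02", "event": "process_create", "image": r"C:\Windows\system32\shutdown.exe",
     "cmdline": "shutdown -s -t 60"},
]

if __name__ == "__main__":
    for host, labels in triage(SAMPLE_EVENTS).items():
        print(host)
        for label in labels:
            print("  ", label)
```

The lateral-movement rules are individually noisy (administrators do start Remote Registry and do set LocalAccountTokenFilterPolicy for remote management), which is why the report requires two of them on the same host before flagging; any wiper-stage hit is reported on its own because none of the listed names is a standard Windows binary and drdisk.sys has no business being installed by a user-mode dropper.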




Analysis by Mathieu Letourneau

Last update 10 December 2016

