Shamoon the Wiper in details
| Shamoon the Wiper in details | |
|---|---|
| Botnet | Shamoon |
| Malware | |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2012 / 21 Aug 2012 |
| Editor/Conference | Kaspersky Lab |
| Link | https://www.securelist.com/en/blog/208193795/Shamoon_the_Wiper_in_details |
| Author | Dmitry Tarakanov |
| Type | |
Abstract
“We continue to analyse the Shamoon malware. This blog contains information about the internals of the malicious samples involved in this campaign.

Samples nesting

The main executable (dropper) includes 3 resources, each maintains a ciphered program. The cipher is pretty simple – xor by dword. This was mentioned in our first blog-post. Resource PKCS12:112 maintains an encoded executable, xor’ed with key value 0xFB5D7F25. It is saved to disk using a name taken from a hardcoded list in the %WINDIR%\System32 folder during the dropper execution. In turn, this module maintains resource READONE:101 (xor key: 0xF052AF15), a driver decoded and saved to disk as %WINDIR%\System32\Drivers\DRDISK.SYS.”
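The abstract describes the resource cipher as "xor by dword" with the keys 0xFB5D7F25 and 0xF052AF15. The Python below is an added analyst's example, not code from the Kaspersky post or from the malware; it decodes such a blob and, because each decoded resource is a PE file, shows how an analyst can recover an unknown dword key from the `MZ`/`PE\0\0` header structure alone. It assumes the key is applied in little-endian byte order (the layout an x86 32-bit XOR produces in memory) and that a trailing partial dword is XORed with the leading key bytes; both are assumptions, and the sample blob is constructed here rather than taken from a real resource.

```python
"""XOR-by-dword resource decoding and key recovery (added example, constructed data)."""
import struct
from typing import Optional


def _xor_with_key_bytes(data: bytes, key_bytes: bytes, offset: int = 0) -> bytes:
    """XOR data against a 4-byte key stream; offset keeps alignment for slices."""
    return bytes(b ^ key_bytes[(offset + i) % 4] for i, b in enumerate(data))


def xor_dword_decode(data: bytes, key: int, little_endian: bool = True) -> bytes:
    """Decode (or encode, XOR is symmetric) a blob with a repeating 32-bit key.

    Assumption: the key is laid out little-endian in the stream, and a trailing
    partial dword is XORed with the first bytes of the key.
    """
    if not 0 <= key <= 0xFFFFFFFF:
        raise ValueError("key must fit in 32 bits")
    key_bytes = struct.pack("<I" if little_endian else ">I", key)
    return _xor_with_key_bytes(data, key_bytes)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check: DOS 'MZ' stub and a 'PE\\0\\0' signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_dword_key(cipher: bytes, little_endian: bool = True) -> Optional[int]:
    """Recover the XOR dword key of a blob known to decode to a PE file.

    'MZ' fixes the first two key bytes; the other two are brute-forced
    (65536 candidates) and validated against the e_lfanew -> 'PE\\0\\0' link.
    Only the header bytes are decoded per candidate, so this is cheap.
    """
    if len(cipher) < 0x40:
        return None
    k0 = cipher[0] ^ ord("M")
    k1 = cipher[1] ^ ord("Z")
    for rest in range(0x10000):
        key_bytes = bytes([k0, k1, rest & 0xFF, rest >> 8])
        head = _xor_with_key_bytes(cipher[:0x40], key_bytes)
        e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
        if e_lfanew < 0x40 or e_lfanew + 4 > len(cipher):
            continue
        sig = _xor_with_key_bytes(cipher[e_lfanew:e_lfanew + 4], key_bytes, e_lfanew)
        if sig == b"PE\0\0":
            return struct.unpack("<I" if little_endian else ">I", key_bytes)[0]
    return None


def build_sample_pe_stub() -> bytes:
    """Constructed stand-in for a resource's plaintext (not a real executable):
    a DOS header with 'MZ', e_lfanew pointing at 'PE\\0\\0', then a few bytes so
    the total length (81) is not a multiple of 4 and exercises the tail case."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + b"\x4c\x01\x03\x00" + b"payload!" + b"\x00"


# Keys quoted in the abstract for resources PKCS12:112 and READONE:101.
KEY_PKCS12 = 0xFB5D7F25
KEY_READONE = 0xF052AF15


if __name__ == "__main__":
    plain = build_sample_pe_stub()
    enc = xor_dword_decode(plain, KEY_PKCS12)          # what an analyst would carve from the dropper
    print("encoded looks like PE:", looks_like_pe(enc))  # False: header is masked
    print("recovered key: 0x%08X" % recover_dword_key(enc))
    print("decoded looks like PE:", looks_like_pe(xor_dword_decode(enc, KEY_PKCS12)))
```

The recovery routine decodes only the DOS header and the four signature bytes per candidate, so a 64 KiB search finishes quickly even on a large resource; the e_lfanew bound check (`e_lfanew + 4 > len(cipher)`) is what rejects almost every wrong candidate before the signature test.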
Bibtex
```bibtex
@misc{2012BFR1113,
  editor       = {Kaspersky lab},
  author       = {Dmitry Tarakanov},
  title        = {Shamoon the Wiper in details},
  date         = {21},
  month        = Aug,
  year         = {2012},
  howpublished = {\url{https://www.securelist.com/en/blog/208193795/Shamoon_the_Wiper_in_details}},
}
```