win.caddywiper

CaddyWiper

aka: KillDisk.NCX

Actor(s): APT28


CaddyWiper is another destructive malware family believed to have been deployed against targets in Ukraine.

CaddyWiper wipes all files under C:\Users and also all files on the available drives from D: to Z: by overwriting their data with NULL bytes. If a target file is larger than 0xA00000 bytes (10MB), only the first 0xA00000 bytes are overwritten.

It also wipes the partition information of the physical drives from \\.\PHYSICALDRIVE9 down to \\.\PHYSICALDRIVE0 by overwriting the first 0x780 bytes of each drive with NULL.

References
2022-12-03MicrosoftCliff Watts
@online{watts:20221203:preparing:139621a, author = {Cliff Watts}, title = {{Preparing for a Russian cyber offensive against Ukraine this winter}}, date = {2022-12-03}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2022/12/03/preparing-russian-cyber-offensive-ukraine/}, language = {English}, urldate = {2022-12-05} } Preparing for a Russian cyber offensive against Ukraine this winter
CaddyWiper HermeticWiper Prestige
2022-09-26CrowdStrikeIoan Iacob, Iulian Madalin Ionita
@online{iacob:20220926:anatomy:248e6ff, author = {Ioan Iacob and Iulian Madalin Ionita}, title = {{The Anatomy of Wiper Malware, Part 3: Input/Output Controls}}, date = {2022-09-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/}, language = {English}, urldate = {2022-09-29} } The Anatomy of Wiper Malware, Part 3: Input/Output Controls
CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper Meteor Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-09-23MandiantMandiant Intelligence
@online{intelligence:20220923:gru:511ea47, author = {Mandiant Intelligence}, title = {{GRU: Rise of the (Telegram) MinIOns}}, date = {2022-09-23}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/gru-rise-telegram-minions}, language = {English}, urldate = {2022-09-26} } GRU: Rise of the (Telegram) MinIOns
ArguePatch CaddyWiper
2022-08-18TrustwavePawel Knapczyk
@online{knapczyk:20220818:overview:a12950c, author = {Pawel Knapczyk}, title = {{Overview of the Cyber Weapons Used in the Ukraine - Russia War}}, date = {2022-08-18}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war}, language = {English}, urldate = {2022-08-22} } Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket
2022-08-18TrustwavePawel Knapczyk
@online{knapczyk:20220818:overview:bf3eca2, author = {Pawel Knapczyk}, title = {{Overview of the Cyber Weapons Used in the Ukraine - Russia War}}, date = {2022-08-18}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/}, language = {English}, urldate = {2022-08-28} } Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket
2022-08-12CrowdStrikeIoan Iacob, Iulian Madalin Ionita
@online{iacob:20220812:anatomy:b13ce32, author = {Ioan Iacob and Iulian Madalin Ionita}, title = {{The Anatomy of Wiper Malware, Part 1: Common Techniques}}, date = {2022-08-12}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/}, language = {English}, urldate = {2022-08-15} } The Anatomy of Wiper Malware, Part 1: Common Techniques
Apostle CaddyWiper DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye KillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-05-02AT&TFernando Martinez
@online{martinez:20220502:analysis:e5d626b, author = {Fernando Martinez}, title = {{Analysis on recent wiper attacks: examples and how wiper malware works}}, date = {2022-05-02}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works}, language = {English}, urldate = {2022-05-04} } Analysis on recent wiper attacks: examples and how wiper malware works
AcidRain CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper
2022-04-28FortinetGergely Revay
@online{revay:20220428:overview:0ac963f, author = {Gergely Revay}, title = {{An Overview of the Increasing Wiper Malware Threat}}, date = {2022-04-28}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat}, language = {English}, urldate = {2022-04-29} } An Overview of the Increasing Wiper Malware Threat
AcidRain CaddyWiper DistTrack DoubleZero EternalPetya HermeticWiper IsaacWiper Olympic Destroyer Ordinypt WhisperGate ZeroCleare
2022-04-27MicrosoftMicrosoft Digital Security Unit (DSU)
@online{dsu:20220427:special:f1a2031, author = {Microsoft Digital Security Unit (DSU)}, title = {{Special Report: Ukraine An overview of Russia’s cyberattack activity in Ukraine}}, date = {2022-04-27}, organization = {Microsoft}, url = {https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd}, language = {English}, urldate = {2022-05-03} } Special Report: Ukraine An overview of Russia’s cyberattack activity in Ukraine
CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate
2022-04-12Max Kersten's BlogMax Kersten
@online{kersten:20220412:ghidra:4afe367, author = {Max Kersten}, title = {{Ghidra script to handle stack strings}}, date = {2022-04-12}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-handle-stack-strings/}, language = {English}, urldate = {2022-04-20} } Ghidra script to handle stack strings
CaddyWiper PlugX
2022-04-12Cert-UACert-UA
@online{certua:20220412:cyberattack:5f28c75, author = {Cert-UA}, title = {{Cyberattack of Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER (CERT-UA # 4435)}}, date = {2022-04-12}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/39518}, language = {Ukrainian}, urldate = {2022-05-25} } Cyberattack of Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER (CERT-UA # 4435)
CaddyWiper Industroyer INDUSTROYER2
2022-04-12Twitter (@silascutler)Silas Cutler
@online{cutler:20220412:analysis:561c2a2, author = {Silas Cutler}, title = {{Tweet on analysis of CADDYWIPER used alongside with INDUSTROYER2}}, date = {2022-04-12}, organization = {Twitter (@silascutler)}, url = {https://twitter.com/silascutler/status/1513870210398363651}, language = {English}, urldate = {2022-05-25} } Tweet on analysis of CADDYWIPER used alongside with INDUSTROYER2
CaddyWiper INDUSTROYER2
2022-04-12ESET ResearchESET Research
@online{research:20220412:industroyer2:4d6c5f8, author = {ESET Research}, title = {{Industroyer2: Industroyer reloaded}}, date = {2022-04-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/}, language = {English}, urldate = {2022-04-13} } Industroyer2: Industroyer reloaded
ArguePatch CaddyWiper Industroyer INDUSTROYER2
2022-04-12ESET ResearchESET Ireland
@online{ireland:20220412:industroyer2:aa61be3, author = {ESET Ireland}, title = {{Industroyer2: Industroyer reloaded}}, date = {2022-04-12}, organization = {ESET Research}, url = {https://blog.eset.ie/2022/04/12/industroyer2-industroyer-reloaded/}, language = {English}, urldate = {2022-05-04} } Industroyer2: Industroyer reloaded
CaddyWiper INDUSTROYER2
2022-04-05MorphisecMichael Dereviashkin
@online{dereviashkin:20220405:new:2f2f8a9, author = {Michael Dereviashkin}, title = {{New Analysis: The CaddyWiper Malware Attacking Ukraine}}, date = {2022-04-05}, organization = {Morphisec}, url = {https://blog.morphisec.com/caddywiper-analysis-new-malware-attacking-ukraine}, language = {English}, urldate = {2022-04-07} } New Analysis: The CaddyWiper Malware Attacking Ukraine
CaddyWiper
2022-04-01splunkSplunk Threat Research Team
@online{team:20220401:threat:1955941, author = {Splunk Threat Research Team}, title = {{Threat Update: CaddyWiper}}, date = {2022-04-01}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/threat-update-caddywiper.html}, language = {English}, urldate = {2022-04-12} } Threat Update: CaddyWiper
CaddyWiper
2022-03-31eSentireeSentire Threat Response Unit (TRU)
@online{tru:20220331:esentire:287e4dd, author = {eSentire Threat Response Unit (TRU)}, title = {{eSentire Threat Intelligence Malware Analysis: CaddyWiper}}, date = {2022-03-31}, organization = {eSentire}, url = {https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-caddywiper}, language = {English}, urldate = {2022-05-23} } eSentire Threat Intelligence Malware Analysis: CaddyWiper
CaddyWiper
2022-03-26n0p BlogAli Mosajjal
@online{mosajjal:20220326:analysis:b94c029, author = {Ali Mosajjal}, title = {{Analysis of a Caddy Wiper Sample Targeting Ukraine}}, date = {2022-03-26}, organization = {n0p Blog}, url = {https://n0p.me/2022/03/2022-03-26-caddywiper/}, language = {English}, urldate = {2022-03-28} } Analysis of a Caddy Wiper Sample Targeting Ukraine
CaddyWiper
2022-03-25GOV.UAState Service of Special Communication and Information Protection of Ukraine (CIP)
@online{cip:20220325:who:e75f0ac, author = {State Service of Special Communication and Information Protection of Ukraine (CIP)}, title = {{Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22}}, date = {2022-03-25}, organization = {GOV.UA}, url = {https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya}, language = {English}, urldate = {2022-08-05} } Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22
Xloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper IsaacWiper MicroBackdoor Pandora RAT
2022-03-24NextGovBrandi Vincent
@online{vincent:20220324:ukrainian:74b1566, author = {Brandi Vincent}, title = {{Ukrainian Cyber Lead Says ‘At Least 4 Types of Malware’ in Use to Target Critical Infrastructure and Humanitarian Aid}}, date = {2022-03-24}, organization = {NextGov}, url = {https://www.nextgov.com/cybersecurity/2022/03/ukrainian-cyber-lead-least-4-types-malware-are-targeting-ukrainian-institutions/363558/}, language = {English}, urldate = {2022-03-25} } Ukrainian Cyber Lead Says ‘At Least 4 Types of Malware’ in Use to Target Critical Infrastructure and Humanitarian Aid
CaddyWiper DoubleZero HermeticWiper IsaacWiper
2022-03-18MalwarebytesThreat Intelligence Team
@online{team:20220318:double:fde615f, author = {Threat Intelligence Team}, title = {{Double header: IsaacWiper and CaddyWiper}}, date = {2022-03-18}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2022/03/double-header-isaacwiper-and-caddywiper/}, language = {English}, urldate = {2022-03-28} } Double header: IsaacWiper and CaddyWiper
CaddyWiper IsaacWiper
2022-03-17NioGuardNioGuard Security Lab
@online{lab:20220317:analysis:90c9558, author = {NioGuard Security Lab}, title = {{Analysis of CaddyWiper}}, date = {2022-03-17}, organization = {NioGuard}, url = {https://www.nioguard.com/2022/03/analysis-of-caddywiper.html}, language = {English}, urldate = {2022-03-22} } Analysis of CaddyWiper
CaddyWiper
2022-03-16Cyber Security NewsGurubaran
@online{gurubaran:20220316:destructive:f915ddf, author = {Gurubaran}, title = {{Destructive Data Wiper Malware Targeting high-profile Ukrainian Organizations}}, date = {2022-03-16}, organization = {Cyber Security News}, url = {https://cybersecuritynews.com/destructive-data-wiper-malware/}, language = {English}, urldate = {2022-03-17} } Destructive Data Wiper Malware Targeting high-profile Ukrainian Organizations
CaddyWiper
2022-03-15Twitter (@HackNPatch)HackNPatch
@online{hacknpatch:20220315:exploring:5399622, author = {HackNPatch}, title = {{Tweet on Exploring CaddyWiper API resolution}}, date = {2022-03-15}, organization = {Twitter (@HackNPatch)}, url = {https://twitter.com/HackPatch/status/1503538555611607042}, language = {English}, urldate = {2022-03-28} } Tweet on Exploring CaddyWiper API resolution
CaddyWiper
2022-03-15SecurityIntelligenceChristopher Del Fierro, John Dwyer
@online{fierro:20220315:caddywiper:6504bd2, author = {Christopher Del Fierro and John Dwyer}, title = {{CaddyWiper: Third Wiper Malware Targeting Ukrainian Organizations}}, date = {2022-03-15}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/posts/caddywiper-malware-targeting-ukrainian-organizations/}, language = {English}, urldate = {2022-03-16} } CaddyWiper: Third Wiper Malware Targeting Ukrainian Organizations
CaddyWiper
2022-03-15ESET ResearchESET Research
@online{research:20220315:caddywiper:0edb827, author = {ESET Research}, title = {{CaddyWiper: New wiper malware discovered in Ukraine}}, date = {2022-03-15}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/}, language = {English}, urldate = {2022-03-15} } CaddyWiper: New wiper malware discovered in Ukraine
CaddyWiper
2022-03-15The Hacker NewsRavie Lakshmanan
@online{lakshmanan:20220315:caddywiper:f70771d, author = {Ravie Lakshmanan}, title = {{CaddyWiper: Yet Another Data Wiping Malware Targeting Ukrainian Networks}}, date = {2022-03-15}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/03/caddywiper-yet-another-data-wiping.html}, language = {English}, urldate = {2022-03-17} } CaddyWiper: Yet Another Data Wiping Malware Targeting Ukrainian Networks
CaddyWiper
2022-03-15TRUESECNicklas Keijser
@online{keijser:20220315:analysis:648df73, author = {Nicklas Keijser}, title = {{Analysis of CaddyWiper, wiper targeting Ukraine}}, date = {2022-03-15}, organization = {TRUESEC}, url = {https://www.truesec.com/hub/blog/analysis-of-caddywiper-wiper-targeting-ukraine}, language = {English}, urldate = {2022-03-16} } Analysis of CaddyWiper, wiper targeting Ukraine
CaddyWiper
2022-03-15SecurityAffairsPierluigi Paganini
@online{paganini:20220315:caddywiper:13b5403, author = {Pierluigi Paganini}, title = {{CaddyWiper, a new data wiper hits Ukraine}}, date = {2022-03-15}, organization = {SecurityAffairs}, url = {https://securityaffairs.co/wordpress/129069/cyber-warfare-2/caddywiper-wiper-hits-ukraine.html}, language = {English}, urldate = {2022-03-15} } CaddyWiper, a new data wiper hits Ukraine
CaddyWiper
2022-03-15CiscoCisco Talos
@online{talos:20220315:threat:67922cf, author = {Cisco Talos}, title = {{Threat Advisory: CaddyWiper}}, date = {2022-03-15}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html}, language = {English}, urldate = {2022-03-18} } Threat Advisory: CaddyWiper
CaddyWiper
2022-03-14CybernewsJurgita Lapienytė
@online{lapienyt:20220314:new:965eae1, author = {Jurgita Lapienytė}, title = {{New destructive wiper malware deployed in Ukraine}}, date = {2022-03-14}, organization = {Cybernews}, url = {https://cybernews.com/cyber-war/new-destructive-wiper-malware-deployed-in-ukraine/}, language = {English}, urldate = {2022-03-15} } New destructive wiper malware deployed in Ukraine
CaddyWiper
2022-03-14Twitter (@ESETresearch)ESET Research
@online{research:20220314:caddywiper:ac25105, author = {ESET Research}, title = {{Tweet on CaddyWiper as 3rd destructive wiper found deployed against Ukraine}}, date = {2022-03-14}, organization = {Twitter (@ESETresearch)}, url = {https://twitter.com/ESETresearch/status/1503436420886712321}, language = {English}, urldate = {2022-03-14} } Tweet on CaddyWiper as 3rd destructive wiper found deployed against Ukraine
CaddyWiper
2022-03-14Bleeping ComputerSergiu Gatlan
@online{gatlan:20220314:new:b53c7a5, author = {Sergiu Gatlan}, title = {{New CaddyWiper data wiping malware hits Ukrainian networks}}, date = {2022-03-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-caddywiper-data-wiping-malware-hits-ukrainian-networks/}, language = {English}, urldate = {2022-03-17} } New CaddyWiper data wiping malware hits Ukrainian networks
CaddyWiper
2022-02-28MicrosoftMSRC Team
@online{team:20220228:cyber:69efe8b, author = {MSRC Team}, title = {{Cyber threat activity in Ukraine: analysis and resources}}, date = {2022-02-28}, organization = {Microsoft}, url = {https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/}, language = {English}, urldate = {2022-07-25} } Cyber threat activity in Ukraine: analysis and resources
CaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate DEV-0586
Yara Rules
[TLP:WHITE] win_caddywiper_auto (20221125 | Detects win.caddywiper.)
rule win_caddywiper_auto {

    /* Auto-generated code-sequence rule for the CaddyWiper family.
     * All ten $sequence_N strings are raw x86 (32-bit, ebp-framed) opcode
     * runs lifted from disassembly; most of them are fragments of stack-built
     * strings (mov byte ptr [ebp - N], imm8), so they match the specific
     * compilation documented on Malpedia rather than the family's behaviour.
     * A rebuild with different stack layout, a 64-bit target, or strings
     * emitted as data would not hit these patterns - treat a hit as a
     * strong indicator and a miss as no information.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.caddywiper."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.caddywiper"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Tail of a stack-built ASCII string: 'r','o','l',NUL in consecutive
        // slots, then 'k' written to a different slot (presumably the start of
        // another string). Which names these are is not visible here.
        $sequence_0 = { c645cc72 c645cd6f c645ce6c c645cf00 c645dc6b }
            // n = 5, score = 100
            //   c645cc72             | mov                 byte ptr [ebp - 0x34], 0x72
            //   c645cd6f             | mov                 byte ptr [ebp - 0x33], 0x6f
            //   c645ce6c             | mov                 byte ptr [ebp - 0x32], 0x6c
            //   c645cf00             | mov                 byte ptr [ebp - 0x31], 0
            //   c645dc6b             | mov                 byte ptr [ebp - 0x24], 0x6b

        // 'F','i','l','e',NUL terminating a stack string, followed by taking the
        // address of a nearby stack buffer (the string is about to be passed on).
        $sequence_1 = { c645e946 c645ea69 c645eb6c c645ec65 c645ed00 8d45e4 }
            // n = 6, score = 100
            //   c645e946             | mov                 byte ptr [ebp - 0x17], 0x46
            //   c645ea69             | mov                 byte ptr [ebp - 0x16], 0x69
            //   c645eb6c             | mov                 byte ptr [ebp - 0x15], 0x6c
            //   c645ec65             | mov                 byte ptr [ebp - 0x14], 0x65
            //   c645ed00             | mov                 byte ptr [ebp - 0x13], 0
            //   8d45e4               | lea                 eax, [ebp - 0x1c]

        // Alternating NUL bytes: '.',0,'d',0,'l',0,'l' is ".dll" as UTF-16LE,
        // i.e. a wide-string module name being built on the stack.
        $sequence_2 = { c645f42e c645f500 c645f664 c645f700 c645f86c c645f900 c645fa6c }
            // n = 7, score = 100
            //   c645f42e             | mov                 byte ptr [ebp - 0xc], 0x2e
            //   c645f500             | mov                 byte ptr [ebp - 0xb], 0
            //   c645f664             | mov                 byte ptr [ebp - 0xa], 0x64
            //   c645f700             | mov                 byte ptr [ebp - 9], 0
            //   c645f86c             | mov                 byte ptr [ebp - 8], 0x6c
            //   c645f900             | mov                 byte ptr [ebp - 7], 0
            //   c645fa6c             | mov                 byte ptr [ebp - 6], 0x6c

        // The only non-string sequence: an indirect call through a function
        // pointer kept on the stack, with 0xc0000000 (GENERIC_READ | GENERIC_WRITE)
        // among the arguments and the result compared against -1
        // (INVALID_HANDLE_VALUE). Looks like a CreateFile* open of the buffer at
        // ebp - 0x430 through a runtime-resolved import - confirm in the sample.
        $sequence_3 = { 68000000c0 8d8dd0fbffff 51 ff9560f7ffff 8985acf1ffff 83bdacf1ffffff 7505 }
            // n = 7, score = 100
            //   68000000c0           | push                0xc0000000
            //   8d8dd0fbffff         | lea                 ecx, [ebp - 0x430]
            //   51                   | push                ecx
            //   ff9560f7ffff         | call                dword ptr [ebp - 0x8a0]
            //   8985acf1ffff         | mov                 dword ptr [ebp - 0xe54], eax
            //   83bdacf1ffffff       | cmp                 dword ptr [ebp - 0xe54], -1
            //   7505                 | jne                 7

        // Two stack-buffer addresses pushed as call arguments. Only 4 opcodes
        // long, so this one carries little weight on its own.
        $sequence_4 = { 8d85c4feffff 50 8d4db8 51 }
            // n = 4, score = 100
            //   8d85c4feffff         | lea                 eax, [ebp - 0x13c]
            //   50                   | push                eax
            //   8d4db8               | lea                 ecx, [ebp - 0x48]
            //   51                   | push                ecx

        // Two terminators, then 'G','e','t','C','u' starting a new stack string
        // at ebp - 0x13c (the same offset whose address $sequence_4 pushes, if
        // both come from the same function). Full name not visible here.
        $sequence_5 = { c645d000 c645d100 c685c4feffff47 c685c5feffff65 c685c6feffff74 c685c7feffff43 c685c8feffff75 }
            // n = 7, score = 100
            //   c645d000             | mov                 byte ptr [ebp - 0x30], 0
            //   c645d100             | mov                 byte ptr [ebp - 0x2f], 0
            //   c685c4feffff47       | mov                 byte ptr [ebp - 0x13c], 0x47
            //   c685c5feffff65       | mov                 byte ptr [ebp - 0x13b], 0x65
            //   c685c6feffff74       | mov                 byte ptr [ebp - 0x13a], 0x74
            //   c685c7feffff43       | mov                 byte ptr [ebp - 0x139], 0x43
            //   c685c8feffff75       | mov                 byte ptr [ebp - 0x138], 0x75

        // NUL-terminating a stack string, then loading the addresses of two
        // large stack buffers (ebp - 0xe3c, ebp - 0x44c) for a call.
        $sequence_6 = { c685cff1ffff00 8d8dc4f1ffff 51 8d95b4fbffff }
            // n = 4, score = 100
            //   c685cff1ffff00       | mov                 byte ptr [ebp - 0xe31], 0
            //   8d8dc4f1ffff         | lea                 ecx, [ebp - 0xe3c]
            //   51                   | push                ecx
            //   8d95b4fbffff         | lea                 edx, [ebp - 0x44c]

        // 'a','l','u','e','A',NUL: tail of an ANSI-suffixed ("...A") API name
        // ending in "alue". Which one is not visible in this fragment.
        $sequence_7 = { c645a061 c645a16c c645a275 c645a365 c645a441 c645a500 }
            // n = 6, score = 100
            //   c645a061             | mov                 byte ptr [ebp - 0x60], 0x61
            //   c645a16c             | mov                 byte ptr [ebp - 0x5f], 0x6c
            //   c645a275             | mov                 byte ptr [ebp - 0x5e], 0x75
            //   c645a365             | mov                 byte ptr [ebp - 0x5d], 0x65
            //   c645a441             | mov                 byte ptr [ebp - 0x5c], 0x41
            //   c645a500             | mov                 byte ptr [ebp - 0x5b], 0

        // '2','.','d','l','l',NUL: tail of a stack-built DLL name ending in
        // "2.dll" (the prefix is outside this fragment).
        $sequence_8 = { c645a332 c645a42e c645a564 c645a66c c645a76c c645a800 }
            // n = 6, score = 100
            //   c645a332             | mov                 byte ptr [ebp - 0x5d], 0x32
            //   c645a42e             | mov                 byte ptr [ebp - 0x5c], 0x2e
            //   c645a564             | mov                 byte ptr [ebp - 0x5b], 0x64
            //   c645a66c             | mov                 byte ptr [ebp - 0x5a], 0x6c
            //   c645a76c             | mov                 byte ptr [ebp - 0x59], 0x6c
            //   c645a800             | mov                 byte ptr [ebp - 0x58], 0

        // 0,'e',0,'l': a UTF-16LE fragment "el" of a wide string; short and
        // generic, so it mainly contributes to the 7-of-10 count.
        $sequence_9 = { c645eb00 c645ec65 c645ed00 c645ee6c }
            // n = 4, score = 100
            //   c645eb00             | mov                 byte ptr [ebp - 0x15], 0
            //   c645ec65             | mov                 byte ptr [ebp - 0x14], 0x65
            //   c645ed00             | mov                 byte ptr [ebp - 0x13], 0
            //   c645ee6c             | mov                 byte ptr [ebp - 0x12], 0x6c

    condition:
        // At least 7 of the 10 sequences must be present, and the scanned
        // object must be under 33792 bytes (0x8400, exactly 33 KiB). Note that
        // the size bound applies to whatever is scanned: a padded or repacked
        // binary, or a whole process dump, exceeds it and will never match even
        // if every sequence is present - scan the unpacked PE image.
        7 of them and filesize < 33792
}
[TLP:WHITE] win_caddywiper_w0   (20220316 | Detects CaddyWiper)
rule win_caddywiper_w0 {
    // Hand-written X-Force rule for CaddyWiper: requires an MZ header, the
    // DsRoleGetPrimaryDomainInformation API name as plain ASCII, and two
    // strings assembled on the stack one byte per instruction
    // (C6 45 disp8 imm8 = mov byte ptr [ebp + disp8], imm8): "C:\Users" and
    // "DeviceIoControl". The byte-at-a-time encoding ties the rule to this
    // 32-bit, ebp-framed build; a 64-bit or differently compiled variant
    // would presumably not hit $hex1/$hex2.
    meta:
        author = "IBM Security X-Force"
        description = "Detects CaddyWiper"
        threat_type = "Malware"
        rule_category = "Malware Family"
        usage = "Hunting and Identification"
        hash = "a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea"
        yara_version = "4.0.2"
        date_created = "15 March 22"
        malpedia_rule_date = "20220315"
        malpedia_hash = ""
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.caddywiper"
        malpedia_version = "20220316"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // ASCII API name; fullword so it does not hit inside a longer identifier.
        $s1 = "DsRoleGetPrimaryDomainInformation" ascii fullword
        // "C:\Users" - the ?? wildcard is the per-byte stack displacement.
        $hex1 = { C6 45 ?? 43 C6 45 ?? 3A C6 45 ?? 5C C6 45 ?? 55
                  C6 45 ?? 73 C6 45 ?? 65 C6 45 ?? 72 C6 45 ?? 73 }
        // "DeviceIoControl", built the same way.
        $hex2 = { C6 45 ?? 44 C6 45 ?? 65 C6 45 ?? 76 C6 45 ?? 69 C6 45 ?? 63
                  C6 45 ?? 65 C6 45 ?? 49 C6 45 ?? 6F C6 45 ?? 43 C6 45 ?? 6F
                  C6 45 ?? 6E C6 45 ?? 74 C6 45 ?? 72 C6 45 ?? 6F C6 45 ?? 6C }
    condition:
        // MZ magic first, then every string must be present.
        uint16(0) == 0x5A4D
        and $s1 and $hex1 and $hex2
}