SYMBOLCOMMON_NAMEaka. SYNONYMS
win.ordinypt (Back to overview)

Ordinypt

aka: GermanWiper, HSDFSDCrypt

This malware claims to be a ransomware, but it's actually a wiper. After execution, this malware terminates a number of processes such as database processes, likely to allow access to any files that these programs may have held open. Ordinypt will avoid wiping certain files and folders in order to prevent the infected machine from becoming unusable. Affected files are overwritten with null character and receive a random 5 character file extension. Finally, shadow copies are removed and Windows startup repair is disabled to complicate recovery of data from the affected system. The desktop background is changed and a ransom note is dropped for the victim. A C2 check-in occurs to keep track of the file extension used on that specific machine, as well as which BitCoin address was randomly provided for payment to the victim (drawn from a long list stored in the ransomware configuration).

References
2022-08-12CrowdStrikeIoan Iacob, Iulian Madalin Ionita
@online{iacob:20220812:anatomy:b13ce32, author = {Ioan Iacob and Iulian Madalin Ionita}, title = {{The Anatomy of Wiper Malware, Part 1: Common Techniques}}, date = {2022-08-12}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/}, language = {English}, urldate = {2022-08-15} } The Anatomy of Wiper Malware, Part 1: Common Techniques
Apostle CaddyWiper DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye KillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-04-28FortinetGergely Revay
@online{revay:20220428:overview:0ac963f, author = {Gergely Revay}, title = {{An Overview of the Increasing Wiper Malware Threat}}, date = {2022-04-28}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat}, language = {English}, urldate = {2022-04-29} } An Overview of the Increasing Wiper Malware Threat
AcidRain CaddyWiper DistTrack DoubleZero EternalPetya HermeticWiper IsaacWiper Olympic Destroyer Ordinypt WhisperGate ZeroCleare
2019-09-05vmwareSwee Lai Lee
@online{lee:20190905:cb:5dd9651, author = {Swee Lai Lee}, title = {{CB Threat Analysis Unit Technical Breakdown: GermanWiper Ransomware}}, date = {2019-09-05}, organization = {vmware}, url = {https://www.carbonblack.com/2019/09/05/cb-threat-analysis-unit-technical-breakdown-germanwiper-ransomware/}, language = {English}, urldate = {2020-01-06} } CB Threat Analysis Unit Technical Breakdown: GermanWiper Ransomware
Ordinypt
2019-07-31Dissecting MalwareMarius Genheimer
@online{genheimer:20190731:tfw:3fa5aba, author = {Marius Genheimer}, title = {{TFW Ransomware is only your side hustle...}}, date = {2019-07-31}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/tfw-ransomware-is-only-your-side-hustle.html}, language = {English}, urldate = {2020-01-10} } TFW Ransomware is only your side hustle...
Ordinypt
2017-11-09Bleeping ComputerCatalin Cimpanu
@online{cimpanu:20171109:ordinypt:cc9c071, author = {Catalin Cimpanu}, title = {{Ordinypt Ransomware Intentionally Destroys Files, Currently Targeting Germany}}, date = {2017-11-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ordinypt-ransomware-intentionally-destroys-files-currently-targeting-germany/}, language = {English}, urldate = {2019-12-20} } Ordinypt Ransomware Intentionally Destroys Files, Currently Targeting Germany
Ordinypt
2017-07-11G DataG Data
@online{data:20170711:ordinypt:a3f61cf, author = {G Data}, title = {{Ordinypt hat es auf Benutzer aus Deutschland abgesehen}}, date = {2017-07-11}, organization = {G Data}, url = {https://www.gdata.de/blog/2017/11/30151-ordinypt}, language = {Deutsch}, urldate = {2020-01-08} } Ordinypt hat es auf Benutzer aus Deutschland abgesehen
Ordinypt
Yara Rules
[TLP:WHITE] win_ordinypt_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_ordinypt_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ordinypt"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b0485786c4500 50 8b06 0fb64018 8d0480 8b0485506c4500 }
            // n = 6, score = 200
            //   8b0485786c4500       | mov                 eax, dword ptr [eax*4 + 0x456c78]
            //   50                   | push                eax
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   0fb64018             | movzx               eax, byte ptr [eax + 0x18]
            //   8d0480               | lea                 eax, [eax + eax*4]
            //   8b0485506c4500       | mov                 eax, dword ptr [eax*4 + 0x456c50]

        $sequence_1 = { e8???????? 8b8524faffff ba???????? e8???????? 0f8430030000 8d9520faffff }
            // n = 6, score = 200
            //   e8????????           |                     
            //   8b8524faffff         | mov                 eax, dword ptr [ebp - 0x5dc]
            //   ba????????           |                     
            //   e8????????           |                     
            //   0f8430030000         | je                  0x336
            //   8d9520faffff         | lea                 edx, [ebp - 0x5e0]

        $sequence_2 = { e8???????? 0f84ec0a0000 8d95fcfaffff 8b45fc e8???????? }
            // n = 5, score = 200
            //   e8????????           |                     
            //   0f84ec0a0000         | je                  0xaf2
            //   8d95fcfaffff         | lea                 edx, [ebp - 0x504]
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   e8????????           |                     

        $sequence_3 = { ff5134 8b8340020000 895814 c74010404c4400 b201 a1???????? e8???????? }
            // n = 7, score = 200
            //   ff5134               | call                dword ptr [ecx + 0x34]
            //   8b8340020000         | mov                 eax, dword ptr [ebx + 0x240]
            //   895814               | mov                 dword ptr [eax + 0x14], ebx
            //   c74010404c4400       | mov                 dword ptr [eax + 0x10], 0x444c40
            //   b201                 | mov                 dl, 1
            //   a1????????           |                     
            //   e8????????           |                     

        $sequence_4 = { 8b85f0faffff ba???????? e8???????? 0f845c0a0000 }
            // n = 4, score = 200
            //   8b85f0faffff         | mov                 eax, dword ptr [ebp - 0x510]
            //   ba????????           |                     
            //   e8????????           |                     
            //   0f845c0a0000         | je                  0xa62

        $sequence_5 = { 8b04b548614500 50 8bc7 e8???????? 50 }
            // n = 5, score = 200
            //   8b04b548614500       | mov                 eax, dword ptr [esi*4 + 0x456148]
            //   50                   | push                eax
            //   8bc7                 | mov                 eax, edi
            //   e8????????           |                     
            //   50                   | push                eax

        $sequence_6 = { e8???????? 0f8424060000 8d9574faffff 8b45fc e8???????? 8b8574faffff ba???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   0f8424060000         | je                  0x62a
            //   8d9574faffff         | lea                 edx, [ebp - 0x58c]
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   e8????????           |                     
            //   8b8574faffff         | mov                 eax, dword ptr [ebp - 0x58c]
            //   ba????????           |                     

        $sequence_7 = { 8d95dcfbffff 8b45fc e8???????? 8b85dcfbffff }
            // n = 4, score = 200
            //   8d95dcfbffff         | lea                 edx, [ebp - 0x424]
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   e8????????           |                     
            //   8b85dcfbffff         | mov                 eax, dword ptr [ebp - 0x424]

        $sequence_8 = { 66c74304b3d7 897308 c74324e42e4000 c7431c5c2a4000 }
            // n = 4, score = 100
            //   66c74304b3d7         | mov                 word ptr [ebx + 4], 0xd7b3
            //   897308               | mov                 dword ptr [ebx + 8], esi
            //   c74324e42e4000       | mov                 dword ptr [ebx + 0x24], 0x402ee4
            //   c7431c5c2a4000       | mov                 dword ptr [ebx + 0x1c], 0x402a5c

        $sequence_9 = { 84db 7407 c605????????01 33c0 8ac3 c68020e9450001 }
            // n = 6, score = 100
            //   84db                 | test                bl, bl
            //   7407                 | je                  9
            //   c605????????01       |                     
            //   33c0                 | xor                 eax, eax
            //   8ac3                 | mov                 al, bl
            //   c68020e9450001       | mov                 byte ptr [eax + 0x45e920], 1

        $sequence_10 = { c705????????682d4200 c705????????d82c4200 c705????????002e4200 c705????????982e4200 c705????????6c2f4200 }
            // n = 5, score = 100
            //   c705????????682d4200     |     
            //   c705????????d82c4200     |     
            //   c705????????002e4200     |     
            //   c705????????982e4200     |     
            //   c705????????6c2f4200     |     

        $sequence_11 = { e8???????? 8b85d0fcffff ba???????? e8???????? 0f84da060000 8d95ccfcffff }
            // n = 6, score = 100
            //   e8????????           |                     
            //   8b85d0fcffff         | mov                 eax, dword ptr [ebp - 0x330]
            //   ba????????           |                     
            //   e8????????           |                     
            //   0f84da060000         | je                  0x6e0
            //   8d95ccfcffff         | lea                 edx, [ebp - 0x334]

        $sequence_12 = { 8b9548feffff b8???????? e8???????? 0bd8 8d953cfeffff 8b45fc e8???????? }
            // n = 7, score = 100
            //   8b9548feffff         | mov                 edx, dword ptr [ebp - 0x1b8]
            //   b8????????           |                     
            //   e8????????           |                     
            //   0bd8                 | or                  ebx, eax
            //   8d953cfeffff         | lea                 edx, [ebp - 0x1c4]
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   e8????????           |                     

        $sequence_13 = { c605????????02 c705????????94524000 e8???????? 84c0 7405 e8???????? }
            // n = 6, score = 100
            //   c605????????02       |                     
            //   c705????????94524000     |     
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7405                 | je                  7
            //   e8????????           |                     

        $sequence_14 = { 833e03 7416 837e0400 7503 833e04 }
            // n = 5, score = 100
            //   833e03               | cmp                 dword ptr [esi], 3
            //   7416                 | je                  0x18
            //   837e0400             | cmp                 dword ptr [esi + 4], 0
            //   7503                 | jne                 5
            //   833e04               | cmp                 dword ptr [esi], 4

        $sequence_15 = { 33d2 8905???????? 8915???????? 68???????? e8???????? }
            // n = 5, score = 100
            //   33d2                 | xor                 edx, edx
            //   8905????????         |                     
            //   8915????????         |                     
            //   68????????           |                     
            //   e8????????           |                     

    condition:
        7 of them and filesize < 1064960
}
Download all Yara Rules