Threat Encyclopedia

W32/CaddyWiper.NCX!tr

Analysis

W32/CaddyWiper.NCX!tr is a generic detection for a trojan.
Since this is a generic detection, malware detected as W32/CaddyWiper.NCX!tr may have varying behaviour.
Below are some of its observed characteristics/behaviours:

  • This data wiper malware, known as "CaddyWiper", is one of several data-wiping malware families discovered on machines across multiple Ukrainian organizations. The wiper first calls DSRoleGetPrimaryDomainInformation to determine the machine role of the infected system. After determining that the system is not a domain controller, it continues. The malware then traverses the drives, from "C:\Users" to "Z:\", and wipes the data. It then cycles through the physical drives, from 9 down to 0, destroying the data on the drive partitions by overwriting the first 1920 bytes with 0's. Upon reboot of the system, a "boot failure" error message is displayed.

  • Below are images of the malware (captions only):

    • Figure 1: Determining machine role.
    • Figure 2: Traversing through drives "C:\Users" to "Z:\".
    • Figure 3: Traversing physical drives 9-0.
    • Figure 4: Overwriting first 1920 bytes with 0's.
    • Figure 5: Error message after execution.
    • Figure 6: Screen upon reboot after execution of malware.


  • Following are some of the near/exact IOCs (file hashes) associated with this detection:
    • Md5: 42e52b8daf63e6e26c3aa91e7e971492
      Sha256: a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea
    • Md5: 728f13a93b62699e8f94f2d14a989bac
      Sha256: b66b179eac03afafdc69f62c207819eceecfbf994c9efa464fda0d2ba44fe2d7
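As a defender-side check for the wipe pattern described above (the first 1920 bytes of a physical drive overwritten with 0's), here is an added forensic triage example, not code from this page or from Fortinet: it inspects the leading bytes of a raw drive image and reports whether the boot signature is gone and whether the zeroed prefix matches the 1920-byte window while data survives beyond it. The function names and the sample images are constructed for illustration.

```python
from dataclasses import dataclass

WIPE_LEN = 1920          # bytes the wiper overwrites with 0x00 (per the analysis)
BOOT_SIG = b"\x55\xaa"   # MBR/VBR boot signature at offset 510


@dataclass
class WipeVerdict:
    has_boot_signature: bool  # 0x55AA still present at offset 510
    zero_prefix: int          # length of the leading run of 0x00 bytes
    data_after_window: bool   # non-zero bytes survive past the 1920-byte window
    verdict: str              # "intact", "wiped-prefix", "all-zero", "indeterminate"


def leading_zero_run(data: bytes) -> int:
    """Return how many 0x00 bytes data starts with."""
    n = 0
    for b in data:
        if b:
            break
        n += 1
    return n


def triage_disk_prefix(data: bytes, probe_len: int = 64 * 1024) -> WipeVerdict:
    """Classify the start of a raw drive image (hypothetical helper name)."""
    head = data[:probe_len]
    sig_ok = len(head) >= 512 and head[510:512] == BOOT_SIG
    zeros = leading_zero_run(head)
    survives = any(head[WIPE_LEN:])   # True if any non-zero byte past the window
    if sig_ok and zeros < WIPE_LEN:
        verdict = "intact"
    elif zeros >= WIPE_LEN and survives:
        verdict = "wiped-prefix"   # the pattern this wiper leaves on a drive
    elif zeros == len(head):
        verdict = "all-zero"       # blank disk or a larger wipe; not attributable
    else:
        verdict = "indeterminate"
    return WipeVerdict(sig_ok, zeros, survives, verdict)


def make_sample(wiped: bool) -> bytes:
    """Constructed 8 KiB image: a fake MBR followed by partition data."""
    mbr = b"\xeb\x63\x90" + bytes(507) + BOOT_SIG      # 512 bytes, signature at 510
    image = mbr + b"DATA" * 1920                        # 512 + 7680 bytes
    return bytes(WIPE_LEN) + image[WIPE_LEN:] if wiped else image


if __name__ == "__main__":
    for wiped in (False, True):
        print(wiped, triage_disk_prefix(make_sample(wiped)))
```

To triage a real suspect disk, read the first 64 KiB of the raw image into bytes and pass it to triage_disk_prefix; a "wiped-prefix" verdict with zero_prefix of exactly 1920 is the signature worth correlating with the other indicators here.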

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.
