W32/CaddyWiper.NCX!tr
Analysis
W32/CaddyWiper.NCX!tr is a generic detection for a trojan.
Since this is a generic detection, samples detected as W32/CaddyWiper.NCX!tr may have varying behaviour.
Below are some of its observed characteristics/behaviours:
- This data wiper malware, known as "CaddyWiper", is one of several data-wiping malware families discovered on machines across multiple Ukrainian organizations.
- The data wiper first calls DSRoleGetPrimaryDomainInformation to determine the role of the infected machine, and continues only after determining that the system is not a domain controller. It then traverses the drives, from "C:\Users" through "Z:\", wiping the data on them. Next it cycles through the physical drives, from 9 down to 0, destroying the data on each drive's partitions by overwriting the first 1920 bytes with zeros.
- Upon reboot of the system, a "boot failure" error message is displayed.
- Below are images of the malware:
- Figure 1: Error message after execution.
- Figure 2: Screen upon reboot after execution of malware.
- Following are some of the near/exact IOCs (file hashes) associated with this detection:
- Md5: 42e52b8daf63e6e26c3aa91e7e971492
  Sha256: a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea
- Md5: 728f13a93b62699e8f94f2d14a989bac
  Sha256: b66b179eac03afafdc69f62c207819eceecfbf994c9efa464fda0d2ba44fe2d7
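The disk damage described above (the first 1920 bytes of each physical drive overwritten with zeros) destroys the whole MBR sector, including the partition table at offset 446 and the 0x55AA boot signature at offset 510, which is why the machine reports a boot failure. The following Python triage helper, added here as an example and not part of the Fortinet page or the malware itself, reads the head of a raw disk image and reports whether it matches that exact pattern, so a responder can distinguish a CaddyWiper-style zero overwrite from other boot damage. The MBR offsets are the standard layout; the function names and the constructed sample images are assumptions made for illustration, and only the 1920-byte figure comes from the page.

```python
"""
Forensic triage for a zeroed-MBR wipe pattern.

Example code added to the page. Offsets follow the classic MBR layout; the
function names and the sample images built below are constructed for the demo.
"""
import struct

WIPE_LEN = 1920           # bytes the page says are overwritten with 0x00
SECTOR = 512
PART_TABLE_OFFSET = 446   # four 16-byte partition entries start here
BOOT_SIG_OFFSET = 510     # classic MBR boot signature 0x55 0xAA


def mbr_facts(head: bytes) -> dict:
    """Pull the indicators a responder checks first: boot signature and partition table."""
    if len(head) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # boot flag, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        boot_flag, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", head, off)
        if ptype != 0:  # type 0x00 marks an unused entry
            partitions.append({"bootable": boot_flag == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_signature_ok": head[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] == b"\x55\xaa",
        "partitions": partitions,
    }


def looks_wiped(head: bytes, wipe_len: int = WIPE_LEN) -> dict:
    """Classify the head of a disk image.

    verdict values:
      "zeroed_prefix"  - first wipe_len bytes are all 0x00 (matches the described wiper)
      "intact"         - boot signature present and at least one partition entry
      "damaged_other"  - unbootable, but not the all-zero pattern
    """
    prefix = head[:wipe_len]
    zeroed = len(prefix) == wipe_len and not any(prefix)
    facts = mbr_facts(head)
    if zeroed:
        verdict = "zeroed_prefix"
    elif facts["boot_signature_ok"] and facts["partitions"]:
        verdict = "intact"
    else:
        verdict = "damaged_other"
    return {
        "verdict": verdict,
        "zeroed_prefix": zeroed,
        "boot_signature_ok": facts["boot_signature_ok"],
        "partition_count": len(facts["partitions"]),
    }


def triage_image(path: str) -> dict:
    """Read the first few sectors of a raw image (e.g. a dd copy) and classify it."""
    with open(path, "rb") as fh:
        return looks_wiped(fh.read(SECTOR * 8))


def build_sample_disk(wiped: bool) -> bytes:
    """Constructed 4 KiB image with one NTFS-type partition; optionally zeroed as the page describes."""
    img = bytearray(b"\xeb\x63\x90" + b"\x90" * (PART_TABLE_OFFSET - 3))  # placeholder boot code
    # one primary partition: bootable, type 0x07, starting at LBA 2048, 1,000,000 sectors
    img += struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    img += b"\x00" * 48                        # three unused partition entries
    img += b"\x55\xaa"                         # boot signature
    img += b"\xa5" * (SECTOR * 8 - len(img))   # later sectors, non-zero filler
    if wiped:
        img[:WIPE_LEN] = bytes(WIPE_LEN)       # test fixture only: the damage pattern from the page
    return bytes(img)


if __name__ == "__main__":
    for label, wiped in (("intact sample", False), ("wiped sample", True)):
        print(label, looks_wiped(build_sample_disk(wiped)))
```

Run it against a forensic image with `triage_image("/path/to/disk.raw")`; a `zeroed_prefix` verdict on a drive that failed to boot is consistent with the behaviour described above, while `damaged_other` points to a different cause worth examining separately. The check only covers what the page states (the first 1920 bytes); it says nothing about the per-file wiping of "C:\Users" through "Z:\", which needs file-system level analysis.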
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
- FortiGate
- FortiClient
- FortiAPS
- FortiAPU
- FortiMail
- FortiSandbox
- FortiWeb
- Web Application Firewall
- FortiIsolator
- FortiDeceptor
- FortiEDR