W32/CaddyWiper.NCX!tr

Analysis

W32/CaddyWiper.NCX!tr is a generic detection for a trojan.
Since this is a generic detection, malware that are detected as W32/CaddyWiper.NCX!tr may have varying behaviour.
Below are some of its observed characteristics/behaviours:

• This data wiper malware, known as "CaddyWiper", is one of the many data wiping malware that was discovered on machines across multiple Ukranian organizations.


• The data wiper will first call DSRoleGetPrimaryDomainInformation to determine the machine role of the infected system. After it determines that the system is not a domain controller, it will continue on. The malware will traverse through the drives, "C:\Users" to "Z:\", and wipe out the data. It will then move on to cycle through the physical drives, going from 9-0, destroying the data on the drive partitions by overwriting the first 1920 bytes with 0's.


• Upon reboot of the system, an error message of "boot failure" will be displayed.


• Below are images of the malware:
  

  Figure 1: Error message after execution.

  
  

  Figure 2: Screen upon reboot after execution of malware.

  
  


• Following are some of the near/exact IOCs/file hash associated with this detection:
  
  • Md5: 42e52b8daf63e6e26c3aa91e7e971492
    Sha256: a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea
  • Md5: 728f13a93b62699e8f94f2d14a989bac
    Sha256: b66b179eac03afafdc69f62c207819eceecfbf994c9efa464fda0d2ba44fe2d7

Recommended Action

• Make sure that your FortiGate/FortiClient system is using the latest AV database.
• Quarantine/delete files that are detected and replace infected files with clean backup copies.