DoubleZero Malware: Behavioral Analysis

DoubleZero PE

Background

On 17 March 2022, the Computer Emergency Response Team of Ukraine (CERT-UA) detected evidence of a new wiper, known now as DoubleZero. According to the CERT-UA report:

It uses two methods to destroy files: overwriting files with zero blocks of 4096 bytes (FileStream.Write method) or using the API calls NtFileOpen and NtFsControlFile (code: FSCTL_SET_ZERO_DATA). First, all non-system files on all disks are overwritten. After that, a list of system files matching a mask is made; they are sorted and then overwritten in the corresponding sequence. The following branches of the Windows registry are destroyed: HKCU, HKU, HKLM, HKLM\BCD. Finally, the computer shuts down.
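The overwrite mechanics quoted above suggest a simple forensic check for a host suspected of being hit. The following Python script is an added example, not code from the original post or from the CERT-UA report: it reads files in 4096-byte blocks and flags any file that consists entirely of zero blocks, and on Windows it also reports the sparse attribute that FSCTL_SET_ZERO_DATA leaves behind. The sample files it builds are constructed for the demonstration.

```python
import stat
import tempfile
from pathlib import Path

BLOCK = 4096                 # zero-block size named in the CERT-UA description
ZERO_BLOCK = bytes(BLOCK)
# constant exists in the stat module on recent Pythons; fall back to its documented value
SPARSE_ATTR = getattr(stat, "FILE_ATTRIBUTE_SPARSE_FILE", 0x200)

def zero_block_ratio(path):
    """Return (zero_blocks, total_blocks) for a file read in 4096-byte blocks.
    A short trailing block counts as zero only if every byte in it is zero."""
    zero = total = 0
    with open(path, "rb") as f:
        while chunk := f.read(BLOCK):
            total += 1
            if chunk == ZERO_BLOCK[:len(chunk)]:
                zero += 1
    return zero, total

def is_sparse(path):
    """Windows-only signal: FSCTL_SET_ZERO_DATA leaves the sparse attribute set."""
    # st_file_attributes exists only on Windows; elsewhere this is always False
    attrs = getattr(Path(path).stat(), "st_file_attributes", 0)
    return bool(attrs & SPARSE_ATTR)

def triage(root):
    """Return sorted (path, zero, total, sparse) for non-empty files made only of zero blocks."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        zero, total = zero_block_ratio(p)
        if total and zero == total:
            hits.append((str(p), zero, total, is_sparse(p)))
    return sorted(hits)

def demo():
    """Build a constructed sample tree (not real DoubleZero output) and triage it."""
    root = tempfile.mkdtemp(prefix="dz_triage_")
    samples = {
        "wiped.docx": ZERO_BLOCK * 2 + bytes(100),     # fully overwritten with zero blocks
        "intact.txt": b"quarterly report, still readable\n",
        "partial.bin": ZERO_BLOCK + b"trailing data",  # one zero block, then real data
    }
    for name, data in samples.items():
        Path(root, name).write_bytes(data)
    return root, triage(root)

if __name__ == "__main__":
    for path, zero, total, sparse in demo()[1]:
        print(f"{path}: {zero}/{total} zero blocks, sparse={sparse}")
```

Point `triage()` at a directory on a mounted image to list candidate wiped files; on Linux the sparse flag is always reported as False.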

Analysis

Note: During my analysis, I could not replicate the effects observed by CERT-UA. DoubleZero may check if the device has certain features that tie it to Ukraine.

Below is a basic timeline of Windows events generated with the sample.

Imports:

The only import observed was mscoree.dll. This DLL is statically linked to kernel32.dll, which gives access to the NtFsControlFile function.

Sample of Strings output

Network Activity:

When executing DoubleZero, we observe an initial DNS query for the Domain Controller and then a small LDAP communication. Unfortunately, during PCAP analysis, I could not identify anything meaningful from the LDAP messages.

Network Connections

Interestingly, the malware sample did open a UDP port in the ephemeral range. The port was not always the same, and I speculate that there may be some algorithmic means of generating the port to bind for that socket. Unfortunately, no traffic was seen being sent to or from that port. Later, I may try running the sample on a machine with a public IP to see whether there is any communication. DoubleZero may need a C2 server to actually trigger the wiping effects.

Conclusion

Unfortunately, I was unable to get this sample to actually wipe anything or generate meaningful effects, which leaves much of its behavioral characteristics shrouded in mystery. Next, I’m looking forward to analyzing the new Mustang Panda’s Hodur sample circulating in Europe.

Kyle Topasna

Cybersecurity Professional, AI Engineer, Data Scientist