Targeted Destructive Malware
2014-12-19 • USCISA
US-CERT reports destructive malware activity against a major entertainment company using an SMB worm tool with multiple components for propagation, access, proxying, and wiping. The worm brute-forces Windows SMB shares on port 445, copies itself to reachable hosts, sends spread logs to command-and-control infrastructure, and accepts new scanning tasks. Installed components include a listening implant on TCP 195 or 444, a service-DLL backdoor with file transfer and command execution, a proxy tool often listening on TCP 443, and destructive tools that overwrite the MBR or delete files. The wiper can move laterally through Windows shares using configured hostnames, usernames, and passwords, copy taskhostXX.exe, timestomp it to match calc.exe, launch it remotely with wmic.exe, then remove the temporary share. The operational risk is high because successful execution can make systems inoperable and destroy data beyond practical recovery.
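The behaviours above (share scanning on TCP 445, remote launch of taskhostXX.exe through wmic.exe, and timestomping to match calc.exe) each leave a detectable footprint. The following is an added example, not code from US-CERT or this advisory, that runs three simple hunts over constructed sample telemetry; the log row formats, host names and timestamps are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the advisory). Network rows are
# "src dst dport"; process rows are "host|image|cmdline"; file rows are
# (host, path, created, modified).
NET = [
    "10.1.1.5 10.1.1.20 445", "10.1.1.5 10.1.1.21 445", "10.1.1.5 10.1.1.22 445",
    "10.1.1.5 10.1.1.23 445", "10.1.1.5 10.1.1.24 445", "10.1.1.7 10.1.1.20 445",
    "10.1.1.7 10.1.1.9 443",
]
PROC = [
    "ws01|wmic.exe|wmic /node:ws02 /user:corp\\svc process call create c:\\windows\\taskhost42.exe",
    "ws01|wmic.exe|wmic os get caption",
]
FILES = [
    ("ws02", r"c:\windows\system32\calc.exe", "2009-07-14T01:39:12", "2009-07-14T01:39:12"),
    ("ws02", r"c:\windows\taskhost42.exe", "2009-07-14T01:39:12", "2009-07-14T01:39:12"),
    ("ws02", r"c:\windows\notepad.exe", "2009-07-14T01:39:13", "2009-07-14T01:39:12"),
]

def smb_fanout(net_rows, threshold=5):
    """Sources that reached >= threshold distinct hosts on TCP 445 (worm-style share scanning)."""
    seen = defaultdict(set)
    for row in net_rows:
        src, dst, port = row.split()
        if port == "445":
            seen[src].add(dst)
    return {src: len(dsts) for src, dsts in seen.items() if len(dsts) >= threshold}

WMIC_REMOTE_TASKHOST = re.compile(r"/node:\S+.*taskhost\d{2}\.exe", re.I)

def remote_taskhost_launches(proc_rows):
    """Hosts where wmic.exe was used to start taskhostXX.exe on another machine."""
    hits = []
    for row in proc_rows:
        host, image, cmdline = row.split("|", 2)
        if image.lower() == "wmic.exe" and WMIC_REMOTE_TASKHOST.search(cmdline):
            hits.append((host, cmdline))
    return hits

def timestomped_like_calc(file_rows):
    """Files whose created/modified times equal calc.exe's on the same host (timestomp clue)."""
    ref = {h: (c, m) for h, p, c, m in file_rows if p.lower().endswith("\\calc.exe")}
    return [p for h, p, c, m in file_rows
            if h in ref and (c, m) == ref[h] and not p.lower().endswith("\\calc.exe")]

if __name__ == "__main__":
    print(smb_fanout(NET), remote_taskhost_launches(PROC), timestomped_like_calc(FILES))
```

The fan-out threshold is a tuning knob; real environments need a baseline of normal SMB activity before alerting on it.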
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| YARA | Malwareusedbycyberthreatactor3 | 2014-12-19 | 2014-12-19 |
| YARA | Malwareusedbycyberthreatactor2 | 2014-12-19 | 2014-12-19 |
| YARA | Malwareusedbycyberthreatactor1 | 2014-12-19 | 2014-12-19 |
| YARA | DestructiveTargetCleaningTool8 | 2014-12-19 | 2014-12-19 |
| YARA | DestructiveTargetCleaningTool7 | 2014-12-19 | 2014-12-19 |
| YARA | DestructiveTargetCleaningTool6 | 2014-12-19 | 2014-12-19 |
| YARA | DestructiveTargetCleaningTool5 | 2014-12-19 | 2014-12-19 |
| YARA | DestructiveTargetCleaningTool4 | 2014-12-19 | 2014-12-19 |
| YARA | DestructiveTargetCleaningTool3 | 2014-12-19 | 2014-12-19 |
| YARA | DestructiveTargetCleaningTool2 | 2014-12-19 | 2014-12-19 |
| YARA | DestructiveTargetCleaningTool1 | 2014-12-19 | 2014-12-19 |
| YARA | DestructiveHardDriveTool1 | 2014-12-19 | 2014-12-19 |
| YARA | ProxyTool3 | 2014-12-19 | 2014-12-19 |
| YARA | ProxyTool2 | 2014-12-19 | 2014-12-19 |
| YARA | ProxyTool1 | 2014-12-19 | 2014-12-19 |
| YARA | LightweightBackdoor6 | 2014-12-19 | 2014-12-19 |
| YARA | LightweightBackdoor5 | 2014-12-19 | 2014-12-19 |
| YARA | LightweightBackdoor4 | 2014-12-19 | 2014-12-19 |
| YARA | LightweightBackdoor3 | 2014-12-19 | 2014-12-19 |
| YARA | LightweightBackdoor2 | 2014-12-19 | 2014-12-19 |
| YARA | Lightweight_Backdoor1 | 2014-12-19 | 2014-12-19 |
| YARA | SMB_Worm_Tool | 2014-12-19 | 2014-12-19 |