In recent days, two samples have been published and are linked to the recent #n3tw0rm threat actor cyber attacks.
While most of the buzz goes to #Ransomware, one of the files (FreeSpaceWorker.exe) appears to be a (new?) #DiskWiper.
bazaar.abuse.ch/browse/tag/Ira
Interestingly, if we try to observe the file in the debugger, it will not fully execute. The reason for this is a large anti-debug function that uses the API calls QueryPerformanceFrequency and QueryPerformanceCounter, in addition to other functions that verify and manipulate the results.
To bypass it, set a breakpoint on QueryPerformanceFrequency; when you reach it, return to the calling function and take the JG jump at the end of this function.
(To take the jump you can just change the OF flag.) After taking the jump you can just click Run.
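A working model of the timing check described in the two posts above, added here as an example and not code from the sample or from the thread's author. It uses the QueryPerformanceFrequency/QueryPerformanceCounter pair on Windows and, as a portability assumption so it also builds on POSIX, clock_gettime elsewhere; the budget values and the two "work region" callbacks are constructed for illustration. Elapsed time above the budget is treated as "debugger present", which is the comparison a JG like the one in the post decides; the manual bypass in the post amounts to forcing that branch regardless of the measured time.

```c
/* Timing-based anti-debug check, modelled after the QueryPerformanceFrequency /
   QueryPerformanceCounter pattern described in the thread. Added example; the
   POSIX fallback and all constants are assumptions for illustration. */
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <time.h>
#endif

/* Counter frequency in ticks per second. */
static uint64_t qpc_frequency(void) {
#ifdef _WIN32
    LARGE_INTEGER f;
    QueryPerformanceFrequency(&f);
    return (uint64_t)f.QuadPart;
#else
    return 1000000000ULL; /* clock_gettime reports nanoseconds */
#endif
}

/* Current counter value in ticks. */
static uint64_t qpc_now(void) {
#ifdef _WIN32
    LARGE_INTEGER c;
    QueryPerformanceCounter(&c);
    return (uint64_t)c.QuadPart;
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
#endif
}

/* Microseconds spent inside `work`. */
uint64_t measure_work_us(void (*work)(void)) {
    uint64_t freq = qpc_frequency();
    uint64_t start = qpc_now();
    work();
    uint64_t end = qpc_now();
    return (end - start) * 1000000ULL / freq;
}

/* The check itself: true when the region took longer than `budget_us`,
   which a single-stepped or breakpointed run always does. This is the
   comparison whose conditional jump decides whether the sample continues;
   flipping OF (or patching the branch) is the manual bypass, because the
   flags, not the timing, decide where execution goes. */
bool timing_check_detects_debugger(void (*work)(void), uint64_t budget_us) {
    return measure_work_us(work) > budget_us;
}

/* Constructed work regions: one that is genuinely fast, and one that sleeps
   to stand in for the stall a debugger introduces. */
void fast_region(void) {
    volatile uint32_t acc = 0;
    for (uint32_t i = 0; i < 1000; i++) acc += i;
}

void stalled_region(void) {
#ifdef _WIN32
    Sleep(20);
#else
    struct timespec req = { 0, 20000000L }; /* 20 ms */
    nanosleep(&req, NULL);
#endif
}

int main(void) {
    printf("fast region:    debugger suspected = %d\n",
           timing_check_detects_debugger(fast_region, 100000));
    printf("stalled region: debugger suspected = %d\n",
           timing_check_detects_debugger(stalled_region, 1000));
    return 0;
}
```

When stepping through `measure_work_us` in a debugger, the stalled path is what you get even for `fast_region`, which is why a breakpoint placed on QueryPerformanceFrequency (before the measurement starts) and a forced branch afterwards is the practical way through: ScyllaHide-style hooks hide the debugger presence flags and some timing sources, but they cannot make a stepped region take less wall-clock time.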
Then, the wiper will write a lot of ".TMP" files until there is no space left in the machine's memory.
Use ScyllaHide, it bypasses all the manual work ;) Also, top-notch string encryption on this one 😂
I actually did it with ScyllaHide fully activated, still needed to bypass it manually 🤔