Analytics Story: Caddy Wiper

Description

Caddy Wiper is a destructive payload that checks whether it is running on a Domain Controller and triggers a kill switch (does not execute) if it is. When not on a DC, it destroys user files and any subsequently mapped drives. The wiper also destroys drive partitions, including boot partitions.

Why it matters

Caddy Wiper is destructive malware that ESET found in multiple organizations in Ukraine. The payload destroys user files, avoids executing on Domain Controllers, and destroys boot and drive partitions.

Detections

Name                                             Technique                        Type
Windows Raw Access To Disk Volume Partition      Disk Structure Wipe, Disk Wipe   Anomaly
Windows Raw Access To Master Boot Record Drive   Disk Structure Wipe, Disk Wipe   TTP

Data Sources

Name               Platform   Sourcetype       Source
Sysmon EventID 9   Windows    xmlwineventlog   XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
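
Both detections above key on Sysmon Event ID 9 (RawAccessRead), which records a process opening a disk device for raw reads. The following is an added example, not Splunk's own search logic: it parses Sysmon Event 9 records in the XmlWinEventLog shape named in the data source table and flags raw access to volume partitions (\Device\HarddiskVolumeN, the Anomaly detection) and to the physical drive that carries the MBR (\Device\HarddiskN\DRN, the TTP detection). The sample events, the placeholder image names, and the allowlist of backup tooling that legitimately reads raw volumes are assumptions constructed for the example.

```python
"""Added example: flag Sysmon Event ID 9 (RawAccessRead) records that reach
raw disk volumes or the physical drive holding the MBR. Sample events and the
image allowlist are constructed assumptions, not data from the page."""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sysmon reports a volume partition as \Device\HarddiskVolumeN and the
# physical drive (where the MBR lives) as \Device\HarddiskN\DRN.
VOLUME_RE = re.compile(r"^\\Device\\HarddiskVolume\d+$", re.IGNORECASE)
DRIVE_RE = re.compile(r"^\\Device\\Harddisk\d+\\DR\d+$", re.IGNORECASE)

# Assumed allowlist (tune per environment): tooling that legitimately reads
# raw volumes, e.g. Volume Shadow Copy and defrag.
ALLOWED_IMAGES = {
    r"c:\windows\system32\vssvc.exe",
    r"c:\windows\system32\defrag.exe",
}


def make_event(image, device, pid, host="WS01"):
    """Build a minimal Sysmon Event ID 9 XML record (constructed test data)."""
    return f"""<Event xmlns="{NS['e']}">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>9</EventID>
  <Computer>{host}</Computer></System>
  <EventData>
    <Data Name="UtcTime">2022-03-14 10:00:00.000</Data>
    <Data Name="ProcessId">{pid}</Data>
    <Data Name="Image">{image}</Data>
    <Data Name="Device">{device}</Data>
  </EventData>
</Event>"""


# Constructed sample: two raw reads by a placeholder binary, one allowlisted
# backup read, and one shadow-copy read that matches neither pattern.
SAMPLE_EVENTS = [
    make_event(r"C:\Users\Public\wiper_sample.exe", r"\Device\HarddiskVolume1", 4120),
    make_event(r"C:\Users\Public\wiper_sample.exe", r"\Device\Harddisk0\DR0", 4120),
    make_event(r"C:\Windows\System32\vssvc.exe", r"\Device\HarddiskVolume1", 1844),
    make_event(r"C:\Windows\System32\svchost.exe", r"\Device\HarddiskVolumeShadowCopy1", 1032),
]


def parse_event(xml_text):
    """Flatten one XmlWinEventLog record into a dict of EventData fields."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    host = root.findtext("e:System/e:Computer", namespaces=NS)
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    return {"event_id": int(event_id), "host": host, **data}


def classify_device(device):
    """Map a raw-access Device path to (detection name, type) or None."""
    if VOLUME_RE.match(device):
        return ("Windows Raw Access To Disk Volume Partition", "Anomaly")
    if DRIVE_RE.match(device):
        return ("Windows Raw Access To Master Boot Record Drive", "TTP")
    return None


def detect(events):
    """Return one finding per Event 9 record that hits a detection and is not
    from an allowlisted image."""
    findings = []
    for xml_text in events:
        ev = parse_event(xml_text)
        if ev["event_id"] != 9:
            continue
        if ev.get("Image", "").lower() in ALLOWED_IMAGES:
            continue
        hit = classify_device(ev.get("Device", ""))
        if hit is None:
            continue
        name, kind = hit
        findings.append({
            "detection": name, "type": kind, "host": ev["host"],
            "image": ev["Image"], "pid": ev["ProcessId"], "device": ev["Device"],
        })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['type']}] {f['detection']}: {f['image']} (pid {f['pid']}) "
              f"opened {f['device']} on {f['host']}")
```

The allowlist is deliberately keyed on the full lowercased image path rather than the file name, so a binary named vssvc.exe dropped into a user-writable directory is still flagged; extending it with signer or hash checks is the usual next step when tuning the Anomaly-typed detection.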

Source: GitHub | Version: 1