This is a recording of the 2nd PROMIS webinar in the series “Vulnerability of modern society exemplified with large cyber-attack against Ukraine”. In this webinar, Dr. Alexander Adamov presents an analysis of the WhisperGate destroyers, such as the MBR Writer and the File Corruptor, that were used in #attack13 to destroy target servers supposedly running the websites of Ukrainian government agencies.
Time codes:
00:00:00 Intro by Dr. Anders Carlsson
00:01:00 Information about #attack13 on the Ukrainian government infrastructure
00:05:43 Analysis of Trojan-Downloader (stage2.exe)
00:21:12 Analysis of Trojan-Dropper (stage3.dll)
00:29:10 Analysis of File Wiper (stage4.exe)
00:41:11 Analysis of MBR Writer (stage1.exe)
00:45:50 Preparing for MBR debugging
01:04:15 Patching the new MBR
01:06:20 Starting to debug Whisper's MBR
01:07:27 Printing the ransom note
01:13:20 Writing sectors to drive
01:27:00 Information about PROMIS project