Regarding the hacking, a Sony spokesperson said that the company is “working closely with law enforcement to address it.”

The hacker group Guardians of Peace (#GOP) took credit for this infamous attack and threatened to release the stolen data if its conditions were not met.

Since then #GOP has started releasing stolen information on the Internet. The hackers claim to have about 111 TB of Sony data, which they say will be leaked if Sony does not capitulate to their demands.

Following this attack, the FBI sent out a Flash Alert this week warning US businesses of a cyber attack using wiper malware. The name “Wiper” originally referred to the component of the Shamoon malware responsible for destroying data on the infected machine’s hard drives. The language pack referenced by the malicious files is Korean, and the malware files used in the Sony attack are similar to those used in last year’s attacks on South Korean companies.

So far, five DVD screeners of Sony Pictures films have been released online through torrents. Four of the five films have not yet been released in theatres. The movies have been downloaded over 2 million times.

List of movies leaked:

  • Fury (Released)
  • Annie (Release Date: Dec. 19)
  • Mr. Turner (Release date: Dec. 19)
  • Still Alice (Release date: Dec. 5)
  • To Write Love on Her Arms (Release date: March 2015)

The following files are released through links posted to Pastebin and now circulating on file sharing networks:

  • Password databases, security certificates, MAC addresses for workstations and servers, and the usernames of every person with sudo access
  • A spreadsheet including the names, birth dates, home address and social security numbers of 3,803 employees of Sony Pictures
  • Payroll breakdowns for the entire company in a spreadsheet
  • A spreadsheet detailing all the Sony Pictures employees terminated in 2014, including cause for termination
  • Employee performance reviews
  • The social security numbers of more than 47,000 current and former employees, including celebrities such as Sylvester Stallone
  • Salaries for top executives
  • A number of pilot scripts for the 2014 TV season
  • Personal information of individuals who worked at Sony Pictures as far back as 2000

The malware used in the Sony Pictures Entertainment attack, detected by Symantec as Backdoor.Destover, is a wiper Trojan capable of wiping disk drives. Below we share our analysis of the wiper malware and conclude with additional thoughts on how users can better protect their networks against such emerging advanced threats.

Targeted Attack

The Trojan uses stored user name and password combinations to gain access to other machines. The use of stored credentials is further evidence that this attack was targeted specifically at the Sony Pictures Entertainment (SPE) network: earlier stages of the campaign must have gathered the credential list.


Fig 1: Config File with usernames and passwords



This sample had three external IP addresses hard-coded inside:


The execution flow of the Trojan:



Fig 2: Code Flow


Main Dropper:

MD5: D1C27EE7CE18675974EDF42D4EEA25C6

When executed on the system, this file relaunches itself with the -i switch to register itself as a service named WinsSchMgmt; the service then executes the binary with the -k switch.



Dropped File:


MD5: 760c35a80d758f032d02cf4db12d3e55

This file copies itself as taskhost%random%.exe (where %random% is three random characters) and executes the copies with different switches to perform the malicious actions described below.

taskhost%random%.exe takes the following switches:

  • -w: drops and starts a web server that displays the warning message
  • -m: drops the EldoS driver to the system, which is used to write to the hard disk directly
  • -d: deletes all files on the system other than .exe and .dll files

The malware drops several copies of itself with names resembling Windows system files and executes them with the switches listed above.


Fig 3: taskhost%random%.exe launched with different switches

The malware decrypts and drops the following files from its ICON_PACKAGES resource, depending on the switch used:

  • net_ver.dat
  • iissvr.exe
  • usbdrv3.sys


Fig 4: Resource ICON_PACKAGES containing encrypted files


Fig 5: Code to decrypt the embedded files in resource

The Trojan’s configuration file, net_ver.dat, is also embedded encrypted in the resource; it holds several IP addresses later used for C&C communication.


Fig 6: net_ver.dat (Config file)


Functionality exhibited by taskhost%random%.exe:

-w switch:

Drops iissvr.exe (decrypted from the resource) into the Windows directory.


iissvr.exe hosts an HTTP web server on port 80 on the infected machine.


Fig 7: iissvr.exe process creation


Fig 8: iissvr.exe

iissvr.exe runs this web server only to display the warning message: visiting http://localhost in a browser on the infected machine shows the page below.

The warning page hosted by the local web server (iissvr.exe):


Fig 9: Warning page

-m switch:

Drops usbdrv3.sys into the %temp% directory.

MD5: 6AEAC618E29980B69721158044C2E544

Signed: EldoS Corporation (timestamped by GlobalSign Time Stamping Authority)


Fig 10: EldoS driver

This signed driver is part of the EldoS RawDisk library, which gives user-mode applications direct access to files, disks and disk partitions, bypassing the security restrictions of the Windows OS. The same driver was used by earlier wipers to write directly to the hard disk. Because it is a legitimate, validly signed commercial component, code-signing checks alone will not flag it; its appearance on a machine that has no EldoS-based product installed is the indicator to watch for.

It registers the usbdrv3.sys driver as a service named usbdrv3.


Fig 11: Driver Started as a service

It communicates with the EldoS driver service by opening a handle to the device shown in Fig 12:



Fig 12: Handle opened to ElRawDisk

It then sends a string of “AAAAA”s to the EldoS driver in a loop, requesting that it write the bytes directly to the hard disk and thereby destroying whatever was stored there.


Fig 13: A’s written to the disk using the driver

-d switch:

It deletes all files on the system except those with the extension .exe or .dll, so user data is destroyed while the malware’s own executables and the Windows binaries it needs remain in place.


Fig 14: Delete files on the system


The malware is also known to wipe out network drives.
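As an added illustration (not part of Cyphort’s analysis or tooling), the following Python script shows how the behaviours described above translate into host-based detection logic. It runs over a handful of constructed, simplified key=value event lines (the format, hostnames, timestamps and paths are assumptions, not real SPE telemetry) and looks for the indicators from this analysis: the WinsSchMgmt and usbdrv3 services, taskhost%random%.exe launched with -w, -m or -d, the dropped files, an EldoS-signed driver load, iissvr.exe listening on port 80, and the MD5 hashes listed above. A host is flagged only when it shows two or more distinct stages of the chain, so a single look-alike event does not fire on its own.

```python
"""Host-based detection of the Destover wiper chain (added example).

Illustrative code written for this article, not Cyphort's detection logic.
Event lines are constructed in a simplified Sysmon-like key=value format;
hostnames, timestamps and paths are assumptions.
"""
import re

# Indicators taken from the analysis above.
IOC_MD5 = {
    "d1c27ee7ce18675974edf42d4eea25c6": "main dropper",
    "760c35a80d758f032d02cf4db12d3e55": "dropped file (taskhost%random%.exe)",
    "6aeac618e29980b69721158044c2e544": "EldoS RawDisk driver (usbdrv3.sys)",
}
IOC_SERVICES = {"winsschmgmt": "persistence", "usbdrv3": "rawdisk_driver"}
IOC_DROPPED = {"usbdrv3.sys", "iissvr.exe", "net_ver.dat"}
SWITCH_STAGE = {"w": "warning_webserver", "m": "rawdisk_wipe", "d": "file_deletion"}

# taskhost plus exactly three characters, launched with -w, -m or -d.
# The legitimate taskhost.exe has no suffix and takes none of these switches.
TASKHOST_RE = re.compile(r"(?:^|[\\/])taskhost[^\\/\s]{3}\.exe\s+-([wmd])\b", re.I)
# key=value tokens; values may be double-quoted to allow spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one key=value log line into a dict."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def classify(ev):
    """Return the list of (stage, detail) pairs matched by one parsed event."""
    hits = []
    kind = ev.get("type", "")
    md5 = ev.get("md5", "").lower()
    if md5 in IOC_MD5:
        hits.append(("known_hash", f"{IOC_MD5[md5]} {md5}"))
    if kind == "ServiceInstall":
        name = ev.get("service", "")
        if name.lower() in IOC_SERVICES:
            hits.append((IOC_SERVICES[name.lower()], f"service {name} installed"))
    elif kind == "ProcessCreate":
        m = TASKHOST_RE.search(ev.get("cmdline", ""))
        if m:
            hits.append((SWITCH_STAGE[m.group(1).lower()], ev["cmdline"]))
    elif kind == "FileCreate":
        path = ev.get("path", "")
        if path.replace("/", "\\").rsplit("\\", 1)[-1].lower() in IOC_DROPPED:
            hits.append(("dropped_file", path))
    elif kind == "DriverLoad":
        signer = ev.get("signer", "")
        if signer.lower().startswith("eldos"):
            hits.append(("rawdisk_driver", f"{ev.get('path', '?')} signed by {signer}"))
    elif kind == "NetworkListen":
        image = ev.get("image", "")
        if ev.get("port") == "80" and image.lower().endswith("iissvr.exe"):
            hits.append(("warning_webserver", f"{image} listening on port 80"))
    return hits


def detect(lines, min_stages=2):
    """Run every line through classify(); return (flagged_hosts, stages_by_host, hits).

    A host is flagged when it shows at least min_stages distinct stages.
    """
    stages_by_host = {}
    hits = []
    for line in lines:
        ev = parse_event(line)
        host = ev.get("host", "unknown")
        host_stages = stages_by_host.setdefault(host, set())
        for stage, detail in classify(ev):
            host_stages.add(stage)
            hits.append((host, stage, detail))
    flagged = sorted(h for h, s in stages_by_host.items() if len(s) >= min_stages)
    return flagged, {h: sorted(s) for h, s in stages_by_host.items()}, hits


# Constructed sample telemetry (not real SPE logs): one infected host, one clean host.
SAMPLE_LOG = [
    r'ts=2014-11-24T03:10:01Z host=SPE-WS01 type=ProcessCreate image=C:\Temp\update.exe cmdline="C:\Temp\update.exe -i" md5=D1C27EE7CE18675974EDF42D4EEA25C6',
    r'ts=2014-11-24T03:10:02Z host=SPE-WS01 type=ServiceInstall service=WinsSchMgmt cmdline="C:\Temp\update.exe -k"',
    r'ts=2014-11-24T03:10:05Z host=SPE-WS01 type=FileCreate path=C:\Windows\Temp\usbdrv3.sys md5=6AEAC618E29980B69721158044C2E544',
    r'ts=2014-11-24T03:10:06Z host=SPE-WS01 type=ServiceInstall service=usbdrv3 path=C:\Windows\Temp\usbdrv3.sys',
    r'ts=2014-11-24T03:10:06Z host=SPE-WS01 type=DriverLoad path=C:\Windows\Temp\usbdrv3.sys signer="EldoS Corporation"',
    r'ts=2014-11-24T03:10:07Z host=SPE-WS01 type=ProcessCreate image=C:\Windows\taskhostfg3.exe cmdline="C:\Windows\taskhostfg3.exe -m" md5=760C35A80D758F032D02CF4DB12D3E55',
    r'ts=2014-11-24T03:10:08Z host=SPE-WS01 type=ProcessCreate image=C:\Windows\taskhostq1z.exe cmdline="C:\Windows\taskhostq1z.exe -w"',
    r'ts=2014-11-24T03:10:09Z host=SPE-WS01 type=NetworkListen image=C:\Windows\iissvr.exe port=80',
    r'ts=2014-11-24T03:10:10Z host=SPE-WS01 type=ProcessCreate image=C:\Windows\taskhosta9b.exe cmdline="C:\Windows\taskhosta9b.exe -d"',
    # Benign look-alikes: the real taskhost.exe, IIS on port 80, Windows Update service.
    r'ts=2014-11-24T03:11:00Z host=SPE-WS02 type=ProcessCreate image=C:\Windows\System32\taskhost.exe cmdline="taskhost.exe $(Arg0)"',
    r'ts=2014-11-24T03:11:01Z host=SPE-WS02 type=NetworkListen image=C:\inetpub\w3wp.exe port=80',
    r'ts=2014-11-24T03:11:02Z host=SPE-WS02 type=ServiceInstall service=wuauserv',
]

if __name__ == "__main__":
    flagged, stages, hits = detect(SAMPLE_LOG)
    for host, stage, detail in hits:
        print(f"{host:9} {stage:18} {detail}")
    print("flagged hosts:", flagged, {h: stages[h] for h in flagged})
```

The stage threshold is what keeps the rule useful: the -w web server or an EldoS driver load could each have a benign explanation on some machine, but a host that registers WinsSchMgmt, loads usbdrv3.sys and then spawns taskhost%random%.exe with the wiper switches has no legitimate story, and the MD5 matches confirm the specific samples analysed here.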



Unlike many of the recently reported breaches of retail stores, the Sony attack appears to be motivated by corporate espionage, political activism or international politics rather than financial gain. Its tactics, techniques and procedures (TTPs) show notable sophistication: delivery of the attack payloads and configuration in the resource section of the dropper, extensive use of encryption, and the use of multiple attack components and Windows service objects. The best defense against such attacks is an approach that continuously monitors network activity and file movements, detects threat activity across the whole kill chain, and correlates observations across the enterprise network.

Wiper is a complex piece of malware used to carry out targeted attacks, and we can expect more malware to adopt a similar design and tactics in the future. Cyphort’s threat defense platform detects all of the Wiper Trojans related to the Sony hack.

Thanks to Paul Kimayong, Marion Marschalek and the rest of Cyphort Labs for their help.