Shamoon - An Advanced Static and Dynamic Analysis of Iran’s Wiper Malware
- Hacking By Doing
- Sep 7, 2024
Updated: Feb 18
Introduction
This report details the technical analysis of Shamoon, a destructive malware specimen closely linked to Iranian state-sponsored Advanced Persistent Threat (APT) groups, most notably APT33 (Elfin). First discovered in 2012, Shamoon is infamous for its role in attacks against Saudi Aramco, where it wiped the data of over 30,000 machines. Shamoon resurfaced in later years, with updated versions like Shamoon 2 (2016) and Shamoon 3 (2018), each targeting energy, government, and financial sectors in the Middle East.
Shamoon’s geopolitical motivations are evident, with its primary goal being cyber-sabotage, typically targeting critical infrastructure. This analysis will focus on the most recent iteration of Shamoon, uncovering its advanced wiping techniques, anti-analysis mechanisms, and system-destroying capabilities through both static and dynamic analysis.
Static Analysis
Strings Analysis
A review of the embedded strings reveals several significant indicators of Shamoon's functionality:
File Manipulation Functions:
getrandomfilename, writefile, createfile, GetFiles, GetDirectories
These strings point to the malware's use of the .NET framework to handle file enumeration, file creation, and write operations, which are the core functions of its file-wiping behavior.
Device Interaction:
\\.\PhysicalDrive, System Volume Information
These strings indicate direct access to physical drives and system volumes, which is consistent with Shamoon's MBR overwriting and file system manipulation.
Signature Indicators:
From Iran with love - Shamoon 4
This string points to the likely geopolitical origin of the malware, linking it to Iranian state-sponsored APT groups.
Development Paths:
C:\Users\Arnav\Desktop\Shamoon-4-master\Shamoon 4\obj\Debug\Shamoon.pdb
The presence of a PDB path (debugging symbols) indicates that this is a debug build of Shamoon, likely leaked or recovered during analysis or development.
PEStudio Analysis
File Hash (SHA-256): E74567B575FF61B948CA3E4D41C2A488C67F09BCC29DE5E35302716D63796C54
Signature: Microsoft.NET
Shamoon is developed using the .NET framework, which provides insight into its dependencies and runtime environment.
Entropy: 5.067
This entropy level suggests that the file is not packed, but has sections of random data, likely due to the file-wiping routines involving random number generation.
Imports
The analysis of imported functions reveals that Shamoon leverages system calls related to:
File creation, writing, and deletion (CreateFileW, WriteFile).
Direct disk access (DeviceIoControl, NtWriteFile).
System volume interaction, consistent with its MBR-wiping behavior.
Dynamic Analysis
After executing the Shamoon sample, the following behaviors were observed:
Delayed File Wiping Trigger
Behavior: Shamoon does not immediately execute its payload. It appears to have a delayed trigger, allowing the system to continue running for a few minutes before it starts its destructive activities. This delay could be part of its evasion mechanism to avoid sandboxes that only observe short execution windows.
File Overwriting in the Recycle Bin
Observation: After some time, Shamoon creates a corrupted file in the Recycle Bin with no name and a negative file size of -836959360 bytes. This behavior indicates that Shamoon is overwriting files with junk data, which prevents recovery and adds complexity to forensic investigations.
Procmon Output: A CreateFile event targeting the Recycle Bin suggests that Shamoon is actively manipulating system directories. The negative file size and corruption point to intentional sabotage, likely overwriting existing files with random data or garbage content.
MBR Overwriting
Observation: A significant finding is Shamoon's write operation to the MBR. The process writes directly to \Device\Harddisk0\DR0 at offset 0, which overwrites the Master Boot Record (MBR). This action aligns with Shamoon's documented behavior of rendering systems unbootable by corrupting the MBR.
Procmon Event: A successful WriteFile event confirms the overwrite of 512 bytes (the size of the MBR) with junk data, ensuring that the system cannot reboot without recovery intervention.
File Corruption and System Disruption
Observation: Shamoon begins corrupting files in user directories and system-critical files in C:\Windows\System32. This corruption ensures that even if the MBR is restored, the system is likely to remain unusable due to missing or corrupted executables and libraries.
Sysinternals Tools: After Shamoon’s execution, system tools such as Procmon are corrupted and fail to run, further demonstrating the malware’s intent to disrupt system recovery and analysis efforts.
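The Procmon events described above (raw disk write at offset 0, Recycle Bin manipulation, writes into System32) can be triaged automatically from a Procmon CSV export. The following script is an added example written for this write-up, not code from the original report; the CSV rows are constructed to mirror the observed events, and the column names follow Procmon's default CSV export (assumed).

```python
import csv
import io
import re

# Constructed Procmon CSV export (not from the original report) mimicking the
# events described above: an MBR overwrite, a Recycle Bin write, a System32
# write, plus one benign event that must not be flagged.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","Shamoon.exe","4120","CreateFile","C:\\$Recycle.Bin\\S-1-5-21-1000","SUCCESS","Desired Access: Generic Write"
"10:01:05.3","Shamoon.exe","4120","WriteFile","\\Device\\Harddisk0\\DR0","SUCCESS","Offset: 0, Length: 512"
"10:01:07.9","Shamoon.exe","4120","WriteFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Offset: 0, Length: 65536"
"10:01:08.0","explorer.exe","1234","WriteFile","C:\\Users\\lab\\notes.txt","SUCCESS","Offset: 0, Length: 40"
"""

# \Device\HarddiskN\DRN is the raw physical disk object; sector 0 is the MBR.
RAW_DISK_RE = re.compile(r"^\\Device\\Harddisk\d+\\DR\d+$", re.IGNORECASE)
DETAIL_RE = re.compile(r"Offset:\s*([\d,]+),\s*Length:\s*([\d,]+)")


def classify(event):
    """Return a finding label for one Procmon event, or None if benign."""
    op, path, detail = event["Operation"], event["Path"], event["Detail"]
    if op == "WriteFile" and RAW_DISK_RE.match(path):
        m = DETAIL_RE.search(detail)
        if m:
            offset = int(m.group(1).replace(",", ""))
            length = int(m.group(2).replace(",", ""))
            # 512 bytes written at offset 0 of the raw disk is the MBR sector.
            if offset == 0 and length == 512:
                return "MBR_OVERWRITE"
        return "RAW_DISK_WRITE"
    if op in ("WriteFile", "CreateFile") and path.lower().startswith("c:\\windows\\system32\\"):
        return "SYSTEM32_MODIFICATION"
    if op == "CreateFile" and "$recycle.bin" in path.lower():
        return "RECYCLE_BIN_ACCESS"
    return None


def triage(csv_text):
    """Parse a Procmon CSV export and return (label, process, path) findings."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        label = classify(row)
        if label:
            findings.append((label, row["Process Name"], row["Path"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_PROCMON_CSV):
        print(finding)
```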
Network Traffic Analysis
Wireshark Analysis
During dynamic analysis, several DNS and HTTP requests to Certificate Authority (CA) domains were captured, including:
ocsp[.]sectigo[.]com
crl[.]comodoca[.]com
These requests likely pertain to the validation of digital certificates. While this behavior is consistent with normal system communication, it is possible that Shamoon uses such requests to mimic legitimate network traffic and avoid detection. The presence of Base64-encoded traffic was noted but did not reveal anything immediately suspicious.
Advanced Static Analysis
File Deletion and Wiping Routine
Shamoon uses a secure file deletion mechanism, identified through static analysis in IDA Pro. The Delete method is responsible for securely wiping files before deletion, and it operates as follows:
Parameters:
sPath: The file path to be deleted.
WipeType: The type of wipe (e.g., random data, zeros).
WipePass: The number of overwrite passes.
Random Number Generators:
Shamoon utilizes two methods for generating random data:
System.Random: For basic random data generation.
RNGCryptoServiceProvider: A cryptographically secure random number generator (CSPRNG), ensuring that the overwritten data cannot be easily reconstructed.
This routine highlights Shamoon’s attempt to ensure that file recovery is impossible by overwriting files with secure random data.
Branching Logic in Wipe Function
Further analysis shows that Shamoon’s wiping routine branches into two paths based on conditional logic. Depending on the input value (ldarg.1), Shamoon either proceeds with the main file-wiping routine or takes an alternative path that performs a different wiping behavior. This flexibility allows Shamoon to implement different file wiping strategies.
Anti-Debugging Techniques
Shamoon employs anti-debugging mechanisms to avoid reverse engineering:
IsDebuggerPresent:
The malware checks for the presence of a debugger, and based on this information, it may modify its execution path to evade analysis.
GetTickCount:
Shamoon uses timing checks to detect whether it is being executed in a virtualized or sandboxed environment. By checking how long certain instructions take to execute, the malware can identify potential attempts to debug or slow down its execution.
Conclusion
Shamoon is a sophisticated wiper malware designed for maximum destruction of infected systems. Through its use of delayed triggers, secure file wiping, and MBR corruption, it ensures that recovery is extremely difficult. Furthermore, the inclusion of anti-debugging techniques and the ability to corrupt both system and user files highlight its intent to disrupt forensic investigation and system recovery efforts.
Key Findings:
MBR Corruption: Shamoon directly overwrites the MBR, preventing systems from booting.
File Wiping: Shamoon securely wipes files using random data generated by cryptographic means, rendering data irrecoverable.
Anti-Analysis Techniques: The malware uses debugger checks and timing techniques to evade analysis.
System Disruption: Shamoon corrupts system-critical files, making recovery difficult even if the MBR is restored.
The combination of these techniques demonstrates Shamoon’s primary goal of causing irreparable damage to the infected systems.