 |
สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์ Electronic Transactions Development Agency |
|
สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์ Electronic Transactions Development Agency |
Tool: SHARPKNOT| Names | SHARPKNOT Bitrep | |
| Category | Malware | |
| Type | Wiper | |
| Description | (US-CERT) This file is a malicious 32-bit Windows executable. Analysis indicates the primary purpose of this application is to destroy a compromised Windows system by overwriting and deleting the Master Boot Record (MBR) on the victim's system and deleting files on network mapped shares as well as physically attached storage devices. The malware must be executed from a command line using any alphanumeric character or string as an argument. Once executed, themalware first attempts to disable the 'System Event Notification' and 'Alerter' services. Note: The Alerter service is present in Windows XP and Windows 2003, which are no longer supported by Microsoft. Current operating systems supported by Microsoft do not run the Alerter service. Next, the malware overwrites the MBR, displaying a status in the command (CMD) window. If the malware is able to overwrite the MBR, an 'OK' status is displayed in the CMD window. If the malware is unable to overwrite the MBR, a 'Fail' status is displayed. After the MBR is overwritten, the malware attempts to gain access to physical and network drives attached to the victim's system and recursively enumerate through the drive’s contents. When the malware identifies a file, it overwrites the file's contents with NULL bytes, renames the file with a randomly generated file name, then deletes the file, making forensic recovery impossible. If the malware is able to overwrite, rename and delete the file, the CMD window will display a 'Break>' status. If the malware is only able to delete the file, the CMD window will display a 'Del>' status. Once the malware has completed deleting files, the system is rebooted. If the malware has executed successfully, the system is rendered inoperative. | |
| Information | <https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf> <https://eromang.zataz.com/tag/agentbase-exe/> | |
| Malpedia | <https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpknot> | |
| AlienVault OTX | <https://otx.alienvault.com/browse/pulses?q=tag:SHARPKNOT> | |
Last change to this tool card: 14 May 2020
Download this tool card in JSON format
Previous: SharpHound
Next: Sharp-SMBExec
| Changed | Name | Country | Observed | ||
APT groups | |||||
 | Lazarus Group, Hidden Cobra, Labyrinth Chollima |  | 2007-Feb 2024  |  | |
1 group listed (1 APT, 0 other, 0 unknown)
|
Digital Service Security Center Follow us on
|
Report incidents |
|
 |
+66 (0)2-123-1227 | |
 |
[email protected] | |