EXH-010 | 2010 | Fictional reconstruction
Two Staged Drivers
June 2010. A Belarusian AV company publishes an analysis of a strange Windows worm. It talks to Siemens PLC software, carries stolen Realtek certificates, and spreads through USB sticks.
Type: Classic
Difficulty: Advanced
Era: 2010s
Time: 12 min
Briefing
This exhibit is document-only. You have hashes, imports, and timeline notes from Symantec / Langner-era public reporting. Your output is a short IOC list for the plant's incident bridge.
Your role
Malware analyst documenting indicators before sharing with ICS-CERT.
Objective
List the worm's unusual traits (PLC targets, driver-signing abuse, and air-gap crossing) without ever running the binary.
Terminal environment
- user: reverse
- host: lab-win
- cwd: /home/reverse
- steps: 3
Safety note. This is a safe reconstruction. All systems, files, hosts, credentials, and outputs are simulated. Do not use these techniques on systems you do not own or have explicit permission to test.