Create HermeticWiper.yar

yara/HermeticWiper.yar

@@ -0,0 +1,23 @@
+rule HermeticWiper : malware {
+  meta:
+    description = "Hermetic Wiper loading epmntdrv.sys by resources"
+    source = "Orange CD"
+    date = "24/02/22"
+    researcher = "Alexandre MATOUSEK"
+    category = "apt"
+  strings:
+    $s1 = "\\\\.\\EPMNTDRV\\%u" wide fullword
+    $s2 = "\\\\.\\PhysicalDrive%u" wide fullword
+    $s3 = "%s%.2s" wide fullword
+    $s4 = "\\\\?\\C:\\Windows\\System32\\winevt\\Logs" wide fullword
+    $os1 = "DRV_XP_X86" wide fullword
+    $os2 = "DRV_XP_X64" wide fullword
+    $os3 = "DRV_X86" wide fullword
+    $os4 = "DRV_X64" wide fullword
+    $cert = /Hermetica Digital Ltd[0-1]/
+  condition:
+    uint16(0) == 0x5A4D and
+    all of ($s*) and
+    2 of ($os*) and
+    $cert
+}