18 строки
663 B
Plaintext
18 строки
663 B
Plaintext
rule MAL_HERMETIC_WIPER {
|
|
meta:
|
|
desc = "Hermetic Wiper - broad hunting rule"
|
|
author = "Hegel @ SentinelLabs"
|
|
version = "1.0"
|
|
last_modified = "02.23.2022"
|
|
hash = "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591"
|
|
reference = "https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/"
|
|
strings:
|
|
$string1 = "DRV_XP_X64" wide ascii nocase
|
|
$string2 = "EPMNTDRV\\%u" wide ascii nocase
|
|
$string3 = "PhysicalDrive%u" wide ascii nocase
|
|
$cert1 = "Hermetica Digital Ltd" wide ascii nocase
|
|
condition:
|
|
uint16(0) == 0x5A4D and
|
|
all of them
|
|
}
|