// Detects the HermeticWiper executable that unpacks and loads the
// epmntdrv.sys driver from its own resources (see meta.description).
rule HermeticWiper : malware {
    meta:
        description = "Hermetic Wiper loading epmntdrv.sys by resources"
        source = "Orange CD"
        date = "24/02/22"
        researcher = "Alexandre MATOUSEK"
        category = "apt"

    strings:
        // Device / file paths referenced by the wiper, stored as UTF-16
        // (wide) and required to match as whole words.
        $path_drv  = "\\\\.\\EPMNTDRV\\%u" wide fullword
        $path_phys = "\\\\.\\PhysicalDrive%u" wide fullword
        $path_fmt  = "%s%.2s" wide fullword
        $path_evtx = "\\\\?\\C:\\Windows\\System32\\winevt\\Logs" wide fullword

        // Resource names of the bundled driver variants; a sample is
        // only expected to carry a subset, hence "2 of" below.
        $res_xp86 = "DRV_XP_X86" wide fullword
        $res_xp64 = "DRV_XP_X64" wide fullword
        $res_x86  = "DRV_X86" wide fullword
        $res_x64  = "DRV_X64" wide fullword

        // Subject name from the code-signing certificate embedded in the
        // binary; the trailing [0-1] class is kept exactly as authored.
        $signer = /Hermetica Digital Ltd[0-1]/

    condition:
        // "MZ" magic at offset 0 (0x4D5A when read big-endian).
        uint16be(0) == 0x4D5A and
        // Every path string must be present.
        $path_drv and $path_phys and $path_fmt and $path_evtx and
        // At least two of the four driver resource names.
        2 of ($res_*) and
        // Plus the signer string.
        $signer
}