YARA rules for HermeticWiper
YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts.
// HermeticWiper PE sample. Match logic: header word + size cap, then either the
// single high-confidence pattern ($x*) or any 3 of all declared strings.
rule APT_UA_Hermetic_Wiper_Feb22_1 {
   meta:
      description = "Detects Hermetic Wiper malware"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/"
      date = "2022-02-24"
      score = 75
      hash1 = "0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da"
      hash2 = "3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767"
      hash3 = "2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf"
      hash4 = "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591"
      id = "2cbe4a69-e31a-5f5f-ab1a-9d71d16fb30f"
   strings:
      // Run of adjacent NUL-separated UTF-16LE literals, in the order they sit in
      // the binary (decoded): "\\.\PhysicalDrive%u", "\\.\EPMNTDRV\%u", "\\.\",
      // "%s%.2s", "$Bitmap", "$LogFile". Raw-disk device paths next to NTFS
      // metafile names; the only $x* string, so it is sufficient on its own.
      $xc1 = { 00 5C 00 5C 00 2E 00 5C 00 50 00 68 00 79 00 73
               00 69 00 63 00 61 00 6C 00 44 00 72 00 69 00 76
               00 65 00 25 00 75 00 00 00 5C 00 5C 00 2E 00 5C
               00 45 00 50 00 4D 00 4E 00 54 00 44 00 52 00 56
               00 5C 00 25 00 75 00 00 00 5C 00 5C 00 2E 00 5C
               00 00 00 00 00 25 00 73 00 25 00 2E 00 32 00 73
               00 00 00 00 00 24 00 42 00 69 00 74 00 6D 00 61
               00 70 00 00 00 24 00 4C 00 6F 00 67 00 46 00 69
               00 6C 00 65 }
      // UTF-16LE "Drivers" NUL "drv" NUL "System32", adjacent in that order
      $sc1 = { 00 44 00 72 00 69 00 76 00 65 00 72 00 73 00 00
               00 64 00 72 00 76 00 00 00 53 00 79 00 73 00 74
               00 65 00 6D 00 33 00 32 }
      // Windows event-log directory via the \\?\ extended-length path prefix
      $s1 = "\\\\?\\C:\\Windows\\System32\\winevt\\Logs" wide fullword
      // Device path of the EPMNTDRV driver (same path as inside $xc1, as a text string)
      $s2 = "\\\\.\\EPMNTDRV\\%u" wide fullword
      // NOTE(review): looks like a resource/driver-variant name; role not shown here
      $s3 = "DRV_XP_X64" wide fullword
      // Wide-string format pattern: a name followed by a 2-character suffix
      $s4 = "%ws%.2ws" wide fullword
      // Code-byte sequences from the analysed build; expect them to be the most
      // brittle part of the rule across recompiled variants
      $op1 = { 8b 7e 08 0f 57 c0 8b 46 0c 83 ef 01 66 0f 13 44 24 20 83 d8 00 89 44 24 18 0f 88 3b 01 00 00 }
      $op2 = { 13 fa 8b 55 f4 4e 3b f3 7f e6 8a 45 0f 01 4d f0 0f 57 c0 }
   condition:
      // 0x5a4d is the little-endian "MZ" DOS header. 0x5a53 ("SZ") is accepted
      // as an alternative first word -- NOTE(review): intent is not documented
      // on this page; confirm before narrowing to MZ only.
      ( uint16(0) == 0x5a53 or uint16(0) == 0x5a4d ) and
      // Size cap keeps the hex/opcode scan cheap and excludes large installers
      filesize < 400KB and ( 1 of ($x*) or 3 of them )
}
// Scheduled-task XML seen in HermeticWiper intrusions: the file must carry the
// Task XML root marker and at least one of the task-body artifacts.
rule APT_UA_Hermetic_Wiper_Scheduled_Task_Feb22_1 {
   meta:
      description = "Detects scheduled task pattern found in Hermetic Wiper malware related intrusions"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia"
      date = "2022-02-25"
      score = 85
      id = "a628f773-9c71-5979-a4db-37b6b6bd6a56"
   strings:
      // Task-body artifacts: staging directory, output redirected to the loopback
      // ADMIN$ share, and the move command
      $sa1 = "CSIDL_SYSTEM_DRIVE\\temp" ascii wide
      $sa2 = "postgresql.exe 1> \\\\127.0.0.1\\ADMIN$" ascii wide
      $sa3 = "cmd.exe /Q /c move CSIDL_SYSTEM_DRIVE" ascii wide
      // Root element of a Task Scheduler XML definition; anchors the rule to task files
      $a0 = "<Task version=" ascii wide
   condition:
      // Anchor plus at least one artifact (all $sa* strings, none are $a-prefixed)
      $a0 and any of ($sa*)
}
// IsaacWiper PE sample (listed with HermeticWiper via the shared reference).
// Requires `import "pe"` at file level for pe.imphash() in the condition; the
// import is not shown on this page -- add it before this rule will compile.
rule MAL_WIPER_IsaacWiper_Mar22_1 {
   meta:
      description = "Detects IsaacWiper malware"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/"
      date = "2022-03-03"
      score = 85
      hash1 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033"
      hash2 = "7bcd4ec18fc4a56db30e0aaebd44e2988f98f7b5d8c14f6689f650b4f11e16c0"
      id = "97d8d8dd-db65-5156-8f97-56c620cf2d56"
   strings:
      // Hard-coded log file path written by the sample
      $s1 = "C:\\ProgramData\\log.txt" wide fullword
      // Internal module name carried in the binary
      $s2 = "Cleaner.dll" ascii fullword
      // Progress / status messages as emitted in the log
      $s3 = "-- system logical drive: " wide fullword
      $s4 = "-- FAILED" wide fullword
      // Code-byte sequences; the embedded xx xx 03 10 dwords look like absolute
      // image addresses, so these may only hit this build -- NOTE(review): confirm
      $op1 = { 8b f1 80 3d b0 66 03 10 00 0f 85 96 00 00 00 33 c0 40 b9 a8 66 03 10 87 01 33 db }
      $op2 = { 8b 40 04 2b c2 c1 f8 02 3b c8 74 34 68 a2 c8 01 10 2b c1 6a 04 }
      $op3 = { 8d 4d f4 ff 75 08 e8 12 ff ff ff 68 88 39 03 10 8d 45 f4 50 e8 2d 1d 00 00 cc }
   condition:
      // Little-endian "MZ" DOS header
      uint16(0) == 0x5a4d and
      filesize < 700KB and
      (
         // Import hash of the known sample, or 3 of the 7 declared strings
         pe.imphash() == "a4b162717c197e11b76a4d9bc58ea25d" or
         3 of them
      )
}