// Detection rule for HermeticWiper (BlackBerry Threat Research, 2022-03-09).
// A file matches only if it is an MZ/PE image under 150KB AND contains every
// string and byte pattern declared below (see the condition).
rule HermeticWiper {
	meta:
		description = "Detects HermeticWiper"
		author = "BlackBerry Threat Research Team"
		date = "2022-03-09"
		license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
	strings:
		// Win32 device-namespace paths, stored as UTF-16LE ("wide") text with a
		// %u format specifier. NOTE(review): what EPMNTDRV refers to is not stated
		// on this page — confirm against the linked write-up before relying on it.
		$s1 = "\\\\.\\EPMNTDRV\\%u" wide
		// Raw physical-disk device path; %u is presumably a drive index.
		$s2 = "\\\\.\\PhysicalDrive%u" wide
		// Registry key path (CrashControl), also stored as wide text.
		$s3 = "SYSTEM\\CurrentControlSet\\Control\\CrashControl" wide
		// Four DRV_* identifiers covering x64/x86 and "XP" variants. Presumably
		// names of embedded per-platform driver payloads — verify against the sample.
		$sd1 = "DRV_X64" wide
		$sd2 = "DRV_X86" wide
		$sd3 = "DRV_XP_X64" wide
		$sd4 = "DRV_XP_X86" wide
		// Fixed 16-byte sequence; its meaning is not documented here.
		$c = { 0C 48 73 28 73 AC 8C CE BA F8 F0 E1 E8 32 9C EC }
		// Byte pattern with ?? wildcards. It contains 4D 5A 90 00 ("MZ" header
		// bytes), so it likely spans the start of an embedded PE image — confirm.
		$x = { 53 5A 44 44 88 F0 27 33 41 00 48 ?? 00 00 FF 4D 5A 90 00 03 00 00 00 7D 04 F5 F0 FF FF 00 00 B8 F5 F0 ?? 01 01 40 01 04 0F 0D 1C 09 ?? ?? ?? ?? }
	condition:
		// uint16(0) == 0x5a4d: little-endian read of "MZ" at offset 0 (PE magic).
		// filesize < 150KB: restricts to small binaries; a padded or repacked
		// variant above this size will not match.
		// all of them: every $s*, $sd*, $c and $x must be present — low false-positive
		// risk, but a variant lacking any single string will evade this rule.
		uint16(0) == 0x5a4d and filesize < 150KB and all of them
}
Details Website 2022-03-17 25 Threat Thursday: HermeticWiper Targets Defense Sectors in Ukraine