IsaacWiper Continues Trend of Wiper Attacks Against Ukraine
Common Information
Type | Value |
---|---|
UUID | a8acb5fe-0fd1-4e4d-97a1-603abe0c0cbb |
Fingerprint | 707d419a549cc428355951889c88ab596fc52e465d62032eae8ea1ee17a96344 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | March 23, 2022, 6:27 p.m. |
Added to db | March 10, 2024, 1:24 a.m. |
Last updated | Aug. 31, 2024, 3:14 a.m. |
Headline | IsaacWiper Continues Trend of Wiper Attacks Against Ukraine |
Title | IsaacWiper Continues Trend of Wiper Attacks Against Ukraine |
Detected Hints/Tags/Attributes | 64/3/24 |
Source URLs
Redirection | Url | |
---|---|---|
Details | Source | https://go.recordedfuture.com/hubfs/reports/mtp-2022-0324.pdf |
URL Provider
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 546 | www.recordedfuture.com |
Details | Domain | 2 | help-for-ukraine.eu |
Details | Domain | 2 | tokenukraine.com |
Details | Domain | 2 | ukrainesolidarity.org |
Details | Domain | 2 | ukraine-solidarity.com |
Details | Domain | 2 | saveukraine.today |
Details | Domain | 2 | supportukraine.today |
Details | Domain | 262 | www.welivesecurity.com |
Details | Domain | 1 | storagedevicenumber.de |
Details | Domain | 265 | recordedfuture.com |
Details | File | 13 | clean.exe |
Details | File | 24 | cl.exe |
Details | File | 4 | cl64.dll |
Details | File | 5 | cld.dll |
Details | File | 3 | cll.dll |
Details | File | 7 | cleaner.dll |
Details | File | 3 | %programdata%\log.txt |
Details | File | 748 | kernel32.dll |
Details | md5 | 1 | a4b162717c197e11b76a4d9bc58ea25d |
Details | sha256 | 9 | 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 |
Details | sha256 | 3 | 7bcd4ec18fc4a56db30e0aaebd44e2988f98f7b5d8c14f6689f650b4f11e16c0 |
Details | sha256 | 1 | 0c61e11f4b056f9866f41c8d5b7f89f8892e44dbeaa0e03bd65a4cf81ce4dcb7 |
Details | Url | 1 | https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting- |

Yara rule (1 event):

```yara
import "pe"

rule MAL_IsaacWiper
{
    meta:
        author = "CNANCE, Insikt Group, Recorded Future"
        date = "2022-03-08"
        description = "Detects IsaacWiper destructive malware"
        version = "1.0"
        reference = "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/"
        hash = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033"
        hash = "7bcd4ec18fc4a56db30e0aaebd44e2988f98f7b5d8c14f6689f650b4f11e16c0"
        RF_MALWARE = "IsaacWiper"
        RF_MALWARE_ID = "lzQ5GL"

    strings:
        // Opens a device read-only (push 0x80000000, GENERIC_READ), then calls
        // DeviceIoControl with control code 0x002D1080
        // (IOCTL_STORAGE_GET_DEVICE_NUMBER) and compares the device type to 7.
        $physical_drive_check = {
            6A 00 6A 00 6A 03 6A 00 6A 03 68 00 00 00 80 8D ?? CC 50 FF D? 8B F0
            83 FE FF 0F 84 ?? ?? ?? ?? 6A 00 8D ?? E4 C7 4? ?? 00 00 00 00 50
            6A 0C 8D ?? AC 50 6A 00 6A 00 68 80 10 2D 00 56 FF 15 ?? ?? ?? ??
            83 F8 01 0F 94 ?? 75 ?? 33 C0 83 7? ?? 07 0F 44 4? ?? 89 4? ??
            56 FF 15 ?? ?? ?? ?? 84 DB EB ?? 84 C9 0F 84 ?? ?? ?? ??
            8B 5? ?? 8B D3 8B 4? ?? 6A 01 E8
        }

    condition:
        uint16(0) == 0x5a4d and
        filesize > 170KB and
        pe.imphash() == "a4b162717c197e11b76a4d9bc58ea25d" and
        pe.exports("_start@4") and
        pe.imports("kernel32.dll", "DeviceIoControl") and
        $physical_drive_check
}
```