ioc[.]one - OSINT Cyber Threat Intelligence Database

Threat Thursday: HermeticWiper Targets Defense Sectors in Ukraine

Tags

country:	Latvia Lithuania Ukraine
attack-pattern:	Data Data Destruction - T1662 Data Destruction - T1485 Malware - T1587.001 Malware - T1588.001 Software - T1592.002 Tool - T1588.002 New Service - T1050 Data Destruction

Show in Graph

Common Information

Type	Value
UUID	eb460593-8704-4ba8-a5ed-69b207ced81a
Fingerprint	a404895a212eacd3
Analysis status	DONE
Considered CTI value	2
Text language
Published	March 17, 2022, 1:01 a.m.
Added to db	Sept. 26, 2022, 9:34 a.m.
Last updated	Nov. 17, 2024, 6:55 p.m.
Headline	Threat Thursday: HermeticWiper Targets Defense Sectors in Ukraine
Title	Threat Thursday: HermeticWiper Targets Defense Sectors in Ukraine
Detected Hints/Tags/Attributes	55/2/25

Source URLs

	Redirection	Url
Details	Source	https://blogs.blackberry.com/en/2022/03/threat-thursday-hermeticwiper

URL Provider

Details	Provider	Source level domain
Details	blackberry.com	blogs.blackberry.com

Attributes

Details	Type	#Events	Value
Details	Domain	33	www.apache.org
Details	Domain	2	resource.zip
Details	Domain	37	www.blackberry.com
Details	File	137	conhost.exe
Details	File	3	compress.exe
Details	File	2	resource.zip
Details	sha256	18	0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
Details	sha256	9	4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382
Details	sha256	7	06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397
Details	sha256	11	3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767
Details	sha256	11	2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf
Details	sha256	23	1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
Details	sha256	1	4aa186b5fdcc8248a9672bf21241f77dd395872ec4876c90af5d27ae565e4cb7
Details	sha256	1	92b9198b4aed95932db029236cb8879a01c73494b545bcacb1ed40596d56990c
Details	sha256	9	e5f3ef69a534260e899a36cec459440dc572388defd8f1d98760d31c700f42d5
Details	sha256	7	96b77284744f8761c4f2558388e0aee2140618b484ff53fa8b222b340d2a9c84
Details	sha256	9	b01e0c6ac0b8bcde145ab7b68cf246deea9402fa7ea3aede7105f7051fe240c1
Details	sha256	6	8c614cf476f871274aa06153224e8f7354bf5e23e6853358591bf35a381fb75b
Details	sha256	9	b6f2e008967c5527337448d768f2332d14b92de22a1279fd4d91000bb3d4a0fd
Details	sha256	6	23ef301ddba39bb00f0819d2061c9c14d17dc30f780a945920a51bc3ba0198a4
Details	sha256	9	fd7eacc2f87aceac865b0aa97a50503d44b799f27737e009f91f3c281233c17d
Details	sha256	6	2c7732da3dcfc82f60f063f2ec9fa09f9d38d5cfbe80c850ded44de43bdb666d
Details	Url	20	https://www.apache.org/licenses/license-2.0
Details	Url	17	https://www.blackberry.com/us/en/forms/cylance/handraiser/emergency-incident-response-containment
Details	Yara rule	1	rule HermeticWiper { meta: description = "Detects HermeticWiper" author = "BlackBerry Threat Research Team" date = "2022-03-09" license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team" strings: $s1 = "\\\\.\\EPMNTDRV\\%u" wide $s2 = "\\\\.\\PhysicalDrive%u" wide $s3 = "SYSTEM\\CurrentControlSet\\Control\\CrashControl" wide $sd1 = "DRV_X64" wide $sd2 = "DRV_X86" wide $sd3 = "DRV_XP_X64" wide $sd4 = "DRV_XP_X86" wide $c = { 0C 48 73 28 73 AC 8C CE BA F8 F0 E1 E8 32 9C EC } $x = { 53 5A 44 44 88 F0 27 33 41 00 48 ?? 00 00 FF 4D 5A 90 00 03 00 00 00 7D 04 F5 F0 FF FF 00 00 B8 F5 F0 ?? 01 01 40 01 04 0F 0D 1C 09 ?? ?? ?? ?? } condition: uint16(0) == 0x5a4d and filesize < 150KB and all of them }