DiskKill/HermeticWiper, a disruptive cyber-weapon targeting Ukraine’s critical infrastructures - Yoroi
Tags
country: Russia, Ukraine
attack-pattern: | Data Malware - T1587.001 Malware - T1588.001 Server - T1583.004 Server - T1584.004 Tool - T1588.002 Access Token Manipulation - T1134 |
Common Information
Type | Value |
---|---|
UUID | f1a46942-c245-4f9c-a979-279be92a9dcf |
Fingerprint | 6435099139f5238d |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Feb. 26, 2022, 11:45 a.m. |
Added to db | Sept. 26, 2022, 9:34 a.m. |
Last updated | Nov. 14, 2024, 10:55 p.m. |
Headline | DiskKill/HermeticWiper, a disruptive cyber-weapon targeting Ukraine’s critical infrastructures |
Title | DiskKill/HermeticWiper, a disruptive cyber-weapon targeting Ukraine’s critical infrastructures - Yoroi |
Detected Hints/Tags/Attributes | 38/2/6 |
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | sha256 | 23 | | 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591 |
Details | sha256 | 7 | | 96b77284744f8761c4f2558388e0aee2140618b484ff53fa8b222b340d2a9c84 |
Details | sha256 | 18 | | 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da |
Details | MITRE ATT&CK Techniques | 116 | | T1134 |
Details | Windows Registry Key | 3 | | HKLM\SYSTEM\CurrentControlSet\Control\CrashControl |
Details | Yara rule | 1 | | rule hermetic_wiper (listed below) |

```yara
rule hermetic_wiper {
    meta:
        description = "Yara rule for the detection of DiskKill/HermeticWiper sample"
        author = "Yoroi Malware ZLab"
        last_updated = "2022-02-24"
        tlp = "WHITE"
        category = "informational"
    strings:
        $a = { 45 8C 66 0F D6 45 9C FF D3 50 FF D7 8B F8 85 FF 0F 84 F7 00 00 00 6A 00 8D 85 78 FF FF FF 50 6A 60 57 6A 00 6A 00 68 64 00 09 00 FF 75 A4 FF 15 64 50 40 00 57 6A 00 85 C0 75 10 FF D3 8B 3D 70 }
    condition:
        $a and uint16(0) == 0x5A4D
}
```