Sneed-Reactivity/yara-mikesxrs/Cado Security/Wiper_Ukr_Feb_2022.yar

18 lines
742 B
Text
Raw Permalink Normal View History

rule Wiper_Ukr_Feb_2022 {
meta:
description = "Detects Wiper seen in Ukraine 23rd Feb 2022"
author = "cadosecurity.com"
date = "2022-02-23"
license = "Apache License 2.0"
hash = "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591"
ref1 = "https://twitter.com/threatintel/status/1496578746014437376"
ref2 = "https://twitter.com/ESETresearch/status/1496581903205511181"
report = "https://github.com/cado-security/wiper_feb_2022"
strings:
$ = "Hermetica Digital Ltd" wide ascii
$ = "DRV_XP_X64" wide ascii
$ = "Windows\\System32\\winevt\\Logs" wide ascii
$ = "EPMNTDRV\\%u" wide ascii
condition:
uint16(0) == 0x5A4D and all of them
}