12 lines
456 B
Text
12 lines
456 B
Text
|
import "pe"
|
||
|
rule HermeticWiper_Certificate {
|
||
|
meta:
|
||
|
description = "Detects a certificate used in HermeticWiper Attack"
|
||
|
date = "2022-02-24"
|
||
|
author = "@X0RC1SM"
|
||
|
hash = "0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da"
|
||
|
malware = "HermeticWiper"
|
||
|
condition:
|
||
|
uint16(0) == 0x5a4d and for any i in (0 .. pe.number_of_signatures) : (pe.signatures[i].serial == "0c:48:73:28:73:ac:8c:ce:ba:f8:f0:e1:e8:32:9c:ec")
|
||
|
}
|