GuitarBob
Joined: 09 Jul 2006
Posts: 4935
Location: USA
Posted: Mon Mar 21, 2022 1:38 am
Below is a Yara signature for ClamWin that can detect variants of the Russian Hermetic Wiper malware designed to wipe hard drives on Ukrainian computers. Yara signatures are similar to C code, and they are used by lots of malware researchers. Clam AV was modified several years ago to process Yara signatures. To use a Yara signature in ClamWin, copy and paste the Yara code (make sure you get all of it), and save it in a Notepad file in the ClamWin database folder with the malware name and a .yar extension. Save it with an All Files designation, and make sure there is no .txt after the .yar extension. Clam AV/ClamWin will give an error if the file is named with an extension other than .yar.
Name the signature file below HermeticWiper.yar. After you save the signature file, run a ClamWin scan on an individual file to make sure there are no errors. You can put all Yara signatures in one file--name it YaraSigs.yar in that case and put a blank line between signatures. Yara sigs start and end with a bracket, but they usually have identification information before the first bracket. If you get a scan error in one file, delete the file from the ClamWin database folder. If you get an error for the Yara signature you just created in a YaraSigs.yar file, delete the Yara signature you just made, make sure the deleted lines are gone from the file, and save the file again.
Thanks to IBM X-Force
Regards,
import "pe"

rule XFTI_HermeticWiper : HermeticWiper
{
    meta:
        author = "IBM X-Force Threat Intelligence Malware Team"
        description = "Detects the wiper targeting Ukraine."
        threat_type = "Malware"
        rule_category = "Malware Family"
        usage = "Hunting and Identification"
        ticket = "IRIS-12790"
        hash = "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591"
        yara_version = "4.0.2"
        date_created = "24 Feb 22"
        date_updated = ""
        reference = ""
        xfti_reference = ""

    strings:
        $s1 = "\\\\.\\EPMNTDRV\\%u" wide fullword
        $s2 = "C:\\Windows\\SYSVOL" wide fullword
        $s3 = "DRV_X64" wide fullword
        $s4 = "DRV_X86" wide fullword
        $s5 = "DRV_XP_X64" wide fullword
        $s6 = "DRV_XP_X86" wide fullword

    condition:
        uint16(0) == 0x5A4D and 4 of them and
        pe.imports("lz32.dll", "LZOpenFileW") and
        pe.imports("kernel32.dll", "FindResourceW") and
        pe.imports("advapi32.dll", "CryptAcquireContextW")
}
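Added example, not part of GuitarBob's post or of the IBM X-Force rule: a small Python model of the rule's header check (`uint16(0) == 0x5A4D`) and its `4 of them` clause, showing what `wide fullword` means in practice (UTF-16LE text with no letter or digit directly before or after it). The `pe.imports` checks are not modelled, and the sample buffers are constructed, not real malware.

```python
# The six wide (UTF-16LE) fullword strings from the XFTI_HermeticWiper rule.
WIDE_STRINGS = [
    "\\\\.\\EPMNTDRV\\%u",
    "C:\\Windows\\SYSVOL",
    "DRV_X64",
    "DRV_X86",
    "DRV_XP_X64",
    "DRV_XP_X86",
]


def _is_wide_alnum(two_bytes: bytes) -> bool:
    """True if a UTF-16LE code unit is an ASCII letter or digit (YARA's fullword boundary test)."""
    return (len(two_bytes) == 2 and two_bytes[1] == 0
            and two_bytes[0] < 128 and chr(two_bytes[0]).isalnum())


def wide_fullword_match(data: bytes, s: str) -> bool:
    """Emulate `"s" wide fullword`: find s as UTF-16LE with non-alphanumeric wide chars around it."""
    needle = s.encode("utf-16-le")
    start = 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return False
        before = data[max(0, i - 2):i]
        after = data[i + len(needle):i + len(needle) + 2]
        # Both neighbouring wide characters must be non-alphanumeric (or absent).
        if not _is_wide_alnum(before) and not _is_wide_alnum(after):
            return True
        start = i + 2  # skip this occurrence and keep looking


def string_part_matches(data: bytes) -> bool:
    """The rule's `uint16(0) == 0x5A4D and 4 of them` part; pe.imports is not modelled here."""
    has_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    hits = sum(wide_fullword_match(data, s) for s in WIDE_STRINGS)
    return has_mz and hits >= 4


# Constructed sample buffers (assumptions, not real files): an MZ header followed by UTF-16LE text.
SAMPLE_HIT = b"MZ" + b"\x00" * 62 + "DRV_X64\0DRV_X86\0DRV_XP_X64\0DRV_XP_X86\0".encode("utf-16-le")
# Here DRV_X64 is glued to other letters (fails fullword) and only two strings match, so no hit.
SAMPLE_MISS = b"MZ" + b"\x00" * 62 + "XDRV_X64Y DRV_X86 DRV_XP_X64".encode("utf-16-le")

if __name__ == "__main__":
    print("SAMPLE_HIT matches:", string_part_matches(SAMPLE_HIT))
    print("SAMPLE_MISS matches:", string_part_matches(SAMPLE_MISS))
```

Running this shows why the rule uses `wide`: the same strings stored as plain ASCII would not match at all, and `fullword` stops `DRV_X64` from firing inside a longer identifier.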