{
"Event": {
"analysis": "0",
"date": "2022-02-24",
"extends_uuid": "56cb2bd3-5525-46bd-a454-ea895a5b4d0d",
"info": "HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine",
"publish_timestamp": "1664880606",
"published": true,
"threat_level_id": "1",
"timestamp": "1664880605",
"uuid": "b9b6dcfa-0b11-40dc-9bf4-9a36a2c1a046",
"Orgc": {
"name": "Centre for Cyber security Belgium",
"uuid": "5cf66e53-b5f8-43e7-be9a-49880a3b4631"
},
"Tag": [
{
"colour": "#0088cc",
"name": "misp-galaxy:target-information=\"Ukraine\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Data Destruction - T1485\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Disk Structure Wipe - T1561.002\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Signed Binary Proxy Execution - T1218\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Group Policy Modification - T1484.001\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Inhibit System Recovery - T1490\""
},
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#054300",
"name": "admiralty-scale:source-reliability=\"a\""
},
{
"colour": "#0eb100",
"name": "admiralty-scale:information-credibility=\"1\""
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1645686071",
"to_ids": true,
"type": "md5",
"uuid": "de0bd41d-ffac-4e5a-8ffd-63c0ba4c6979",
"value": "231b3385ac17e41c5bb1b1fcb59599c4"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1645686071",
"to_ids": true,
"type": "md5",
"uuid": "dc288e70-bf4b-46cc-84aa-515e39f3b433",
"value": "095a1678021b034903c85dd5acb447ad"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1645686071",
"to_ids": true,
"type": "md5",
"uuid": "e499240c-bfd1-4e5b-a70b-244c11d69053",
"value": "eb845b7a16ed82bd248e395d9852f467"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1645688022",
"to_ids": false,
"type": "link",
"uuid": "194c007c-eb84-4987-ae29-4dca3b02db47",
"value": "https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/"
},
{
"category": "Artifacts dropped",
"comment": "Effectively disables crash dumps before the abused driver's execution starts",
"deleted": false,
"disable_correlation": true,
"timestamp": "1645688123",
"to_ids": false,
"type": "regkey|value",
"uuid": "8c55aae8-9ee3-4488-93e8-ee3998518fce",
"value": "SYSTEM\\CurrentControlSet\\Control\\CrashControl CrashDumpEnabled|0"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1645688459",
"to_ids": true,
"type": "filename",
"uuid": "85ca7a94-fcfb-4097-affc-0b102ae4dff5",
"value": "empntdrv.sys"
}
],
"Object": [
{
"comment": "912342f1c840a42f6b74132f8a7c4ffe7d40fb77: Enriched via the virustotal module",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "4",
"timestamp": "1645687145",
"uuid": "d611f80f-3015-4e5a-ba28-a4219aae2114",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "permalink",
"timestamp": "1645687142",
"to_ids": false,
"type": "link",
"uuid": "df316954-b61d-436a-8804-d2f38a368eeb",
"value": "https://www.virustotal.com/gui/file/0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da/detection/f-0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da-1645685791"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1645687145",
"to_ids": false,
"type": "text",
"uuid": "8becd4d8-0f4c-429a-a3d4-9e33ac8f55c5",
"value": "8/71"
}
]
},
{
"comment": "912342f1c840a42f6b74132f8a7c4ffe7d40fb77: Enriched via the virustotal module",
"deleted": false,
"description": "File object describing a file with meta-information",
"first_seen": "2022-02-24T06:35:51+00:00",
"last_seen": "2022-02-24T06:35:51+00:00",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1645687295",
"uuid": "f6a02b6b-91df-4a01-9115-798e59bc7023",
"ObjectReference": [
{
"comment": "",
"object_uuid": "f6a02b6b-91df-4a01-9115-798e59bc7023",
"referenced_uuid": "d611f80f-3015-4e5a-ba28-a4219aae2114",
"relationship_type": "analysed-with",
"timestamp": "1664880605",
"uuid": "dcd014f8-ccb2-4885-8563-6f2799ffd2a2"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1645687295",
"to_ids": true,
"type": "md5",
"uuid": "ec4a3df5-9479-4468-a990-a3f97ff69a1b",
"value": "84ba0197920fd3e2b7dfa719fee09d2f"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1645687295",
"to_ids": true,
"type": "sha1",
"uuid": "27637845-3dbd-4454-ad6c-51b7d05e22e9",
"value": "912342f1c840a42f6b74132f8a7c4ffe7d40fb77"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1645687295",
"to_ids": true,
"type": "sha256",
"uuid": "2b89b426-8ae3-483c-8a10-46acc4b9a441",
"value": "0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da"
}
]
},
{
"comment": "61b25d11392172e587d8da3045812a66c3385451: Enriched via the virustotal module",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "4",
"timestamp": "1645687548",
"uuid": "d9a1332e-3511-4417-97c8-f30621513106",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "permalink",
"timestamp": "1645687548",
"to_ids": false,
"type": "link",
"uuid": "bafabadb-48ca-48a7-b192-ed30a1ffc57c",
"value": "https://www.virustotal.com/gui/file/1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591/detection/f-1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591-1645686225"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1645687545",
"to_ids": false,
"type": "text",
"uuid": "fecf0286-1c32-478d-93e3-507253b34c26",
"value": "28/71"
}
]
},
{
"comment": "61b25d11392172e587d8da3045812a66c3385451: Enriched via the virustotal module",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1645687557",
"uuid": "df7db285-8f67-49a0-a570-360c55604d2c",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1645687557",
"to_ids": true,
"type": "md5",
"uuid": "b5d4be4e-d2cf-479b-90bf-6ad348b213dd",
"value": "3f4a16b29f2f0532b7ce3e7656799125"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1645687554",
"to_ids": true,
"type": "sha1",
"uuid": "6f40134d-c3f6-45b0-bea8-10bcb3b68b1e",
"value": "61b25d11392172e587d8da3045812a66c3385451"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1645687551",
"to_ids": true,
"type": "sha256",
"uuid": "127e284e-9f47-46f6-a14d-118e7e59309a",
"value": "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1645687512",
"uuid": "6e410e9b-426b-49ce-a8b9-4efdf1656f24",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1645687512",
"to_ids": true,
"type": "md5",
"uuid": "104e8a29-d087-4540-bcaa-ee455e21a157",
"value": "a952e288a1ead66490b3275a807f52e5"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "5",
"timestamp": "1645688599",
"uuid": "c908378a-8f2a-49e1-b592-306424bd139b",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "comment",
"timestamp": "1645688599",
"to_ids": false,
"type": "comment",
"uuid": "f596d739-c866-436a-9f94-f0694db7a401",
"value": "HermeticWiper - broad hunting rule"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1645688599",
"to_ids": false,
"type": "text",
"uuid": "d47e6fda-a832-4855-8c6f-f2d3dc912138",
"value": "disk"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1645688599",
"to_ids": true,
"type": "yara",
"uuid": "87bdab8d-c1f2-4996-86b6-b0c9ef9536eb",
"value": "rule MAL_HERMETIC_WIPER {\r\n meta:\r\n desc = \"HermeticWiper - broad hunting rule\"\r\n author = \"Friends @ SentinelLabs\"\r\n version = \"1.0\"\r\n last_modified = \"02.23.2022\"\r\n hash = \"1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591\"\r\n strings:\r\n $string1 = \"DRV_XP_X64\" wide ascii nocase\r\n $string2 = \"EPMNTDRV\\\\%u\" wide ascii nocase\r\n $string3 = \"PhysicalDrive%u\" wide ascii nocase\r\n $cert1 = \"Hermetica Digital Ltd\" wide ascii nocase\r\n condition:\r\n uint16(0) == 0x5A4D and\r\n all of them\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1645688599",
"to_ids": false,
"type": "text",
"uuid": "045e7288-a031-4613-bd58-6b839f4fd53a",
"value": "MAL_HERMETIC_WIPER"
}
]
}
]
}
}