Description

Handala Destructive Wiper detection involves monitoring for suspicious activities such as unexpected regasm processes, unauthorized AutoIt script executions, and the dropping of malicious drivers. Other indicators include abrupt system slowdowns and the creation of unknown files or processes. Early detection of these signs is crucial for mitigating the severe impact of this destructive malware.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2024-07-31
  • Author: Teoderick Contreras, Splunk
  • ID: 1590c46a-e976-4b4b-a166-d9be06ab0056

Narrative

Handala Destructive Wiper is a potent malware strain known for its destructive capabilities. It targets and irreversibly wipes data from infected systems, rendering them inoperable. This malware is often used in cyber-attacks against critical infrastructure and organizations, causing significant disruption and data loss. This Wiper employs techniques to evade detection and spread rapidly across networks. Its deployment can lead to extensive downtime, financial loss, and compromised sensitive information, making it a severe threat in the cybersecurity landscape.

Detections

| Name | Technique | Type |
|------|-----------|------|
| Detect Regasm Spawning a Process | System Binary Proxy Execution, Regsvcs/Regasm | TTP |
| Detect Regasm with Network Connection | System Binary Proxy Execution, Regsvcs/Regasm | TTP |
| Detect Regasm with no Command Line Arguments | System Binary Proxy Execution, Regsvcs/Regasm | TTP |
| Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly |
| Suspicious Process File Path | Create or Modify System Process | TTP |
| Windows AutoIt3 Execution | Command and Scripting Interpreter | TTP |
| Windows Data Destruction Recursive Exec Files Deletion | Data Destruction | TTP |
| Windows Gather Victim Network Info Through Ip Check Web Services | IP Addresses, Gather Victim Network Information | Hunting |
| Windows High File Deletion Frequency | Data Destruction | Anomaly |
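As an added illustration (not Splunk's own SPL searches), two of the detections listed above are expressed in plain Python over constructed Sysmon-style endpoint events; the field names, the 100-deletions threshold and the one-minute window are assumptions made for this example.

```python
# Constructed Sysmon-style events: event_id 1 = process create, event_id 23 = file
# delete. Field names, threshold and window are assumptions for this illustration.
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

def regasm_without_args(events):
    """Detect Regasm with no Command Line Arguments: regasm.exe launched bare."""
    # Non-POSIX split keeps the quoted Windows path as one token; a lone token
    # means no assembly was passed, which is abnormal for this binary.
    return [e for e in events
            if e["event_id"] == 1
            and e["image"].rsplit("\\", 1)[-1].lower() == "regasm.exe"
            and len(shlex.split(e["command_line"], posix=False)) <= 1]

def high_deletion_frequency(events, threshold=100, window=timedelta(minutes=1)):
    """Windows High File Deletion Frequency: {(host, pid): peak deletes per window}."""
    by_proc = defaultdict(list)
    for e in events:
        if e["event_id"] == 23:
            by_proc[(e["host"], e["pid"])].append(datetime.fromisoformat(e["time"]))
    flagged = {}
    for key, times in by_proc.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged

def build_sample_events():
    """Constructed sample telemetry, not a real capture."""
    regasm = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
    base = datetime(2024, 7, 31, 9, 0, 0)
    events = [
        {"event_id": 1, "host": "ws01", "pid": 4100, "image": regasm, "command_line": f'"{regasm}"'},
        {"event_id": 1, "host": "ws01", "pid": 4101, "image": regasm,
         "command_line": f'"{regasm}" /codebase build\\Lib.dll'},
    ]
    for i in range(150):  # one process removing 150 files in 30 seconds
        events.append({"event_id": 23, "host": "ws01", "pid": 5200,
                       "time": (base + timedelta(milliseconds=200 * i)).isoformat()})
    for i in range(20):  # routine housekeeping: 20 deletes spread over ten minutes
        events.append({"event_id": 23, "host": "ws01", "pid": 5300,
                       "time": (base + timedelta(seconds=30 * i)).isoformat()})
    return events
```

Running both functions over `build_sample_events()` flags only the bare regasm launch (pid 4100) and the burst-deleting process (pid 5200), while the regasm call that registers an assembly and the slow housekeeping deletes pass.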

Reference

source | version: 1