Analytics Story: Handala Wiper

Description

Handala Destructive Wiper detection involves monitoring for suspicious activities such as unexpected regasm processes, unauthorized AutoIt script executions, and the dropping of malicious drivers. Other indicators include abrupt system slowdowns and the creation of unknown files or processes. Early detection of these signs is crucial for mitigating the severe impact of this destructive malware.

Why it matters

Handala Destructive Wiper is a potent malware strain known for its destructive capabilities. It targets and irreversibly wipes data from infected systems, rendering them inoperable. This malware is often used in cyberattacks against critical infrastructure and organizations, causing significant disruption and data loss. The wiper employs techniques to evade detection and spread rapidly across networks. Its deployment can lead to extensive downtime, financial loss, and compromised sensitive information, making it a severe threat in the cybersecurity landscape.

Detections

| Name | Technique | Type |
| --- | --- | --- |
| Suspicious Process File Path | Create or Modify System Process | TTP |
| Detect Regasm Spawning a Process | Regsvcs/Regasm | TTP |
| Detect Regasm with Network Connection | Regsvcs/Regasm | TTP |
| Detect Regasm with no Command Line Arguments | Regsvcs/Regasm | TTP |
| Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly |
| Executables Or Script Creation In Temp Path | Masquerading | Anomaly |
| Windows AutoIt3 Execution | Command and Scripting Interpreter | TTP |
| Windows Data Destruction Recursive Exec Files Deletion | Data Destruction | TTP |
| Windows Gather Victim Network Info Through Ip Check Web Services | IP Addresses | Hunting |
| Windows High File Deletion Frequency | Data Destruction | Anomaly |
| Windows Suspicious Process File Path | Create or Modify System Process, Match Legitimate Name or Location | TTP |

Data Sources

| Name | Platform | Sourcetype | Source |
| --- | --- | --- | --- |
| CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike |
| Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 22 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 23 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 26 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 3 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security |
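The "Windows High File Deletion Frequency" detection above is driven by Sysmon EventID 23 (FileDelete) records. The following is an added Python illustration of that idea, not the Splunk detection's own SPL or any code from the page: it groups FileDelete events by process and flags any process whose deletions inside a sliding time window reach a threshold. The events, process names, threshold and window size are constructed for the example and are not taken from real telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon EventID 23 (FileDelete) records, reduced to the fields this
# check reads. Paths, process names and timestamps are made up for the example.
def build_sample_events():
    base = datetime(2024, 1, 1, 12, 0, 0)
    events = []
    # One process running from a Temp path deletes 150 documents in 30 seconds.
    for i in range(150):
        events.append({
            "UtcTime": base + timedelta(seconds=i * 0.2),
            "ProcessId": 4242,
            "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
            "TargetFilename": rf"C:\Users\alice\Documents\report_{i}.docx",
        })
    # Ordinary build tooling removes 20 temporary objects spread over 10 minutes.
    for i in range(20):
        events.append({
            "UtcTime": base + timedelta(seconds=i * 30),
            "ProcessId": 1337,
            "Image": r"C:\Program Files\dotnet\dotnet.exe",
            "TargetFilename": rf"C:\src\proj\obj\tmp_{i}.o",
        })
    return events

def file_deletion_bursts(events, threshold=100, window=timedelta(seconds=60)):
    """Return {(ProcessId, Image): peak deletions seen inside one window} for
    every process whose peak reaches the threshold (assumed values: 100 files
    in 60 seconds). Events need not arrive sorted."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[(ev["ProcessId"], ev["Image"])].append(ev["UtcTime"])
    hits = {}
    for key, times in by_proc.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop events older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[key] = peak
    return hits

if __name__ == "__main__":
    for (pid, image), n in file_deletion_bursts(build_sample_events()).items():
        print(f"High file deletion frequency: pid={pid} image={image} deletes_in_window={n}")
```

Tune the threshold and window against a baseline of the environment's normal deletion rates (build servers, backup agents and cleanup jobs) before alerting on the result.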

Source: GitHub | Version: 1