Analytics Story: Handala Wiper
Description
Handala Destructive Wiper detection involves monitoring for suspicious activities such as unexpected regasm processes, unauthorized AutoIt script executions, and the dropping of malicious drivers. Indicators such as abrupt system slowdowns, and the creation of unknown files or processes. Early detection of these signs is crucial for mitigating the severe impact of this destructive malware.
Why it matters
Handala Destructive Wiper is a potent malware strain known for its destructive capabilities. It targets and irreversibly wipes data from infected systems, rendering them inoperable. This malware is often used in cyber-attacks against critical infrastructure and organizations, causing significant disruption and data loss. This Wiper employs techniques to evade detection and spread rapidly across networks. Its deployment can lead to extensive downtime, financial loss, and compromised sensitive information, making it a severe threat in the cybersecurity landscape.
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor |
crowdstrike |
| Sysmon EventID 1 |  Windows |
xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 11 | Windows |
xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 22 | Windows |
xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 23 | Windows |
xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 3 | Windows |
xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows |
xmlwineventlog |
XmlWinEventLog:Security |
References
- https://www.trellix.com/blogs/research/handalas-wiper-targets-israel/
- https://cyberint.com/blog/threat-intelligence/handala-hack-what-we-know-about-the-rising-threat-actor/
Source: GitHub | Version: 1