← Back to SOC feed Coverage →

r4 wiper 2

yara LOW Yara-Rules
community
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at Yara-Rules →
Retrieved: 2026-05-26T23:00:01Z · Confidence: medium

Hunt Hypothesis

The hypothesis is that the detected behavior may indicate the presence of a wiper malware variant using specific file modification patterns, which could be used to erase data and disrupt operations. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential data destruction threats early, especially in environments with sensitive or critical data.

YARA Rule

rule r4_wiper_2
{
meta:
	source = "NCCIC Partner"
	date = "2017-12-12"
	report = "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf"
	report = "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity"
strings:
	// BIOS Extended Write
	$PhysicalDriveSTR = "\\\\.\\PhysicalDrive" wide
	$ExtendedWrite = { B4 43 B0 00 CD 13 }
condition:
	uint16(0) == 0x5a4d and uint16(uint32(0x3c)) == 0x4550 and all of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

This rule contains 2 string patterns in its detection logic.

False Positive Guidance

Original source: https://github.com/Yara-Rules/rules/blob/main/malware/APT_HiddenCobra.yar