Emdivi malware executing in an environment is likely to surface as suspicious process creation and network communication patterns indicative of command-and-control activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats before they cause significant damage.
YARA Rule
rule Emdivi_Gen1
{
    meta:
        description = "Detects Emdivi Malware"
        author = "Florian Roth @Cyber0ps"
        reference = "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/"
        date = "2015-08-20"
        score = 80
        super_rule = 1
        hash1 = "17e646ca2558a65ffe7aa185ba75d5c3a573c041b897355c2721e9a8ca5fee24"
        hash2 = "3553c136b4eba70eec5d80abe44bd7c7c33ab1b65de617dbb7be5025c9cf01f1"
        hash3 = "6a331c4e654dd8ddaa2c69d260aa5f4f76f243df8b5019d62d4db5ae5c965662"
        hash4 = "90d07ea2bb80ed52b007f57d0d9a79430cd50174825c43d5746a16ee4f94ea86"
    strings:
        $x1 = "wmic nteventlog where filename=\"SecEvent\" call cleareventlog" fullword wide
        $s0 = "del %Temp%\\*.exe %Temp%\\*.dll %Temp%\\*.bat %Temp%\\*.ps1 %Temp%\\*.cmd /f /q" fullword wide
        $x3 = "userControl-v80.exe" fullword ascii
        $s1 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727.42)" fullword wide
        $s2 = "http://www.msftncsi.com" fullword wide
        $s3 = "net use | find /i \"c$\"" fullword wide
        $s4 = " /del /y & " fullword wide
        $s5 = "\\auto.cfg" fullword wide
        $s6 = "/ncsi.txt" fullword wide
        $s7 = "Dcmd /c" fullword wide
        $s8 = "/PROXY" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 800KB and all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 11 string patterns in its detection logic.
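To make the rule's condition concrete, the following added Python example (not YARA and not part of the original rule or page) re-implements its three clauses, MZ magic, size limit and "all of them" with `fullword` `wide`/`ascii` string semantics, and evaluates them on a constructed buffer. The buffer and the helper names (`build_sample`, `emdivi_gen1_matches`) are assumptions for illustration, not artefacts from a real sample.

```python
# Strings copied from Emdivi_Gen1, with the modifier each one carries.
EMDIVI_STRINGS = {
    "$x1": ('wmic nteventlog where filename="SecEvent" call cleareventlog', "wide"),
    "$s0": ("del %Temp%\\*.exe %Temp%\\*.dll %Temp%\\*.bat %Temp%\\*.ps1 %Temp%\\*.cmd /f /q", "wide"),
    "$x3": ("userControl-v80.exe", "ascii"),
    "$s1": ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727.42)", "wide"),
    "$s2": ("http://www.msftncsi.com", "wide"),
    "$s3": ('net use | find /i "c$"', "wide"),
    "$s4": (" /del /y & ", "wide"),
    "$s5": ("\\auto.cfg", "wide"),
    "$s6": ("/ncsi.txt", "wide"),
    "$s7": ("Dcmd /c", "wide"),
    "$s8": ("/PROXY", "wide"),
}

def _encode(text, mod):
    # `wide` in YARA means UTF-16LE; plain `ascii` is one byte per character.
    return text.encode("utf-16-le" if mod == "wide" else "ascii")

def _alnum_char(chunk, wide):
    # fullword: the character just before/after a hit must not be alphanumeric.
    if len(chunk) != (2 if wide else 1) or (wide and chunk[1] != 0):
        return False
    return chunk[0] < 0x80 and chr(chunk[0]).isalnum()

def fullword_hit(data, needle, wide):
    step, start = (2 if wide else 1), 0
    while (off := data.find(needle, start)) >= 0:
        end = off + len(needle)
        if not _alnum_char(data[max(off - step, 0):off], wide) and \
           not _alnum_char(data[end:end + step], wide):
            return True
        start = off + 1
    return False

def emdivi_gen1_matches(data):
    """Evaluate the rule's condition; each clause is returned so a miss is explainable."""
    hits = {n: fullword_hit(data, _encode(t, m), m == "wide")
            for n, (t, m) in EMDIVI_STRINGS.items()}
    mz = data[:2] == b"MZ"                 # uint16(0) == 0x5a4d, little-endian
    size_ok = len(data) < 800 * 1024       # filesize < 800KB
    return {"mz_header": mz, "size_ok": size_ok, "strings": hits,
            "match": mz and size_ok and all(hits.values())}

def build_sample(drop=None):
    # Constructed test buffer (not a real sample): MZ magic, filler, then each
    # rule string in its rule encoding, NUL-separated. `drop` omits one string.
    body = bytearray(b"MZ" + b"\x00" * 62)
    for name, (t, m) in EMDIVI_STRINGS.items():
        if name != drop:
            body += _encode(t, m) + b"\x00\x00"
    return bytes(body)
```

Dropping any single string from the buffer makes `match` false, which is what `all of them` requires and why this rule is tight on false positives but brittle against repacked variants.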
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that uses emdivi as part of a filename or command line argument during system maintenance.
Filter/Exclusion: Exclude processes initiated by schtasks.exe or tasks scheduled via the Task Scheduler with a known legitimate command line.
Scenario: Admin Debugging or Forensic Analysis
Description: An administrator uses a tool like Process Explorer or Procmon to manually inspect processes and temporarily runs a command containing “emdivi” in the command line.
Filter/Exclusion: Exclude processes where the parent process is procexp.exe, procmon.exe, or explorer.exe (if used in a forensic context).
Scenario: Log File Parsing or Data Extraction
Description: A log parsing tool such as LogParser, or a PowerShell script, extracts data from log files and includes the term “emdivi” in its output or command line.
Filter/Exclusion: Exclude processes where the parent process is logparser.exe, powershell.exe (with a known legitimate script), or cmd.exe running a known log parsing script.
Scenario: Software Development or Testing
Description: A developer is testing a tool like Wireshark or tcpdump and includes “emdivi” in a test payload or configuration file.
Filter/Exclusion: Exclude processes where the parent process is wireshark.exe, tcpdump.exe, or vscode.exe (if used in a development environment).
Scenario: Legacy System Compatibility or Migration
Description: A legacy system or migration tool like Robocopy, xcopy, or rsync uses “emdivi” as part of a filename or path during data transfer.