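  rule apt_equation_exploitlib_mutexes
  {
      // Equation group "exploitation library": a PE-looking file that carries one of
      // the mutex / named-object strings below (ASCII or UTF-16LE "wide").
      // Fixes vs. the pasted copy: straight quotes (curly quotes do not parse),
      // "last_modified" restored, one statement per line.
      meta:
          copyright     = "Kaspersky Lab"
          description   = "Rule to detect Equation group's Exploitation library"
          version       = "1.0"
          last_modified = "2015-02-16"
          reference     = "https://securelist.com/blog/"

      strings:
          $mz = "MZ"
          // "wide" = UTF-16LE encoding; the two unsuffixed entries are the plain
          // ASCII forms of $a2/$a3 (prkMtx is only searched as wide).
          $a1 = "prkMtx" wide
          $a2 = "cnFormSyncExFBC" wide
          $a3 = "cnFormVoidFBC" wide
          $a4 = "cnFormSyncExFBC"
          $a5 = "cnFormVoidFBC"

      condition:
          // "$mz at 0" only checks the two DOS-header bytes, not a valid PE
          // header; it keeps the short names from firing on arbitrary text.
          ($mz at 0) and any of ($a*)
  }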
  11.  
  12.  
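  rule apt_equation_doublefantasy_genericresource
  {
      // DoubleFantasy: small PE-looking file carrying its encoded configuration
      // resource. Fixes vs. the pasted copy: straight quotes, "config",
      // "last_modified" and "filesize" restored (the "fi" ligature was lost).
      meta:
          copyright     = "Kaspersky Lab"
          description   = "Rule to detect DoubleFantasy encoded config"
          version       = "1.0"
          last_modified = "2015-02-16"
          reference     = "https://securelist.com/blog/"

      strings:
          $mz = "MZ"
          // UTF-16LE: byte 0x06 followed by "BINRES".
          $a1 = { 06 00 42 00 49 00 4E 00 52 00 45 00 53 00 }
          $a2 = "yyyyyyyyyyyyyyyy"
          // Very short on its own; only meaningful because "all of" is required.
          $a3 = "002"

      condition:
          // All three markers must be present and the file must be under ~500 KB.
          (($mz at 0) and all of ($a*)) and filesize < 500000
  }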
  24.  
  25.  
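  rule apt_equation_equationlaser_runtimeclasses
  {
      // EquationLaser: matches on decorated function names left in the binary.
      // Fixes vs. the pasted copy: straight quotes, "last_modified" restored,
      // one string per line.
      meta:
          copyright     = "Kaspersky Lab"
          description   = "Rule to detect the EquationLaser malware"
          version       = "1.0"
          last_modified = "2015-02-16"
          reference     = "https://securelist.com/blog/"

      strings:
          // These look like MSVC-decorated (C++ mangled) names; "@@YAXXZ" is the
          // MSVC encoding of "void __cdecl f(void)".
          $a1 = "?a73957838_2@@YAXXZ"
          $a2 = "?a84884@@YAXXZ"
          $a3 = "?b823838_9839@@YAXXZ"
          $a4 = "?e747383_94@@YAXXZ"
          $a5 = "?e83834@@YAXXZ"
          $a6 = "?e929348_827@@YAXXZ"

      condition:
          // No "MZ" anchor or size bound here: a single name anywhere in the
          // input is enough, so the rule is not restricted to PE files.
          any of them
  }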
  34.  
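  rule apt_equation_cryptotable
  {
      // Matches a fixed byte table from the crypto library shared by Equation
      // group samples. Fixes vs. the pasted copy: straight quotes and
      // "last_modified" restored; the hex string is wrapped for readability
      // (YARA ignores whitespace inside hex strings).
      meta:
          copyright     = "Kaspersky Lab"
          description   = "Rule to detect the crypto library used in Equation group malware"
          version       = "1.0"
          last_modified = "2015-02-16"
          reference     = "https://securelist.com/blog/"

      strings:
          $a = {
              37 DF E8 B6 C7 9C 0B AE 91 EF F0 3B 90 C6 80 85
              5D 19 4B 45 44 12 3C E2 0D 5C 1C 7B C4 FF D6 05
              17 14 4F 03 74 1E 41 DA 8F 7D DE 7E 99 F1 35 AC
              B8 46 93 CE 23 82 07 EB 2B D4 72 71 40 F3 B0 F7
              78 D7 4C D1 55 1A 39 83 18 FA E1 9A 56 B1 96 AB
              A6 30 C5 5F BE 0C 50 C1
          }

      condition:
          // A bare hex match: no "MZ" anchor, no filesize bound. The table is
          // long enough that chance matches are unlikely, but any file type
          // containing it (dumps, archives, carved data) will fire.
          $a
  }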