Equation Group Malware - Yara Signatures

  1. /*
  2.  
  3. EQUATION GROUP YARA RULES
  4.  
These rules are not the ones published by Kaspersky in the original report.
They were derived from the samples listed by MD5 hash on pages 32 and 33 of the FAQ and Appendix published by Kaspersky: https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf
  7.  
To get a complete signature set, add the Yara rules that were published in the original report:
http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/
  10.  
Check your systems with these rules and all the published IOCs using the free IOC scanner LOKI:
https://github.com/Neo23x0/Loki
Note that all rules except the Grey Fish one require an MZ header at offset 0 and cap the file size, so they are meant for on-disk PE files and will not fire on memory dumps, archives or other containers.
  13.  
Please report false positives via private message here on Pastebin, stating the file name and a hash (MD5/SHA1/SHA256).
  15.  
  16. v1.1
  17. 17.02.2015
  18.  
  19. CHANGES:
  20. 1.1 Added a new rule based on suspicious keywords and strings
  21. 1.0 Initial Rule Set
  22.  
  23. */
  24.  
  25. rule Equation_Kaspersky_TripleFantasy_1 {
  26.         meta:
  27.                 description = "Equation Group Malware - TripleFantasy http://goo.gl/ivt8EW"
  28.                 author = "Florian Roth"
  29.                 reference = "http://goo.gl/ivt8EW"
  30.                 date = "2015/02/16"
  31.                 hash = "b2b2cd9ca6f5864ef2ac6382b7b6374a9fb2cbe9"
  32.         strings:
  33.                 $mz = { 4d 5a }
  34.        
  35.                 $s0 = "%SystemRoot%\\system32\\hnetcfg.dll" fullword wide
  36.                 $s1 = "%WINDIR%\\System32\\ahlhcib.dll" fullword wide
  37.                 $s2 = "%WINDIR%\\sjyntmv.dat" fullword wide
  38.                 $s3 = "Global\\{8c38e4f3-591f-91cf-06a6-67b84d8a0102}" fullword wide
  39.                 $s4 = "%WINDIR%\\System32\\owrwbsdi" fullword wide
  40.                 $s5 = "Chrome" fullword wide
  41.                 $s6 = "StringIndex" fullword ascii
  42.                
  43.                 $x1 = "itemagic.net@443" fullword wide
  44.                 $x2 = "team4heat.net@443" fullword wide
  45.                 $x5 = "62.216.152.69@443" fullword wide
  46.                 $x6 = "84.233.205.37@443" fullword wide
  47.                
  48.                 $z1 = "www.microsoft.com@80" fullword wide
  49.                 $z2 = "www.google.com@80" fullword wide
  50.                 $z3 = "127.0.0.1:3128" fullword wide
  51.         condition:
  52.                 ( $mz at 0 ) and filesize < 300000 and
  53.                 (
  54.                         ( all of ($s*) and all of ($z*) ) or
  55.                         ( all of ($s*) and 1 of ($x*) )
  56.                 )
  57. }
  58.  
  59. rule Equation_Kaspersky_DoubleFantasy_1 {
  60.         meta:
  61.                 description = "Equation Group Malware - DoubleFantasy"
  62.                 author = "Florian Roth"
  63.                 reference = "http://goo.gl/ivt8EW"
  64.                 date = "2015/02/16"
  65.                 hash = "d09b4b6d3244ac382049736ca98d7de0c6787fa2"
  66.         strings:
  67.                 $mz = { 4d 5a }
  68.                
  69.                 $z1 = "msvcp5%d.dll" fullword ascii
  70.                
  71.                 $s0 = "actxprxy.GetProxyDllInfo" fullword ascii
  72.                 $s3 = "actxprxy.DllGetClassObject" fullword ascii
  73.                 $s5 = "actxprxy.DllRegisterServer" fullword ascii
  74.                 $s6 = "actxprxy.DllUnregisterServer" fullword ascii
  75.                
  76.                 $x1 = "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy" ascii
  77.                 $x2 = "191H1a1" fullword ascii
  78.                 $x3 = "November " fullword ascii
  79.                 $x4 = "abababababab" fullword ascii
  80.                 $x5 = "January " fullword ascii
  81.                 $x6 = "October " fullword ascii
  82.                 $x7 = "September " fullword ascii
  83.         condition:
  84.                 ( $mz at 0 ) and filesize < 350000 and
  85.                 (
  86.                         ( $z1 ) or
  87.                         ( all of ($s*) and 6 of ($x*) )
  88.                 )
  89. }
  90.  
  91. rule Equation_Kaspersky_GROK_Keylogger {
  92.         meta:
  93.                 description = "Equation Group Malware - GROK keylogger"
  94.                 author = "Florian Roth"
  95.                 reference = "http://goo.gl/ivt8EW"
  96.                 date = "2015/02/16"
  97.                 hash = "50b8f125ed33233a545a1aac3c9d4bb6aa34b48f"
  98.         strings:
  99.                 $mz = { 4d 5a }
  100.                 $s0 = "c:\\users\\rmgree5\\" ascii
  101.                 $s1 = "msrtdv.sys" fullword wide
  102.                
  103.                 $x1 = "svrg.pdb" fullword ascii
  104.                 $x2 = "W32pServiceTable" fullword ascii
  105.                 $x3 = "In forma" fullword ascii
  106.                 $x4 = "ReleaseF" fullword ascii
  107.                 $x5 = "criptor" fullword ascii
  108.                 $x6 = "astMutex" fullword ascii
  109.                 $x7 = "ARASATAU" fullword ascii
  110.                 $x8 = "R0omp4ar" fullword ascii
  111.                
  112.                 $z1 = "H.text" fullword ascii
  113.                 $z2 = "\\registry\\machine\\software\\Microsoft\\Windows NT\\CurrentVersion" fullword wide
  114.                 $z4 = "\\registry\\machine\\SYSTEM\\ControlSet001\\Control\\Session Manager\\Environment" wide fullword
  115.         condition:
  116.                 ( $mz at 0 ) and filesize < 250000 and
  117.                 (
  118.                         $s0 or
  119.                         ( $s1 and 6 of ($x*) ) or
  120.                         ( 6 of ($x*) and all of ($z*) )
  121.                 )      
  122. }
  123.  
  124. rule Equation_Kaspersky_GreyFishInstaller {
  125.         meta:
  126.                 description = "Equation Group Malware - Grey Fish"
  127.                 author = "Florian Roth"
  128.                 reference = "http://goo.gl/ivt8EW"
  129.                 date = "2015/02/16"
  130.                 hash = "58d15d1581f32f36542f3e9fb4b1fc84d2a6ba35"
  131.         strings:
  132.                 $s0 = "DOGROUND.exe" fullword wide
  133.                 $s1 = "Windows Configuration Services" fullword wide
  134.                 $s2 = "GetMappedFilenameW" fullword ascii
  135.         condition:
  136.                 all of them
  137. }
  138.  
  139. rule Equation_Kaspersky_EquationDrugInstaller {
  140.         meta:
  141.                 description = "Equation Group Malware - EquationDrug installer LUTEUSOBSTOS"
  142.                 author = "Florian Roth"
  143.                 reference = "http://goo.gl/ivt8EW"
  144.                 date = "2015/02/16"
  145.                 hash = "61fab1b8451275c7fd580895d9c68e152ff46417"
  146.         strings:
  147.                 $mz = { 4d 5a }
  148.                
  149.                 $s0 = "\\system32\\win32k.sys" fullword wide
  150.                 $s1 = "ALL_FIREWALLS" fullword ascii
  151.                
  152.                 $x1 = "@prkMtx" fullword wide
  153.                 $x2 = "STATIC" fullword wide
  154.                 $x3 = "windir" fullword wide
  155.                 $x4 = "cnFormVoidFBC" fullword wide
  156.                 $x5 = "CcnFormSyncExFBC" fullword wide
  157.                 $x6 = "WinStaObj" fullword wide
  158.                 $x7 = "BINRES" fullword wide
  159.         condition:
  160.                 ( $mz at 0 ) and filesize < 500000 and all of ($s*) and 5 of ($x*)
  161. }
  162.  
  163. rule Equation_Kaspersky_EquationLaserInstaller {
  164.         meta:
  165.                 description = "Equation Group Malware - EquationLaser Installer"
  166.                 author = "Florian Roth"
  167.                 reference = "http://goo.gl/ivt8EW"
  168.                 date = "2015/02/16"
  169.                 hash = "5e1f56c1e57fbff96d4999db1fd6dd0f7d8221df"
  170.         strings:
  171.                 $mz = { 4d 5a }
  172.                 $s0 = "Failed to get Windows version" fullword ascii
  173.                 $s1 = "lsasrv32.dll and lsass.exe" fullword wide
  174.                 $s2 = "\\\\%s\\mailslot\\%s" fullword ascii
  175.                 $s3 = "%d-%d-%d %d:%d:%d Z" fullword ascii
  176.                 $s4 = "lsasrv32.dll" fullword ascii
  177.                 $s5 = "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" fullword ascii
  178.                 $s6 = "%s %02x %s" fullword ascii
  179.                 $s7 = "VIEWERS" fullword ascii
  180.                 $s8 = "5.2.3790.220 (srv03_gdr.040918-1552)" fullword wide
  181.         condition:
  182.                 ( $mz at 0 ) and filesize < 250000 and 6 of ($s*)
  183. }
  184.  
  185. rule Equation_Kaspersky_FannyWorm {
  186.         meta:
  187.                 description = "Equation Group Malware - Fanny Worm"
  188.                 author = "Florian Roth"
  189.                 reference = "http://goo.gl/ivt8EW"
  190.                 date = "2015/02/16"
  191.                 hash = "1f0ae54ac3f10d533013f74f48849de4e65817a7"
  192.         strings:
  193.                 $mz = { 4d 5a }
  194.        
  195.                 $s1 = "x:\\fanny.bmp" fullword ascii
  196.                 $s2 = "32.exe" fullword ascii  
  197.                 $s3 = "d:\\fanny.bmp" fullword ascii
  198.        
  199.                 $x1 = "c:\\windows\\system32\\kernel32.dll" fullword ascii
  200.                 $x2 = "System\\CurrentControlSet\\Services\\USBSTOR\\Enum" fullword ascii
  201.                 $x3 = "System\\CurrentControlSet\\Services\\PartMgr\\Enum" fullword ascii
  202.                 $x4 = "\\system32\\win32k.sys" fullword wide
  203.                 $x5 = "\\AGENTCPD.DLL" fullword ascii
  204.                 $x6 = "agentcpd.dll" fullword ascii
  205.                 $x7 = "PADupdate.exe" fullword ascii
  206.                 $x8 = "dll_installer.dll" fullword ascii               
  207.                 $x9 = "\\restore\\" fullword ascii
  208.                 $x10 = "Q:\\__?__.lnk" fullword ascii
  209.                 $x11 = "Software\\Microsoft\\MSNetMng" fullword ascii
  210.                 $x12 = "\\shelldoc.dll" fullword ascii
  211.                 $x13 = "file size = %d bytes" fullword ascii
  212.                 $x14 = "\\MSAgent" fullword ascii
  213.                 $x15 = "Global\\RPCMutex" fullword ascii
  214.                 $x16 = "Global\\DirectMarketing" fullword ascii
  215.         condition:
  216.                 ( $mz at 0 ) and filesize < 300000 and
  217.                 (
  218.                         ( 2 of ($s*) ) or
  219.                         ( 1 of ($s*) and 6 of ($x*) ) or
  220.                         ( 14 of ($x*) )
  221.                 )
  222. }
  223.  
  224. rule Equation_Kaspersky_HDD_reprogramming_module {
  225.         meta:
  226.                 description = "Equation Group Malware - HDD reprogramming module"
  227.                 author = "Florian Roth"
  228.                 reference = "http://goo.gl/ivt8EW"
  229.                 date = "2015/02/16"
  230.                 hash = "ff2b50f371eb26f22eb8a2118e9ab0e015081500"
  231.         strings:
  232.                 $mz = { 4d 5a }
  233.                 $s0 = "nls_933w.dll" fullword ascii
  234.                
  235.                 $s1 = "BINARY" fullword wide
  236.                 $s2 = "KfAcquireSpinLock" fullword ascii
  237.                 $s3 = "HAL.dll" fullword ascii
  238.                 $s4 = "READ_REGISTER_UCHAR" fullword ascii
  239.         condition:
  240.                 ( $mz at 0 ) and filesize < 300000 and all of ($s*)
  241. }
  242.  
  243. rule Equation_Kaspersky_EOP_Package {
  244.         meta:
  245.                 description = "Equation Group Malware - EoP package and malware launcher"
  246.                 author = "Florian Roth"
  247.                 reference = "http://goo.gl/ivt8EW"
  248.                 date = "2015/02/16"
  249.                 hash = "2bd1b1f5b4384ce802d5d32d8c8fd3d1dc04b962"
  250.         strings:
  251.                 $mz = { 4d 5a }
  252.                 $s0 = "abababababab" fullword ascii
  253.                 $s1 = "abcdefghijklmnopq" fullword ascii
  254.                 $s2 = "@STATIC" fullword wide
  255.                 $s3 = "$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" fullword ascii
  256.                 $s4 = "@prkMtx" fullword wide
  257.                 $s5 = "prkMtx" fullword wide
  258.                 $s6 = "cnFormVoidFBC" fullword wide
  259.         condition:
  260.                 ( $mz at 0 ) and filesize < 100000 and all of ($s*)
  261. }
  262.  
  263. rule Equation_Kaspersky_TripleFantasy_Loader {
  264.         meta:
  265.                 description = "Equation Group Malware - TripleFantasy Loader"
  266.                 author = "Florian Roth"
  267.                 reference = "http://goo.gl/ivt8EW"
  268.                 date = "2015/02/16"
  269.                 hash = "4ce6e77a11b443cc7cbe439b71bf39a39d3d7fa3"
  270.         strings:
  271.                 $mz = { 4d 5a }
  272.                
  273.                 $x1 = "Original Innovations, LLC" fullword wide
  274.                 $x2 = "Moniter Resource Protocol" fullword wide
  275.                 $x3 = "ahlhcib.dll" fullword wide      
  276.        
  277.                 $s0 = "hnetcfg.HNetGetSharingServicesPage" fullword ascii
  278.                 $s1 = "hnetcfg.IcfGetOperationalMode" fullword ascii
  279.                 $s2 = "hnetcfg.IcfGetDynamicFwPorts" fullword ascii
  280.                 $s3 = "hnetcfg.HNetFreeFirewallLoggingSettings" fullword ascii
  281.                 $s4 = "hnetcfg.HNetGetShareAndBridgeSettings" fullword ascii
  282.                 $s5 = "hnetcfg.HNetGetFirewallSettingsPage" fullword ascii
  283.         condition:
  284.                 ( $mz at 0 ) and filesize < 50000 and ( all of ($x*) and all of ($s*) )
  285. }
  286.  
/* Rule derived from the suspicious strings mentioned on page 19 of the FAQ paper */
  288.  
  289. rule Equation_Kaspersky_SuspiciousString {
  290.         meta:
  291.                 description = "Equation Group Malware - suspicious string found in sample"
  292.                 author = "Florian Roth"
  293.                 reference = "https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf"
  294.                 date = "2015/02/17"
  295.                 score = 60
  296.         strings:
  297.                 $mz = { 4d 5a }
  298.                
  299.                 $s1 = "i386\\DesertWinterDriver.pdb" fullword
  300.                 $s2 = "Performing UR-specific post-install..."
  301.                 $s3 = "Timeout waiting for the \"canInstallNow\" event from the implant-specific EXE!"
  302.                 $s4 = "STRAITSHOOTER30.exe"
  303.                 $s5 = "standalonegrok_2.1.1.1"
  304.                 $s6 = "c:\\users\\rmgree5\\"
  305.         condition:
  306.                 ( $mz at 0 ) and filesize < 500000 and all of ($s*)
  307. }