Commit
6ddb9952
authored
Jan 21, 2017
by
Marc Rivero López
Committed by
GitHub
Jan 21, 2017
Update APT_Equation.yar
Fixed rule style
parent
8da187d5
Showing
1 changed file
with
146 additions
and
65 deletions
+146
-65
APT_Equation.yar
malware/APT_Equation.yar
+146
-65
malware/APT_Equation.yar
...
@@ -7,13 +7,16 @@ import "pe"
...
@@ -7,13 +7,16 @@ import "pe"
/* Equation APT ------------------------------------------------------------ */
/* Equation APT ------------------------------------------------------------ */
rule apt_equation_exploitlib_mutexes : mutex {
rule apt_equation_exploitlib_mutexes
{
meta:
meta:
copyright = "Kaspersky Lab"
copyright = "Kaspersky Lab"
description = "Rule to detect Equation group's Exploitation library http://goo.gl/ivt8EW"
description = "Rule to detect Equation group's Exploitation library http://goo.gl/ivt8EW"
version = "1.0"
version = "1.0"
last_modified = "2015-02-16"
last_modified = "2015-02-16"
reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"
reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"
strings:
strings:
$mz="MZ"
$mz="MZ"
$a1="prkMtx" wide
$a1="prkMtx" wide
...
@@ -21,33 +24,41 @@ rule apt_equation_exploitlib_mutexes : mutex {
...
@@ -21,33 +24,41 @@ rule apt_equation_exploitlib_mutexes : mutex {
$a3="cnFormVoidFBC" wide
$a3="cnFormVoidFBC" wide
$a4="cnFormSyncExFBC"
$a4="cnFormSyncExFBC"
$a5="cnFormVoidFBC"
$a5="cnFormVoidFBC"
condition:
condition:
(($mz at 0) and any of ($a*))
(($mz at 0) and any of ($a*))
}
}
rule apt_equation_doublefantasy_genericresource {
rule apt_equation_doublefantasy_genericresource
{
meta:
meta:
copyright = "Kaspersky Lab"
copyright = "Kaspersky Lab"
description = "Rule to detect DoubleFantasy encoded config http://goo.gl/ivt8EW"
description = "Rule to detect DoubleFantasy encoded config http://goo.gl/ivt8EW"
version = "1.0"
version = "1.0"
last_modified = "2015-02-16"
last_modified = "2015-02-16"
reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"
reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"
strings:
strings:
$mz="MZ"
$mz="MZ"
$a1={06 00 42 00 49 00 4E 00 52 00 45 00 53 00}
$a1={06 00 42 00 49 00 4E 00 52 00 45 00 53 00}
$a2="yyyyyyyyyyyyyyyy"
$a2="yyyyyyyyyyyyyyyy"
$a3="002"
$a3="002"
condition:
condition:
(($mz at 0) and all of ($a*)) and filesize < 500000
(($mz at 0) and all of ($a*)) and filesize < 500000
}
}
rule apt_equation_equationlaser_runtimeclasses {
rule apt_equation_equationlaser_runtimeclasses
{
meta:
meta:
copyright = "Kaspersky Lab"
copyright = "Kaspersky Lab"
description = "Rule to detect the EquationLaser malware"
description = "Rule to detect the EquationLaser malware"
version = "1.0"
version = "1.0"
last_modified = "2015-02-16"
last_modified = "2015-02-16"
reference = "https://securelist.com/blog/"
reference = "https://securelist.com/blog/"
strings:
strings:
$a1="?a73957838_2@@YAXXZ"
$a1="?a73957838_2@@YAXXZ"
$a2="?a84884@@YAXXZ"
$a2="?a84884@@YAXXZ"
...
@@ -55,35 +66,42 @@ rule apt_equation_equationlaser_runtimeclasses {
...
@@ -55,35 +66,42 @@ rule apt_equation_equationlaser_runtimeclasses {
$a4="?e747383_94@@YAXXZ"
$a4="?e747383_94@@YAXXZ"
$a5="?e83834@@YAXXZ"
$a5="?e83834@@YAXXZ"
$a6="?e929348_827@@YAXXZ"
$a6="?e929348_827@@YAXXZ"
condition:
condition:
any of them
any of them
}
}
rule apt_equation_cryptotable : crypto {
rule apt_equation_cryptotable
{
meta:
meta:
copyright = "Kaspersky Lab"
copyright = "Kaspersky Lab"
description = "Rule to detect the crypto library used in Equation group malware"
description = "Rule to detect the crypto library used in Equation group malware"
version = "1.0"
version = "1.0"
last_modified = "2015-02-16"
last_modified = "2015-02-16"
reference = "https://securelist.com/blog/"
reference = "https://securelist.com/blog/"
strings:
strings:
$a={37 DF E8 B6 C7 9C 0B AE 91 EF F0 3B 90 C6 80 85 5D 19 4B 45 44 12 3C E2 0D 5C 1C 7B C4 FF D6 05 17 14 4F 03 74 1E 41 DA 8F 7D DE 7E 99 F1 35 AC B8 46 93 CE 23 82 07 EB 2B D4 72 71 40 F3 B0 F7 78 D7 4C D1 55 1A 39 83 18 FA E1 9A 56 B1 96 AB A6 30 C5 5F BE 0C 50 C1}
$a={37 DF E8 B6 C7 9C 0B AE 91 EF F0 3B 90 C6 80 85 5D 19 4B 45 44 12 3C E2 0D 5C 1C 7B C4 FF D6 05 17 14 4F 03 74 1E 41 DA 8F 7D DE 7E 99 F1 35 AC B8 46 93 CE 23 82 07 EB 2B D4 72 71 40 F3 B0 F7 78 D7 4C D1 55 1A 39 83 18 FA E1 9A 56 B1 96 AB A6 30 C5 5F BE 0C 50 C1}
condition:
condition:
$a
$a
}
}
/* Equation Group - Kaspersky ---------------------------------------------- */
/* Equation Group - Kaspersky ---------------------------------------------- */
rule Equation_Kaspersky_TripleFantasy_1 {
rule Equation_Kaspersky_TripleFantasy_1
{
meta:
meta:
description = "Equation Group Malware - TripleFantasy http://goo.gl/ivt8EW"
description = "Equation Group Malware - TripleFantasy http://goo.gl/ivt8EW"
author = "Florian Roth"
author = "Florian Roth"
reference = "http://goo.gl/ivt8EW"
reference = "http://goo.gl/ivt8EW"
date = "2015/02/16"
date = "2015/02/16"
hash = "b2b2cd9ca6f5864ef2ac6382b7b6374a9fb2cbe9"
hash = "b2b2cd9ca6f5864ef2ac6382b7b6374a9fb2cbe9"
strings:
strings:
$mz = { 4d 5a }
$mz = { 4d 5a }
$s0 = "%SystemRoot%\\system32\\hnetcfg.dll" fullword wide
$s0 = "%SystemRoot%\\system32\\hnetcfg.dll" fullword wide
$s1 = "%WINDIR%\\System32\\ahlhcib.dll" fullword wide
$s1 = "%WINDIR%\\System32\\ahlhcib.dll" fullword wide
$s2 = "%WINDIR%\\sjyntmv.dat" fullword wide
$s2 = "%WINDIR%\\sjyntmv.dat" fullword wide
...
@@ -91,40 +109,35 @@ rule Equation_Kaspersky_TripleFantasy_1 {
...
@@ -91,40 +109,35 @@ rule Equation_Kaspersky_TripleFantasy_1 {
$s4 = "%WINDIR%\\System32\\owrwbsdi" fullword wide
$s4 = "%WINDIR%\\System32\\owrwbsdi" fullword wide
$s5 = "Chrome" fullword wide
$s5 = "Chrome" fullword wide
$s6 = "StringIndex" fullword ascii
$s6 = "StringIndex" fullword ascii
$x1 = "itemagic.net@443" fullword wide
$x1 = "itemagic.net@443" fullword wide
$x2 = "team4heat.net@443" fullword wide
$x2 = "team4heat.net@443" fullword wide
$x5 = "62.216.152.69@443" fullword wide
$x5 = "62.216.152.69@443" fullword wide
$x6 = "84.233.205.37@443" fullword wide
$x6 = "84.233.205.37@443" fullword wide
$z1 = "www.microsoft.com@80" fullword wide
$z1 = "www.microsoft.com@80" fullword wide
$z2 = "www.google.com@80" fullword wide
$z2 = "www.google.com@80" fullword wide
$z3 = "127.0.0.1:3128" fullword wide
$z3 = "127.0.0.1:3128" fullword wide
condition:
condition:
( $mz at 0 ) and filesize < 300000 and
( $mz at 0 ) and filesize < 300000 and (( all of ($s*) and all of ($z*) ) or ( all of ($s*) and 1 of ($x*) ))
(
( all of ($s*) and all of ($z*) ) or
( all of ($s*) and 1 of ($x*) )
)
}
}
rule Equation_Kaspersky_DoubleFantasy_1 {
rule Equation_Kaspersky_DoubleFantasy_1
{
meta:
meta:
description = "Equation Group Malware - DoubleFantasy"
description = "Equation Group Malware - DoubleFantasy"
author = "Florian Roth"
author = "Florian Roth"
reference = "http://goo.gl/ivt8EW"
reference = "http://goo.gl/ivt8EW"
date = "2015/02/16"
date = "2015/02/16"
hash = "d09b4b6d3244ac382049736ca98d7de0c6787fa2"
hash = "d09b4b6d3244ac382049736ca98d7de0c6787fa2"
strings:
strings:
$mz = { 4d 5a }
$mz = { 4d 5a }
$z1 = "msvcp5%d.dll" fullword ascii
$z1 = "msvcp5%d.dll" fullword ascii
$s0 = "actxprxy.GetProxyDllInfo" fullword ascii
$s0 = "actxprxy.GetProxyDllInfo" fullword ascii
$s3 = "actxprxy.DllGetClassObject" fullword ascii
$s3 = "actxprxy.DllGetClassObject" fullword ascii
$s5 = "actxprxy.DllRegisterServer" fullword ascii
$s5 = "actxprxy.DllRegisterServer" fullword ascii
$s6 = "actxprxy.DllUnregisterServer" fullword ascii
$s6 = "actxprxy.DllUnregisterServer" fullword ascii
$x1 = "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy" ascii
$x1 = "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy" ascii
$x2 = "191H1a1" fullword ascii
$x2 = "191H1a1" fullword ascii
$x3 = "November " fullword ascii
$x3 = "November " fullword ascii
...
@@ -132,26 +145,25 @@ rule Equation_Kaspersky_DoubleFantasy_1 {
...
@@ -132,26 +145,25 @@ rule Equation_Kaspersky_DoubleFantasy_1 {
$x5 = "January " fullword ascii
$x5 = "January " fullword ascii
$x6 = "October " fullword ascii
$x6 = "October " fullword ascii
$x7 = "September " fullword ascii
$x7 = "September " fullword ascii
condition:
condition:
( $mz at 0 ) and filesize < 350000 and
( $mz at 0 ) and filesize < 350000 and (( $z1 ) or ( all of ($s*) and 6 of ($x*) ))
(
( $z1 ) or
( all of ($s*) and 6 of ($x*) )
)
}
}
rule Equation_Kaspersky_GROK_Keylogger {
rule Equation_Kaspersky_GROK_Keylogger
{
meta:
meta:
description = "Equation Group Malware - GROK keylogger"
description = "Equation Group Malware - GROK keylogger"
author = "Florian Roth"
author = "Florian Roth"
reference = "http://goo.gl/ivt8EW"
reference = "http://goo.gl/ivt8EW"
date = "2015/02/16"
date = "2015/02/16"
hash = "50b8f125ed33233a545a1aac3c9d4bb6aa34b48f"
hash = "50b8f125ed33233a545a1aac3c9d4bb6aa34b48f"
strings:
strings:
$mz = { 4d 5a }
$mz = { 4d 5a }
$s0 = "c:\\users\\rmgree5\\" ascii
$s0 = "c:\\users\\rmgree5\\" ascii
$s1 = "msrtdv.sys" fullword wide
$s1 = "msrtdv.sys" fullword wide
$x1 = "svrg.pdb" fullword ascii
$x1 = "svrg.pdb" fullword ascii
$x2 = "W32pServiceTable" fullword ascii
$x2 = "W32pServiceTable" fullword ascii
$x3 = "In forma" fullword ascii
$x3 = "In forma" fullword ascii
...
@@ -160,47 +172,48 @@ rule Equation_Kaspersky_GROK_Keylogger {
...
@@ -160,47 +172,48 @@ rule Equation_Kaspersky_GROK_Keylogger {
$x6 = "astMutex" fullword ascii
$x6 = "astMutex" fullword ascii
$x7 = "ARASATAU" fullword ascii
$x7 = "ARASATAU" fullword ascii
$x8 = "R0omp4ar" fullword ascii
$x8 = "R0omp4ar" fullword ascii
$z1 = "H.text" fullword ascii
$z1 = "H.text" fullword ascii
$z2 = "\\registry\\machine\\software\\Microsoft\\Windows NT\\CurrentVersion" fullword wide
$z2 = "\\registry\\machine\\software\\Microsoft\\Windows NT\\CurrentVersion" fullword wide
$z4 = "\\registry\\machine\\SYSTEM\\ControlSet001\\Control\\Session Manager\\Environment" wide fullword
$z4 = "\\registry\\machine\\SYSTEM\\ControlSet001\\Control\\Session Manager\\Environment" wide fullword
condition:
condition:
( $mz at 0 ) and filesize < 250000 and
( $mz at 0 ) and filesize < 250000 and ($s0 or ( $s1 and 6 of ($x*) ) or ( 6 of ($x*) and all of ($z*) ))
(
$s0 or
( $s1 and 6 of ($x*) ) or
( 6 of ($x*) and all of ($z*) )
)
}
}
rule Equation_Kaspersky_GreyFishInstaller {
rule Equation_Kaspersky_GreyFishInstaller
{
meta:
meta:
description = "Equation Group Malware - Grey Fish"
description = "Equation Group Malware - Grey Fish"
author = "Florian Roth"
author = "Florian Roth"
reference = "http://goo.gl/ivt8EW"
reference = "http://goo.gl/ivt8EW"
date = "2015/02/16"
date = "2015/02/16"
hash = "58d15d1581f32f36542f3e9fb4b1fc84d2a6ba35"
hash = "58d15d1581f32f36542f3e9fb4b1fc84d2a6ba35"
strings:
strings:
$s0 = "DOGROUND.exe" fullword wide
$s0 = "DOGROUND.exe" fullword wide
$s1 = "Windows Configuration Services" fullword wide
$s1 = "Windows Configuration Services" fullword wide
$s2 = "GetMappedFilenameW" fullword ascii
$s2 = "GetMappedFilenameW" fullword ascii
condition:
condition:
all of them
all of them
}
}
rule Equation_Kaspersky_EquationDrugInstaller {
rule Equation_Kaspersky_EquationDrugInstaller
{
meta:
meta:
description = "Equation Group Malware - EquationDrug installer LUTEUSOBSTOS"
description = "Equation Group Malware - EquationDrug installer LUTEUSOBSTOS"
author = "Florian Roth"
author = "Florian Roth"
reference = "http://goo.gl/ivt8EW"
reference = "http://goo.gl/ivt8EW"
date = "2015/02/16"
date = "2015/02/16"
hash = "61fab1b8451275c7fd580895d9c68e152ff46417"
hash = "61fab1b8451275c7fd580895d9c68e152ff46417"
strings:
strings:
$mz = { 4d 5a }
$mz = { 4d 5a }
$s0 = "\\system32\\win32k.sys" fullword wide
$s0 = "\\system32\\win32k.sys" fullword wide
$s1 = "ALL_FIREWALLS" fullword ascii
$s1 = "ALL_FIREWALLS" fullword ascii
$x1 = "@prkMtx" fullword wide
$x1 = "@prkMtx" fullword wide
$x2 = "STATIC" fullword wide
$x2 = "STATIC" fullword wide
$x3 = "windir" fullword wide
$x3 = "windir" fullword wide
...
@@ -208,17 +221,21 @@ rule Equation_Kaspersky_EquationDrugInstaller {
...
@@ -208,17 +221,21 @@ rule Equation_Kaspersky_EquationDrugInstaller {
$x5 = "CcnFormSyncExFBC" fullword wide
$x5 = "CcnFormSyncExFBC" fullword wide
$x6 = "WinStaObj" fullword wide
$x6 = "WinStaObj" fullword wide
$x7 = "BINRES" fullword wide
$x7 = "BINRES" fullword wide
condition:
condition:
( $mz at 0 ) and filesize < 500000 and all of ($s*) and 5 of ($x*)
( $mz at 0 ) and filesize < 500000 and all of ($s*) and 5 of ($x*)
}
}
rule Equation_Kaspersky_EquationLaserInstaller {
rule Equation_Kaspersky_EquationLaserInstaller
{
meta:
meta:
description = "Equation Group Malware - EquationLaser Installer"
description = "Equation Group Malware - EquationLaser Installer"
author = "Florian Roth"
author = "Florian Roth"
reference = "http://goo.gl/ivt8EW"
reference = "http://goo.gl/ivt8EW"
date = "2015/02/16"
date = "2015/02/16"
hash = "5e1f56c1e57fbff96d4999db1fd6dd0f7d8221df"
hash = "5e1f56c1e57fbff96d4999db1fd6dd0f7d8221df"
strings:
strings:
$mz = { 4d 5a }
$mz = { 4d 5a }
$s0 = "Failed to get Windows version" fullword ascii
$s0 = "Failed to get Windows version" fullword ascii
...
@@ -230,24 +247,26 @@ rule Equation_Kaspersky_EquationLaserInstaller {
...
@@ -230,24 +247,26 @@ rule Equation_Kaspersky_EquationLaserInstaller {
$s6 = "%s %02x %s" fullword ascii
$s6 = "%s %02x %s" fullword ascii
$s7 = "VIEWERS" fullword ascii
$s7 = "VIEWERS" fullword ascii
$s8 = "5.2.3790.220 (srv03_gdr.040918-1552)" fullword wide
$s8 = "5.2.3790.220 (srv03_gdr.040918-1552)" fullword wide
condition:
condition:
( $mz at 0 ) and filesize < 250000 and 6 of ($s*)
( $mz at 0 ) and filesize < 250000 and 6 of ($s*)
}
}
rule Equation_Kaspersky_FannyWorm {
rule Equation_Kaspersky_FannyWorm
{
meta:
meta:
description = "Equation Group Malware - Fanny Worm"
description = "Equation Group Malware - Fanny Worm"
author = "Florian Roth"
author = "Florian Roth"
reference = "http://goo.gl/ivt8EW"
reference = "http://goo.gl/ivt8EW"
date = "2015/02/16"
date = "2015/02/16"
hash = "1f0ae54ac3f10d533013f74f48849de4e65817a7"
hash = "1f0ae54ac3f10d533013f74f48849de4e65817a7"
strings:
strings:
$mz = { 4d 5a }
$mz = { 4d 5a }
$s1 = "x:\\fanny.bmp" fullword ascii
$s1 = "x:\\fanny.bmp" fullword ascii
$s2 = "32.exe" fullword ascii
$s2 = "32.exe" fullword ascii
$s3 = "d:\\fanny.bmp" fullword ascii
$s3 = "d:\\fanny.bmp" fullword ascii
$x1 = "c:\\windows\\system32\\kernel32.dll" fullword ascii
$x1 = "c:\\windows\\system32\\kernel32.dll" fullword ascii
$x2 = "System\\CurrentControlSet\\Services\\USBSTOR\\Enum" fullword ascii
$x2 = "System\\CurrentControlSet\\Services\\USBSTOR\\Enum" fullword ascii
$x3 = "System\\CurrentControlSet\\Services\\PartMgr\\Enum" fullword ascii
$x3 = "System\\CurrentControlSet\\Services\\PartMgr\\Enum" fullword ascii
...
@@ -264,26 +283,24 @@ rule Equation_Kaspersky_FannyWorm {
...
@@ -264,26 +283,24 @@ rule Equation_Kaspersky_FannyWorm {
$x14 = "\\MSAgent" fullword ascii
$x14 = "\\MSAgent" fullword ascii
$x15 = "Global\\RPCMutex" fullword ascii
$x15 = "Global\\RPCMutex" fullword ascii
$x16 = "Global\\DirectMarketing" fullword ascii
$x16 = "Global\\DirectMarketing" fullword ascii
condition:
condition:
( $mz at 0 ) and filesize < 300000 and
( $mz at 0 ) and filesize < 300000 and (( 2 of ($s*) ) or ( 1 of ($s*) and 6 of ($x*) ) or ( 14 of ($x*)))
(
( 2 of ($s*) ) or
( 1 of ($s*) and 6 of ($x*) ) or
( 14 of ($x*) )
)
}
}
rule Equation_Kaspersky_HDD_reprogramming_module {
rule Equation_Kaspersky_HDD_reprogramming_module
{
meta:
meta:
description = "Equation Group Malware - HDD reprogramming module"
description = "Equation Group Malware - HDD reprogramming module"
author = "Florian Roth"
author = "Florian Roth"
reference = "http://goo.gl/ivt8EW"
reference = "http://goo.gl/ivt8EW"
date = "2015/02/16"
date = "2015/02/16"
hash = "ff2b50f371eb26f22eb8a2118e9ab0e015081500"
hash = "ff2b50f371eb26f22eb8a2118e9ab0e015081500"
strings:
strings:
$mz = { 4d 5a }
$mz = { 4d 5a }
$s0 = "nls_933w.dll" fullword ascii
$s0 = "nls_933w.dll" fullword ascii
$s1 = "BINARY" fullword wide
$s1 = "BINARY" fullword wide
$s2 = "KfAcquireSpinLock" fullword ascii
$s2 = "KfAcquireSpinLock" fullword ascii
$s3 = "HAL.dll" fullword ascii
$s3 = "HAL.dll" fullword ascii
...
@@ -292,13 +309,16 @@ rule Equation_Kaspersky_HDD_reprogramming_module {
...
@@ -292,13 +309,16 @@ rule Equation_Kaspersky_HDD_reprogramming_module {
( $mz at 0 ) and filesize < 300000 and all of ($s*)
( $mz at 0 ) and filesize < 300000 and all of ($s*)
}
}
rule Equation_Kaspersky_EOP_Package {
rule Equation_Kaspersky_EOP_Package
{
meta:
meta:
description = "Equation Group Malware - EoP package and malware launcher"
description = "Equation Group Malware - EoP package and malware launcher"
author = "Florian Roth"
author = "Florian Roth"
reference = "http://goo.gl/ivt8EW"
reference = "http://goo.gl/ivt8EW"
date = "2015/02/16"
date = "2015/02/16"
hash = "2bd1b1f5b4384ce802d5d32d8c8fd3d1dc04b962"
hash = "2bd1b1f5b4384ce802d5d32d8c8fd3d1dc04b962"
strings:
strings:
$mz = { 4d 5a }
$mz = { 4d 5a }
$s0 = "abababababab" fullword ascii
$s0 = "abababababab" fullword ascii
...
@@ -308,65 +328,74 @@ rule Equation_Kaspersky_EOP_Package {
...
@@ -308,65 +328,74 @@ rule Equation_Kaspersky_EOP_Package {
$s4 = "@prkMtx" fullword wide
$s4 = "@prkMtx" fullword wide
$s5 = "prkMtx" fullword wide
$s5 = "prkMtx" fullword wide
$s6 = "cnFormVoidFBC" fullword wide
$s6 = "cnFormVoidFBC" fullword wide
condition:
condition:
( $mz at 0 ) and filesize < 100000 and all of ($s*)
( $mz at 0 ) and filesize < 100000 and all of ($s*)
}
}
rule Equation_Kaspersky_TripleFantasy_Loader {
rule Equation_Kaspersky_TripleFantasy_Loader
{
meta:
meta:
description = "Equation Group Malware - TripleFantasy Loader"
description = "Equation Group Malware - TripleFantasy Loader"
author = "Florian Roth"
author = "Florian Roth"
reference = "http://goo.gl/ivt8EW"
reference = "http://goo.gl/ivt8EW"
date = "2015/02/16"
date = "2015/02/16"
hash = "4ce6e77a11b443cc7cbe439b71bf39a39d3d7fa3"
hash = "4ce6e77a11b443cc7cbe439b71bf39a39d3d7fa3"
strings:
strings:
$mz = { 4d 5a }
$mz = { 4d 5a }
$x1 = "Original Innovations, LLC" fullword wide
$x1 = "Original Innovations, LLC" fullword wide
$x2 = "Moniter Resource Protocol" fullword wide
$x2 = "Moniter Resource Protocol" fullword wide
$x3 = "ahlhcib.dll" fullword wide
$x3 = "ahlhcib.dll" fullword wide
$s0 = "hnetcfg.HNetGetSharingServicesPage" fullword ascii
$s0 = "hnetcfg.HNetGetSharingServicesPage" fullword ascii
$s1 = "hnetcfg.IcfGetOperationalMode" fullword ascii
$s1 = "hnetcfg.IcfGetOperationalMode" fullword ascii
$s2 = "hnetcfg.IcfGetDynamicFwPorts" fullword ascii
$s2 = "hnetcfg.IcfGetDynamicFwPorts" fullword ascii
$s3 = "hnetcfg.HNetFreeFirewallLoggingSettings" fullword ascii
$s3 = "hnetcfg.HNetFreeFirewallLoggingSettings" fullword ascii
$s4 = "hnetcfg.HNetGetShareAndBridgeSettings" fullword ascii
$s4 = "hnetcfg.HNetGetShareAndBridgeSettings" fullword ascii
$s5 = "hnetcfg.HNetGetFirewallSettingsPage" fullword ascii
$s5 = "hnetcfg.HNetGetFirewallSettingsPage" fullword ascii
condition:
condition:
( $mz at 0 ) and filesize < 50000 and ( all of ($x*) and all of ($s*) )
( $mz at 0 ) and filesize < 50000 and ( all of ($x*) and all of ($s*) )
}
}
/* Rule generated from the mentioned keywords */
/* Rule generated from the mentioned keywords */
rule Equation_Kaspersky_SuspiciousString {
rule Equation_Kaspersky_SuspiciousString
{
meta:
meta:
description = "Equation Group Malware - suspicious string found in sample"
description = "Equation Group Malware - suspicious string found in sample"
author = "Florian Roth"
author = "Florian Roth"
reference = "http://goo.gl/ivt8EW"
reference = "http://goo.gl/ivt8EW"
date = "2015/02/17"
date = "2015/02/17"
score = 60
score = 60
strings:
strings:
$mz = { 4d 5a }
$mz = { 4d 5a }
$s1 = "i386\\DesertWinterDriver.pdb" fullword
$s1 = "i386\\DesertWinterDriver.pdb" fullword
$s2 = "Performing UR-specific post-install..."
$s2 = "Performing UR-specific post-install..."
$s3 = "Timeout waiting for the \"canInstallNow\" event from the implant-specific EXE!"
$s3 = "Timeout waiting for the \"canInstallNow\" event from the implant-specific EXE!"
$s4 = "STRAITSHOOTER30.exe"
$s4 = "STRAITSHOOTER30.exe"
$s5 = "standalonegrok_2.1.1.1"
$s5 = "standalonegrok_2.1.1.1"
$s6 = "c:\\users\\rmgree5\\"
$s6 = "c:\\users\\rmgree5\\"
condition:
condition:
( $mz at 0 ) and filesize < 500000 and all of ($s*)
( $mz at 0 ) and filesize < 500000 and all of ($s*)
}
}
/* EquationDrug Update 11.03.2015 - http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/ */
/* EquationDrug Update 11.03.2015 - http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/ */
rule EquationDrug_NetworkSniffer1 {
rule EquationDrug_NetworkSniffer1
{
meta:
meta:
description = "EquationDrug - Backdoor driven by network sniffer - mstcp32.sys, fat32.sys"
description = "EquationDrug - Backdoor driven by network sniffer - mstcp32.sys, fat32.sys"
author = "Florian Roth @4nc4p"
author = "Florian Roth @4nc4p"
reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
date = "2015/03/11"
date = "2015/03/11"
hash = "26e787997a338d8111d96c9a4c103cf8ff0201ce"
hash = "26e787997a338d8111d96c9a4c103cf8ff0201ce"
strings:
strings:
$s0 = "Microsoft(R) Windows (TM) Operating System" fullword wide
$s0 = "Microsoft(R) Windows (TM) Operating System" fullword wide
$s1 = "\\Registry\\User\\CurrentUser\\" fullword wide
$s1 = "\\Registry\\User\\CurrentUser\\" fullword wide
...
@@ -376,44 +405,56 @@ rule EquationDrug_NetworkSniffer1 {
...
@@ -376,44 +405,56 @@ rule EquationDrug_NetworkSniffer1 {
$s9 = "\\Device\\%ws_%ws" fullword wide
$s9 = "\\Device\\%ws_%ws" fullword wide
$s10 = "\\DosDevices\\%ws" fullword wide
$s10 = "\\DosDevices\\%ws" fullword wide
$s11 = "\\Device\\%ws" fullword wide
$s11 = "\\Device\\%ws" fullword wide
condition:
condition:
all of them
all of them
}
}
rule EquationDrug_CompatLayer_UnilayDLL {
rule EquationDrug_CompatLayer_UnilayDLL
{
meta:
meta:
description = "EquationDrug - Unilay.DLL"
description = "EquationDrug - Unilay.DLL"
author = "Florian Roth @4nc4p"
author = "Florian Roth @4nc4p"
reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
date = "2015/03/11"
date = "2015/03/11"
hash = "a3a31937956f161beba8acac35b96cb74241cd0f"
hash = "a3a31937956f161beba8acac35b96cb74241cd0f"
strings:
strings:
$mz = { 4d 5a }
$mz = { 4d 5a }
$s0 = "unilay.dll" fullword ascii
$s0 = "unilay.dll" fullword ascii
condition:
condition:
( $mz at 0 ) and $s0
( $mz at 0 ) and $s0
}
}
rule EquationDrug_HDDSSD_Op {
rule EquationDrug_HDDSSD_Op
{
meta:
meta:
description = "EquationDrug - HDD/SSD firmware operation - nls_933w.dll"
description = "EquationDrug - HDD/SSD firmware operation - nls_933w.dll"
author = "Florian Roth @4nc4p"
author = "Florian Roth @4nc4p"
reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
date = "2015/03/11"
date = "2015/03/11"
hash = "ff2b50f371eb26f22eb8a2118e9ab0e015081500"
hash = "ff2b50f371eb26f22eb8a2118e9ab0e015081500"
strings:
strings:
$s0 = "nls_933w.dll" fullword ascii
$s0 = "nls_933w.dll" fullword ascii
condition:
condition:
all of them
all of them
}
}
rule EquationDrug_NetworkSniffer2 {
rule EquationDrug_NetworkSniffer2
{
meta:
meta:
description = "EquationDrug - Network Sniffer - tdip.sys"
description = "EquationDrug - Network Sniffer - tdip.sys"
author = "Florian Roth @4nc4p"
author = "Florian Roth @4nc4p"
reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
date = "2015/03/11"
date = "2015/03/11"
hash = "7e3cd36875c0e5ccb076eb74855d627ae8d4627f"
hash = "7e3cd36875c0e5ccb076eb74855d627ae8d4627f"
strings:
strings:
$s0 = "Microsoft(R) Windows (TM) Operating System" fullword wide
$s0 = "Microsoft(R) Windows (TM) Operating System" fullword wide
$s1 = "IP Transport Driver" fullword wide
$s1 = "IP Transport Driver" fullword wide
...
@@ -423,48 +464,60 @@ rule EquationDrug_NetworkSniffer2 {
...
@@ -423,48 +464,60 @@ rule EquationDrug_NetworkSniffer2 {
$s5 = "\\Device\\%ws_%ws" fullword wide
$s5 = "\\Device\\%ws_%ws" fullword wide
$s6 = "\\DosDevices\\%ws" fullword wide
$s6 = "\\DosDevices\\%ws" fullword wide
$s7 = "\\Device\\%ws" fullword wide
$s7 = "\\Device\\%ws" fullword wide
condition:
condition:
all of them
all of them
}
}
rule EquationDrug_NetworkSniffer3 {
rule EquationDrug_NetworkSniffer3
{
meta:
meta:
description = "EquationDrug - Network Sniffer - tdip.sys"
description = "EquationDrug - Network Sniffer - tdip.sys"
author = "Florian Roth @4nc4p"
author = "Florian Roth @4nc4p"
reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
date = "2015/03/11"
date = "2015/03/11"
hash = "14599516381a9646cd978cf962c4f92386371040"
hash = "14599516381a9646cd978cf962c4f92386371040"
strings:
strings:
$s0 = "Corporation. All rights reserved." fullword wide
$s0 = "Corporation. All rights reserved." fullword wide
$s1 = "IP Transport Driver" fullword wide
$s1 = "IP Transport Driver" fullword wide
$s2 = "tdip.sys" fullword wide
$s2 = "tdip.sys" fullword wide
$s3 = "tdip.pdb" fullword ascii
$s3 = "tdip.pdb" fullword ascii
condition:
condition:
all of them
all of them
}
}
rule EquationDrug_VolRec_Driver {
rule EquationDrug_VolRec_Driver
{
meta:
meta:
description = "EquationDrug - Collector plugin for Volrec - msrstd.sys"
description = "EquationDrug - Collector plugin for Volrec - msrstd.sys"
author = "Florian Roth @4nc4p"
author = "Florian Roth @4nc4p"
reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
date = "2015/03/11"
date = "2015/03/11"
hash = "ee2b504ad502dc3fed62d6483d93d9b1221cdd6c"
hash = "ee2b504ad502dc3fed62d6483d93d9b1221cdd6c"
strings:
strings:
$s0 = "msrstd.sys" fullword wide
$s0 = "msrstd.sys" fullword wide
$s1 = "msrstd.pdb" fullword ascii
$s1 = "msrstd.pdb" fullword ascii
$s2 = "msrstd driver" fullword wide
$s2 = "msrstd driver" fullword wide
condition:
condition:
all of them
all of them
}
}
rule EquationDrug_KernelRootkit {
rule EquationDrug_KernelRootkit
{
meta:
meta:
description = "EquationDrug - Kernel mode stage 0 and rootkit (Windows 2000 and above) - msndsrv.sys"
description = "EquationDrug - Kernel mode stage 0 and rootkit (Windows 2000 and above) - msndsrv.sys"
author = "Florian Roth @4nc4p"
author = "Florian Roth @4nc4p"
reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
date = "2015/03/11"
date = "2015/03/11"
hash = "597715224249e9fb77dc733b2e4d507f0cc41af6"
hash = "597715224249e9fb77dc733b2e4d507f0cc41af6"
strings:
strings:
$s0 = "Microsoft(R) Windows (TM) Operating System" fullword wide
$s0 = "Microsoft(R) Windows (TM) Operating System" fullword wide
$s1 = "Parmsndsrv.dbg" fullword ascii
$s1 = "Parmsndsrv.dbg" fullword ascii
...
@@ -474,33 +527,41 @@ rule EquationDrug_KernelRootkit {
...
@@ -474,33 +527,41 @@ rule EquationDrug_KernelRootkit {
$s6 = "\\Device\\%ws_%ws" fullword wide
$s6 = "\\Device\\%ws_%ws" fullword wide
$s7 = "\\DosDevices\\%ws" fullword wide
$s7 = "\\DosDevices\\%ws" fullword wide
$s9 = "\\Device\\%ws" fullword wide
$s9 = "\\Device\\%ws" fullword wide
condition:
condition:
all of them
all of them
}
}
rule EquationDrug_Keylogger {
rule EquationDrug_Keylogger
{
meta:
meta:
description = "EquationDrug - Key/clipboard logger driver - msrtvd.sys"
description = "EquationDrug - Key/clipboard logger driver - msrtvd.sys"
author = "Florian Roth @4nc4p"
author = "Florian Roth @4nc4p"
reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
date = "2015/03/11"
date = "2015/03/11"
hash = "b93aa17b19575a6e4962d224c5801fb78e9a7bb5"
hash = "b93aa17b19575a6e4962d224c5801fb78e9a7bb5"
strings:
strings:
$s0 = "\\registry\\machine\\software\\Microsoft\\Windows NT\\CurrentVersion" fullword wide
$s0 = "\\registry\\machine\\software\\Microsoft\\Windows NT\\CurrentVersion" fullword wide
$s2 = "\\registry\\machine\\SYSTEM\\ControlSet001\\Control\\Session Manager\\En" wide
$s2 = "\\registry\\machine\\SYSTEM\\ControlSet001\\Control\\Session Manager\\En" wide
$s3 = "\\DosDevices\\Gk" fullword wide
$s3 = "\\DosDevices\\Gk" fullword wide
$s5 = "\\Device\\Gk0" fullword wide
$s5 = "\\Device\\Gk0" fullword wide
condition:
condition:
all of them
all of them
}
}
rule EquationDrug_NetworkSniffer4 {
rule EquationDrug_NetworkSniffer4
{
meta:
meta:
description = "EquationDrug - Network-sniffer/patcher - atmdkdrv.sys"
description = "EquationDrug - Network-sniffer/patcher - atmdkdrv.sys"
author = "Florian Roth @4nc4p"
author = "Florian Roth @4nc4p"
reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
date = "2015/03/11"
date = "2015/03/11"
hash = "cace40965f8600a24a2457f7792efba3bd84d9ba"
hash = "cace40965f8600a24a2457f7792efba3bd84d9ba"
strings:
strings:
$s0 = "Copyright 1999 RAVISENT Technologies Inc." fullword wide
$s0 = "Copyright 1999 RAVISENT Technologies Inc." fullword wide
$s1 = "\\systemroot\\" fullword ascii
$s1 = "\\systemroot\\" fullword ascii
...
@@ -514,17 +575,21 @@ rule EquationDrug_NetworkSniffer4 {
...
@@ -514,17 +575,21 @@ rule EquationDrug_NetworkSniffer4 {
$s10 = "CineMaster C 1.1 WDM Main Driver" fullword wide
$s10 = "CineMaster C 1.1 WDM Main Driver" fullword wide
$s11 = "\\Device\\%ws" fullword wide
$s11 = "\\Device\\%ws" fullword wide
$s13 = "CineMaster C 1.1 WDM" fullword wide
$s13 = "CineMaster C 1.1 WDM" fullword wide
condition:
condition:
all of them
all of them
}
}
rule EquationDrug_PlatformOrchestrator {
rule EquationDrug_PlatformOrchestrator
{
meta:
meta:
description = "EquationDrug - Platform orchestrator - mscfg32.dll, svchost32.dll"
description = "EquationDrug - Platform orchestrator - mscfg32.dll, svchost32.dll"
author = "Florian Roth @4nc4p"
author = "Florian Roth @4nc4p"
reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
date = "2015/03/11"
date = "2015/03/11"
hash = "febc4f30786db7804008dc9bc1cebdc26993e240"
hash = "febc4f30786db7804008dc9bc1cebdc26993e240"
strings:
strings:
$s0 = "SERVICES.EXE" fullword wide
$s0 = "SERVICES.EXE" fullword wide
$s1 = "\\command.com" fullword wide
$s1 = "\\command.com" fullword wide
...
@@ -532,17 +597,21 @@ rule EquationDrug_PlatformOrchestrator {
...
@@ -532,17 +597,21 @@ rule EquationDrug_PlatformOrchestrator {
$s3 = "LSASS.EXE" fullword wide
$s3 = "LSASS.EXE" fullword wide
$s4 = "Windows Configuration Services" fullword wide
$s4 = "Windows Configuration Services" fullword wide
$s8 = "unilay.dll" fullword ascii
$s8 = "unilay.dll" fullword ascii
condition:
condition:
all of them
all of them
}
}
rule EquationDrug_NetworkSniffer5 {
rule EquationDrug_NetworkSniffer5
{
meta:
meta:
description = "EquationDrug - Network-sniffer/patcher - atmdkdrv.sys"
description = "EquationDrug - Network-sniffer/patcher - atmdkdrv.sys"
author = "Florian Roth @4nc4p"
author = "Florian Roth @4nc4p"
reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
date = "2015/03/11"
date = "2015/03/11"
hash = "09399b9bd600d4516db37307a457bc55eedcbd17"
hash = "09399b9bd600d4516db37307a457bc55eedcbd17"
strings:
strings:
$s0 = "Microsoft(R) Windows (TM) Operating System" fullword wide
$s0 = "Microsoft(R) Windows (TM) Operating System" fullword wide
$s1 = "\\Registry\\User\\CurrentUser\\" fullword wide
$s1 = "\\Registry\\User\\CurrentUser\\" fullword wide
...
@@ -550,33 +619,45 @@ rule EquationDrug_NetworkSniffer5 {
...
@@ -550,33 +619,45 @@ rule EquationDrug_NetworkSniffer5 {
$s4 = "\\Device\\%ws_%ws" fullword wide
$s4 = "\\Device\\%ws_%ws" fullword wide
$s5 = "\\DosDevices\\%ws" fullword wide
$s5 = "\\DosDevices\\%ws" fullword wide
$s6 = "\\Device\\%ws" fullword wide
$s6 = "\\Device\\%ws" fullword wide
condition:
condition:
all of them
all of them
}
}
rule EquationDrug_FileSystem_Filter {
rule EquationDrug_FileSystem_Filter
{
meta:
meta:
description = "EquationDrug - Filesystem filter driver – volrec.sys, scsi2mgr.sys"
description = "EquationDrug - Filesystem filter driver – volrec.sys, scsi2mgr.sys"
author = "Florian Roth @4nc4p"
author = "Florian Roth @4nc4p"
reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
date = "2015/03/11"
date = "2015/03/11"
hash = "57fa4a1abbf39f4899ea76543ebd3688dcc11e13"
hash = "57fa4a1abbf39f4899ea76543ebd3688dcc11e13"
strings:
strings:
$s0 = "volrec.sys" fullword wide
$s0 = "volrec.sys" fullword wide
$s1 = "volrec.pdb" fullword ascii
$s1 = "volrec.pdb" fullword ascii
$s2 = "Volume recognizer driver" fullword wide
$s2 = "Volume recognizer driver" fullword wide
condition:
condition:
all of them
all of them
}
}
rule apt_equation_keyword {
rule apt_equation_keyword
{
meta:
meta:
description = "Rule to detect Equation group's keyword in executable file"
description = "Rule to detect Equation group's keyword in executable file"
author = "Florian Roth @4nc4p"
author = "Florian Roth @4nc4p"
last_modified = "2015-09-26"
last_modified = "2015-09-26"
reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"
reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"
strings:
strings:
$a1 = "Backsnarf_AB25" wide
$a1 = "Backsnarf_AB25" wide
$a2 = "Backsnarf_AB25" ascii
$a2 = "Backsnarf_AB25" ascii
condition:
condition:
uint16(0) == 0x5a4d and 1 of ($a*)
uint16(0) == 0x5a4d and 1 of ($a*)
}
}
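Review bot: The new side drops the rule tags from `apt_equation_exploitlib_mutexes` (`: mutex`, first hunk) and `apt_equation_cryptotable` (`: crypto`, third hunk), which goes beyond the brace and condition reformatting the message describes; as rendered, the tagged form appears only on the old side and in the old hunk headers. Tags are part of a rule's interface: anything that selects or routes rules by tag (a scanner run with a tag filter, or tooling that keys alerts on the tag) will silently stop seeing these two rules. Keeping the tags while still moving the brace preserves the intended style change, i.e. `rule apt_equation_exploitlib_mutexes : mutex` and `rule apt_equation_cryptotable : crypto` on the lines before the opening `{`. The conditions joined onto one line (TripleFantasy_1, DoubleFantasy_1, GROK_Keylogger, FannyWorm) look logically equivalent to the old multi-line form, though the original layout was easier to audit for `and`/`or` grouping.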