Actor(s): Equation Group
There is no description at this point.
rule win_equationdrug_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-01-25" version = "1" description = "Detects win.equationdrug." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.equationdrug" malpedia_rule_date = "20230124" malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686" malpedia_version = "20230125" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 83c414 c20800 5f 5e 5d 66b80100 } // n = 6, score = 100 // 83c414 | add esp, 0x14 // c20800 | ret 8 // 5f | pop edi // 5e | pop esi // 5d | pop ebp // 66b80100 | mov ax, 1 $sequence_1 = { 889c244c010000 3bf3 8d4c243c 741d e8???????? 8d4c2410 } // n = 6, score = 100 // 889c244c010000 | mov byte ptr [esp + 0x14c], bl // 3bf3 | cmp esi, ebx // 8d4c243c | lea ecx, [esp + 0x3c] // 741d | je 0x1f // e8???????? | // 8d4c2410 | lea ecx, [esp + 0x10] $sequence_2 = { 64892500000000 83ec38 56 57 8b7c2454 } // n = 5, score = 100 // 64892500000000 | mov dword ptr fs:[0], esp // 83ec38 | sub esp, 0x38 // 56 | push esi // 57 | push edi // 8b7c2454 | mov edi, dword ptr [esp + 0x54] $sequence_3 = { e8???????? 6685c0 740c b842070000 5e 83c41c c20800 } // n = 7, score = 100 // e8???????? | // 6685c0 | test ax, ax // 740c | je 0xe // b842070000 | mov eax, 0x742 // 5e | pop esi // 83c41c | add esp, 0x1c // c20800 | ret 8 $sequence_4 = { 51 8bcf e8???????? 6685c0 755b 8d542414 8d442408 } // n = 7, score = 100 // 51 | push ecx // 8bcf | mov ecx, edi // e8???????? | // 6685c0 | test ax, ax // 755b | jne 0x5d // 8d542414 | lea edx, [esp + 0x14] // 8d442408 | lea eax, [esp + 8] $sequence_5 = { 56 6a00 6a31 6a07 8bcf c7402000000000 e8???????? } // n = 7, score = 100 // 56 | push esi // 6a00 | push 0 // 6a31 | push 0x31 // 6a07 | push 7 // 8bcf | mov ecx, edi // c7402000000000 | mov dword ptr [eax + 0x20], 0 // e8???????? | $sequence_6 = { 8b6f04 896b04 668b7f08 66897b08 75e0 8b7c2414 8b742410 } // n = 7, score = 100 // 8b6f04 | mov ebp, dword ptr [edi + 4] // 896b04 | mov dword ptr [ebx + 4], ebp // 668b7f08 | mov di, word ptr [edi + 8] // 66897b08 | mov word ptr [ebx + 8], di // 75e0 | jne 0xffffffe2 // 8b7c2414 | mov edi, dword ptr [esp + 0x14] // 8b742410 | mov esi, dword ptr [esp + 0x10] $sequence_7 = { f7d1 49 6a01 8d4401ff 40 50 e8???????? } // n = 7, score = 100 // f7d1 | not ecx // 49 | dec ecx // 6a01 | push 1 // 8d4401ff | lea eax, [ecx + eax - 1] // 40 | inc eax // 50 | push eax // e8???????? | $sequence_8 = { 7505 397006 730f 83c00a 3bc2 75ed } // n = 6, score = 100 // 7505 | jne 7 // 397006 | cmp dword ptr [eax + 6], esi // 730f | jae 0x11 // 83c00a | add eax, 0xa // 3bc2 | cmp eax, edx // 75ed | jne 0xffffffef $sequence_9 = { 8b742428 53 8b5c2428 c744241800000000 8b11 03c3 50 } // n = 7, score = 100 // 8b742428 | mov esi, dword ptr [esp + 0x28] // 53 | push ebx // 8b5c2428 | mov ebx, dword ptr [esp + 0x28] // c744241800000000 | mov dword ptr [esp + 0x18], 0 // 8b11 | mov edx, dword ptr [ecx] // 03c3 | add eax, ebx // 50 | push eax condition: 7 of them and filesize < 449536 }
/* EquationDrug Update 11.03.2015 - http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/ */ rule win_equationdrug_w0 { meta: description = "EquationDrug - Backdoor driven by network sniffer - mstcp32.sys, fat32.sys" author = "Florian Roth @4nc4p" reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/" date = "2015/03/11" hash = "26e787997a338d8111d96c9a4c103cf8ff0201ce" source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Equation.yar" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.equationdrug" malpedia_version = "20170517" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s0 = "Microsoft(R) Windows (TM) Operating System" fullword wide $s1 = "\\Registry\\User\\CurrentUser\\" fullword wide $s3 = "sys\\mstcp32.dbg" fullword ascii $s7 = "mstcp32.sys" fullword wide $s8 = "p32.sys" fullword ascii $s9 = "\\Device\\%ws_%ws" fullword wide $s10 = "\\DosDevices\\%ws" fullword wide $s11 = "\\Device\\%ws" fullword wide condition: all of them }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY