Actor(s): Equation Group
There is no description at this point.
rule win_equationdrug_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-12-06" version = "1" description = "Detects win.equationdrug." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.equationdrug" malpedia_rule_date = "20231130" malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351" malpedia_version = "20230808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 5b c21000 8bd0 56 81e2ff0f0000 53 83c704 } // n = 7, score = 100 // 5b | pop ebx // c21000 | ret 0x10 // 8bd0 | mov edx, eax // 56 | push esi // 81e2ff0f0000 | and edx, 0xfff // 53 | push ebx // 83c704 | add edi, 4 $sequence_1 = { 0f84f4000000 8b7c2414 f7c7ff010000 0f85e4000000 8b4e04 8d442410 50 } // n = 7, score = 100 // 0f84f4000000 | je 0xfa // 8b7c2414 | mov edi, dword ptr [esp + 0x14] // f7c7ff010000 | test edi, 0x1ff // 0f85e4000000 | jne 0xea // 8b4e04 | mov ecx, dword ptr [esi + 4] // 8d442410 | lea eax, [esp + 0x10] // 50 | push eax $sequence_2 = { 56 8d4c2418 c644245800 e8???????? 8d4c2414 e8???????? 84c0 } // n = 7, score = 100 // 56 | push esi // 8d4c2418 | lea ecx, [esp + 0x18] // c644245800 | mov byte ptr [esp + 0x58], 0 // e8???????? | // 8d4c2414 | lea ecx, [esp + 0x14] // e8???????? | // 84c0 | test al, al $sequence_3 = { 84c0 741a 668b4ef8 660fbed0 668b46fa 52 50 } // n = 7, score = 100 // 84c0 | test al, al // 741a | je 0x1c // 668b4ef8 | mov cx, word ptr [esi - 8] // 660fbed0 | movsx dx, al // 668b46fa | mov ax, word ptr [esi - 6] // 52 | push edx // 50 | push eax $sequence_4 = { 89542414 8b542410 0fbfc2 40 0fafc1 3bfb 73c4 } // n = 7, score = 100 // 89542414 | mov dword ptr [esp + 0x14], edx // 8b542410 | mov edx, dword ptr [esp + 0x10] // 0fbfc2 | movsx eax, dx // 40 | inc eax // 0fafc1 | imul eax, ecx // 3bfb | cmp edi, ebx // 73c4 | jae 0xffffffc6 $sequence_5 = { c644245c00 e8???????? 83c404 89442464 85c0 c644245802 7411 } // n = 7, score = 100 // c644245c00 | mov byte ptr [esp + 0x5c], 0 // e8???????? | // 83c404 | add esp, 4 // 89442464 | mov dword ptr [esp + 0x64], eax // 85c0 | test eax, eax // c644245802 | mov byte ptr [esp + 0x58], 2 // 7411 | je 0x13 $sequence_6 = { e8???????? 85c0 0f864b020000 53 8bcd e8???????? 50 } // n = 7, score = 100 // e8???????? | // 85c0 | test eax, eax // 0f864b020000 | jbe 0x251 // 53 | push ebx // 8bcd | mov ecx, ebp // e8???????? | // 50 | push eax $sequence_7 = { 33c0 eb07 8b4708 2bc6 d1f8 33d2 33db } // n = 7, score = 100 // 33c0 | xor eax, eax // eb07 | jmp 9 // 8b4708 | mov eax, dword ptr [edi + 8] // 2bc6 | sub eax, esi // d1f8 | sar eax, 1 // 33d2 | xor edx, edx // 33db | xor ebx, ebx $sequence_8 = { 8bca b001 83e103 f3a4 5f 5e 5d } // n = 7, score = 100 // 8bca | mov ecx, edx // b001 | mov al, 1 // 83e103 | and ecx, 3 // f3a4 | rep movsb byte ptr es:[edi], byte ptr [esi] // 5f | pop edi // 5e | pop esi // 5d | pop ebp $sequence_9 = { 6685c0 7537 8b442408 3dffff0000 772c c1e009 } // n = 6, score = 100 // 6685c0 | test ax, ax // 7537 | jne 0x39 // 8b442408 | mov eax, dword ptr [esp + 8] // 3dffff0000 | cmp eax, 0xffff // 772c | ja 0x2e // c1e009 | shl eax, 9 condition: 7 of them and filesize < 449536 }
/* EquationDrug Update 11.03.2015 - http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/ */ rule win_equationdrug_w0 { meta: description = "EquationDrug - Backdoor driven by network sniffer - mstcp32.sys, fat32.sys" author = "Florian Roth @4nc4p" reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/" date = "2015/03/11" hash = "26e787997a338d8111d96c9a4c103cf8ff0201ce" source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Equation.yar" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.equationdrug" malpedia_version = "20170517" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s0 = "Microsoft(R) Windows (TM) Operating System" fullword wide $s1 = "\\Registry\\User\\CurrentUser\\" fullword wide $s3 = "sys\\mstcp32.dbg" fullword ascii $s7 = "mstcp32.sys" fullword wide $s8 = "p32.sys" fullword ascii $s9 = "\\Device\\%ws_%ws" fullword wide $s10 = "\\DosDevices\\%ws" fullword wide $s11 = "\\Device\\%ws" fullword wide condition: all of them }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY