win.equationgroup

Equationgroup (Sorting)


Rough collection EQGRP samples, to be sorted

References
2021-12-27 | Checkpoint Research
@online{research:20211227:deep:c94d67d, author = {Checkpoint Research}, title = {{A Deep Dive into DoubleFeature, Equation Group's Post-Exploitation Dashboard}}, date = {2021-12-27}, url = {https://research.checkpoint.com/2021/a-deep-dive-into-doublefeature-equation-groups-post-exploitation-dashboard/}, language = {English}, urldate = {2022-01-05} }
Families: Equationgroup (Sorting), Fanny, MISTYVEAL, PeddleCheap
2016-09-23 | Laanwj's Blog | @orionwl
@online{orionwl:20160923:seconddate:12ca0d9, author = {@orionwl}, title = {{SECONDDATE in action}}, date = {2016-09-23}, organization = {Laanwj's Blog}, url = {https://laanwj.github.io/2016/09/23/seconddate-adventures.html}, language = {English}, urldate = {2019-10-18} }
Families: Equationgroup (Sorting)
2016-09-17 | Laanwj
@online{laanwj:20160917:few:2572d3c, author = {Laanwj}, title = {{A few notes on SECONDDATE's C&C protocol}}, date = {2016-09-17}, url = {https://laanwj.github.io/2016/09/17/seconddate-cnc.html}, language = {English}, urldate = {2020-01-07} }
Families: Equationgroup (Sorting)
2016-09-13 | Laanwj
@online{laanwj:20160913:curious:fa20b98, author = {Laanwj}, title = {{The curious case of BLATSTING's RSA implementation}}, date = {2016-09-13}, url = {https://laanwj.github.io/2016/09/13/blatsting-rsa.html}, language = {English}, urldate = {2020-01-09} }
Families: Equationgroup (Sorting)
2016-09-11 | Laanwj's Blog | Wladimir J. van der Laan
@online{laan:20160911:buzzdirection:2f24cce, author = {Wladimir J. van der Laan}, title = {{BUZZDIRECTION: BLATSTING reloaded}}, date = {2016-09-11}, organization = {Laanwj's Blog}, url = {https://laanwj.github.io/2016/09/11/buzzdirection.html}, language = {English}, urldate = {2020-01-08} }
Families: Equationgroup (Sorting)
2016-09-06 | Laanwj
@online{laanwj:20160906:blatsting:67dc773, author = {Laanwj}, title = {{Blatsting C&C Transcript}}, date = {2016-09-06}, url = {https://laanwj.github.io/2016/09/09/blatsting-lp-transcript.html}, language = {English}, urldate = {2019-12-04} }
Families: Equationgroup (Sorting)
2016-09-04 | Laanwj's Blog | Wladimir J. van der Laan
@online{laan:20160904:blatsting:26f14e8, author = {Wladimir J. van der Laan}, title = {{BLATSTING Command-and-Control protocol}}, date = {2016-09-04}, organization = {Laanwj's Blog}, url = {https://laanwj.github.io/2016/09/04/blatsting-command-and-control.html}, language = {English}, urldate = {2019-07-11} }
Families: Equationgroup (Sorting)
2016-09-01 | Laanwj
@online{laanwj:20160901:tadaqueous:c25857a, author = {Laanwj}, title = {{TADAQUEOUS moments}}, date = {2016-09-01}, url = {https://laanwj.github.io/2016/09/01/tadaqueos.html}, language = {English}, urldate = {2020-01-07} }
Families: Equationgroup (Sorting)
2016-08-28 | Laanwj's Blog | Wladimir J. van der Laan
@online{laan:20160828:feintcloud:628f6af, author = {Wladimir J. van der Laan}, title = {{FEINTCLOUD}}, date = {2016-08-28}, organization = {Laanwj's Blog}, url = {https://laanwj.github.io/2016/08/28/feintcloud.html}, language = {English}, urldate = {2020-01-13} }
Families: Equationgroup (Sorting)
2016-08-22 | Laanwj
@online{laanwj:20160822:blatsting:11dc652, author = {Laanwj}, title = {{BLATSTING FUNKSPIEL}}, date = {2016-08-22}, url = {https://laanwj.github.io/2016/08/22/blatsting.html}, language = {English}, urldate = {2020-01-07} }
Families: Equationgroup (Sorting)
Yara Rules
[TLP:WHITE] win_equationgroup_w0 (20170925 | Rule to detect Equation group's Exploitation library http://goo.gl/ivt8EW)
rule win_equationgroup_w0 {
    meta:
        copyright = "Kaspersky Lab"
        author = "Kaspersky Lab"
        description = "Rule to detect Equation group's Exploitation library http://goo.gl/ivt8EW"
        version = "1.0"
        last_modified = "2015-02-16"
        reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Equation.yar"
        note = "pnx: using this as a catchall for now, excluding fanny, which is covered by its own rule"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.equationgroup"
        malpedia_version = "20170925"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""
    strings:
        $a1="prkMtx" wide
        $a2="cnFormSyncExFBC" wide
        $a3="cnFormVoidFBC" wide
        $a4="cnFormSyncExFBC"
        $a5="cnFormVoidFBC"
        $fanny = "fanny.bmp"
    condition:
        any of ($a*) and not $fanny
}