Rule based on RC5/RC6 static key finding by Kaspersky

2024-11-06 18:15:20 +00:00 · 2016-08-17 09:32:56 +02:00 · 2016-08-17 09:32:56 +02:00 · 1fe1837c0f
commit 1fe1837c0f
parent cdb364758a
1 changed files with 19 additions and 0 deletions
--- a/yara/apt_eqgrp.yar
+++ b/yara/apt_eqgrp.yar
@ -1180,3 +1180,22 @@ rule EQGRP_Unique_Strings {
 	condition:
 		1 of them
 }
+
+rule EQGRP_RC5_RC6_Opcode {
+	meta:
+		description = "EQGRP Toolset Firewall - RC5 / RC6 opcode"
+		author = "Florian Roth"
+		reference = "https://securelist.com/blog/incidents/75812/the-equation-giveaway/"
+		date = "2016-08-17"
+	strings:
+		/*
+			mov     esi, [ecx+edx*4-4]
+			sub     esi, 61C88647h
+			mov     [ecx+edx*4], esi
+			inc     edx
+			cmp     edx, 2Bh
+		*/
+		$s1 = { 8B 74 91 FC 81 EE 47 86 C8 61 89 34 91 42 83 FA 2B }
+	condition:
+		1 of them
+}