[APT] Equation

Forum for analysis and discussion about malware.
Disillusion
Posts: 14
Joined: Tue Mar 16, 2010 2:35 am

[APT] Equation

Post by Disillusion » Mon Feb 10, 2014 6:51 pm

I've managed to find infected boot sectors on VT but I'm looking for droppers for either.

http://www.microsoft.com/security/porta ... true#tab=1

Thanks

EDIT: Topic changed/moved to "[APT] Equation"

Xylitol
Global Moderator
Posts: 1665
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Looking for Fetrog.A and Fetrog.B Samples

Post by Xylitol » Mon Feb 10, 2014 8:21 pm

I've found only DOS/Fetrog.A that you have already probably.

R136a1
Forum Admin
Posts: 217
Joined: Wed Jul 13, 2011 4:30 pm
Location: Netherlands

Trojan:WinNT/Fetrog.A

Post by R136a1 » Sun Feb 15, 2015 11:49 am

Hi folks,

Attached is the x64 driver of Trojan:WinNT/Fetrog.A from 2012. Apart from a signature from Microsoft, there is no public information available about this malware. It seems to be a bigger project; maybe it's more than just another Chinese patchwork...

Remarkable strings:
KSDriver.pdb
\??\C:\Windows\TEMP\Net_U1ocike._2k
\??\C:\Windows\TEMP\f3t_0g.dat
\DosDevices\rmpdk0g
\Registry\Machine\System\CurrentControlSet\Services\ati2mtag\Parameters
\registry\machine\SYSTEM\CurrentControlSet\Services\EmcOM\Parameters
perfnw

R136a1
Forum Admin
Posts: 217
Joined: Wed Jul 13, 2011 4:30 pm
Location: Netherlands

Re: Trojan:WinNT/Fetrog.A

Post by R136a1 » Mon Feb 16, 2015 8:54 pm


Es07er1K
Posts: 3
Joined: Thu Jan 24, 2013 11:39 pm

Re: Trojan:WinNT/Fetrog.A

Post by Es07er1K » Wed Feb 18, 2015 2:55 am

Here are some samples from the Equation group.

CloneRanger
Posts: 124
Joined: Sat Aug 14, 2010 11:54 pm

Re: Trojan:WinNT/Fetrog.A

Post by CloneRanger » Thu Feb 19, 2015 1:24 am

@ Xylitol & R136a1 & Es07er1K

Thanx for the nasties. I'll see which, if any, can penetrate my defences. I tried to give you all a thumbs up, but the board only let me give one !
Malware = If your name's not down, you're Not coming in!

stevegs1821
Posts: 5
Joined: Mon Jan 27, 2014 6:28 pm

Re: Trojan:WinNT/Fetrog.A

Post by stevegs1821 » Fri Feb 20, 2015 4:11 pm

Has anyone been able to replicate, or directly observe, the HD Firmware modification (reprogramming)? Interested in steps and findings . . .

R136a1
Forum Admin
Posts: 217
Joined: Wed Jul 13, 2011 4:30 pm
Location: Netherlands

Re: Trojan:WinNT/Fetrog.A

Post by R136a1 » Sat Feb 21, 2015 8:14 am

@Es07er1K
Next time, please give credits when you upload samples which do not come from yourself.

@Admin
Can you rename the thread title to include the group's dubbed name "Equation", please. Thanks!

asido
Posts: 1
Joined: Sat Jul 13, 2013 7:22 am

Re: [APT] Equation

Post by asido » Tue Feb 24, 2015 5:14 pm

The handle is created in sub_415d50:

/* 0xC0000000 = GENERIC_READ | GENERIC_WRITE, 3 = OPEN_EXISTING, 0x80 = FILE_ATTRIBUTE_NORMAL */
HANDLE hDevice = CreateFile("\\\\.\\NUL", 0xC0000000, 0, 0, 3, 0x80, 0);

DeviceIoControl is used to operate on the handle returned by CreateFile in sub_413cb0:

/* custom IOCTL code, 4-byte output buffer */
DeviceIoControl(hDevice, 0x85892400, 0, 0, &OutBuffer, 4, &BytesReturned, 0);

sub_4154d0 is the constructor of a class which is created in sub_40ad9b through sub_40edd1, which gets the pointer.

What needs to be done with the Equation files?
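The IOCTL code and CreateFile arguments quoted in the post above can be decoded without a Windows box. The following is an added example, not code from the thread or from the malware: it splits 0x85892400 into the fields of the Windows CTL_CODE macro (DeviceType, RequiredAccess, Function, TransferType, a documented layout) and checks whether the code falls in the third-party ranges (DeviceType >= 0x8000, Function >= 0x800). The constant names and the helper names are mine; the decoded values follow from the bit layout alone.

```c
/* Added example (not from the thread or the malware): decode a Windows
 * I/O control code into its CTL_CODE fields and classify it.
 * Portable C, no Windows headers required. */
#include <stdint.h>
#include <stdio.h>

/* CTL_CODE layout (winioctl.h):
 *   bits 31..16  DeviceType   (0x8000 and above reserved for third parties)
 *   bits 15..14  RequiredAccess (FILE_ANY_ACCESS=0, FILE_READ_ACCESS=1, FILE_WRITE_ACCESS=2)
 *   bits 13..2   Function     (0x800 and above reserved for third parties)
 *   bits  1..0   TransferType (METHOD_BUFFERED=0, IN_DIRECT=1, OUT_DIRECT=2, NEITHER=3) */
typedef struct {
    uint16_t device_type;
    uint8_t  access;
    uint16_t function;
    uint8_t  method;
} ioctl_fields;

ioctl_fields decode_ioctl(uint32_t code)
{
    ioctl_fields f;
    f.device_type = (uint16_t)(code >> 16);
    f.access      = (uint8_t)((code >> 14) & 0x3);
    f.function    = (uint16_t)((code >> 2) & 0xFFF);
    f.method      = (uint8_t)(code & 0x3);
    return f;
}

/* Reassemble a code from its fields (same arithmetic as CTL_CODE). */
uint32_t ctl_code(uint16_t device_type, uint16_t function, uint8_t method, uint8_t access)
{
    return ((uint32_t)device_type << 16) | ((uint32_t)(access & 0x3) << 14)
         | ((uint32_t)(function & 0xFFF) << 2) | (uint32_t)(method & 0x3);
}

/* True when both DeviceType and Function sit in the vendor-defined ranges,
 * i.e. the code is not one Microsoft ships for a stock device class. */
int is_vendor_ioctl(uint32_t code)
{
    ioctl_fields f = decode_ioctl(code);
    return f.device_type >= 0x8000 && f.function >= 0x800;
}

static const char *method_name(uint8_t m)
{
    static const char *names[] = { "METHOD_BUFFERED", "METHOD_IN_DIRECT",
                                   "METHOD_OUT_DIRECT", "METHOD_NEITHER" };
    return names[m & 0x3];
}

static const char *access_name(uint8_t a)
{
    static const char *names[] = { "FILE_ANY_ACCESS", "FILE_READ_ACCESS",
                                   "FILE_WRITE_ACCESS", "FILE_READ_ACCESS|FILE_WRITE_ACCESS" };
    return names[a & 0x3];
}

/* CreateFile argument values seen in the post (standard Win32 constants). */
#define GENERIC_READ          0x80000000u
#define GENERIC_WRITE         0x40000000u
#define OPEN_EXISTING         3u
#define FILE_ATTRIBUTE_NORMAL 0x80u

/* True for a read/write open of an existing device object, the pattern
 * used for the \\.\NUL handle in the post. */
int opens_device_read_write(uint32_t desired_access, uint32_t disposition)
{
    return (desired_access & (GENERIC_READ | GENERIC_WRITE)) == (GENERIC_READ | GENERIC_WRITE)
        && disposition == OPEN_EXISTING;
}

int main(void)
{
    uint32_t code = 0x85892400u;              /* IOCTL from the post */
    ioctl_fields f = decode_ioctl(code);
    printf("IOCTL 0x%08X: DeviceType=0x%04X Function=0x%03X %s %s vendor=%d\n",
           code, f.device_type, f.function, method_name(f.method),
           access_name(f.access), is_vendor_ioctl(code));
    printf("CreateFile(\\\\.\\NUL, 0xC0000000, ..., 3, 0x80): rw_open=%d\n",
           opens_device_read_write(0xC0000000u, 3u));
    return 0;
}
```

Output for the post's values: DeviceType 0x8589, Function 0x900, METHOD_BUFFERED, FILE_ANY_ACCESS, vendor range. A stock code such as IOCTL_DISK_GET_DRIVE_GEOMETRY (0x00070000, DeviceType 7, Function 0) decodes to the non-vendor range, which is a quick way to separate suspicious IOCTLs in an API trace from ordinary ones.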

oep_000
Posts: 4
Joined: Sat Dec 15, 2012 5:39 pm

Re: [APT] Equation

Post by oep_000 » Sat Feb 28, 2015 2:43 pm

You can read this article
http://view.padvish.amnpardaz.ir/conten ... 9%88%D9%84

GrayFish hooked DeviceIoControl for Null.sys with a win32k.sys vulnerability
and sends IOCTLs for WriteFile and CreateReg and ....
:D
