[APT] Equation

Postby Disillusion » Mon Feb 10, 2014 6:51 pm

I've managed to find infected boot sectors on VT but I'm looking for droppers for either.

http://www.microsoft.com/security/porta ... true#tab=1

Thanks

EDIT: Topic changed/moved to "[APT] Equation"
Disillusion
Posts: 14
Joined: Tue Mar 16, 2010 2:35 am
Reputation point: 9

Re: Looking for Fetrog.A and Fetrog.B Samples

Postby Xylitol » Mon Feb 10, 2014 8:21 pm

I've only found DOS/Fetrog.A, which you probably already have.
Xylitol
Global Moderator
Posts: 1634
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 491

Trojan:WinNT/Fetrog.A

Postby R136a1 » Sun Feb 15, 2015 11:49 am

Hi folks,

attached is the x64 driver of Trojan:WinNT/Fetrog.A from 2012. Except for a signature from Microsoft, there is no public information available about this malware. It seems to be a bigger project, maybe it's more than just another Chinese patchwork...

Remarkable strings:
KSDriver.pdb
\??\C:\Windows\TEMP\Net_U1ocike._2k
\??\C:\Windows\TEMP\f3t_0g.dat
\DosDevices\rmpdk0g
\Registry\Machine\System\CurrentControlSet\Services\ati2mtag\Parameters
\registry\machine\SYSTEM\CurrentControlSet\Services\EmcOM\Parameters
perfnw
R136a1
Posts: 215
Joined: Wed Jul 13, 2011 4:30 pm
Location: Germany
Reputation point: 136

Re: Trojan:WinNT/Fetrog.A

Postby R136a1 » Mon Feb 16, 2015 8:54 pm

R136a1
Posts: 215
Joined: Wed Jul 13, 2011 4:30 pm
Location: Germany
Reputation point: 136

Re: Trojan:WinNT/Fetrog.A

Postby Es07er1K » Wed Feb 18, 2015 2:55 am

Here are some samples from the Equation group.
Es07er1K
Posts: 3
Joined: Thu Jan 24, 2013 11:39 pm
Reputation point: 2

Re: Trojan:WinNT/Fetrog.A

Postby CloneRanger » Thu Feb 19, 2015 1:24 am

@ Xylitol & R136a1 & Es07er1K

Thanks for the nasties. I'll see which, if any, can penetrate my defences. I tried to give you all a thumbs up, but the board only let me give one!
Malware = If your name's not down, you're not coming in!
CloneRanger
Posts: 124
Joined: Sat Aug 14, 2010 11:54 pm
Reputation point: 14

Re: Trojan:WinNT/Fetrog.A

Postby stevegs1821 » Fri Feb 20, 2015 4:11 pm

Has anyone been able to replicate, or directly observe, the HD firmware modification (reprogramming)? Interested in steps and findings...
stevegs1821
Posts: 3
Joined: Mon Jan 27, 2014 6:28 pm
Reputation point: 2

Re: Trojan:WinNT/Fetrog.A

Postby R136a1 » Sat Feb 21, 2015 8:14 am

@Es07er1K
Next time, please give credit when you upload samples which do not come from yourself.

@Admin
Can you rename the thread title to include the group's dubbed name "Equation", please? Thanks!
R136a1
Posts: 215
Joined: Wed Jul 13, 2011 4:30 pm
Location: Germany
Reputation point: 136

Re: [APT] Equation

Postby asido » Tue Feb 24, 2015 5:14 pm

The handle is created in sub_415d50:

// GENERIC_READ|GENERIC_WRITE, no sharing, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL
HANDLE hDevice = CreateFile("\\\\.\\NUL", 0xC0000000, 0, 0, 3, 0x80, 0);

DeviceIoControl is used to operate on the handle returned by CreateFile in sub_413cb0:

// no input buffer, 4-byte output buffer, synchronous call (no OVERLAPPED)
DeviceIoControl(hDevice, 0x85892400, 0, 0, &OutBuffer, 4, &BytesReturned, 0);

sub_4154d0 is a constructor of a class which is created in sub_40ad9b through sub_40edd1, which gets the pointer.

What needs to be done with the Equation files?
asido
Posts: 1
Joined: Sat Jul 13, 2013 7:22 am
Reputation point: 0
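Decoding the two calls quoted in the post above, as an added analyst helper that is not part of the thread or of any sample: it unpacks the IOCTL into its CTL_CODE fields and names the numeric CreateFile arguments, so that a vendor-range IOCTL sent to the \\.\NUL device stands out in a sandbox or API-monitor trace.

```python
# Added example (not from the thread): decode the numeric arguments of the
# CreateFile/DeviceIoControl calls quoted above. IOCTL layout follows the
# CTL_CODE macro: device type (16 bits) | access (2) | function (12) | method (2).

METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
CREATION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
            4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
GENERIC = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
           (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL")]

def decode_ioctl(code: int) -> dict:
    """Split an IOCTL into its CTL_CODE fields. Microsoft reserves device
    types below 0x8000 and function codes below 0x800; anything at or above
    those is a third-party (vendor-defined) code."""
    device_type = (code >> 16) & 0xFFFF
    function = (code >> 2) & 0xFFF
    return {
        "device_type": device_type,
        "function": function,
        "access": ACCESS[(code >> 14) & 0x3],
        "method": METHODS[code & 0x3],
        "vendor_defined": device_type >= 0x8000 or function >= 0x800,
    }

def decode_createfile(access: int, share: int, disposition: int, flags: int) -> dict:
    """Name the numeric CreateFile arguments the way an API monitor would."""
    names = [n for bit, n in GENERIC if access & bit]
    return {
        "access": "|".join(names) or hex(access),
        "share": "none (exclusive)" if share == 0 else hex(share),
        "disposition": CREATION.get(disposition, hex(disposition)),
        "flags": "FILE_ATTRIBUTE_NORMAL" if flags == 0x80 else hex(flags),
    }

def suspicious_nul_ioctl(device_path: str, code: int) -> bool:
    r"""\\.\NUL is a discard device that serves no custom IOCTLs, so a
    vendor-range code sent to it is a useful API-trace indicator."""
    return device_path.upper() == r"\\.\NUL" and decode_ioctl(code)["vendor_defined"]

if __name__ == "__main__":
    # Constants taken from the post above.
    print(decode_createfile(0xC0000000, 0, 3, 0x80))
    print(decode_ioctl(0x85892400))
    print(suspicious_nul_ioctl(r"\\.\NUL", 0x85892400))
```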

Re: [APT] Equation

Postby oep_000 » Sat Feb 28, 2015 2:43 pm

You can read this article
http://view.padvish.amnpardaz.ir/conten ... 9%88%D9%84

GrayFish hooked DeviceIoControl for Null.sys with a win32k.sys vulnerability
and sends IOCTLs for WriteFile and CreateReg and ....
:D
oep_000
Posts: 4
Joined: Sat Dec 15, 2012 5:39 pm
Reputation point: 0
