A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #25252  by R136a1
 Sun Feb 15, 2015 11:49 am
Hi folks,

attached is the x64 driver of Trojan:WinNT/Fetrog.A from 2012. Except a signature from Microsoft, there is no public information available about this malware. It seems to be a bigger project, maybe it's more than just another Chinese patchwork...

Remarkable strings:
KSDriver.pdb
\??\C:\Windows\TEMP\Net_U1ocike._2k
\??\C:\Windows\TEMP\f3t_0g.dat
\DosDevices\rmpdk0g
\Registry\Machine\System\CurrentControlSet\Services\ati2mtag\Parameters
\registry\machine\SYSTEM\CurrentControlSet\Services\EmcOM\Parameters
perfnw
You do not have the required permissions to view the files attached to this post.
 #25273  by Es07er1K
 Wed Feb 18, 2015 2:55 am
Here are some samples from the Equation group.
You do not have the required permissions to view the files attached to this post.
 #25276  by CloneRanger
 Thu Feb 19, 2015 1:24 am
@ Xylitol & R136a1 & Es07er1K

Thanx for the nasties. I'll see which, if any, can penetrate my defences. I tried to give you all a thumbs up, but the board only let me give one !
 #25302  by stevegs1821
 Fri Feb 20, 2015 4:11 pm
Has anyone been able to replicate, or directly observe, the HD Firmware modification (reprogramming)? Interested in steps and findings . . .
 #25307  by R136a1
 Sat Feb 21, 2015 8:14 am
@Es07er1K
Next time, please give credits when you upload samples which do not come from yourself.

@Admin
Can you rename the thread title to include the group's dubbed name "Equation", please. Thanks!
 #25323  by asido
 Tue Feb 24, 2015 5:14 pm
Handle is created in In sub_415d50
Code: Select all
HANDLE hDevice = CreateFile("\\\\.\\NUL", 0xC0000000, 0, 0, 3, 0x80, 0);
DeviceIoControl is used to operate with handle returned by CreateFile in sub_413cb0.
Code: Select all
DeviceIoControl(hDevice, 0x85892400, 0, 0, &OutBuffer, 4, &BytesReturned, 0);
sub_4154d0 is a constructor of class which a created in sub_40ad9b through sub_40edd1 which gets pointer.

what is needed to do with equation files?
 #25338  by oep_000
 Sat Feb 28, 2015 2:43 pm
You can read this article

GrayFish hooked DeviceIoContorl for Null.sys with win32k.sys vulnerability
and send IOCTL for WriteFile and CreateReg and ....
:D
Last edited by EP_X0FF on Mon Dec 17, 2018 4:15 pm, edited 1 time in total. Reason: link removed by request