[APT] Equation

Forum for analysis and discussion about malware.
Disillusion
Posts: 14
Joined: Tue Mar 16, 2010 2:35 am

Mon Feb 10, 2014 6:51 pm

I've managed to find infected boot sectors on VT but I'm looking for droppers for either.

http://www.microsoft.com/security/porta ... true#tab=1

Thanks

EDIT: Topic changed/moved to "[APT] Equation"
Xylitol
Global Moderator
Posts: 1684
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Mon Feb 10, 2014 8:21 pm

I've found only DOS/Fetrog.A, which you probably already have.
R136a1
Forum Admin
Posts: 238
Joined: Wed Jul 13, 2011 4:30 pm
Location: Netherlands

Sun Feb 15, 2015 11:49 am

Hi folks,

attached is the x64 driver of Trojan:WinNT/Fetrog.A from 2012. Except for a signature from Microsoft, there is no public information available about this malware. It seems to be a bigger project, maybe it's more than just another Chinese patchwork...

Remarkable strings:
KSDriver.pdb
\??\C:\Windows\TEMP\Net_U1ocike._2k
\??\C:\Windows\TEMP\f3t_0g.dat
\DosDevices\rmpdk0g
\Registry\Machine\System\CurrentControlSet\Services\ati2mtag\Parameters
\registry\machine\SYSTEM\CurrentControlSet\Services\EmcOM\Parameters
perfnw
R136a1
Forum Admin
Posts: 238
Joined: Wed Jul 13, 2011 4:30 pm
Location: Netherlands

Mon Feb 16, 2015 8:54 pm

Es07er1K
Posts: 3
Joined: Thu Jan 24, 2013 11:39 pm

Wed Feb 18, 2015 2:55 am

Here are some samples from the Equation group.
CloneRanger
Posts: 124
Joined: Sat Aug 14, 2010 11:54 pm

Thu Feb 19, 2015 1:24 am

@ Xylitol & R136a1 & Es07er1K

Thanx for the nasties. I'll see which, if any, can penetrate my defences. I tried to give you all a thumbs up, but the board only let me give one!
Malware = If your name's not down, you're Not coming in !
stevegs1821
Posts: 9
Joined: Mon Jan 27, 2014 6:28 pm

Fri Feb 20, 2015 4:11 pm

Has anyone been able to replicate, or directly observe, the HD Firmware modification (reprogramming)? Interested in steps and findings . . .
R136a1
Forum Admin
Posts: 238
Joined: Wed Jul 13, 2011 4:30 pm
Location: Netherlands

Sat Feb 21, 2015 8:14 am

@Es07er1K
Next time, please give credits when you upload samples which do not come from yourself.

@Admin
Can you rename the thread title to include the group's dubbed name "Equation", please. Thanks!
asido
Posts: 1
Joined: Sat Jul 13, 2013 7:22 am

Tue Feb 24, 2015 5:14 pm

The handle is created in sub_415d50:

Code:

HANDLE hDevice = CreateFile("\\\\.\\NUL", 0xC0000000, 0, 0, 3, 0x80, 0);

DeviceIoControl is used to operate on the handle returned by CreateFile, in sub_413cb0:

Code:

DeviceIoControl(hDevice, 0x85892400, 0, 0, &OutBuffer, 4, &BytesReturned, 0);

sub_4154d0 is the constructor of a class which is created in sub_40ad9b through sub_40edd1, which gets the pointer.

What is needed to do with the Equation files?
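To make sense of the constants in the two calls quoted above, here is an added example (not code from the post or from the sample) that decodes the IOCTL code with the Windows CTL_CODE field layout (device type in bits 16-31, required access in bits 14-15, function number in bits 2-13, buffering method in bits 0-1) and checks the CreateFile access mask against GENERIC_READ|GENERIC_WRITE. It uses no Windows headers, so it builds on any platform; a device type at or above 0x8000 and a function number at or above 0x800 are the vendor-defined ranges, which is what an analyst looks for when a control code is sent to a device that normally has no such IOCTLs.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded fields of a Windows I/O control code (CTL_CODE layout). */
typedef struct {
    uint16_t device_type;     /* bits 16-31 */
    uint8_t  access;          /* bits 14-15: 0 any, 1 read, 2 write */
    uint16_t function;        /* bits 2-13 */
    uint8_t  method;          /* bits 0-1: buffered / in-direct / out-direct / neither */
    int      custom_device;   /* 1 when device_type is in the vendor range (>= 0x8000) */
    int      custom_function; /* 1 when function is in the vendor range (>= 0x800) */
} ioctl_fields;

ioctl_fields decode_ioctl(uint32_t code) {
    ioctl_fields f;
    f.device_type     = (uint16_t)(code >> 16);
    f.access          = (uint8_t)((code >> 14) & 0x3u);
    f.function        = (uint16_t)((code >> 2) & 0xFFFu);
    f.method          = (uint8_t)(code & 0x3u);
    f.custom_device   = f.device_type >= 0x8000u;
    f.custom_function = f.function >= 0x800u;
    return f;
}

const char *method_name(uint8_t method) {
    static const char *names[] = {"METHOD_BUFFERED", "METHOD_IN_DIRECT",
                                  "METHOD_OUT_DIRECT", "METHOD_NEITHER"};
    return names[method & 3u];
}

/* Generic access-mask bits as passed in CreateFile's dwDesiredAccess. */
#define GENERIC_READ_BIT  0x80000000u
#define GENERIC_WRITE_BIT 0x40000000u

/* Returns 1 when the mask requests both generic read and generic write. */
int access_is_generic_rw(uint32_t desired_access) {
    uint32_t rw = GENERIC_READ_BIT | GENERIC_WRITE_BIT;
    return (desired_access & rw) == rw;
}

int main(void) {
    ioctl_fields f = decode_ioctl(0x85892400u);  /* code from the post above */
    printf("device 0x%04X%s, access %u, function 0x%03X%s, %s\n",
           f.device_type, f.custom_device ? " (vendor range)" : "",
           f.access, f.function, f.custom_function ? " (vendor range)" : "",
           method_name(f.method));
    printf("CreateFile access 0xC0000000 is GENERIC_READ|GENERIC_WRITE: %d\n",
           access_is_generic_rw(0xC0000000u));
    return 0;
}
```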
oep_000
Posts: 4
Joined: Sat Dec 15, 2012 5:39 pm

Sat Feb 28, 2015 2:43 pm

You can read this article.

GrayFish hooked DeviceIoControl for Null.sys with a win32k.sys vulnerability
and sends IOCTLs for WriteFile and CreateReg and ....
:D
Last edited by EP_X0FF on Mon Dec 17, 2018 4:15 pm, edited 1 time in total.
Reason: link removed by request