The detection identifies potential adversary use of the BananaAid file, which may be part of the EQGRP toolset, indicating possible network reconnaissance or firewall manipulation. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage compromise and prevent lateral movement within the network.
YARA Rule
rule EQGRP_BananaAid
{
    meta:
        description = "EQGRP Toolset Firewall - file BananaAid"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "7a4fb825e63dc612de81bc83313acf5eccaa7285afc05941ac1fef199279519f"
    strings:
        $x1 = "(might have to delete key in ~/.ssh/known_hosts on linux box)" fullword ascii
        $x2 = "scp BGLEE-" ascii
        $x3 = "should be 4bfe94b1 for clean bootloader version 3.0; " fullword ascii
        $x4 = "scp <configured implant> <username>@<IPaddr>:onfig" fullword ascii
    condition:
        1 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
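As an added example, not part of the original rule or its author's tooling: a small pure-Python matcher that reproduces the rule's four strings with their ascii/fullword modifiers and the "1 of them" condition, run over constructed sample text. It lets an analyst see which string fired at which offset, and why the fullword modifier rejects a near-miss; it assumes yara-python is not installed (a real deployment would use yara itself).

```python
from typing import Dict, List, Tuple

# The four string patterns of EQGRP_BananaAid with their modifiers.
# All are ascii-only, so plain byte search suffices; True = fullword, meaning
# the match may not touch an alphanumeric character on either side (YARA isalnum()).
BANANAAID_STRINGS: Dict[str, Tuple[bytes, bool]] = {
    "$x1": (b"(might have to delete key in ~/.ssh/known_hosts on linux box)", True),
    "$x2": (b"scp BGLEE-", False),
    "$x3": (b"should be 4bfe94b1 for clean bootloader version 3.0; ", True),
    "$x4": (b"scp <configured implant> <username>@<IPaddr>:onfig", True),
}

ALNUM = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")


def _is_fullword(data: bytes, start: int, end: int) -> bool:
    """Fullword check: neither neighbouring byte may be alphanumeric."""
    before = data[start - 1] if start > 0 else None
    after = data[end] if end < len(data) else None
    return before not in ALNUM and after not in ALNUM


def find_matches(data: bytes) -> Dict[str, List[int]]:
    """Return {string_id: [offsets]} for every rule string that matches."""
    hits: Dict[str, List[int]] = {}
    for name, (pattern, fullword) in BANANAAID_STRINGS.items():
        offsets = []
        pos = data.find(pattern)
        while pos != -1:
            if not fullword or _is_fullword(data, pos, pos + len(pattern)):
                offsets.append(pos)
            pos = data.find(pattern, pos + 1)
        if offsets:
            hits[name] = offsets
    return hits


def rule_matches(data: bytes) -> bool:
    """condition: 1 of them"""
    return len(find_matches(data)) >= 1


# Constructed samples (not real files): operator-notes style text the rule targets,
# a benign file sharing vocabulary but not the exact strings, and a fullword near-miss
# where $x1 is glued to a preceding letter so the fullword modifier rejects it.
SAMPLE_NOTES = (b"1. scp BGLEE-3.0.0.tar.gz to the jump box\n"
                b"2. (might have to delete key in ~/.ssh/known_hosts on linux box)\n")
SAMPLE_BENIGN = b"Run scp to copy known_hosts; bootloader version 3.0 is installed.\n"
SAMPLE_GLUED = b"note(might have to delete key in ~/.ssh/known_hosts on linux box)\n"

if __name__ == "__main__":
    for label, sample in [("notes", SAMPLE_NOTES), ("benign", SAMPLE_BENIGN), ("glued", SAMPLE_GLUED)]:
        print(label, rule_matches(sample), find_matches(sample))
```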
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that temporarily uses a file named BananaAid.exe as part of a system cleanup or patching process.
Filter/Exclusion: process.parent_process_name == "Task Scheduler" or process.command_line contains "schtasks"
Scenario: Admin Debugging Session
Description: A system administrator is using a debugging tool like Procmon or Wireshark to analyze network traffic and temporarily executes a file named BananaAid.exe for testing purposes.
Filter/Exclusion: process.user == "Administrator" and (process.parent_process_name contains "Procmon" or process.parent_process_name contains "Wireshark")
Scenario: Third-Party Software Integration
Description: A third-party application, such as Microsoft Endpoint Configuration Manager (SCCM), includes a file named BananaAid.exe as part of its deployment or inventory process.
Filter/Exclusion: process.file_name contains "sccm" or process.file_name contains "ConfigurationManager"
Scenario: Custom Script for Log Analysis
Description: A custom PowerShell or Python script, used for log analysis or data processing, includes a file named BananaAid.exe as part of its workflow.
Filter/Exclusion: (process.file_name contains "PowerShell" or process.file_name contains "python") and process.command_line contains "log analysis"
Scenario: Legacy Tool for Network Monitoring
Description: An old network monitoring tool, such as Nmap or tcpdump, is used in the environment and includes a file named BananaAid.exe as part of its configuration or data handling.
Filter/Exclusion: `process.file_name contains