The hypothesis is that a match on this rule identifies a file, or a region of process memory, carrying the Equation Group's Fanny Worm, and that its presence may indicate lateral movement (the rule's USBSTOR and PartMgr enumeration strings suggest removable-media activity) or data exfiltration. A YARA rule is evaluated by a YARA engine on endpoints, file shares and sandboxes, not by the SIEM itself; SOC teams should run this rule there and forward the matches to Azure Sentinel, where they can be hunted and correlated with endpoint and network telemetry to detect advanced persistent threat activity and contain it before data is lost.
YARA Rule
rule Equation_Kaspersky_FannyWorm
{
    meta:
        description = "Equation Group Malware - Fanny Worm"
        author = "Florian Roth"
        reference = "http://goo.gl/ivt8EW"
        date = "2015/02/16"
        hash = "1f0ae54ac3f10d533013f74f48849de4e65817a7"   // SHA-1 of the reference sample
    strings:
        $mz = { 4d 5a }                                   // "MZ" DOS header; anchored at offset 0 below
        // $s*: strings specific to this sample (fanny.bmp referenced on a drive root)
        $s1 = "x:\\fanny.bmp" fullword ascii
        $s2 = "32.exe" fullword ascii
        $s3 = "d:\\fanny.bmp" fullword ascii
        // $x*: supporting strings; some ($x1, $x4, $x9, $x13) also occur in benign
        // binaries, which is why the condition demands many of them at once
        $x1 = "c:\\windows\\system32\\kernel32.dll" fullword ascii
        $x2 = "System\\CurrentControlSet\\Services\\USBSTOR\\Enum" fullword ascii
        $x3 = "System\\CurrentControlSet\\Services\\PartMgr\\Enum" fullword ascii
        $x4 = "\\system32\\win32k.sys" fullword wide      // UTF-16LE encoded in the binary
        $x5 = "\\AGENTCPD.DLL" fullword ascii
        $x6 = "agentcpd.dll" fullword ascii
        $x7 = "PADupdate.exe" fullword ascii
        $x8 = "dll_installer.dll" fullword ascii
        $x9 = "\\restore\\" fullword ascii
        $x10 = "Q:\\__?__.lnk" fullword ascii
        $x11 = "Software\\Microsoft\\MSNetMng" fullword ascii
        $x12 = "\\shelldoc.dll" fullword ascii
        $x13 = "file size = %d bytes" fullword ascii
        $x14 = "\\MSAgent" fullword ascii
        $x15 = "Global\\RPCMutex" fullword ascii
        $x16 = "Global\\DirectMarketing" fullword ascii
    condition:
        ( $mz at 0 ) and filesize < 300000 and
        (
            ( 2 of ($s*) ) or                         // two sample-specific strings
            ( 1 of ($s*) and 6 of ($x*) ) or          // one specific string plus supporting context
            ( 14 of ($x*) )                           // or nearly all of the supporting strings
        )
}
This YARA rule can be deployed wherever a YARA engine runs: on-disk file scans, process memory scans, and automated sandbox or file-ingest pipelines.
This rule contains 20 string patterns ($mz, three $s strings and sixteen $x strings) in its detection logic, gated by an MZ header at offset 0 and a file size below 300000 bytes.
The rule matches on file and memory content, not on process behaviour, so exclusions should be scoped to files (by hash or signer), never to command lines. The scenarios below are read in that light.
Scenario: Scheduled System Maintenance Task
Description: A cleanup job run by schtasks.exe cannot trigger the rule through its process behaviour; a match can only come from a scan of a file the job reads or writes that actually contains the rule's strings.
Filter/Exclusion: Do not exclude on the scheduling command line (e.g. schtasks.exe /Run /TN "System Maintenance"), which says nothing about file content; if the matched file is verified benign, exclude that file by hash.
Scenario: Windows Update or Patching Job
Description: Update binaries and caches handled by wuauclt.exe or wusa.exe are scanned frequently and legitimately contain system path strings such as $x1 and $x4, but a genuine update package should not contain the fanny.bmp strings or 14 of the $x strings.
Filter/Exclusion: If a file under C:\Windows\SoftwareDistribution\ matches, check its Authenticode signature before excluding it; a blanket path exclusion would also hide a real sample dropped there.
Scenario: Admin Task Using PsExec
Description: Remote execution via PsExec (e.g. psexec.exe -s -i 1 -d cmd.exe) does not influence a content-based rule; only the binaries PsExec copies to or runs on the target are candidates, and the rule flags them only if they carry the Fanny strings.
Filter/Exclusion: Exclude PsExec's own binaries and the administrative tools it launches by hash or publisher signature, not by the PsExec command line.
Scenario: Logon Script Execution
Description: Logon scripts run through cmd.exe or PowerShell.exe are text files and cannot satisfy the ( $mz at 0 ) requirement, so they cannot match; only executables launched by such a script can.
Filter/Exclusion: No exclusion is needed for the scripts themselves; if an executable started from a logon script matches, treat it as a genuine hit unless it has been verified benign by hash.
Scenario: Antivirus or Endpoint Protection Scan
Description: Antivirus tools like Microsoft Defender or Kaspersky may execute payloads or modify files during a scan, mimicking malware
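The following is an added example, not part of the original page and not the rule author's tooling: a plain-Python model of the rule's condition (MZ gate, size gate, the three "of" branches, and YARA's fullword and wide semantics) run over constructed byte buffers, followed by a hash-based triage step of the kind the exclusion scenarios above call for. Everything in it is constructed for illustration: the buffers are not real samples, and evaluate(), triage(), sha256_hex() and the known-good set are hypothetical names. In production the rule itself is run by yara or yara-python; this block only mirrors its logic so the thresholds can be seen firing.

```python
"""Added example (not from the original page or the rule author): a model of
the Equation_Kaspersky_FannyWorm condition over constructed buffers, plus a
hash-keyed triage step. All names and sample buffers here are constructed."""
import hashlib

MAX_FILESIZE = 300_000  # the rule's "filesize < 300000" gate

# Strings copied from the rule; all are fullword, $x4 is wide (UTF-16LE).
S_STRINGS = {
    "s1": b"x:\\fanny.bmp",
    "s2": b"32.exe",
    "s3": b"d:\\fanny.bmp",
}
X_STRINGS = {  # name -> (bytes, is_wide)
    "x1": (b"c:\\windows\\system32\\kernel32.dll", False),
    "x2": (b"System\\CurrentControlSet\\Services\\USBSTOR\\Enum", False),
    "x3": (b"System\\CurrentControlSet\\Services\\PartMgr\\Enum", False),
    "x4": ("\\system32\\win32k.sys".encode("utf-16-le"), True),
    "x5": (b"\\AGENTCPD.DLL", False),
    "x6": (b"agentcpd.dll", False),
    "x7": (b"PADupdate.exe", False),
    "x8": (b"dll_installer.dll", False),
    "x9": (b"\\restore\\", False),
    "x10": (b"Q:\\__?__.lnk", False),
    "x11": (b"Software\\Microsoft\\MSNetMng", False),
    "x12": (b"\\shelldoc.dll", False),
    "x13": (b"file size = %d bytes", False),
    "x14": (b"\\MSAgent", False),
    "x15": (b"Global\\RPCMutex", False),
    "x16": (b"Global\\DirectMarketing", False),
}

def _alnum_at(data: bytes, i: int, wide: bool) -> bool:
    """True if an ASCII alphanumeric character starts at offset i; for wide
    strings the character is a two-byte UTF-16LE unit (letter, then 0x00)."""
    if i < 0 or i >= len(data) or data[i] >= 128 or not chr(data[i]).isalnum():
        return False
    return not wide or (i + 1 < len(data) and data[i + 1] == 0)

def _find_fullword(data: bytes, needle: bytes, wide: bool = False) -> bool:
    """YARA 'fullword': the needle must not be immediately preceded or followed
    by an alphanumeric character, so "32.exe" inside "ab32.exe" does not count."""
    step = 2 if wide else 1
    pos = data.find(needle)
    while pos != -1:
        end = pos + len(needle)
        if not _alnum_at(data, pos - step, wide) and not _alnum_at(data, end, wide):
            return True
        pos = data.find(needle, pos + 1)
    return False

def evaluate(data: bytes) -> dict:
    """Evaluate the rule condition and report which strings and branch fired."""
    s_hits = [n for n, v in S_STRINGS.items() if _find_fullword(data, v)]
    x_hits = [n for n, (v, wide) in X_STRINGS.items() if _find_fullword(data, v, wide)]
    mz = data[:2] == b"MZ"              # ( $mz at 0 )
    size_ok = len(data) < MAX_FILESIZE  # filesize < 300000
    ns, nx = len(s_hits), len(x_hits)
    branch = None
    if ns >= 2:
        branch = "2 of ($s*)"
    elif ns >= 1 and nx >= 6:
        branch = "1 of ($s*) and 6 of ($x*)"
    elif nx >= 14:
        branch = "14 of ($x*)"
    match = mz and size_ok and branch is not None
    return {"match": match, "branch": branch if match else None,
            "s": s_hits, "x": x_hits, "mz": mz, "size_ok": size_ok}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def triage(data: bytes, known_good: frozenset = frozenset()) -> str:
    """'clean' (no match), 'suppress' (match on an analyst-verified hash) or
    'alert'. Exclusions are keyed by hash, not by path or command line, because
    the rule only ever looks at content."""
    if not evaluate(data)["match"]:
        return "clean"
    return "suppress" if sha256_hex(data) in known_good else "alert"

def _pe(*parts: bytes) -> bytes:
    """Constructed stand-in for a PE image: MZ header, padding, NUL-separated strings."""
    return b"MZ\x90\x00" + b"\x00" * 60 + b"\x00".join(parts) + b"\x00"

_x = lambda *names: [X_STRINGS[n][0] for n in names]
SAMPLES = {  # all constructed; none is real malware
    "fanny_like": _pe(S_STRINGS["s1"], S_STRINGS["s3"], *_x("x2")),            # 2 of $s
    "one_s_six_x": _pe(S_STRINGS["s2"], *_x("x1", "x2", "x3", "x5", "x7", "x15")),
    "benign_pe": _pe(*_x("x4", "x1", "x9", "x13")),                            # generic $x only
    "not_pe": b"\x7fELF\x00" + S_STRINGS["s1"] + b"\x00" + S_STRINGS["s3"] + b"\x00",
    "fullword_miss": _pe(b"ab32.exe", S_STRINGS["s1"]),                        # only $s1 counts
}
SAMPLES["oversized"] = SAMPLES["fanny_like"] + b"\x00" * MAX_FILESIZE

if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        r = evaluate(buf)
        print(f"{name:14} match={r['match']!s:5} branch={r['branch']} s={r['s']} x={r['x']}")
```

Two things worth noticing when running it: the benign_pe buffer carries four of the generic $x strings yet stays clear because no branch is reached, which is the rule's protection against ordinary system binaries, and the fullword_miss buffer shows why "32.exe" is tolerable as a string despite looking weak: YARA only counts it when it stands alone, not as the tail of another name. The triage step deliberately takes a set of SHA-256 hashes rather than a path prefix; a path allowlist such as the update cache would also silence a genuine sample written there.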