This hunt hypothesis covers potential adversary use of the leaked Equation Group tool ‘jackpop’ to exploit vulnerabilities and gain unauthorized access to systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that leverage known exploit tools.
YARA Rule
rule EquationGroup_jackpop {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers - file jackpop"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "0b208af860bb2c7ef6b1ae1fcef604c2c3d15fc558ad8ea241160bf4cbac1519"
    strings:
        $x1 = "%x:%d --> %x:%d %d bytes" fullword ascii
        $s1 = "client: can't bind to local address, are you root?" fullword ascii
        $s2 = "Unable to register port" fullword ascii
        $s3 = "Could not resolve destination" fullword ascii
        $s4 = "raw troubles" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 30KB and 3 of them ) or ( all of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
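To make the condition concrete, the following is an added Python example, not part of the original page and not Florian Roth's code, that re-implements this rule's matching logic without the yara library: it reads `uint16(0)` little-endian (so the ELF magic `\x7fELF` yields 0x457f), applies the 30KB size bound (YARA's KB suffix is 1024 bytes), counts `fullword` hits, and evaluates the `3 of them` / `all of them` clauses. The function names and the sample buffers are this example's own constructions; the sample buffers are not real jackpop binaries.

```python
import struct

# The five strings from the rule above; all are declared 'fullword ascii'.
RULE_STRINGS = {
    "$x1": b"%x:%d --> %x:%d %d bytes",
    "$s1": b"client: can't bind to local address, are you root?",
    "$s2": b"Unable to register port",
    "$s3": b"Could not resolve destination",
    "$s4": b"raw troubles",
}
ELF_MAGIC = b"\x7fELF"      # uint16(0) of this, read little-endian, is 0x457f
SIZE_LIMIT = 30 * 1024      # YARA's 'KB' suffix means 1024 bytes


def _is_alnum(byte: int) -> bool:
    """YARA 'fullword' treats [0-9A-Za-z] as word characters."""
    return (0x30 <= byte <= 0x39) or (0x41 <= byte <= 0x5A) or (0x61 <= byte <= 0x7A)


def fullword_hits(data: bytes, needle: bytes) -> int:
    """Count occurrences of needle that are not glued to other word characters."""
    hits, start = 0, 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return hits
        end = i + len(needle)
        before_ok = i == 0 or not _is_alnum(data[i - 1])
        after_ok = end == len(data) or not _is_alnum(data[end])
        if before_ok and after_ok:
            hits += 1
        start = i + 1


def uint16_at(data: bytes, offset: int):
    """YARA's uint16(offset): little-endian; undefined (None here) past end of data."""
    if len(data) < offset + 2:
        return None
    return struct.unpack_from("<H", data, offset)[0]


def evaluate_jackpop_rule(data: bytes) -> dict:
    """Evaluate the rule's condition and report which strings fired."""
    matched = sorted(name for name, s in RULE_STRINGS.items() if fullword_hits(data, s))
    is_elf = uint16_at(data, 0) == 0x457F
    small = len(data) < SIZE_LIMIT
    # ( uint16(0) == 0x457f and filesize < 30KB and 3 of them ) or ( all of them )
    fires = (is_elf and small and len(matched) >= 3) or (len(matched) == len(RULE_STRINGS))
    return {"elf": is_elf, "size": len(data), "matched": matched, "matches": fires}


def build_sample(magic: bytes, strings, pad_to: int = 0) -> bytes:
    """Constructed test buffer: magic, NUL padding, NUL-separated strings, optional NUL tail."""
    body = magic + b"\x00" * 12 + b"\x00".join(strings) + b"\x00"
    return body + b"\x00" * max(0, pad_to - len(body))


if __name__ == "__main__":
    s = RULE_STRINGS
    cases = {
        "small ELF, 3 strings": build_sample(ELF_MAGIC, [s["$s1"], s["$s2"], s["$s3"]]),
        "small ELF, 2 strings": build_sample(ELF_MAGIC, [s["$s1"], s["$s2"]]),
        "non-ELF, all 5 strings": build_sample(b"MZ", list(s.values())),
        "40KB ELF, 3 strings": build_sample(ELF_MAGIC, [s["$s1"], s["$s2"], s["$s3"]], 40 * 1024),
        "40KB ELF, all 5 strings": build_sample(ELF_MAGIC, list(s.values()), 40 * 1024),
        "fullword miss (troublesome)": build_sample(ELF_MAGIC, [b"raw troublesome", s["$s1"], s["$s2"]]),
    }
    for label, buf in cases.items():
        r = evaluate_jackpop_rule(buf)
        print(f"{label:28} -> matches={r['matches']} via {r['matched']}")
```

The cases show why the two clauses are separated: a small ELF needs only three of the five strings, while an oversized or non-ELF file (for instance a packed or re-wrapped copy) still matches when every string is present. The `fullword` check also shows that a string embedded in a longer word, such as "raw troublesome", does not count.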
Scenario: Legitimate Use of jackpop for File Access in a Security Audit
Description: A security team member uses the jackpop tool (a known component of the Equation Group toolkit) during a red team exercise or penetration test to simulate file access.
Filter/Exclusion: Check for process.owner or user.name matching known security teams or red team members. Exclude processes initiated by users with “security” or “pentest” in their username.
Scenario: Scheduled Job for Log File Rotation Using jackpop
Description: A system administrator uses jackpop as part of a custom script to rotate and archive log files, which is a common administrative task.
Filter/Exclusion: Filter by process.name or process.args containing keywords like “rotate”, “logrotate”, or “archive”. Exclude processes running under a scheduled task with a known name (e.g., LogRotationJob).
Scenario: File Integrity Monitoring Tool Using jackpop
Description: A third-party file integrity monitoring tool (e.g., Tripwire, OSSEC) uses jackpop as part of its internal logic to check file hashes or access patterns.
Filter/Exclusion: Check for process.parent or process.command_line containing known FIM tool names. Exclude processes with parent_process matching the FIM tool’s service name.
Scenario: Admin Task to Access System Files for Troubleshooting
Description: An administrator uses jackpop to access system files (e.g., /etc/passwd, /etc/shadow) during a troubleshooting session.
Filter/Exclusion: Filter by process.args containing paths like /etc/ or /bin/ and exclude processes initiated by users with elevated privileges (e.g., root, `admin