The hypothesis is that this detection identifies potential use of a leaked Equation Group hack tool, which could be used for unauthorized access or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential advanced persistent threats leveraging the leaked tooling.
YARA Rule
rule EquationGroup__magicjack_v1_1_0_0_client {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- from files magicjack_v1.1.0.0_client-1.1.0.0.py"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        super_rule = 1
        hash1 = "63292a2353275a3bae012717bb500d5169cd024064a1ce8355ecb4e9bfcdfdd1"
    strings:
        $s1 = "temp = ((left >> 1) ^ right) & 0x55555555" fullword ascii
        $s2 = "right ^= (temp << 16) & 0xffffffff" fullword ascii
        $s3 = "tempresult = \"\"" fullword ascii
        $s4 = "num = self.bytes2long(data)" fullword ascii
    condition:
        ( uint16(0) == 0x2123 and filesize < 80KB and 3 of them ) or ( all of them )
}
This YARA rule is written for file scanning: its condition keys on the file header (uint16(0) == 0x2123, the little-endian reading of the "#!" shebang bytes), the file size, and string content.
This rule contains 4 string patterns in its detection logic; a file matches when it has the shebang header, is under 80KB and contains at least 3 of the strings, or when it contains all 4 regardless of header and size.
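To make the rule's condition concrete, the following added example (not part of the original page or of the Equation Group rule set) re-implements the matching logic in plain Python, including YARA's "fullword" boundary semantics and the two branches of the condition, and runs it over constructed sample inputs. The sample scripts are made up for illustration and are not files from the leak.

```python
import re

# The four strings from the rule, matched as YARA "fullword ascii":
# the match may not be preceded or followed by an alphanumeric character.
RULE_STRINGS = {
    "$s1": "temp = ((left >> 1) ^ right) & 0x55555555",
    "$s2": "right ^= (temp << 16) & 0xffffffff",
    "$s3": 'tempresult = ""',
    "$s4": "num = self.bytes2long(data)",
}
MAX_SIZE = 80 * 1024  # YARA's "80KB" is 80 * 1024 bytes
SHEBANG = 0x2123      # uint16(0) reads b"#!" little-endian as 0x2123

def fullword_matches(data: bytes, pattern: str) -> bool:
    rx = re.compile(rb"(?<![A-Za-z0-9])" + re.escape(pattern.encode())
                    + rb"(?![A-Za-z0-9])")
    return rx.search(data) is not None

def matched_strings(data: bytes) -> list:
    """Names of rule strings present in data, in rule order."""
    return [n for n, s in RULE_STRINGS.items() if fullword_matches(data, s)]

def rule_matches(data: bytes) -> bool:
    """Mirror of: (uint16(0)==0x2123 and filesize<80KB and 3 of them) or (all of them)."""
    hits = matched_strings(data)
    header_ok = len(data) >= 2 and int.from_bytes(data[:2], "little") == SHEBANG
    return (header_ok and len(data) < MAX_SIZE and len(hits) >= 3) \
        or len(hits) == len(RULE_STRINGS)

# Constructed samples (hypothetical, not real leaked files).
SAMPLE_HIT = b"""#!/usr/bin/env python
def enc(self, data):
    num = self.bytes2long(data)
    temp = ((left >> 1) ^ right) & 0x55555555
    right ^= (temp << 16) & 0xffffffff
"""
# No shebang, but all four strings: second branch of the condition fires.
SAMPLE_ALL_NO_SHEBANG = SAMPLE_HIT[len(b"#!/usr/bin/env python\n"):] \
    + b'    tempresult = ""\n'
# Shebang present, but only one fullword hit: "mytempresult" is not a
# fullword match for $s3 because it is preceded by an alphanumeric char.
SAMPLE_BENIGN = b"""#!/usr/bin/env python
mytempresult = ""
temp = ((left >> 1) ^ right) & 0x55555555
"""
```

A file that carries three strings plus the shebang but exceeds 80KB falls out of the first branch, which is why the second branch exists for the case where all four strings are present.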
Possible benign scenarios that could trigger the detection, with a suggested filter or exclusion for each:

Scenario: A system administrator is using MagicJack (a VoIP service) and the script is part of the legitimate client software.
Filter/Exclusion: Check for process.name containing magicjack or magicjack_v1.1.0.0_client-1.1.0.0.py in known legitimate paths (e.g., /opt/magicjack/).

Scenario: A scheduled job runs a Python script named magicjack_v1.1.0.0_client-1.1.0.0.py as part of a system update or patching process.
Filter/Exclusion: Filter by process.parent_process matching a known update or patching service (e.g., yum, apt, wsus).

Scenario: A developer is testing or debugging the Equation Group tool in a sandboxed environment.
Filter/Exclusion: Filter by process.user matching a known development user or process.container indicating a sandbox.

Scenario: A Windows Scheduled Task is configured to run a Python script with the same filename as the malicious tool.
Filter/Exclusion: Filter by process.parent_process matching schtasks.exe or Task Scheduler and check for process.command_line containing schtasks or runonce.

Scenario: A remote management tool (e.g., Microsoft SCCM, Ansible, or Puppet) is executing a script with the same filename during a configuration push.
Filter/Exclusion: Filter by process.parent_process containing ansible, puppet, or ccmexec and verify the script path is within a known configuration management directory.