The hypothesis is that the detection of EquationGroup Tool - April Leak indicates potential adversary use of sophisticated, legacy malware that may be part of a long-term persistence or data exfiltration campaign. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential advanced persistent threats that may have evaded traditional detection methods.
YARA Rule
rule EquationGroup_Toolset_Apr17_Gen4 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      super_rule = 1
      hash1 = "fe7ce2fdb245c62e4183c728bc97e966a98fdc8ffd795ed09da23f96e85dcdcd"
      hash2 = "0989bfe351342a7a1150b676b5fd5cbdbc201b66abcb23137b1c4de77a8f61a6"
      hash3 = "270850303e662be53d90fa60a9e5f4bd2bfb95f92a046c77278257631d9addf4"
      hash4 = "7a086c0acb6df1fa304c20733f96e898d21ca787661270f919329fadfb930a6e"
      hash5 = "c236e0d9c5764f223bd3d99f55bd36528dfc0415e14f5fde1e5cdcada14f4ec0"
      hash6 = "9d98e044eedc7272823ba8ed80dff372fde7f3d1bece4e5affb21e16f7381eb2"
      hash7 = "dfce29df4d198c669a87366dd56a7426192481d794f71cd5bb525b08132ed4f7"
      hash8 = "87fdc6c32b9aa8ae97c7efbbd5c9ae8ec5595079fc1488f433beef658efcb4e9"
      hash9 = "722f034ba634f45c429c7dafdbff413c08976b069a6b30ec91bfa5ce2e4cda26"
      hash10 = "d94b99908f528fa4deb56b11eac29f6a6e244a7b3aac36b11b807f2f74c6d8be"
      hash11 = "4b07d9d964b2c0231c1db7526237631bb83d0db80b3c9574cc414463703462d3"
      hash12 = "30b63abde1e871c90df05137ec08df3fa73dedbdb39cb4bd2a2df4ca65bc4e53"
      hash13 = "02c1b08224b7ad4ac3a5b7b8e3268802ee61c1ec30e93e392fa597ae3acc45f7"
      hash14 = "690f09859ddc6cd933c56b9597f76e18b62a633f64193a51f76f52f67bc2f7f0"
   strings:
      $x1 = "[+] \"TargetPort\" %hu" fullword ascii
      $x2 = "---<<< Complete >>>---" fullword ascii
      $x3 = "[+] \"NetworkTimeout\" %hu" fullword ascii
      $op1 = { 46 83 c4 0c 83 fe 0c 0f 8c 5e ff ff ff b8 }
   condition:
      ( uint16(0) == 0x5a4d and filesize < 150KB and ( 1 of ($x*) or 2 of them ) )
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic: three fullword ASCII strings ($x1, $x2, $x3) and one hex byte pattern ($op1). A file matches only if it starts with the MZ header (uint16(0) == 0x5a4d), is smaller than 150KB, and either contains at least one of the $x strings or at least two of the four patterns.
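To make the condition logic concrete, the following is an added example (not part of the original page or the rule author's code) that re-implements this rule's condition in plain Python, including YARA's "fullword" boundary semantics, and runs it over constructed sample buffers. The byte strings and buffers are constructed for illustration; the helper names are hypothetical.

```python
import re

# Atoms taken from the rule above; sample buffers below are constructed for the demo.
X_STRINGS = {
    "$x1": b'[+] "TargetPort" %hu',
    "$x2": b"---<<< Complete >>>---",
    "$x3": b'[+] "NetworkTimeout" %hu',
}
OP1 = bytes.fromhex("4683c40c83fe0c0f8c5effffffb8")   # $op1 hex pattern
MAX_SIZE = 150 * 1024                                  # filesize < 150KB


def _fullword_hit(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword': the match must not be bordered by alphanumeric bytes."""
    pattern = rb"(?<![0-9A-Za-z])" + re.escape(needle) + rb"(?![0-9A-Za-z])"
    return re.search(pattern, data) is not None


def evaluate(data: bytes) -> dict:
    """Evaluate the rule's condition; returns the verdict and per-pattern hits."""
    hits = {name: _fullword_hit(data, s) for name, s in X_STRINGS.items()}
    hits["$op1"] = OP1 in data
    x_count = sum(hits[n] for n in X_STRINGS)
    total = sum(hits.values())
    # Note: "2 of them" always needs at least one $x string, since $op1 is the
    # only non-$x pattern, so $op1 alone can never satisfy the condition.
    matched = (
        data[:2] == b"MZ"              # uint16(0) == 0x5a4d, little-endian 'MZ'
        and len(data) < MAX_SIZE
        and (x_count >= 1 or total >= 2)
    )
    return {"match": matched, "hits": hits}


if __name__ == "__main__":
    # Constructed samples: a minimal MZ-headed buffer with one $x string,
    # and one where the string is glued to a letter so 'fullword' rejects it.
    samples = {
        "pe_with_x1": b"MZ" + b"\x00" * 64 + b'[+] "TargetPort" %hu\x00',
        "glued_x1": b"MZ" + b"\x00" * 64 + b'X[+] "TargetPort" %hu\x00',
        "op1_only": b"MZ" + b"\x00" * 16 + OP1 + b"\x00" * 16,
    }
    for name, buf in samples.items():
        print(name, evaluate(buf))
```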
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as schtasks.exe running a scheduled job to clean temporary files or update system settings.
Filter/Exclusion: Check for ProcessName = schtasks.exe and CommandLine containing clean, delete, or maintenance.

Scenario: Admin Performing Disk Cleanup
Description: An administrator using cleanmgr.exe (Disk Cleanup) to remove temporary files or system cache.
Filter/Exclusion: Filter by ProcessName = cleanmgr.exe and check for CommandLine containing clean or delete.

Scenario: Antivirus or Endpoint Protection Scan
Description: A legitimate security tool like Microsoft Defender or Kaspersky performing a full system scan, which may trigger similar behavior to the EquationGroup tool.
Filter/Exclusion: Check for ProcessName in msasc.exe, mpsvc.exe, or kavsvc.exe and ensure the process is associated with a known security vendor.

Scenario: Log File Rotation or Archive Task
Description: A system or application task that rotates or archives log files using tools like logrotate (Linux) or RoboCopy (Windows).
Filter/Exclusion: Filter for ProcessName = robocopy.exe or logrotate and check for command lines involving rotate, archive, or backup.

Scenario: Database Backup Job
Description: A scheduled SQL Server backup job using sqlbackup.exe or sqlcmd.exe that may exhibit similar process behavior.
Filter/Exclusion: Filter by ProcessName = sqlbackup.exe or sqlcmd.exe and verify the command line includes backup or restore keywords.