Equation APT YARA Rules

Equation APT YARA Rules

1 - apt_equation_exploitlib_mutexes

rule apt_equation_exploitlib_mutexes {

meta:

copyright = “Kaspersky Lab”

description = “Rule to detect Equation group's Exploitation library”

version = “1.0”

last_modified = “2015-02-16”

reference = “https://securelist.com/blog/”

strings:

$mz=“MZ”

$a1=“prkMtx” wide

$a2=“cnFormSyncExFBC” wide

$a3=“cnFormVoidFBC” wide

$a4=“cnFormSyncExFBC”

$a5=“cnFormVoidFBC”

condition:

(($mz at 0) and any of ($a*))

}

Equation APT IoC

Equation APT  Indicators Of Compromise

C&C Domain Adresleri

·         advancing-technology.com

·         avidnewssource.com

·         businessdealsblog.com

·         businessedgeadvance.com

·         charging-technology.com

·         computertechanalysis.com

·         config.getmyip.com

·         globalnetworkanalys.com

·         melding-technology.com

·         myhousetechnews.com

·         newsterminalvelocity.com

·         selective-business.com

·         slayinglance.com

Carbanak APT

 BAT file to detect infection

@echo off
for /f %%a in ('hostname') do set "name=%%a" echo %name%
del /f %name%.log 2> nul
if exist "c:\Documents and settings\All users\application data\
mozilla\*.bin" echo "BIN detected" >> %name%.log
if exist %SYSTEMROOT%\System32\com\svchost.exe echo "COM
detected" >> %name%.log
if exist "c:\ProgramData\mozilla\*.bin" echo "BIN2 detected"
>> %name%.log
if exist %SYSTEMROOT%\paexec* echo "Paexec detected"
>> %name%.log
if exist %SYSTEMROOT%\Syswow64\com\svchost.exe echo "COM64
detected" >> %name%.log
SC QUERY state= all | find "SERVICE_NAME" | findstr "Sys$"
if q%ERRORLEVEL% == q0 SC QUERY state= all | find
"SERVICE_NAME" | findstr "Sys$" >> %name%.log
if not exist %name%.log echo Ok > %name%.log xcopy /y %name%.log
"\\<IP>\logVirus