/* Yara Rule Set Author: Florian Roth Date: 2016-08-15 Identifier: EQGRP */
/*
 * Review notes for reading the rules in this file:
 *  - uint16(0) is read little-endian, so 0x457f matches a leading "\x7fE"
 *    (ELF magic), 0x5a4d matches "MZ" (PE/DOS header), 0x2123 matches "#!"
 *    (shebang script) and 0x2023 matches "# " (a file opening with a comment).
 *  - "fullword" requires the match to be delimited by non-alphanumeric
 *    characters; strings declared without it may also hit inside longer tokens.
 *  - $x* strings are used as high-confidence indicators (usually one suffices),
 *    $s* strings as weaker ones that the conditions combine with a threshold.
 *  - Rules whose condition is a plain "1 of them" with no header/filesize guard
 *    rely entirely on the uniqueness of their strings; keep that in mind when
 *    tuning thresholds or adding generic-looking strings.
 */
import "pe"   /* NOTE(review): no rule in this excerpt references pe.*; the import
                 is unused here (harmless, presumably at the cost of a PE parse
                 per scanned file). */
/* Rule Set ----------------------------------------------------------------- */

/* noclient-3.0.5.3: ELF under 700KB with any one of the operator-facing
   strings, or all five regardless of format and size. */
rule EQGRP_noclient_3_0_5 {
    meta:
        description = "Detects tool from EQGRP toolset - file noclient-3.0.5.3"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-15"
        score = 75
        id = "af7472ce-0605-5f50-8180-23438d2196b8"
    strings:
        $x1 = "-C %s 127.0.0.1\" scripme -F -t JACKPOPIN4 '&" fullword ascii
        $x2 = "Command too long! What the HELL are you trying to do to me?!?! Try one smaller than %d bozo." fullword ascii
        $x3 = "sh -c \"ping -c 2 %s; grep %s /proc/net/arp >/tmp/gx \"" fullword ascii
        $x4 = "Error from ourtn, did not find keys=target in tn.spayed" fullword ascii
        $x5 = "ourtn -d -D %s -W 127.0.0.1:%d -i %s -p %d %s %s" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 700KB and 1 of them ) or ( all of them )
}

/* installdate.pl: tiny Perl helper (under 2KB). One $x string is enough;
   otherwise any three strings. No header guard, so the filesize bound is the
   only structural constraint. */
rule EQGRP_installdate {
    meta:
        description = "Detects tool from EQGRP toolset - file installdate.pl"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-15"
        score = 75
        id = "029b1213-1206-5b7c-bd72-93239a23fe8a"
    strings:
        $x1 = "#Provide hex or EP log as command-line argument or as input" fullword ascii
        $x2 = "print \"Gimme hex: \";" fullword ascii
        /* Perl source is matched literally, hence the doubled backslashes. */
        $x3 = "if ($line =~ /Reg_Dword: (\\d\\d:\\d\\d:\\d\\d.\\d+ \\d+ - )?(\\S*)/) {" fullword ascii
        $s1 = "if ($_ =~ /InstallDate/) {" fullword ascii
        $s2 = "if (not($cmdInput)) {" fullword ascii
        $s3 = "print \"$hex in decimal=$dec\\n\\n\";" fullword ascii
    condition:
        filesize < 2KB and ( 1 of ($x*) or 3 of them )
}

/* teflondoor.exe: small PE (under 30KB). Needs one of the two $x format
   strings plus three strings in total (the $x hit counts towards the three). */
rule EQGRP_teflondoor {
    meta:
        description = "Detects tool from EQGRP toolset - file teflondoor.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-15"
        score = 75
        id = "188f9ef1-5524-50be-ac62-91cb9726b155"
    strings:
        $x1 = "%s: abort. Code is %d. Message is '%s'" fullword ascii
        $x2 = "%s: %li b (%li%%)" fullword ascii
        /* The $s strings are short and generic on their own; they only add
           weight next to an $x hit. */
        $s1 = "no winsock" fullword ascii
        $s2 = "%s: %s file '%s'" fullword ascii
        $s3 = "peer: connect" fullword ascii
        $s4 = "read: write" fullword ascii
        $s5 = "%s: done!" fullword ascii
        $s6 = "%s: %li b" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 30KB and 1 of ($x*) and 3 of them
}

/* durablenapkin.solaris.2.0.1.1: small ELF (under 40KB) with at least two of
   the STREAMS-style (putmsg/getmsg) error strings. */
rule EQGRP_durablenapkin_solaris_2_0_1 {
    meta:
        description = "Detects tool from EQGRP toolset - file durablenapkin.solaris.2.0.1.1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-15"
        score = 75
        id = "7b49a26d-9ee3-5aff-93fc-509239daef28"
    strings:
        $s1 = "recv_ack: %s: Service not supplied by provider" fullword ascii
        $s2 = "send_request: putmsg \"%s\": %s" fullword ascii
        $s3 = "port undefined" fullword ascii
        $s4 = "recv_ack: %s getmsg: %s" fullword ascii
        $s5 = ">> %d -- %d" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 40KB and 2 of them )
}

/* teflonhandle.exe: small PE (under 20KB) with two of the usage/key prompt
   strings. $s1 and $s2 end in a trailing space that is part of the literal. */
rule EQGRP_teflonhandle {
    meta:
        description = "Detects tool from EQGRP toolset - file teflonhandle.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-15"
        score = 75
        id = "4d82cc41-3777-5f8c-9392-aca69e6ed781"
    strings:
        $s1 = "%s [infile] [outfile] /k 0x[%i character hex key] " fullword ascii
        $s2 = "File %s already exists. Overwrite? (y/n) " fullword ascii
        $s3 = "Random Key : 0x" fullword ascii
        $s4 = "done (%i bytes written)." fullword ascii
        $s5 = "%s --> %s..." fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 20KB and 2 of them
}

/* false.exe: matched on one hex blob rather than text. The blob is a run of
   NUL-separated printf format strings in the binary's exact layout
   ("%d.\n", "%lu.%lu.%lu.%lu", "%2.2X ", "%d - %d %d\n", "%d\n", "%d - %d\n");
   the padding bytes between them are what make it specific, each string alone
   would be generic. */
rule EQGRP_false {
    meta:
        description = "Detects tool from EQGRP toolset - file false.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-15"
        score = 75
        id = "3a68790b-38fc-570b-8b19-c5478cdd2842"
    strings:
        $s1 = { 00 25 64 2E 0A 00 00 00 00 25 64 2E 0A 00 00 00 00 25 6C 75 2E 25 6C 75 2E 25 6C 75 2E 25 6C 75 00 25 64 2E 0A 00 00 00 00 25 64 2E 0A 00 00 00 00 25 64 2E 0A 00 00 00 00 25 64 2E 0A 00 00 00 00 25 32 2E 32 58 20 00 00 0A 00 00 00 25 64 20 2D 20 25 64 20 25 64 0A 00 25 64 0A 00 25 64 2E 0A 00 00 00 00 25 64 2E 0A 00 00 00 00 25 64 2E 0A 00 00 00 00 25 64 20 2D 20 25 64 0A 00 00 00 00 25 64 20 2D 20 25 64 }
    condition:
        uint16(0) == 0x5a4d and filesize < 50KB and $s1
}

/* dn.1.0.2.1.linux: small ELF (under 30KB) with two of the MAC-address
   command-prompt strings. */
rule EQGRP_dn_1_0_2_1 {
    meta:
        description = "Detects tool from EQGRP toolset - file dn.1.0.2.1.linux"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-15"
        score = 75
        id = "24b5fb51-2463-56ef-818a-949b4b3bbf5b"
    strings:
        $s1 = "Valid commands are: SMAC, DMAC, INT, PACK, DONE, GO" fullword ascii
        $s2 = "invalid format suggest DMAC=00:00:00:00:00:00" fullword ascii
        $s3 = "SMAC=%02x:%02x:%02x:%02x:%02x:%02x" fullword ascii
        $s4 = "Not everything is set yet" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 30KB and 2 of them )
}

/* morel.exe: the three strings are plain printf formats and are generic on
   their own; specificity comes from requiring all three together in a PE
   under 60KB. */
rule EQGRP_morel {
    meta:
        description = "Detects tool from EQGRP toolset - file morel.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-15"
        score = 75
        hash1 = "a9152e67f507c9a179bb8478b58e5c71c444a5a39ae3082e04820a0613cd6d9f"
        id = "e741b727-0e41-53d0-832c-df7f4ea7964a"
    strings:
        $s1 = "%d - %d, %d" fullword ascii
        $s2 = "%d - %lu.%lu %d.%lu" fullword ascii
        $s3 = "%d - %d %d" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 60KB and all of them )
}

/* bc-parser: any ELF (no size bound) containing either FALSEMOREL banner. */
rule EQGRP_bc_parser {
    meta:
        description = "Detects tool from EQGRP toolset - file bc-parser"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-15"
        score = 75
        hash1 = "879f2f1ae5d18a3a5310aeeafec22484607649644e5ecb7d8a72f0877ac19cee"
        id = "ed4523de-b126-503a-83bd-aafd8533b0e5"
    strings:
        $s1 = "*** Target may be susceptible to FALSEMOREL ***" fullword ascii
        $s2 = "*** Target is susceptible to FALSEMOREL ***" fullword ascii
    condition:
        uint16(0) == 0x457f and 1 of them
}

/* 1212.pl: Perl source fragments (hex -> ip:port decoder). Needs four of six
   strings in a file under 6KB; no shebang guard. */
rule EQGRP_1212 {
    meta:
        description = "Detects tool from EQGRP toolset - file 1212.pl"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-15"
        score = 75
        id = "428fed4f-df5c-5fc2-ac4b-4dea69ea4f2d"
    strings:
        $s1 = "if (!(($srcip,$dstip,$srcport,$dstport) = ($line=~/^([a-f0-9]{8})([a-f0-9]{8})([a-f0-9]{4})([a-f0-9]{4})$/)))" fullword ascii
        $s2 = "$ans=\"$srcip:$srcport -> $dstip:$dstport\";" fullword ascii
        $s3 = "return \"ERROR:$line is not a valid port\";" fullword ascii
        $s4 = "$dstport=hextoPort($dstport);" fullword ascii
        $s5 = "sub hextoPort" fullword ascii
        /* Shared with EQGRP_1212_dehex below (same byte-table builder). */
        $s6 = "$byte_table{\"$chars[$sixteens]$chars[$ones]\"}=$i;" fullword ascii
    condition:
        filesize < 6KB and 4 of them
}

/* 1212.pl / dehex.pl: shared Perl fragments.
   NOTE(review): there are exactly five $s strings, so "5 of ($s*)" is the same
   as "all of them"; the first branch is therefore subsumed by the second and
   the "#!" / filesize guards never constrain anything. The condition currently
   reduces to "all of them". If a looser threshold for small shebang scripts was
   intended (as in EQGRP_1212's "4 of them"), the count in the first branch is
   what needs lowering. */
rule EQGRP_1212_dehex {
    meta:
        description = "Detects tool from EQGRP toolset - from files 1212.pl, dehex.pl"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-15"
        score = 75
        id = "2cc375e6-2bff-5623-b86c-a6413f736c42"
    strings:
        $s1 = "return \"ERROR:$line is not a valid address\";" fullword ascii
        $s2 = "print \"ERROR: the filename or hex representation needs to be one argument try using \\\"'s\\n\";" fullword ascii
        $s3 = "push(@octets,$byte_table{$tempi});" fullword ascii
        $s4 = "$byte_table{\"$chars[$sixteens]$chars[$ones]\"}=$i;" fullword ascii
        $s5 = "print hextoIP($ARGV[0]);" fullword ascii
    condition:
        ( uint16(0) == 0x2123 and filesize < 6KB and ( 5 of ($s*) ) ) or ( all of them )
}

/* Yara Rule Set Author: Florian Roth Date: 2016-08-16 Identifier: EQGRP */
/*
 * Second rule set ("EQGRP Toolset Firewall"): tooling aimed at firewall
 * appliances (the string content references PIX/ASA, NetScreen, JETPLOW,
 * BANANAGLEE, BLATSTING, SECONDDATE).
 * NOTE(review): unlike the 2016-08-15 set above, none of these rules carries a
 * "score" meta field, so they will be weighted by whatever default the
 * consuming scanner applies rather than the explicit 75 used above. Many of
 * them also match on "1 of them" with no header or filesize guard.
 */
/* Rule Set ----------------------------------------------------------------- */

/* install_get_persistent_filenames: ELF containing the single help string.
   NOTE(review): this is the only rule in the file without the EQGRP_ name
   prefix; renaming would change the rule identifier downstream, so it is
   left as-is. */
rule install_get_persistent_filenames {
    meta:
        description = "EQGRP Toolset Firewall - file install_get_persistent_filenames"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "4a50ec4bf42087e932e9e67e0ea4c09e52a475d351981bb4c9851fda02b35291"
        id = "cf74b479-4b78-537a-878c-2f3ce004b775"
    strings:
        $s1 = "Generates the persistence file name and prints it out." fullword ascii
    condition:
        ( uint16(0) == 0x457f and all of them )
}

/* create_dns_injection.py: either the usage text or the example CNAME line.
   $s2 is deliberately not fullword (it starts with a space and ends in two
   literal backslashes). No format/size guard. */
rule EQGRP_create_dns_injection {
    meta:
        description = "EQGRP Toolset Firewall - file create_dns_injection.py"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "488f3cc21db0688d09e13eb85a197a1d37902612c3e302132c84e07bc42b1c32"
        id = "ef358ca6-ebd8-5d08-944b-f1fcd112f1f3"
    strings:
        $s1 = "Name: A hostname: 'host.network.com', a decimal numeric offset within" fullword ascii
        $s2 = " www.badguy.net,CNAME,1800,host.badguy.net \\\\" ascii
    condition:
        1 of them
}

/* screamingplow.sh: either interactive prompt string. No format/size guard. */
rule EQGRP_screamingplow {
    meta:
        description = "EQGRP Toolset Firewall - file screamingplow.sh"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "c7f4104c4607a03a1d27c832e1ebfc6ab252a27a1709015b5f1617b534f0090a"
        id = "cb535ef0-e3ea-54cc-9082-3d63cc96d93a"
    strings:
        $s1 = "What is the name of your PBD:" fullword ascii
        $s2 = "You are now ready for a ScreamPlow" fullword ascii
    condition:
        1 of them
}

/* MixText.py: single-string rule with no guard; the match rests entirely on
   "BinStore enabled implants." being unique. */
rule EQGRP_MixText {
    meta:
        description = "EQGRP Toolset Firewall - file MixText.py"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "e4d24e30e6cc3a0aa0032dbbd2b68c60bac216bef524eaf56296430aa05b3795"
        id = "99b06100-8a05-5c22-8b7d-ed451d5f4e81"
    strings:
        $s1 = "BinStore enabled implants." fullword ascii
    condition:
        1 of them
}

/* tunnel_state_reader: either string, no guard. The identifiers jump from
   $s1 to $s5 (cosmetic leftover, harmless). */
rule EQGRP_tunnel_state_reader {
    meta:
        description = "EQGRP Toolset Firewall - file tunnel_state_reader"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "49d48ca1ec741f462fde80da68b64dfa5090855647520d29e345ef563113616c"
        id = "e48c9482-eae5-5c34-b7b2-502d0252f4a0"
    strings:
        $s1 = "Active connections will be maintained for this tunnel. Timeout:" fullword ascii
        $s5 = "%s: compatible with BLATSTING version 1.2" fullword ascii
    condition:
        1 of them
}

/* payload.py: "class Payload:" alone would be far too common in Python code,
   so both strings are required. */
rule EQGRP_payload {
    meta:
        description = "EQGRP Toolset Firewall - file payload.py"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "21bed6d699b1fbde74cbcec93575c9694d5bea832cd191f59eb3e4140e5c5e07"
        id = "949cb68b-e384-578c-a906-a4d9234dc668"
    strings:
        $s1 = "can't find target version module!" fullword ascii
        $s2 = "class Payload:" fullword ascii
    condition:
        all of them
}

/* eligiblecandidate.py: $o* are operator messages, $c* are code lines; the
   condition treats them alike (any one hit). No guard. */
rule EQGRP_eligiblecandidate {
    meta:
        description = "EQGRP Toolset Firewall - file eligiblecandidate.py"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "c4567c00734dedf1c875ecbbd56c1561a1610bedb4621d9c8899acec57353d86"
        id = "e084b051-4aa1-54b2-9f56-69db386b46d6"
    strings:
        $o1 = "Connection timed out. Only a problem if the callback was not received." fullword ascii
        $o2 = "Could not reliably detect cookie. Using 'session_id'..." fullword ascii
        $c1 = "def build_exploit_payload(self,cmd=\"/tmp/httpd\"):" fullword ascii
        $c2 = "self.build_exploit_payload(cmd)" fullword ascii
    condition:
        1 of them
}

/* BUSURPER-2211-724.exe: requires all five symbol/section names.
   NOTE(review): unlike the sibling BUSURPER_3001_724 / BBALL / BPATROL rules
   this one has no ELF-magic or filesize guard; the conjunction of five
   strings is what keeps it specific. */
rule EQGRP_BUSURPER_2211_724 {
    meta:
        description = "EQGRP Toolset Firewall - file BUSURPER-2211-724.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "d809d6ff23a9eee53d2132d2c13a9ac5d0cb3037c60e229373fc59a4f14bc744"
        id = "d109210e-14df-5b90-a496-fa8a2454126b"
    strings:
        $s1 = ".got_loader" fullword ascii
        $s2 = "_start_text" ascii
        $s3 = "IMPLANT" fullword ascii
        $s4 = "KEEPGOING" fullword ascii
        $s5 = "upgrade_implant" fullword ascii
    condition:
        all of them
}

/* networkProfiler_orderScans.sh: either operator message, no guard. */
rule EQGRP_networkProfiler_orderScans {
    meta:
        description = "EQGRP Toolset Firewall - file networkProfiler_orderScans.sh"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "ea986ddee09352f342ac160e805312e3a901e58d2beddf79cd421443ba8c9898"
        id = "2d48df0c-f950-5bb6-8d3e-77c2f970eb57"
    strings:
        $x1 = "Unable to save off predefinedScans directory" fullword ascii
        $x2 = "Re-orders the networkProfiler scans so they show up in order in the LP" fullword ascii
    condition:
        1 of them
}

/* epicbanana_2.1.0.1.py: either error message, no guard. */
rule EQGRP_epicbanana_2_1_0_1 {
    meta:
        description = "EQGRP Toolset Firewall - file epicbanana_2.1.0.1.py"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "4b13cc183c3aaa8af43ef3721e254b54296c8089a0cd545ee3b867419bb66f61"
        id = "cc3346bd-0347-5cf3-b946-5c017d68d93e"
    strings:
        $s1 = "failed to create version-specific payload" fullword ascii
        $s2 = "(are you sure you did \"make [version]\" in versions?)" fullword ascii
    condition:
        1 of them
}

/* sniffer_xml2pcap: either help-text line, no guard. */
rule EQGRP_sniffer_xml2pcap {
    meta:
        description = "EQGRP Toolset Firewall - file sniffer_xml2pcap"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "f5e5d75cfcd86e5c94b0e6f21bbac886c7e540698b1556d88a83cc58165b8e42"
        id = "c284ac58-923c-5c34-b420-e87797915233"
    strings:
        $x1 = "-s/--srcip Use given source IP (if sniffer doesn't collect source IP)" fullword ascii
        $x2 = "convert an XML file generated by the BLATSTING sniffer module into a pcap capture file." fullword ascii
    condition:
        1 of them
}

/* BananaAid: any one of four operator-note fragments, no guard. $x2 is not
   fullword because it is a prefix ("scp BGLEE-" followed by a version). */
rule EQGRP_BananaAid {
    meta:
        description = "EQGRP Toolset Firewall - file BananaAid"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "7a4fb825e63dc612de81bc83313acf5eccaa7285afc05941ac1fef199279519f"
        id = "bdd3ce51-1809-5b2f-9c7e-6c0b056d022b"
    strings:
        $x1 = "(might have to delete key in ~/.ssh/known_hosts on linux box)" fullword ascii
        $x2 = "scp BGLEE-" ascii
        $x3 = "should be 4bfe94b1 for clean bootloader version 3.0; " fullword ascii
        $x4 = "scp @:onfig" fullword ascii
    condition:
        1 of them
}

/* bo: small ELF (under 20KB). $s2/$s4 are glibc symbol-version strings and
   appear in a great many binaries; the rule needs all five strings. */
rule EQGRP_bo {
    meta:
        description = "EQGRP Toolset Firewall - file bo"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "aa8b363073e8ae754b1836c30f440d7619890ded92fb5b97c73294b15d22441d"
        id = "6aa71528-3ce6-5597-bb1a-e44cff3856d6"
    strings:
        $s1 = "ERROR: failed to open %s: %d" fullword ascii
        $s2 = "__libc_start_main@@GLIBC_2.0" ascii
        $s3 = "serial number: %s" fullword ascii
        $s4 = "strerror@@GLIBC_2.0" fullword ascii
        $s5 = "ERROR: mmap failed: %d" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 20KB and all of them )
}

/* SecondDate-2211.exe: ELF under 200KB with all four strings. $s4 is the
   source text of a regular expression embedded in the binary and is matched
   here as a literal string, not evaluated as a YARA regex. */
rule EQGRP_SecondDate_2211 {
    meta:
        description = "EQGRP Toolset Firewall - file SecondDate-2211.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "2337d0c81474d03a02c404cada699cf1b86c3c248ea808d4045b86305daa2607"
        id = "00951270-6189-58b6-8b64-422c4ab15ebe"
    strings:
        $s1 = "SD_processControlPacket" fullword ascii
        $s2 = "Encryption_rc4SetKey" fullword ascii
        $s3 = ".got_loader" fullword ascii
        $s4 = "^GET.*(?:/ |\\.(?:htm|asp|php)).*\\r\\n" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 200KB and all of them )
}

/* config_jp1_UA.pl: any one of four operator-facing strings, no guard. */
rule EQGRP_config_jp1_UA {
    meta:
        description = "EQGRP Toolset Firewall - file config_jp1_UA.pl"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "2f50b6e9891e4d7fd24cc467e7f5cfe348f56f6248929fec4bbee42a5001ae56"
        id = "947e6f90-4eb4-5241-9819-677cee0c15d8"
    strings:
        $x1 = "This program will configure a JETPLOW Userarea file." fullword ascii
        $x2 = "Error running config_implant." fullword ascii
        $x3 = "NOTE: IT ASSUMES YOU ARE OPERATING IN THE INSTALL/LP/JP DIRECTORY. THIS ASSUMPTION " fullword ascii
        $x4 = "First IP address for beacon destination [127.0.0.1]" fullword ascii
    condition:
        1 of them
}

/* userscript.FW: single prompt string (note the trailing space inside the
   literal), no guard. */
rule EQGRP_userscript {
    meta:
        description = "EQGRP Toolset Firewall - file userscript.FW"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "5098ff110d1af56115e2c32f332ff6e3973fb7ceccbd317637c9a72a3baa43d7"
        id = "c6c1b70e-437f-50e7-9055-b943a1a62e6c"
    strings:
        $x1 = "Are you sure? Don't forget that NETSCREEN firewalls require BANANALIAR!! " fullword ascii
    condition:
        1 of them
}

/* BBALL_M50FW08-2201.exe: ELF under 40KB with five of six symbol names.
   "LOADED", ".got_loader", "_start_text" and "KEEPGOING" recur across the
   firewall implant rules in this set; "handler_readBIOS" and "pageTable.c"
   are the ones specific to this module. */
rule EQGRP_BBALL_M50FW08_2201 {
    meta:
        description = "EQGRP Toolset Firewall - file BBALL_M50FW08-2201.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "80c0b68adb12bf3c15eff9db70a57ab999aad015da99c4417fdfd28156d8d3f7"
        id = "bced11a2-fac4-58e5-a4a8-1c6d5fe418f9"
    strings:
        $s1 = ".got_loader" fullword ascii
        $s2 = "LOADED" fullword ascii
        $s3 = "pageTable.c" fullword ascii
        $s4 = "_start_text" ascii
        $s5 = "handler_readBIOS" fullword ascii
        $s6 = "KEEPGOING" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 40KB and 5 of ($s*) )
}

/* BUSURPER-3001-724.exe: ELF under 200KB with two of three strings, or all
   three in any file. "IMPLANT" / "KEEPGOING" are plain words, so the second
   branch leans on "upgrade_implant" for specificity. */
rule EQGRP_BUSURPER_3001_724 {
    meta:
        description = "EQGRP Toolset Firewall - file BUSURPER-3001-724.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "6b558a6b8bf3735a869365256f9f2ad2ed75ccaa0eefdc61d6274df4705e978b"
        id = "006877e9-1e73-5a27-8b3a-bca3513a2035"
    strings:
        $s1 = "IMPLANT" fullword ascii
        $s2 = "KEEPGOING" fullword ascii
        $s3 = "upgrade_implant" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 200KB and 2 of them ) or ( all of them )
}

/* workit.py: generated shell one-liners that stage a /tmp/.netrc and pull a
   file via ftp/wget/tftp. Six of eleven fragments are required; no guard. */
rule EQGRP_workit {
    meta:
        description = "EQGRP Toolset Firewall - file workit.py"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-16"
        modified = "2023-01-27"
        hash1 = "fb533b4d255b4e6072a4fa2e1794e38a165f9aa66033340c2f4f8fd1da155fac"
        id = "b582f990-5bd5-592d-a7c0-475fdfffc38c"
    strings:
        $s1 = "macdef init > /tmp/.netrc;" fullword ascii
        $s2 = "/usr/bin/wget http://" ascii
        $s3 = "HOME=/tmp ftp" fullword ascii
        $s4 = " >> /tmp/.netrc;" fullword ascii
        $s5 = "/usr/rapidstream/bin/tftp" fullword ascii
        $s6 = "created shell_command:" fullword ascii
        $s7 = "rm -f /tmp/.netrc;" fullword ascii
        $s8 = "echo quit >> /tmp/.netrc;" fullword ascii
        $s9 = "echo binary >> /tmp/.netrc;" fullword ascii
        $s10 = "chmod 600 /tmp/.netrc;" fullword ascii
        $s11 = "created cli_command:" fullword ascii
    condition:
        6 of them
}

/* tinyhttp_setup.sh: a "#!" script under 2KB with any one $x string, or all
   four in any file.
   NOTE(review): $x3 ("killall thttpd") is the only generic string here and on
   its own satisfies the first branch in any small shebang script; if that
   turns out to be a false-positive source, demoting it to $s (so it only
   counts in the "all of them" branch) would be the minimal change. */
rule EQGRP_tinyhttp_setup {
    meta:
        description = "EQGRP Toolset Firewall - file tinyhttp_setup.sh"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "3d12c83067a9f40f2f5558d3cf3434bbc9a4c3bb9d66d0e3c0b09b9841c766a0"
        id = "71dcc48f-f551-5596-9f03-dbbae470a62b"
    strings:
        $x1 = "firefox http://127.0.0.1:8000/$_name" fullword ascii
        $x2 = "What is the name of your implant:" fullword ascii /* it's called conscience */
        $x3 = "killall thttpd" fullword ascii
        $x4 = "copy http://:80/$_name flash:/$_name" fullword ascii
    condition:
        ( uint16(0) == 0x2123 and filesize < 2KB and 1 of ($x*) ) or ( all of them )
}

/* shellcode.py: each stub is matched twice, as the Python "\xNN" source text
   ($s*) and as raw bytes ($c*), so both the script and the emitted shellcode
   are covered. Any one hit is enough; no guard.
   $c1 is a 32-bit x86 call-next/pop get-PC stub followed by a 0xdeadbeef
   placeholder; $c3 is an x86 Linux int 0x80 read() stub (eax = 3) with an
   error check. The raw ELF header ($c2) is intentionally disabled, see the
   inline note; its text form $s2 stays because the "tiny_exec = '" prefix
   makes it far less generic. */
rule EQGRP_shellcode {
    meta:
        description = "EQGRP Toolset Firewall - file shellcode.py"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "ac9decb971dd44127a6ca0d35ac153951f0735bb4df422733046098eca8f8b7f"
        id = "d923c1de-c6eb-511f-ae1f-bf3ac6e0eae8"
    strings:
        $s1 = "execute_post = '\\xe8\\x00\\x00\\x00\\x00\\x5d\\xbe\\xef\\xbe\\xad\\xde\\x89\\xf7\\x89\\xec\\x29\\xf4\\xb8\\x03\\x00\\x00\\x00" ascii
        $s2 = "tiny_exec = '\\x7f\\x45\\x4c\\x46\\x01\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x03\\x00\\x01\\x00\\x00" ascii
        $s3 = "auth_id = '\\x31\\xc0\\xb0\\x03\\x31\\xdb\\x89\\xe1\\x31\\xd2\\xb6\\xf0\\xb2\\x0d\\xcd\\x80\\x3d\\xff\\xff\\xff\\xff\\x75\\x07" ascii
        $c1 = { e8 00 00 00 00 5d be ef be ad de 89 f7 89 ec 29 f4 b8 03 00 00 00 }
        /* $c2 = { 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 02 00 03 00 01 00 00 } too many fps */
        $c3 = { 31 c0 b0 03 31 db 89 e1 31 d2 b6 f0 b2 0d cd 80 3d ff ff ff ff 75 07 }
    condition:
        1 of them
}

/* EPBA.script: a file starting with "# " under 7KB with any one $x string,
   or any three strings in any file. */
rule EQGRP_EPBA {
    meta:
        description = "EQGRP Toolset Firewall - file EPBA.script"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "53e1af1b410ace0934c152b5df717d8a5a8f5fdd8b9eb329a44d94c39b066ff7"
        id = "5159c2f4-20b7-590d-b216-b3468c26e459"
    strings:
        $x1 = "./epicbanana_2.0.0.1.py -t 127.0.0.1 --proto=ssh --username=cisco --password=cisco --target_vers=asa804 --mem=NA -p 22 " fullword ascii
        $x2 = "-t TARGET_IP, --target_ip=TARGET_IP -- Either 127.0.0.1 or Win Ops IP" fullword ascii
        $x3 = "./bride-1100 --lp 127.0.0.1 --implant 127.0.0.1 --sport RHP --dport RHP" fullword ascii
        $x4 = "--target_vers=TARGET_VERS target Pix version (pix712, asa804) (REQUIRED)" fullword ascii
        $x5 = "-p DEST_PORT, --dest_port=DEST_PORT defaults: telnet=23, ssh=22 (optional) - Change to LOCAL redirect port" fullword ascii
        $x6 = "this operation is complete, BananaGlee will" fullword ascii
        $x7 = "cd /current/bin/FW/BGXXXX/Install/LP" fullword ascii
    condition:
        ( uint16(0) == 0x2023 and filesize < 7KB and 1 of ($x*) ) or ( 3 of them )
}

/* BPIE-2201.exe: ELF under 70KB with six of eight symbol names. */
rule EQGRP_BPIE {
    meta:
        description = "EQGRP Toolset Firewall - file BPIE-2201.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "697e80cf2595c85f7c931693946d295994c55da17a400f2c9674014f130b4688"
        id = "a73f0216-3994-5ee6-8a8c-cbcc1279898e"
    strings:
        $s1 = "profProcessPacket" fullword ascii
        $s2 = ".got_loader" fullword ascii
        $s3 = "getTimeSlotCmdHandler" fullword ascii
        $s4 = "getIpIpCmdHandler" fullword ascii
        $s5 = "LOADED" fullword ascii
        $s6 = "profStartScan" fullword ascii
        $s7 = "tmpData.1" fullword ascii
        $s8 = "resetCmdHandler" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 70KB and 6 of ($s*) )
}

/* jetplow.sh: any one of four installer-script strings, no guard. */
rule EQGRP_jetplow_SH {
    meta:
        description = "EQGRP Toolset Firewall - file jetplow.sh"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "ee266f84a1a4ccf2e789a73b0a11242223ed6eba6868875b5922aea931a2199c"
        id = "e7780540-29c9-5827-8ac0-a685d9ba8a5f"
    strings:
        $s1 = "cd /current/bin/FW/BANANAGLEE/$bgver/Install/LP/jetplow" fullword ascii
        $s2 = "***** Please place your UA in /current/bin/FW/OPS *****" fullword ascii
        $s3 = "ln -s ../jp/orig_code.bin orig_code_pixGen.bin" fullword ascii
        $s4 = "***** Welcome to JetPlow *****" fullword ascii
    condition:
        1 of them
}

/* BBANJO-3011.exe: ELF under 50KB with all seven beacon-related symbols. */
rule EQGRP_BBANJO {
    meta:
        description = "EQGRP Toolset Firewall - file BBANJO-3011.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "f09c2f90464781a08436321f6549d350ecef3d92b4f25b95518760f5d4c9b2c3"
        id = "81af4769-7007-51f1-9569-bc370618b4ff"
    strings:
        $s1 = "get_lsl_interfaces" fullword ascii
        $s2 = "encryptFC4Payload" fullword ascii
        $s3 = ".got_loader" fullword ascii
        $s4 = "beacon_getconfig" fullword ascii
        $s5 = "LOADED" fullword ascii
        $s6 = "FormBeaconPacket" fullword ascii
        $s7 = "beacon_reconfigure" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 50KB and all of them )
}

/* BPATROL-2201.exe: ELF under 40KB with all five symbol names. */
rule EQGRP_BPATROL_2201 {
    meta:
        description = "EQGRP Toolset Firewall - file BPATROL-2201.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "aa892750b893033eed2fedb2f4d872f79421174eb217f0c34a933c424ae66395"
        id = "864a346c-e8aa-5c66-9867-faccb14b8bee"
    strings:
        $s1 = "dumpConfig" fullword ascii
        $s2 = "getstatusHandler" fullword ascii
        $s3 = ".got_loader" fullword ascii
        $s4 = "xtractdata" fullword ascii
        $s5 = "KEEPGOING" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 40KB and all of them )
}

/* extrabacon_1.1.0.1.py: any one string, no guard. $s5 is named as a weak
   string but "1 of them" gives it the same weight as the $x strings.
   NOTE(review): $x2 ("[-] target is running") is the least specific string
   here and could plausibly appear in unrelated exploit tooling; consider
   whether that is acceptable for the intended use. */
rule EQGRP_extrabacon {
    meta:
        description = "EQGRP Toolset Firewall - file extrabacon_1.1.0.1.py"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "59d60835fe200515ece36a6e87e642ee8059a40cb04ba5f4b9cce7374a3e7735"
        id = "79b998ef-e548-5038-b8ad-da1abf362e7f"
    strings:
        $x1 = "To disable password checking on target:" fullword ascii
        $x2 = "[-] target is running" fullword ascii
        $x3 = "[-] problem importing version-specific shellcode from" fullword ascii
        $x4 = "[+] importing version-specific shellcode" fullword ascii
        $s5 = "[-] unsupported target version, abort" fullword ascii
    condition:
        1 of them
}

/* sploit.py: any one string, no guard. $x1 is not fullword because the
   original message continues after "redir_ip". */
rule EQGRP_sploit_py {
    meta:
        description = "EQGRP Toolset Firewall - file sploit.py"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "0316d70a5bbf068a7fc791e08e816015d04ec98f088a7ff42af8b9e769b8d1f6"
        id = "9f403965-5fb1-55b2-bef6-65c18e08e58f"
    strings:
        $x1 = "the --spoof option requires 3 or 4 fields as follows redir_ip" ascii
        $x2 = "[-] timeout waiting for response - target may have crashed" fullword ascii
        $x3 = "[-] no response from health check - target may have crashed" fullword ascii
    condition:
        1 of them
}

/* uninstallPBD.bat: requires all three lines; the two memset lines carry
   hard-coded addresses and values, which is what makes them specific. */
rule EQGRP_uninstallPBD {
    meta:
        description = "EQGRP Toolset Firewall - file uninstallPBD.bat"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "692fdb449f10057a114cf2963000f52ce118d9a40682194838006c66af159bd0"
        id = "0153cb2a-a0de-51f9-80c2-22136d56f16d"
    strings:
        $s1 = "memset 00e9a05c 4 38845b88" fullword ascii
        $s2 = "_hidecmd" ascii
        $s3 = "memset 013abd04 1 0d" fullword ascii
    condition:
        all of them
}

/* BICECREAM-2140: ELF under 5000KB with two of nine strings, or five strings
   in any file. $s3 is a truncated message (the literal ends mid-word) and so
   is not fullword. */
rule EQGRP_BICECREAM {
    meta:
        description = "EQGRP Toolset Firewall - file BICECREAM-2140"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "4842076af9ba49e6dfae21cf39847b4172c06a0bd3d2f1ca6f30622e14b77210"
        id = "a10819ae-db48-5d30-8e2e-2e4fe33e005b"
    strings:
        $s1 = "Could not connect to target device: %s:%d. Please check IP address." fullword ascii
        $s2 = "command data size is invalid for an exec cmd" fullword ascii
        $s3 = "A script was specified but target is not a PPC405-based NetScreen (NS5XT, NS25, and NS50). Executing scripts is supported but ma" ascii
        $s4 = "Execute 0x%08x with args (%08x, %08x, %08x, %08x): [y/n]" fullword ascii
        $s5 = "Execute 0x%08x with args (%08x, %08x, %08x): [y/n]" fullword ascii
        $s6 = "[%d] Execute code." fullword ascii
        $s7 = "Execute 0x%08x with args (%08x): [y/n]" fullword ascii
        $s8 = "dump_value_LHASH_DOALL_ARG" fullword ascii
        $s9 = "Eggcode is complete. Pass execution to it? [y/n]" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 5000KB and 2 of them ) or ( 5 of them )
}

rule EQGRP_create_http_injection {
    meta:
        description = "EQGRP Toolset Firewall - file create_http_injection.py"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "de52f5621b4f3896d4bd1fb93ee8be827e71a2b189a9f8552b68baed062a992d"
        id = "92b6dad0-c7d8-5522-8fc1-fbd0aae00960"
    strings:
        $x1 = "required by SECONDDATE" fullword ascii
        $s1 = "help='Output file name (optional). By default the resulting data is written to stdout.')" fullword ascii
        $s2 = "data = '