This article analyzes a malicious driver associated with the APT group Equation, detailing its functionality and methods of operation, including string decryption, API resolving, and registry manipulation. The write-up includes links to download the sample and access a decryption script. Affected: APT Equation, Microsoft Windows
Keypoints:
- The malicious driver is linked to the APT group Equation.
- Strings are decrypted using various algorithms, including Linear Congruential Generator and XOR.
- The driver dynamically resolves API names for its operations.
- It interacts with Windows registry keys for reading and writing values.
- Decryption scripts are provided to help analyze the content of the driver.
- Shellcode is used to execute tasks within targeted processes.
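The second keypoint above describes strings recovered by XORing them against a keystream drawn from a Linear Congruential Generator. The following Python is an added illustration of that general technique for analysts, not the driver's own routine and not the linked Decryptor.py: the LCG multiplier and increment, the seeds, the byte-extraction rule and the sample string table are all hypothetical values constructed here so the example runs offline, and `recover_seed` shows the brute-force step an analyst takes when only a plaintext prefix is known.

```python
"""Decrypting LCG-keystream XOR obfuscated strings (added example).

All constants, seeds and blobs in this file are constructed for illustration;
they are not the values used by the analysed driver.
"""
from typing import List, Optional, Tuple

MULT = 0x343FD       # hypothetical LCG multiplier
INC = 0x269EC3       # hypothetical LCG increment
MASK = 0xFFFFFFFF    # 32-bit generator state


def lcg_keystream(seed: int, length: int) -> bytes:
    """Advance a 32-bit LCG `length` times and emit one byte per step."""
    state = seed & MASK
    out = bytearray()
    for _ in range(length):
        state = (state * MULT + INC) & MASK
        # Take bits 16..23 of the state; the low bits of an LCG cycle quickly.
        out.append((state >> 16) & 0xFF)
    return bytes(out)


def xor_keystream(data: bytes, seed: int) -> bytes:
    """XOR `data` against the keystream; one call both encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, lcg_keystream(seed, len(data))))


def decrypt_cstring(blob: bytes, seed: int) -> str:
    """Decrypt a blob and stop at the first NUL, as a C string table would."""
    return xor_keystream(blob, seed).split(b"\x00", 1)[0].decode("latin-1")


def recover_seed(blob: bytes, known_prefix: bytes, max_seed: int = 0x10000) -> Optional[int]:
    """Brute-force the seed when the plaintext prefix is known (e.g. an API name stem).

    Only the first len(known_prefix) keystream bytes are generated per candidate,
    so the search stays cheap even for a 16-bit seed space.
    """
    n = len(known_prefix)
    head = blob[:n]
    for seed in range(max_seed):
        if xor_keystream(head, seed) == known_prefix:
            return seed
    return None


# Constructed sample table: (seed, encrypted blob), built by encrypting known
# plaintext so the example is self-contained. A real table would be carved
# from the binary.
PLAINTEXTS = [b"ntoskrnl.exe\x00", b"ZwOpenKey\x00", b"\\Registry\\Machine\\SOFTWARE\x00"]
SEEDS = [0x1234, 0xBEEF, 0x4242]
TABLE: List[Tuple[int, bytes]] = [(s, xor_keystream(p, s)) for s, p in zip(SEEDS, PLAINTEXTS)]


def decrypt_table(table: List[Tuple[int, bytes]]) -> List[str]:
    """Decrypt every (seed, blob) entry of a string table."""
    return [decrypt_cstring(blob, seed) for seed, blob in table]


if __name__ == "__main__":
    for s in decrypt_table(TABLE):
        print(s)
    # An analyst who expects an Nt/Zw-prefixed API name can recover the seed
    # without knowing it in advance.
    print(hex(recover_seed(TABLE[1][1], b"ZwOpen")))
```

Because XOR with a keystream is its own inverse, the same `xor_keystream` function serves for building the test vectors and for decryption; the only analysis-specific choices are the generator constants, the byte extracted from each state, and where the seed comes from, which is exactly what a reverser recovers from the driver's decryption routine.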
MITRE Techniques:
- T1070.001 – Indicator Removal on Host: The driver writes values to the registry to hide its presence.
- T1055 – Process Injection: The driver attempts to attach to running processes and inject shellcode.
- T1041 – Exfiltration Over Command and Control Channel: Utilization of system processes for obfuscating its operations and data handling.
- T1083 – File and Directory Discovery: The driver gathers information about loaded modules to identify targets.
- T1119 – Automated Exfiltration: The driver uses obfuscated API function calls to exfiltrate data from the compromised system dynamically.
Indicators of Compromise:
- [MD5] dd3024193ef3e05ec51106966544fc42
- [SHA-1] 4d3b600fd76d9905269e1e96bf2a42ed7a1d106f
- [SHA-256] 888dba9b6af3eefee1af6835639b59022aa5ccf487cbdf0965887ca27f7c0478
- [URL] https://malshare.com/sampleshare.php?action=getfile&hash=888dba9b6af3eefee1af6835639b59022aa5ccf487cbdf0965887ca27f7c0478
- [GitHub URL] https://github.com/ongahaia/deobfuscation/blob/main/Decryptor.py