A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #29046  by EP_X0FF
 Tue Aug 16, 2016 5:55 am
Since github removed repository and d/l links die so fast (using mega in 2016 is a very smart move) here is the copy of this package.

Original drama readme.md
Code: Select all
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

From:

bitmessage = BM-NBvAHfp5Y6wBykgbirVLndZtEFCYGht8
i2p-bote =  o1uHOkOcMoFEa7O7dbEilzfMvWzo7bDu~td3x9gYz4b4t5OriJ7U6GUWr5GZoWxQ9f2TrIY5RzhpIMVP6hTLXZ


Equation Group Cyber Weapons Auction - Invitation
- ------------------------------------------------

!!! Attention government sponsors of cyber warfare and those who profit from it !!!!

How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT + LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.

Picture Urls
- ------------
http://imgur.com/a/sYpyn
https://theshadowbrokers.tumblr.com/
https://github.com/theshadowbrokers/EQGRP-AUCTION

File Urls
- ----------

magnet:?xt=urn:btih:40a5f1514514fb67943f137f7fde0a7b5e991f76&tr=http://diftracker.i2p/announce.php

https://mega.nz/#!zEAU1AQL!oWJ63n-D6lCuCQ4AY0Cv_405hX8kn7MEsa1iLH5UjKU
https://app.box.com/s/amgkpu1d9ttijyeyw2m4lso3egb4sola
https://www.dropbox.com/s/g8kvfl4xtj2vr24/EQGRP-Auction-Files.zip
https://ln.sync.com/dl/5bd1916d0#eet5ufvg-tjijei4j-vtadjk6b-imyg2qkd
https://yadi.sk/d/QY6smCgTtoNz6


Free Files (Proof)
- ------------------
eqgrp-free-file.tar.xz.gpg

sha256sum = b5961eee7cb3eca209b92436ed7bdd74e025bf615b90c408829156d128c7a169

gpg --decrypt --output eqgrp-free-file.tar.xz eqgrp-free-file.tar.xz.gpg

Password = theequationgroup


Auction Files
- -------------
eqgrp_auction_file.tar.xz.asc

sha256sum = af1dabd8eceec79409742cc9d9a20b9651058bbb8d2ce60a0edcfa568d91dbea

Password = ????


Auction Instructions
- --------------------
We auction best files to highest bidder. Auction files better than stuxnet. Auction files better than free files we already give you. The party which sends most bitcoins to address: <removed> before bidding stops is winner, we tell how to decrypt. Very important!!! When you send bitcoin you add additional output to transaction. You add OP_Return output. In Op_Return output you put your (bidder) contact info. We suggest use bitmessage or I2P-bote email address. No other information will be disclosed by us publicly. Do not believe unsigned messages. We will contact winner with decryption instructions. Winner can do with files as they please, we not release files to public.


FAQ
- ---
Q: Why I want auction files, why send bitcoin? A: If you like free files (proof), you send bitcoin. If you want know your networks hacked, you send bitcoin. If you want hack networks as like equation group, you send bitcoin. If you want reverse, write many words, make big name for self, get many customers, you send bitcoin. If want to know what we take, you send bitcoin.

Q: What is in auction files? A: Is secret. Equation Group not know what lost. We want Equation Group to bid so we keep secret. You bid against Equation Group, win and find out or bid pump price up, piss them off, everyone wins.

Q: What if bid and no win, get bitcoins back? A: Sorry lose bidding war lose bitcoin and files. Lose Lose. Bid to win! But maybe not total loss. Instead to losers we give consolation prize. If our auction raises 1,000,000 (million) btc total, then we dump more Equation Group files, same quality, unencrypted, for free, to everyone. 

Q: When does auction end? A: Unknown. When we feel is time to end. Keep bidding until we announce winner.

Q: Why I trust you? A: No trust, risk. You like reward, you take risk, maybe win, maybe not, no guarantees. There could be hack, steal, jail, dead, or war tomorrow. You worry more, protect self from other bidders, trolls, and haters.


Closing Remarks
- --------------------------------------------------

!!! Attention Wealthy Elites !!!

We have final message for "Wealthy Elites". We know what is wealthy but what is Elites? Elites is making laws protect self and friends, lie and fuck other peoples. Elites is breaking laws, regular peoples go to jail, life ruin, family ruin, but not Elites. Elites is breaking laws, many peoples know Elites guilty, Elites call top friends at law enforcement and government agencies, offer bribes, make promise future handjobs, (but no blowjobs). Elites top friends announce, no law broken, no crime commit. Reporters (not call journalist) make living say write only nice things about Elites, convince dumb cattle, is just politics, everything is awesome, check out our ads and our prostitutes. Then Elites runs for president. Why run for president when already control country like dictatorship? What this have do with fun Cyber Weapons Auction? We want make sure Wealthy Elite recognizes the danger cyber weapons, this message, our auction, poses to their wealth and control. Let us spell out for Elites. Your wealth and control depends on electronic data. You see what "Equation Group" can do. You see what cryptolockers and stuxnet can do. You see free files we give for free. You see attacks on banks and SWIFT in news. Maybe there is Equation Group version of cryptolocker+stuxnet for banks and financial systems? If Equation Group lose control of cyber weapons, who else lose or find cyber weapons? If electronic data go bye bye where leave Wealthy Elites? Maybe with dumb cattle? "Do you feel in charge?" Wealthy Elites, you send bitcoins, you bid in auction, maybe big advantage for you?


bitmessage = BM-NBvAHfp5Y6wBykgbirVLndZtEFCYGht8
i2p-bote =  o1uHOkOcMoFEa7O7dbEilzfMvWzo7bDu~td3x9gYz4b4t5OriJ7U6GUWr5GZoWxQ9f2TrIY5RzhpIMVP6hTLXZ

END MESSAGE


 






-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJXrr2sAAoJEAQSTyzLXAwbVzwP/jR5sQcS8VzH2jmuRjbE6RLV
P3RkY6RWyyTyCtTiyTXK4RtWQoz8CfEjnXdIaR3BIZG4u827iI2fbQMVlWu0jMn4
NYN1I/neBoDaagApRgGQqYXip3IdHsqJennOAxRqr0ZoOgJ3IVtiZK8/6vtEnXRK
03IJvKu0zOVROuP0a9OPX0jko2g3Rl2tvo1ljkU1bqLKHs6xb1VzmdoqlAOYR1Bv
4Kb/Gbr6uc5fG84sM8FzSdiyJgS3U21SqfUENyFLyyP05iCyKCybFMne1JckFre8
gI/nUhdRHJaETYorY49PTQvdBaD30aT1I7efyAAM9uxsF97Au/UEvk0hkzh0YfoR
/m+htNKlaP/oclL5GhJEq2O4wWb1KJuyrHU3FZYdUWRA4SlELBb0oR64cw/8kDo+
6WftSANdlolgQLMbng2/ORGTeXHQ033mX6Op93o2oZUuNNhHvR1PnhWPUA2vMcIs
ndo6YuYV2TZR/4GVNiJYQhTcWVNZ7a10FuvWk7yyHkTKXRVHG43G5Rzzm9ZxMUcL
DMAExiPnrehGYTcxrrOP28RB+Mw7Is5YwRpc/h0mwDYGijjUzXGLXPWKFLa8ksxR
zdaUnAjJzhVwR4IVGmGlU687Ox0FayJz9LAhst5eiittciY0iooz8YLee8hrxD7C
XqUIpr4n+QKMYs4AfWd+
=5yni
-----END PGP SIGNATURE-----
Note: bitcoin address removed (and I wonder how many idiots actually paid them).

In case if you interested whats inside "free" part of archive

https://www.riskbasedsecurity.com/2016/ ... ion-group/

As for me I don't see anything interesting here, unless someone will point me on hidden extraordinal interesting stuff inside.

Since file is too big to upload directly on forum here is the link to mail.ru cloud.

https://cloud.mail.ru/public/2NN4/QdfDQUjaJ
 #29055  by p1nk
 Wed Aug 17, 2016 1:09 am
Bitcoin address is up to 1.629 BTC from 15 transactions.
 #29057  by tizanidine
 Wed Aug 17, 2016 2:51 am
Let us remember, though, that ugly code doesn't devalue a working exploit itself.. If they indeed are working exploits, that is.
But it is certainly an interesting fact that most of the actual (or "alleged") code that we've seen from NSA is not in any way subtle or pretty. Flame & stuxnet are about as agile and subtle as a fucking mammoth in a porcelain store.
It all seems to reinforce the notion that their power is mostly in sheer infrastructure, manpower and opsec, rather than world-class programming.
Although I guess that alleged HDD firmware stuff mentioned in the leaks could be something special, for one.
 #29062  by flrud2208
 Thu Aug 18, 2016 4:10 am
Members,

Recently theShadowServers posted tools supposedly used by Equation Group. The tools were posted on GitHub and can be downloaded from here. I will analysing the file and update on my blog makflwana.wordpress.com

Please note, analyses is for education and research purpose only and the attached files should be used in the same way.

Link below will also show a demo - https://xorcatt.wordpress.com/2016/08/1 ... acon-demo/

Regards
FL
Attachments
(889.02 KiB) Downloaded 58 times
 #29064  by frame4-mdpro
 Thu Aug 18, 2016 5:18 pm
tizanidine wrote:Let us remember, though, that ugly code doesn't devalue a working exploit itself.. If they indeed are working exploits, that is....
Cisco and Fortinet have confirmed these indeed work for (some of) their product lines.