Analysis of the EQGRP leakage
As you know, yesterday the TheShadowBrokers group released the #EQGRP archive with some interesting data inside. As they mentioned, it is an NSA leak containing a lot of "cyberweapons".
I analyzed this data yesterday to find answers to the following questions:
- When did the leak occur?
- Who were the targets?
Summary: 910 servers were hacked around the world between 2000 and 2010. The top targets are:

- Japan 110 servers
- China 109
- South Korea 108
- .NET servers 68
- Spain 56
- Taiwan 54
- Russia 45
- India 43
- .COM servers 40
- Germany 39
As a first step I analyzed the GCC versions of all the binary programs in the archive. This simple bash command collects them (one version string per file, then a count per distinct version):
$ find . -type f -exec sh -c "strings -a '{}' | grep 'GCC:' | head -n 1" \; > gcc.list ; sort gcc.list | uniq -cd
The results point back to the years 2000–2010: the GCC versions range from 2.7.2 (1995) to 4.5.1 (2010).

https://infogr.am/eqgrp_gcc_by_years

After this I found a lot of registry files containing SHA-1 hashes of other files. Almost all of them include metadata with dates next to these hashes. This command collects all of those years together:
find . -name "*sums*" -exec cat {} \; | egrep -o " [1,2][0-9][0-9][0-9] " > sums.stat ; sort sums.stat | uniq -cd
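The two one-liners above do the same job in two places: pull a dating artefact (a GCC version string, a four-digit year) out of each file and tally it. The script below is an added example, not part of the original post or of the leaked archive, that reproduces both steps in Python over constructed sample data so the logic can be checked offline. The binaries and "sums" lines it scans are made up here; the GCC comment formats it parses ("GCC: (GNU) 4.1.2 ...", "GCC: (Ubuntu 4.4.3-4ubuntu5) 4.4.3") are the real shapes the compiler writes into the .comment section.

```python
import re
from collections import Counter
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# GCC writes "GCC: (<vendor text>) <version> ..." into the .comment section of
# every object it compiles. The version number follows the parenthesised vendor text.
GCC_RE = re.compile(rb"GCC: \([^)]*\) (\d+\.\d+(?:\.\d+)?)")

# Four-digit years 19xx/20xx delimited by word boundaries. A hex hash is one long
# run of word characters, so a "2003" buried inside a SHA-1 does not match.
YEAR_RE = re.compile(rb"\b(19\d{2}|20\d{2})\b")


def first_gcc_version(data: bytes) -> Optional[str]:
    """Equivalent of `strings -a f | grep 'GCC:' | head -n 1`: first version or None."""
    m = GCC_RE.search(data)
    return m.group(1).decode() if m else None


def version_key(version: str) -> Tuple[int, ...]:
    """Sort key so that 2.95.3 orders before 4.1.2 (string sort would not)."""
    return tuple(int(part) for part in version.split("."))


def tally_gcc_versions(blobs: Iterable[bytes]) -> List[Tuple[str, int]]:
    """Count binaries per GCC version, like `sort | uniq -c`, ordered by version."""
    counts: Counter = Counter()
    for data in blobs:
        version = first_gcc_version(data)
        if version is not None:
            counts[version] += 1
    return sorted(counts.items(), key=lambda kv: version_key(kv[0]))


def tally_years(sums_texts: Iterable[bytes]) -> List[Tuple[int, int]]:
    """Count every year mentioned in the hash-list ("sums") files, ordered by year."""
    counts: Counter = Counter()
    for text in sums_texts:
        for m in YEAR_RE.finditer(text):
            counts[int(m.group(1))] += 1
    return sorted(counts.items())


def scan_tree(root: Path) -> Tuple[List[Tuple[str, int]], List[Tuple[int, int]]]:
    """Apply both tallies to a real directory: every file for GCC strings,
    files whose name contains 'sums' for years. (Hypothetical helper for
    running this on an extracted archive; not used by the sample data below.)"""
    files = [p for p in root.rglob("*") if p.is_file()]
    blobs = (p.read_bytes() for p in files)
    sums = (p.read_bytes() for p in files if "sums" in p.name)
    return tally_gcc_versions(blobs), tally_years(sums)


# --- constructed sample input (not data from the archive) -------------------
SAMPLE_BINARIES = [
    b"\x7fELF\x01\x01\x01" + b"GCC: (GNU) 2.95.3 20010315 (release)\x00",
    # two .comment entries in one file; head -n 1 semantics keep only the first
    b"\x7fELF\x01\x01\x01" + b"GCC: (GNU) 4.1.2 20080704 (Red Hat 4.1.2-46)\x00" * 2,
    b"\x7fELF\x01\x01\x01" + b"GCC: (Ubuntu 4.4.3-4ubuntu5) 4.4.3\x00",
    b"\x7fELF\x01\x01\x01" + b"no compiler comment here\x00",
    b"\x7fELF\x01\x01\x01" + b"GCC: (GNU) 2.95.3 20010315 (release)\x00",
]

SAMPLE_SUMS = [
    # sha1  filename  date  (hashes are constructed placeholders)
    b"da39a3ee5e6b4b0d3255bfef95601890afd80709  tool_a  Mon Mar  3 2003 \n"
    b"2003aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  tool_b  Fri Jun 11 2004 \n"
    b"ffffffffffffffffffffffffffffffffffffffff  tool_c  Wed Sep 24 2003 \n",
    b"0000000000000000000000000000000000000000  tool_d  Tue Jan  9 2007 \n"
    b"1111111111111111111111111111111111111111  tool_e  Thu May 17 2007 \n",
]

if __name__ == "__main__":
    for version, n in tally_gcc_versions(SAMPLE_BINARIES):
        print(f"{n:4d} GCC {version}")
    for year, n in tally_years(SAMPLE_SUMS):
        print(f"{n:4d} {year}")
```

A caveat worth keeping in mind when reading either histogram: a GCC version dates the compilation of a tool, and old toolchains stay in use long after release, so the version gives a lower bound on when a binary was built rather than when it was used. The year regex is deliberately restricted to 19xx/20xx, which is tighter than the original `[1,2][0-9][0-9][0-9]` pattern.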

As a final step of this short analysis I extracted the dates of server infections from the log files of the exploit runs.

I then created the chart with statistics of the targets by the domain zones mentioned above.

I did not analyze many of the backdoors (called "rats") in this archive. I hope it will be interesting to drill down into them.
All the data is available here: https://docs.google.com/spreadsheets/d/1TGH4WPX4KKcFQxx8Eoe_vC4ucrt7H95v-ZE3jbYxSIU