Latest Shadow Brokers dump — owning SWIFT Alliance Access, Cisco and Windows

Here’s the quick rundown on the latest Shadow Brokers “Equation Group” dump.

The headline: the Equation Group has been owning banks by going through VPN edge gateways and internal Cisco firewalls, then owning the SWIFT Alliance Access boxes behind them.

Borrowed from Matt Suiche

IMPLANTS

Darkpulsar-1.1.0.exe

SHA256: b439ed18262aec387984184e86bfdb31ca501172b1c066398f8c56d128ba855a

PluginHelper.py — cross-platform implant helper (Linux, Windows, Solaris)

SHA256: f3fe9c4ad27c11ffcfc4e362e9a1689c416b0c8f054eaa6849ee5cc7fecc284e


EXPLOITS

Easybee-1.0.1.exe — exploit for the MDaemon private email server

SHA256: 59c17d6cb564edd32c770cd56b5026e4797cf9169ff549735021053268b31611

Easypi-3.1.0.exe — Lotus cc:Mail exploit

SHA256: dc1ddad7e8801b5e37748ec40531a105ba359654ffe8bdb069bd29fb0b5afd94

Eclipsedwing-1.5.2.exe — SMB exploit for Windows 2000, 2003 and XP. Patched by MS08-067.

SHA256: 48251fb89c510fb3efa14c4b5b546fbde918ed8bb25f041a801e3874bd4f60f8

Educatedscholar-1.0.0.exe — SMB exploit. Patched by MS09-050.

SHA256: 4cce9e39c376f67c16df3bcd69efd9b7472c3b478e2e5ef347e1410f1105c38d

Emeraldthread-3.0.0.exe — EMERALDTHREAD is a remote SMB exploit for XP and 2003, which drops an implant Stuxnet-style. Patched by MS10-061.

SHA256: 7fe425cd040608132d4f4ab2671e04b340a102a20c97ffdcf1b75be43a9369b5

Emphasismine-3.4.0.exe — IMAP exploit for IBM Lotus Domino

SHA256: dcaf91bd4af7cc7d1fb24b5292be4e99c7adf4147892f6b3b909d1d84dd4e45b

Englishmansdentist-1.2.0.exe — appears to use OWA and SMTP, possibly a remote rule trigger on the client. Needs unsupported Microsoft products to run.

SHA256: 2a6ab28885ad7d5d64ac4c4fb8c619eca3b7fb3be883fc67c90f3ea9251f34c6

Erraticgopher-1.0.1.exe — SMB exploit targeting XP and 2003. Tested, works. Zero day, won’t be patched.

SHA256: 3d11fe89ffa14f267391bc539e6808d600e465955ddb854201a1f31a9ded4052

Eskimoroll-1.1.1.exe — some kind of Kerberos exploit targeting domain controllers running Windows Server 2000, 2003, 2008 and 2008 R2. Patched by MS14-068.

SHA256: 0989bfe351342a7a1150b676b5fd5cbdbc201b66abcb23137b1c4de77a8f61a6

Esteemaudit-2.1.0.exe — remote RDP (Remote Desktop) exploit targeting Windows Server 2003 and XP; installs an implant. Tested, works. Exploits smart card authentication. Zero day, won’t be patched.

SHA256: 61f98b12c52739647326e219a1cf99b5440ca56db3b6177ea9db4e3b853c6ea6

Eternalromance-1.3.0.exe — ETERNALROMANCE is a remote SMB1 exploit which targets XP, 2003, Vista, 7, Windows 8, 2008 and 2008 R2. Tested, works. Patched by MS17-010.

SHA256: f1ae9fdbb660aae3421fd3e5b626c1e537d8e9ee2f9cd6d56cb70b6878eaca5d

Eternalromance-1.4.0.exe — a second build of ETERNALROMANCE with the same targets as above. Patched by MS17-010.

SHA256: b99c3cc1acbb085c9a895a8c3510f6daaf31f0d2d9ccb8477c7fb7119376f57b

Eternalsynergy-1.0.1.exe — remote code execution against SMB. Patched by MS17-010.

SHA256: 92c6a9e648bfd98bbceea3813ce96c6861487826d6b2c3d462debae73ed25b34

Ewokfrenzy-2.0.0.exe — Lotus Domino 6 and 7 exploit

SHA256: 348eb0a6592fcf9da816f4f7fc134bcae1b61c880d7574f4e19398c4ea467f26

Explodingcan-2.0.2.exe — Microsoft IIS 6 exploit. Tested, works. Exploits WebDAV; Windows Server 2003 only. Very well done and robust exploit. Won’t be patched.

SHA256: 97af543cf1fb59d21ba5ec6cb2f88c8c79c835f19c8f659057d2f58c321a0ad4

Zippybeer-1.0.2.py — authenticated Microsoft Domain Controller exploit

SHA256: 110969f7a6e7149da7bec1a21140008bbb46ed3338bcbe32e01a233af24badad

Eternalblue-2.2.0.exe — SMBv1 exploit. Tested, works. Remote and unauthenticated; works against 2008 R2. Patched by MS17-010.

SHA256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

Eternalchampion-2.0.0.exe — SMB exploit. Tested, works. Patched by MS17-010 (CVE-2017-0147).

SHA256: ce734596c2b760aa4b3f340227dd9ec48204a96cf0464ad1a97ae648b0a40789

GangsterThief and GrDo implant modules (where the same module name appears more than once, each hash is a distinct file)

GangsterThief_Lp.dll

SHA256: 4720fca15bb09a3d5cac0f62f453cc5195a067679c95fdc4abd4d709d713cde3

GangsterThief_Implant.dll

SHA256: b6707786a10aad02edb051e9de3a77d7aa91ff01baf58087be4f454fab54834c

GeZu_KernelMemory_Target.dll

SHA256: 6b1c02b9ce1d380e505f1b3bd3d52a27c39482e31d68207b5ce4dd619525d9aa

GeZu_KernelMemory_Target.dll

SHA256: 0235c0845596cf3038a6304111df6a19d9ce20d3db303e98c45a9e5f0a5b9862

GeZu_KernelMemory_Target.dll

SHA256: 1a8ca79951490ac2c7a5f7e4a35a92b8eb4afa64894bee5db13816e6071ff282

GrDo_ProcessScanner_Implant.dll

SHA256: 197bc44aa7a7f4ea80de11a9dff39fab0e7d9dd0ff09e0ff6d97a6be42a33446

GangsterThief_Implant.dll

SHA256: 1ed588fa567c7e768a8014aa5ccd9ee5e2ad3df11be0a778daa1666bc5b1130e

GrDo_FileScanner_Implant.dll

SHA256: e8212d51936e4c8f56658fd404ef3a708abf2dfaab96fdd880e073f5557cb81e

GrDo_ProcessScanner_Implant.dll

SHA256: 4459e04f9453b71afb19e707f2b637d0c48f59e1ece4e4d414e6024fae5e5fc0

GrDo_FileScanner_Implant.dll

SHA256: c7609ab1484ad01717b9138c7f29b523d426280588db7f1f301d5fa8abdda01e

GrDo_FileScanner_Lp.dll

SHA256: ca1529a014bc8f549b651832bc8b2987e0464eccf203ca0d5ff9364a96595a55

GrDo_FileScanner_LpData.dll

SHA256: 423ae2e13c6a9d2735a27b4a999fc63a24534bf36d704ca9c474b8d907ae94b6

GrDo_ProcessScanner_Lp.dll

SHA256: 178f6470a8a934b7e24874dbc6079977491792359ae520703f3098154f48d8d0

GrDo_ProcessScanner_LpData.dll

SHA256: d03938d6597e580366b64c8189ef61ed5a4c28fb8f0e0e28ae0454f120f42f02
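Putting the hashes to use: the script below is an added example, not code from the original post or from the dump, for checking the files on a host against the SHA-256 list above. It reads the list in the layout used on this page (a file name on one line, "SHA256:" and the digest on the next, or name and digest on one line), hashes every file under a directory, and reports matches. SAMPLE_IOC_TEXT is a constructed excerpt of the page's list, and the files that demo() writes into a temporary directory are constructed stand-ins, not real implants.

```python
"""Added example: match files on disk against the SHA-256 indicators above.

parse_iocs() accepts the page's layout (name line, then "SHA256:<hex>") and
"<name> <hex>" on one line, and tolerates the raw-dump spill-over where a hash
line carries the next entry's name after the digest.  The IOC excerpt and the
files scanned by demo() are constructed for illustration.
"""
import hashlib
import os
import re
import sys
import tempfile
from typing import Dict, List, Optional, Tuple

HEX64 = re.compile(r"[0-9a-fA-F]{64}")

# Constructed excerpt of the list on this page (names and digests copied as-is).
SAMPLE_IOC_TEXT = """
IMPLANTS
Darkpulsar-1.1.0.exe
SHA256:b439ed18262aec387984184e86bfdb31ca501172b1c066398f8c56d128ba855a
EXPLOITS
Eternalblue-2.2.0.exe
SHA256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
GangsterThief_Lp.dll 4720fca15bb09a3d5cac0f62f453cc5195a067679c95fdc4abd4d709d713cde3
"""


def parse_iocs(text: str) -> Dict[str, List[str]]:
    """Map lowercase SHA-256 digest -> file names listed with that digest."""
    iocs: Dict[str, List[str]] = {}
    pending: Optional[str] = None              # name seen on the previous line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEX64.search(line)
        if m is None:
            pending = line.split()[0]          # name line: first token is the file name
            continue
        label = line[:m.start()].strip().rstrip(":").strip()
        if label.upper() in ("", "SHA256", "SHA-256"):
            name = pending or "unknown"        # digest belongs to the preceding name
        else:
            name = label                       # "<name> <hex>" on a single line
        iocs.setdefault(m.group(0).lower(), []).append(name)
        trailing = line[m.end():].strip()      # raw-dump spill-over: next entry's name
        pending = trailing.split()[0] if trailing else None
    return iocs


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(root: str, iocs: Dict[str, List[str]]) -> List[Tuple[str, str, List[str]]]:
    """Walk root and return (path, digest, matched names) for every IOC hit."""
    hits: List[Tuple[str, str, List[str]]] = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                digest = sha256_file(path)
            except OSError:                    # unreadable or vanished file: skip it
                continue
            if digest in iocs:
                hits.append((path, digest, iocs[digest]))
    return hits


def demo() -> List[Tuple[str, str, List[str]]]:
    """Scan a constructed directory; one file is made to match a constructed IOC."""
    iocs = parse_iocs(SAMPLE_IOC_TEXT)
    with tempfile.TemporaryDirectory() as root:
        bad = os.path.join(root, "svchost_update.exe")   # constructed stand-in
        with open(bad, "wb") as f:
            f.write(b"MZ" + b"\x90" * 64)                # constructed bytes, not an implant
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("benign file\n")
        iocs[sha256_file(bad)] = ["constructed-sample.exe"]   # give the walk something to find
        hits = scan(root, iocs)
    return [(os.path.basename(p), d, names) for p, d, names in hits]


if __name__ == "__main__":
    if len(sys.argv) == 3:                     # usage: ioc_scan.py <directory> <ioc-list.txt>
        with open(sys.argv[2], encoding="utf-8") as fh:
            found = scan(sys.argv[1], parse_iocs(fh.read()))
    else:
        found = demo()
    for path, digest, names in found:
        print(f"HIT {path} {digest} -> {', '.join(names)}")
```

Save the page's IMPLANTS, EXPLOITS and module lists to a text file and run the script against a directory to check for known files; the name-to-digest parsing is deliberately loose so the raw dump text can be pasted in unedited. A hit means a file byte-for-byte identical to one from the dump, so recompiled or repacked copies will not match and this is a quick triage check, not a substitute for behavioural detection.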