Analysis of Encryption Techniques in Some Components of the Equation
Antiy’s analysis team began analyzing the “EQUATION” samples in February. After producing the first analysis report, our subsequent overall analysis yielded no further progress or highlights. Given this, we first attempted to analyze and document the encryption techniques used in some of the components, to facilitate future work. We are sharing this work and hope to receive criticism and guidance from industry colleagues.
DoubleFantasy Component
DoubleFantasy was a prerequisite module used to validate the target environment. Other analysts believe it was active from approximately 2004 to 2012, after which it was replaced by TripleFantasy. DoubleFantasy used encryption for its resources, its registry storage, and its network communication.
Resource encryption/decryption algorithm: DoubleFantasy’s built-in resources are encrypted with a simple XOR. Two keys are used, 0x3C (xor 0x3C) and 0x7F (xor 0x7F), as shown in the figure.

Registry stores configuration and network communication encryption algorithms:
The DoubleFantasy component uses the RC6 symmetric encryption algorithm for both registry storage configuration information and network communication. The component code generates a 0x44*4 key, which is then used to encrypt configuration data and network communications. Because it’s a symmetric encryption algorithm, the encryption and decryption methods are the same. DoubleFantasy does not have a preset key, ensuring that different encryption keys are used for different targets.
Explanation: RC6 is a block cipher proposed by RSA Labs based on the RC5 algorithm. It was entered in the AES selection and became one of the five shortlisted candidate algorithms, but was ultimately defeated by Rijndael from Belgium.
- Decryption function parameters
The function has a total of 5 parameters, 4 of which are…
Decode
{
    Lpdata1;  ciphertext address
    Lpdata2;  decrypted plaintext address
    Length;   ciphertext length
    Lpkey;    key address
}
- Key structure analysis
The key length is 4*49 = 196 bytes. The data components are laid out as follows:
Sk1   Sk2   Sk3   Sk4
……    ……    ……    ……
Sk37  Sk38  Sk39  Sk40
Sk41  Sk42  Sk43  Sk44
Sk45  Sk46  Sk47  Sk48
Sk49
Sk45-Sk48 hold the secondary key, and Sk49 is the correction flag.
Decryption method:
1. Calculate the secondary key (16 bytes long) from the primary key.
2. XOR the first 16 bytes of the ciphertext byte by byte with the secondary key; the result is the plaintext.
3. Replace the 16 bytes K45-K48 of the primary key with the calculated secondary key, in sequence.
4. Recalculate the next-level key and decrypt the next 16 bytes.
5. Repeat until fewer than 16 bytes of ciphertext remain undecrypted.
6. The correction flag is the number of remaining ciphertext bytes.
7. Continue calculating the next-level key and updating the primary key, and decrypt the remaining bytes one by one.
Secondary key calculation method:
The secondary key consists of 16 bytes, each group of 4 bytes forming one parameter. Its structure is as follows:
R1 R2 R3 R4
Second-level key calculation cipher table (parameter name, parameter value):
L1   R2
L2   R4
L3   R1
L4   R3
L5   R1
L6   R2
L7   R4
L8   R2
L9   R3
L10  R1
L11  R3
L12  R4
L13  R2
L14  R3
Second-level key calculation method:
1. R2 = K1 + K46; R4 = K2 + K48
2. M1 = (L1 + L1 + 1) * L1; M2 = (L2 + L2 + 1) * L2
3. Shift M1 left by 5 bits to obtain the new M1; shift M2 left by 5 bits to obtain the new M2.
4. XOR M1 with L3; XOR M2 with L4.
5. Take the lower 8 bits of M1 and M2 as N1 and N2 respectively.
6. Circularly shift M1 left by N2 bits to obtain Z1; circularly shift M2 left by N1 bits to obtain Z2.
7. Write Z1 + K3 to the address corresponding to L3.
8. Write Z2 + K4 to the address corresponding to L4.
9. Repeat steps 2-8 four times; each time, the L index is incremented by 3 and the K index by 2.
10. Repeat steps 2-9 five times, keeping the L index unchanged and incrementing the K index sequentially.
11. R1 = K43 + R1; R3 = K44 + R3.
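As an added example (not code from this report or from the malware), the following Python reconstructs the decryption procedure and the second-level key calculation described above, covering both the block loop and the tail handled by the correction flag. It assumes the steps are the standard RC6 encryption round (a 5-bit rotation where the steps say shift; the rotation amount reduces to its low 5 bits), little-endian 32-bit words, and a constructed primary key; the 44 round-key words K1-K44 are taken as given, since the report does not describe how the component derives them.

```python
import struct

MASK = 0xFFFFFFFF


def rotl(x, n):
    """Rotate a 32-bit word left by n (only the low 5 bits of n matter)."""
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK


def next_secondary_key(r, k):
    """'Second-level key calculation' (steps 1-11): one RC6 encryption of the
    16-byte state r = [R1, R2, R3, R4] under round keys k = [K1..K44]
    (k[0] is K1). The result becomes the new Sk45..Sk48. Assumed structure."""
    a, b, c, d = r
    b = (b + k[0]) & MASK                        # step 1: R2 = K1 + K46
    d = (d + k[1]) & MASK                        # step 1: R4 = K2 + K48
    for i in range(20):                          # steps 9-10: 4 rounds x 5 passes
        t = rotl((b * (2 * b + 1)) & MASK, 5)    # steps 2-3 on L1
        u = rotl((d * (2 * d + 1)) & MASK, 5)    # steps 2-3 on L2
        a = (rotl(a ^ t, u) + k[2 + 2 * i]) & MASK   # steps 4-7: Z1 + K(3+2i)
        c = (rotl(c ^ u, t) + k[3 + 2 * i]) & MASK   # steps 4-8: Z2 + K(4+2i)
        a, b, c, d = b, c, d, a                  # L index advances by 3
    a = (a + k[42]) & MASK                       # step 11: R1 = K43 + R1
    c = (c + k[43]) & MASK                       # step 11: R3 = K44 + R3
    return [a, b, c, d]


def double_fantasy_crypt(key196, data):
    """Decrypt (or, identically, encrypt) data with a 196-byte primary key.
    Returns (output, updated key): Sk45..Sk48 hold the last secondary key
    and Sk49 the correction flag (bytes left over in the final block)."""
    w = list(struct.unpack("<49I", key196))      # little-endian words (assumed)
    k, state = w[:44], w[44:48]
    out = bytearray()
    for off in range(0, len(data), 16):
        state = next_secondary_key(state, k)     # steps 1, 3, 4: new Sk45..Sk48
        ks = struct.pack("<4I", *state)
        chunk = data[off:off + 16]               # short final chunk: step 7
        out += bytes(x ^ y for x, y in zip(chunk, ks))   # step 2: byte-wise XOR
    flag = len(data) % 16                        # step 6: correction flag
    new_key = struct.pack("<49I", *k, *state, flag)
    return bytes(out), new_key
```

Because each secondary key depends only on the previous one and not on the data, running the routine a second time over its own output returns the plaintext, which is the sense in which encryption and decryption are the same here.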
This encryption algorithm presents a significant challenge for security researchers. Because there is no pre-defined key, the encrypted data cannot be decrypted unless the analyst has the complete data stream.
EquationDrug Component
EquationDrug is a complex attack component, serving as a pre-verification module in the Fanny/Fantasy series. It acts as a central hub, handling information uploads and subsequent component downloads.
Its resource encryption/decryption algorithm employs a hybrid approach combining XOR and bit shifting.
The following shows the process of retrieving data from the resource and decrypting it into multiple strings.

In the msnadt.exe module of EquationDrug, we found that the decryption operations related to releasing executable programs mainly use shift and XOR operations. The following figure shows the main decryption part.

GrayFish Component
The GrayFish component is one of the most complex components used by the Equation Group. It relies on the registry for block storage and uses a bootkit to load without a file carrier. Its resources and configurations extensively utilize encryption technology.
Resource encryption/decryption algorithm:
1. After GrayFish is restored to its executable form, the first 4 bytes of its resource section are the decryption key.
2. X = 0xDD483B8F – 0x6033A96D * key
3. Read the following data byte by byte, XOR it with X, and use RtlCompressBuffer to repair the plaintext.

GrayFish’s resource decryption code
Configuration data decryption algorithm:
1. The password lookup table is located at offset 0x0042010C.
2. Each ciphertext byte value is used as an offset into the password lookup table, from which data is read.
3. The data is read byte by byte and concatenated into the plaintext.

GrayFish configuration string decryption algorithm and password lookup table
