The hypothesis is that the presence of 1212.pl and dehex.pl files indicates potential exploitation by the EQGRP group, which may be used for data exfiltration or command and control activities. SOC teams should proactively hunt for these files in Azure Sentinel to identify early signs of compromise from known malicious toolsets.
YARA Rule
rule EQGRP_1212_dehex
{
meta:
description = "Detects tool from EQGRP toolset - from files 1212.pl, dehex.pl"
author = "Florian Roth"
reference = "Research"
date = "2016-08-15"
strings:
$s1 = "return \"ERROR:$line is not a valid address\";" fullword ascii
$s2 = "print \"ERROR: the filename or hex representation needs to be one argument try using \\\"'s\\n\";" fullword ascii
$s3 = "push(@octets,$byte_table{$tempi});" fullword ascii
$s4 = "$byte_table{\"$chars[$sixteens]$chars[$ones]\"}=$i;" fullword ascii
$s5 = "print hextoIP($ARGV[0]);" fullword ascii
condition:
( uint16(0) == 0x2123 and filesize < 6KB and ( 5 of ($s*) ) ) or ( all of them )
}This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
Scenario: System administrator runs 1212.pl as part of a routine log analysis or data normalization task.
Filter/Exclusion: Check for presence of admin or sysadmin in the user field, or check for execution within a known administrative script directory (e.g., /opt/admin/scripts/).
Scenario: Scheduled job executes dehex.pl to decode hexadecimal data during a data import process.
Filter/Exclusion: Filter by command line arguments containing --decode or --import, or check for execution within a known data processing directory (e.g., /data/processing/).
Scenario: Security team uses 1212.pl to analyze network traffic for anomaly detection during a security audit.
Filter/Exclusion: Check for presence of security or audit in the user field, or check for execution within a security analysis directory (e.g., /security/analysis/).
Scenario: Development team uses dehex.pl to process encoded payloads during application testing.
Filter/Exclusion: Filter by presence of dev, test, or development in the user field, or check for execution within a development environment directory (e.g., /dev/test/).
Scenario: Legacy system maintenance task runs 1212.pl to clean up old log files or convert file formats.
Filter/Exclusion: Check for execution in a legacy system directory (e.g., /legacy/logs/), or filter by presence of maintenance in the command line arguments.