Analysis of the Shadow Broker/ Equation Group dumps.
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.

Shadow Brokers / Equation Group analysis


The Shadow Brokers Equation Group dump consists of a number of partial dumps.

I am currently looking at the list of compromised hosts (Intonation/Pitchimpair), which includes getting very distracted with all the really cool tricks of the trade included in the files. I'm working from x0rz repositories ( as well as the initial release on Mega. Just to start somewhere, I was using a list I found online which describes some of the implants and what they supposedly do. As I dive deeper (and as others also spend way too much time spelunking) I hope we get more clarity on this.

Tool name functionality
DEWDROP Command and Control
INCISION Rootkit/Backdoor linux
STOICSURGEON Rootkit/Backdoor


To understand what timeframes we are dealing with, I looked at some of the scripts and binaries. We probably cannot date things exactly, but having an upper margin (and perhaps some indication of the lower margin) might help us understand the timing of both the EQGRP actions and the ShadowBrokers theft better.

Firstly, I identified all binaries in de EQGRP folder. Then I ran a 'strings' on all of them, and a grep for 19[0-9]. and 20[0-9]. on those. After filtering out some rubbish results, I had a reasonably good list of possible years. For the upper limit, I found the year 2012:

⠠⠵ grep 2017 eqgrp-binaries-strings-years.txt
⠠⠵ grep 2016 eqgrp-binaries-strings-years.txt
⠠⠵ grep 2015 eqgrp-binaries-strings-years.txt
⠠⠵ grep 2014 eqgrp-binaries-strings-years.txt
⠠⠵ grep 2013 eqgrp-binaries-strings-years.txt
⠠⠵ grep 2012 eqgrp-binaries-strings-years.txt
 deflate 1.2.7 Copyright 1995-2012 Jean-loup Gailly and Mark Adler
$FreeBSD: src/lib/csu/amd64/crti.S,v 2012/03/03 06:15:13 kensmith Exp $
$FreeBSD: src/lib/csu/amd64/crtn.S,v 2012/03/03 06:15:13 kensmith Exp $
$FreeBSD: src/lib/csu/i386-elf/crti.S,v 2012/03/03 06:15:13 kensmith Exp $
$FreeBSD: src/lib/csu/i386-elf/crtn.S,v 2012/03/03 06:15:13 kensmith Exp $
 inflate 1.2.7 Copyright 1995-2012 Mark Adler

Next to the FreeBSD dates, inflate 1.2.7 was released in may 2012. Corroborating this are the Python versions found:

⠠⠵ grep -hR '#!.*python' * 2>/dev/null |sort -u
#!/bin/env python
#!/usr/bin/env python
#!/usr/bin/env python2.6
#!/usr/bin/env python2.7
#! /usr/local/bin/python2.7

Python 2.7:

Python 3.3:

With regards to the lower limit, I found one reference to 01-01-1980 (in some of the noclients), but without diving into the code, I currently think it is just a placeholder.

The other early 1990 dates are mostly from copyright statements:

⠠⠵ grep 1993 eqgrp-binaries-strings-years.txt
as: SC3.0 early access 01 Sep 1993
@(#) Copyright (c) 1991, 1993
@(#)SunOS 5.3 Generic September 1993
⠠⠵ grep 1994 eqgrp-binaries-strings-years.txt
as: SC3.1 dev 09 May 1994
@(#)SunOS 5.4 generic July 1994
  UUDEVIEW %s%s%s - the nice and friendly decoder - (w) 1994 Frank Pilhofer

A quick and dirty sample of everything looking remotely like a date:

⠠⠵ for i in 19{90..99}; do echo -n "$i " && grep -c $i eqgrp-binaries-strings-years.txt;done
1990 1
1991 2
1992 0
1993 3
1994 3
1995 16
1996 36
1997 10
1998 6
1999 40

⠵ for i in 20{00..17}; do echo -n "$i " && grep -c $i eqgrp-binaries-strings-years.txt;done
2000 56
2001 106
2002 163
2003 259
2004 172
2005 158
2006 6
2007 10
2008 16
2009 21
2010 16
2011 0
2012 6
2013 0
2014 0
2015 0
2016 0
2017 0

The trickortreat files point in the same direction:

trickortreat⠠⠵ grep -hR -o '__200[[:digit:]]' * |sort |uniq -c |sort -n
     14 __2000
     16 __2008
     31 __2009
     54 __2001
     74 __2002
     78 __2003
     85 __2007
    170 __2005
    182 __2004
    189 __2006

So, activity seems to have focussed on the early 2000s, but some of the tools used are from as late as 2012. I'll probably spend some time trying to link campaigns to certain newer tools. Until I do, I can think of two likely explanations for the current discrepancies between activities and tooling timestamps:

  1. The tooling directories (perhaps on network shares?) were updated after the system(s) were used for the INTONATION and PITCHIMPAIR campaigns.
  2. There is information about other actions missing.

Intonation Onesies

The initial Shadow Brokers dump was called trickortreat. It contains two directories pitchimpair and intonation. These in turn contain directories in the format <hostname>__<ipaddress>. In each directory is/are file(s) containing parameters to be fed into different tools. When I figure out exactly what is happening, I'll go into that further. For instance, the incision example below seems to have been fed into tn to set up an INCISION shell called ish.


INTONATION___bgl1dr1-a-fixed.sancharnet.in___61.1.128.17___20040323-141833() {
    ## INCISION Version:4.9.1 OS:sparc-sun-solaris2.8
    export TARG_AYT="36eb9564 129b94c7 695de5dc"

Both intonation and pitchimpair include a number of targets which have only one implant. Being Dutch, ( caught my eye. OPCW is the Organisation for the Prohibition of Chemical Weapons. That would seem like a prime target for the NSA to have backdoor access to. Which started me wondering: why only one (JACKLADDER) implant?

It is generally thought that the tools Shadow Brokers initially released, were meant for what can be crudely described as "plumbing": a group gaining footholds in networks which could be used (by others, or from different systems than the Shadow Brokers had access to) to stage subsequent attacks.

This is my thesis: If access was (accidentally) gained to a high-value target, no further "plumbing" was done and the access was leveraged for other activities (by others/from elsewhere?). For this to be true, we would need to see a distinct difference between the "onesies" and the systems with multiple implants.

To start, I looked at all the onesies in the intonation list, combining historical and current data to determine what type of organizations where behind the hosts/IP addresses. For my theory to pan out, these onesies would have to be prime targets.

Each host with multiple implants would also have to be a lesser-value target for my thesis to hold up. I will be looking into the intonation list first, working from onesies to the multiple ones.

Rather large amounts of work still need to be done, but I'll share my findings as I go. Lets see where it gets me.

Starting with the list of onesies as part of the intonation "pitch":

ip address hostname implant type YYYYMMDD-HHMMSS jackladder 20000817-131726 jackladder 20000822-135045 jackladder 20000824-112840 jackladder 20000828-113641 jackladder 20000830-141831 jackladder 20000906-160642 jackladder 20000920-080519 jackladder 20000921-123525 jackladder 20000921-123455 jackladder 20000921-123547 jackladder 20000927-064730 jackladder 20001018-150945 jackladder 20001107-133342 jackladder 20010213-092903 jackladder 20010227-160012 jackladder 20010712-142300 jackladder 20010822-105425 jackladder 20010915-191446 jackladder 20010929-205746 reticulum 20011101-224414 orangutan 20020506-121324 jackladder 20021212-171056 incision 20030327-165934 reticulum 20030423-123428 orangutan 20030522-152610 patchicillin 20031023-175029 orangutan 20031204-134957 incision 20031204-134957 incision 20050124-103318 incision 20061205-165032 incision 20070126-160444 dewdrop 20070205-150930 stoicsurgeon 20070205-150930 unk.vver.kiae.rr jackladder 20070412-144249 jackladder 20070417-154636 incision 20030411-160713

Working with hostnames/ IP addresses/ whois data/ (scholar.) and was tricky, because most of the tools of the trade try to be current, not historical. In the end my endeavors resulted in the following list. If you have more or better information, please feel free to contact me.

hostname country vertical(s) implant type context CN OIL jackladder China University of Petroleum-Beijing PK TELCO/ISP jackladder Now part of Nayatel, A Premium Triple Play (Internet, Cable TV, Phone) Service provider JP TELCO/ISP jackladder A phone/webmail/adsl/isdn etc. provider in Japan. JP TELCO/ISP jackladder Japanese ADSL, ISDN, optical provider JP TELCO/ISP jackladder SOFTBANK TELECOM Corp/Japan Telecom: long-distance/international/direct connection telephone service. BO GOV/IT jackladder The Agency for the Development of the Information Society in Bolivia (ADSIB) NL/INT MIL/GOV jackladder The Organisation for the Prohibition of Chemical Weapons (OPCW, CO GOV jackladder ? Not sure, seeing this domain in old (consulate) email addresses, semi gov/university BA TELCO jackladder Bosnia And Herzegovina Sarajevo Bh Telecom D.d. Sarajevo MX GOV jackladder The Secretariat of Social Development (Secretaría de Desarrollo Social; SEDESOL) CN TELCO/ISP jackladder Chinese multinational networking and telecommunications equipment and services company JO GOV jackladder Name server of the Center of Excellence for development and implementation of government IT strategies EG TELCO/ISP jackladder Old. Probably Egypt Online/ Information available to me is sketchy. CN TELCO/ISP jackladder State owned enterprise (SASAC). Alcatel-Lucent Shanghai Bell end-to-end telecommunications solutions, wireless and wireline, optical access, LTE, optics, IP, core network, network management and services. KR IT jackladder ? Seems to be a rather small IT solutions company in Korea, now a part of/selling HP. Special interest? CU GOV jackladder pointing to Central Criminologist Laboratory of Cuba MX GOV jackladder Secretary of the Government of Mexico CN ATOMIC jackladder Nuclear Power Institute of China (NPIC), a subsidiary to China National Nuclear Corporation (CNNC), only large-scale comprehensive R&D base in China FR TELCO/ISP jackladder Caramail S.A. operates as a webmail service company offering instant messaging services. IT TELCO/ISP reticulum Telecom Italia Net (NET NOC) CN ATOMIC orangutan Northwest Institute of Nuclear Technology, Xi'an, China RU GOV/MIL/PETROL jackladder research in mathematical chemistry and computer synthesis. ZIOC focuses on basic research activities with practical solutions of top priority for Russia. [...] After the war, the main research was aimed at the build-up of USSR defense capacity. IT/INT FINANCE incision Probably sub dns of Leading transacting system for billions of unbanked and under-banked people in the world to engage in electronic transactions" JP FINANCE reticulum Japanse bank for International Cooperation PK IT/TELCO orangutan ITILahore, NET.PK ISP in Pakistan CN EDU patchicillin ? "non-onesie"?. Actually has 4 implants. A website to VPN into a Chinese educational enviroment IN TELCO orangutan ? "non-onesie"? nd11* seems to be a typo. I can find the ndl* host in old (email) posts on the internet, nd11 only in EQGRP files IN TELCO/ISP incision ? The above makes this a probable False Positive, at least as far as onesies go. It is, however, an interesting target: BSNL is India's no. 1 Internet service provider with more than 17 lakh (100.000) subscribers, providing Internet service throughout the entire country (except in New Delhi and Mumbai) under the brand name of " Sancharnet" CN GOV/IT incision Seems to be a mail server used by at least some people at College of Computer Science, Zhejiang University, HangZhou. Currently gone. IN GOV incision The Indian Institute of Tropical Meteorology (IITM), Pune, fully devoted to cutting edge research [...] The Institute has excellent infrastructural facilities such as High Performance Computers, observational facilities like RADARS, Radiometers, LIDAR etc., It has a strong link with various universities and national and international organizations. Major research areas at the institute are [...] satellite and radar[...] CN MIL incision Second Military Medical University RU GOV stoicsurgeon ? "non-onesie"? European and international law of UNN. I found some articles on referring to European law, Europe etc. Rather tangent. It seems to be two different OS’es but actually two attacks so might not be relevant. Also, DEWDROP might be C2 RU GOV dewdrop ? "non-onesie"? Might be two different OSes on different ports, both owned?
unk.vver.kiae.rr RU ATOMIC jackladder Russian Research Centre "Kurchatov Institute" (Kurchatov Institute of Atomic Energy) RU GOV jackladder Keldysh Institute of Applied Mathematics (Russian Academy of Sciences) was founded in 1953 to solve complex mathematical problems involved in national projects of space exploration, atomic and thermonuclear energy application, etc. IR GOV incision ? "non-onesie" Very interesting target, but multi-powned? ICT Research Institute or IRAN Telecommunication Research Center (ITRC) is the Iranian most experienced research entity in the Information and Communication Technology

The most interesting part is that, except for the (for me) unclear one in Korea, all of them point to targets which I could reason are high-value to the NSA. But is actually running multiple implants (it seemed a onesie because of the trailing dot in a directory name). So that makes the theory somewhat shaky.

Lets start by working down from the systems with most implants. Although there are a number of targets with 7 (and one target, apparently incorrect 8) implants, they are all in pitchimpair.

Intonation targets with six(6) implants

ip address hostname implant type YYYYMMDD-HHMMSS sidetrack patchicillin orangutan jackladder incision dewdrop 20060509-093858 sidetrack patchicillin orangutan jackladder incision dewdrop 20060322-144346 sidetrack patchicillin orangutan jackladder incision dewdrop 20060606-162122

Initial observations:

  1. They all have the same implants
  2. All files have the same INTONATION function(?) with the same timestamp for all implants per target
  3. All of them are from 2006
hostname country vertical(s) implant type context CN UNI sidetrack patchicillin orangutan jackladder incision dewdrop Beijing Medical University. Cannot easily establish relevance RU TELCO sidetrack patchicillin orangutan jackladder incision dewdrop From the page in 2006: "Equant ( serves Russian, foreign and transnational companies and banks/state institutions/SME [with] modern, reliable and high-performance telecommunication solution[s]." IN TELCO idetrack patchicillin orangutan jackladder incision dewdrop Bharat Sanchar Nigam Limited (abbreviated BSNL) is an Indian state-owned telecommunications company. On 15 September 2000 took over telecom services and network management from Central Government Departments of Telecom Services (DTS) and Telecom Operations (DTO) with effect from 1 October 2000.

For example:

[Aaj-ke-naam] Delivery Notification: Delivery has failed
Internet Mail Delivery postmaster at
Thu Apr 27 17:53:06 CEST 2006


Return-path: <aaj-ke-naam at>
Received: from by
(iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep  8 2003))
id <0IYE00FDA1GIWZ at>
Received: from ( [])
(iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep  8 2003))

But having no publicly known exploit didn't stop these people. They literally had a working exploit ready for most versions:

⠠⠵ grep -Ril iplanet * 2>/dev/null
EQGRP/archive_files/esna (2)/
EQGRP/archive_files/esna (2)/
EQGRP/archive_files/esna (2)/
EQGRP/archive_files/esna (2)/
EQGRP/archive_files/esna (2)/

Starting as it does with "badBytes" the script is immediately recognisable as an exploit to anyone who has ever written one.

1 import time
  2 import smtpUtils
  3 import systems
  4 import utils
  6 class iplanet:
  7    badBytes = [0x0, 0xa, 0xd]
  8    nAttempts = 1
 10    def buildBaseBuffer(self, imtaBase):
 11       filler = utils.buildBuffer(self.baseBufLen, self.badBytes)
 12       baseBuf = filler[0x0:]
 13       return baseBuf
 15    def buildBounceBuffer(self):
 16       imtaBase = self.imtaBase
 17       baseBuf = self.buildBaseBuffer(imtaBase)
 18       l7 = (imtaBase + self.l7Imta) + self.l7Offset
 19       fp = imtaBase + self.fp
 20       filler = utils.buildBuffer(0x18, self.badBytes)
 21       bounceBuf = baseBuf \
 22                   + utils.stringifyAddr(l7) \
 23                   + filler \
 24                   + utils.stringifyAddr(fp) \
 25                   + utils.stringifyAddr(self.pc - 8)
 26       return bounceBuf

It seems to be using smtp, so it very much seems like they had (or have) a way of gaining access to a ridiculously often used Enterprise Multi-Tier messaging platform... by sending an email. And it probably paid off nicely for these guys to have this 0-day (

Oracle Communications Messaging Server is Oracle's messaging (email) server software. The software was obtained by Oracle as part of the company's acquisition of Sun in 2010.

Oracle's Messaging Server could potentially be the most widely deployed commercial email server on the planet, with claims of 150 million mailboxes deployed worldwide (mostly by ISPs, telcos, universities, government, and cable TV broadband providers). History of development

Oracle Communications Messaging Server has a long history, drawing technology from

Sun Internet Mail Server (SIMS) Netscape Messaging Server (NMS)[2] PMDF from Innosoft

In addition to the Messaging Server's three parents, the software has undergone multiple brand naming changes:

iPlanet Messaging Server Sun ONE Messaging Server Sun Java System Messaging Server Oracle Communications Messaging Exchange Server Oracle Communications Messaging Server

The code base has been carried on throughout these minor brand changes with only feature enhancements and bug fixes.


I just shudder when I read that last sentence. I hope the guys at Oracle/that which was Sun are paying attention, because if I look at the list of typical users, this would have been (is?) a very fruitful 0-day to have:

Oracle Communications Messaging Server

It will be interesting to find out which other targets might have been compromised this way. Additionally of note is that I could not find esna nor something matching that acronym in any of the implant lists. This could mean that the initial RCE/0-day of a target is not included in those lists, although "absence of evidence is not evidence of absence". (

Finding indy proved simple enough:

⠠⠵ nslookup

Non-authoritative answer:

In Google I managed to find a question on a Chinese forum in 2009 where a user (tidzhang [离线]) tries to figure out why an address doesn't resolve:


My Chinese is non-existent, but Google is there to help:


Coolypf answers tidzhang:

"Figure: The North Medical DNS ranked first, [...]"

Clearly, indy has been a dns server for a while.

So, lets see:

⠠⠵ nslookup


⠠⠵ dig +noall +answer @ version.bind txt chaos
version.bind.		0	CH	TXT	"9.6-ESV-R5-P1"

The version is from 2011, so that is not going to help us see the what the (BIND?) version was in 2006.

To be continued ...


  1. It doesn't seem like sidetrack was not used for pitchimpair:
⠠⠵ ls -R intonation/ |grep -i sidetrack |wc -l
⠠⠵ ls -R pitchimpair/ |grep -i sidetrack |wc -l

Appendix A

Counting the implants per directory:

find . -type d -print0 | while read -d '' -r dir; do
printf "%5d files in directory %s\n" "${#files[@]}" "$dir"

targets with one(1) (registered) implant

⠠⠵ for dir in `bash | sort -n -r | grep '1 files' | awk '{print $5}'`; do echo -n "$dir: " && ls $dir;done

./pitchimpair/www.elim.net___203.239.130.7: orangutan
./pitchimpair/webshared-admin.colt.net___213.41.78.10: incision
./pitchimpair/ stoicsurgeon
./pitchimpair/ stoicsurgeon
./pitchimpair/sunbath.rrze.uni--erlangen.de___131.188.3.200: orangutan
./pitchimpair/ incision
./pitchimpair/ orangutan
./pitchimpair/nl37.yourname.nl___82.192.68.37: incision
./pitchimpair/ dewdrop
./pitchimpair/ jackladder
./pitchimpair/ stoicsurgeon v1.2.7.1 sparc-sun-solaris2.9
./pitchimpair/ jackladder
./pitchimpair/bambero1.cs.tin.it___194.243.154.57: orangutan
./pitchimpair/axil.eureka.lk___202.21.32.1: orangutan
./intonation/www.caramail.com___195.68.99.20: jackladder
./intonation/webnetra.entelnet.bo___166.114.10.28: jackladder
./intonation/unk.vver.kiae.rr___144.206.175.2: jackladder
./intonation/ jackladder
./intonation/ incision
./intonation/ jackladder
./intonation/segob.gob.mx___200.38.166.2: jackladder
./intonation/sedesol.sedesol.gob.mx___148.233.6.164: jackladder
./intonation/ jackladder
./intonation/ jackladder
./intonation/ orangutan
./intonation/opcwdns.opcw.nl___195.193.177.150: jackladder
./intonation/ orangutan
./intonation/ jackladder
./intonation/ndl1mc1-a-fixed.sancharnet.in___61.0.0.46: incision
./intonation/nd11mx1-a-fixed.sancharnet.in___61.0.0.46: orangutan
./intonation/ jackladder
./intonation/ jackladder
./intonation/ jackladder
./intonation/mail.tropmet.res.in___203.199.143.2: incision
./intonation/ orangutan
./intonation/mail.interq.or.jp___210.157.0.87: jackladder
./intonation/ incision
./intonation/mail-gw.jbic.go.jp___210.155.61.54: reticulum
./intonation/ jackladder
./intonation/ incision
./intonation/kserv.krldysh.ru___194.226.57.53: jackladder
./intonation/hakuba.janis.or.jp___210.232.42.3: jackladder
./intonation/gambero3.cs..tin.it___194.243.154.62: reticulum
./intonation/ jackladder
./intonation/eol1.egyptonline.com___206.48.31.2: jackladder
./intonation/dns2.net1.it___213.140.195.7: incision
./intonation/ jackladder

targets with eight(8) (registered) implants

⠠⠵ for dir in `bash | sort -n -r | grep '8 files' | awk '{print $5}'`; do echo -n "$dir: " && ls $dir;done
./pitchimpair/ stoicsurgeon v1.2.7.2 sparc-sun-solaris2.8  stoicsurgeon  sidetrack  patchicillin  orangutan  jackladder  incision  dewdrop

targets with seven(7) (registered) implants

./pitchimpair/ stoicsurgeon  sidetrack  patchicillin  orangutan  jackladder  incision	dewdrop
./pitchimpair/ stoicsurgeon  sidetrack  patchicillin  orangutan  jackladder  incision	dewdrop

targets with six(6) (registered) implants

⠠⠵ for dir in `bash | sort -n -r | grep '6 files' | awk '{print $5}'`; do echo -n "$dir: " && ls $dir;done
./pitchimpair/ sidetrack  patchicillin  orangutan  jackladder incision  dewdrop
./pitchimpair/tologorri.grupocorreo.es___194.30.32.109: sidetrack  patchicillin  orangutan  jackladder incision  dewdrop
./pitchimpair/ stoicsurgeon  sidetrack  patchicillin  orangutan  incision  dewdrop
./pitchimpair/ns1.gx.chinamobile.com___211.138.252.30: sidetrack  patchicillin  orangutan  jackladder incision  dewdrop
./pitchimpair/ sidetrack  patchicillin  orangutan  jackladder incision  dewdrop
./pitchimpair/ sidetrack  patchicillin  orangutan  jackladder incision  dewdrop
./intonation/ns2.rosprint.ru___194.84.23.125: sidetrack  patchicillin  orangutan  jackladder incision  dewdrop
./intonation/ndl1mx1-a-fixed.sancharnet.in___61.0.0.46: sidetrack  patchicillin  orangutan  jackladder incision  dewdrop
./intonation/ sidetrack  patchicillin  orangutan  jackladder incision  dewdrop