📃Title: Equation: The Death Star of Malware Galaxy
📅Date: 2015-02-16
🔗References:
- https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf
🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- sub-category: TA-profile
- target: targeted
- MY-relevancy: relevant
🔖MISP Galaxies:
- threat-actor Equation-Group
- malpedia="Regin"
- malpedia="DoubleFantasy (ELF)"
- malpedia="DoubleFantasy (Windows)"
- malpedia="EquationDrug"
- malpedia="Fanny"
- target-information="Afghanistan"
- target-information="Algeria"
- target-information="China"
- target-information="Egypt"
- target-information="India"
- target-information="Iran"
- target-information="Kenya"
- target-information="Lebanon"
- target-information="Libya"
- target-information="Malaysia"
- target-information="Mali"
- target-information="Mexico"
- target-information="Pakistan"
- target-information="Qatar"
- target-information="Russia"
- target-information="Syria"
- target-information="United Arab Emirates"
- target-information="United Kingdom"
- target-information="Yemen"
- producer Kaspersky
- mitre-attack-pattern=['T1091', 'T1190']
MISP event uuid: 574f2274-bd92-4f01-a401-47d8909fc04c
Indicators of Compromise (IoCs)
Full IoCs available in Rectifyq's MISP