Rectifyq📃Title: Equation: The Death Star of Malware Galaxy
📅Date: 2015-02-16
🔗References:
- https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf
🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- sub-category: TA-profile
- target: targeted
- MY-relevancy: relevant
🔖MISP Galaxies:
- threat-actor= Equation-Group
- malpedia=“Regin”
- malpedia=“DoubleFantasy (ELF)”
- malpedia=“DoubleFantasy (Windows)”
- malpedia=“EquationDrug”
- malpedia=“Fanny”
- target-information=“Afghanistan”
- target-information=“Algeria”
- target-information=“China”
- target-information=“Egypt”
- target-information=“India”
- target-information=“Iran”
- target-information=“Kenya”
- target-information=“Lebanon”
- target-information=“Libya”
- target-information=“Malaysia”
- target-information=“Mali”
- target-information=“Mexico”
- target-information=“Pakistan”
- target-information=“Qatar”
- target-information=“Russia”
- target-information=“Syria”
- target-information=“United Arab Emirates”
- target-information=“United Kingdom”
- target-information=“Yemen”
- producer= Kaspersky
- mitre-attack-pattern=[‘T1091’, ‘T1190’]
MISP event uuid: 574f2274-bd92-4f01-a401-47d8909fc04c
Indicator of Compromise (IoCs)
type,value,comment
md5, 752af597e6d9fd70396accc0b9013dbe, 'EquationLaser installer'
md5, 6fe6c03b938580ebf9b82f3b9cd4c4aa, 'EoP package and malware launcher'
md5, 2a12630ff976ba0994143ca93fecd17f, 'DoubleFantasy installer'
md5, 4556ce5eb007af1de5bd3b457f0b216d, 'EquationDrug installer (“LUTEUSOBSTOS”)'
md5, 9b1ca66aab784dc5f1dfe635d8f8a904, 'GrayFish installer'
md5, 0a209ac0de4ac033f31d6ba9191a8f7a, 'Fanny worm'
md5, 9180d5affe1e5df0717d7385e7f54386, 'loader (17920 bytes .DLL)'
md5, ba39212c5b58b97bfc9f5bc431170827, 'encrypted payload (.DAT)'
md5, 03718676311de33dd0b8f4f18cffd488, 'DoubleFantasy installer + LNK exploit package'
md5, 11fb08b9126cdb4668b3f5135cf7a6c5, 'HDD reprogramming module'
md5, 24a6ec8ebf9c0867ed1c097f4a653b8d, 'GROK keylogger'
domain, advancing-technology.com, 'DoubleFantasy C&C'
domain, avidnewssource.com, 'DoubleFantasy C&C'
domain, businessdealsblog.com, 'DoubleFantasy C&C'
domain, businessedgeadvance.com, 'DoubleFantasy C&C'
domain, charging-technology.com, 'DoubleFantasy C&C'
domain, computertechanalysis.com, 'DoubleFantasy C&C'
hostname, config.getmyip.com, 'DoubleFantasy C&C'
domain, globalnetworkanalys.com, 'DoubleFantasy C&C'
domain, melding-technology.com, 'DoubleFantasy C&C'
domain, myhousetechnews.com, 'DoubleFantasy C&C'
domain, newsterminalvelocity.com, 'DoubleFantasy C&C'
domain, selective-business.com, 'DoubleFantasy C&C'
domain, slayinglance.com, 'DoubleFantasy C&C'
domain, successful-marketing-now.com, 'DoubleFantasy C&C'
domain, taking-technology.com, 'DoubleFantasy C&C'
domain, techasiamusicsvr.com, 'DoubleFantasy C&C'
domain, technicaldigitalreporting.com, 'DoubleFantasy C&C'
domain, timelywebsitehostesses.com, 'DoubleFantasy C&C'
hostname, www.dt1blog.com, 'DoubleFantasy C&C'
hostname, www.forboringbusinesses.com, 'DoubleFantasy C&C'
domain, lsassoc.com, 'EquationLaser C2'
domain, gar-tech.com, 'EquationLaser C2'
hostname, webuysupplystore.mooo.com, 'Fanny C2'
domain, newjunk4u.com, 'EquationDrug C2'
domain, easyadvertonline.com, 'EquationDrug C2'
hostname, newip427.changeip.net, 'EquationDrug C2'
domain, ad-servicestats.net, 'EquationDrug C2'
domain, subad-server.com, 'EquationDrug C2'
domain, ad-noise.net, 'EquationDrug C2'
domain, ad-void.com, 'EquationDrug C2'
domain, aynachatsrv.com, 'EquationDrug C2'
domain, damavandkuh.com, 'EquationDrug C2'
domain, fnlpic.com, 'EquationDrug C2'
domain, monster-ads.net, 'EquationDrug C2'
domain, nowruzbakher.com, 'EquationDrug C2'
domain, sherkhundi.com, 'EquationDrug C2'
domain, quik-serv.com, 'EquationDrug C2'
domain, nickleplatedads.com, 'EquationDrug C2'
domain, arabtechmessenger.net, 'EquationDrug C2'
domain, amazinggreentechshop.com, 'EquationDrug C2'
domain, foroushi.net, 'EquationDrug C2'
domain, technicserv.com, 'EquationDrug C2'
domain, goldadpremium.com, 'EquationDrug C2'
domain, honarkhaneh.net, 'EquationDrug C2'
domain, parskabab.com, 'EquationDrug C2'
domain, technicupdate.com, 'EquationDrug C2'
domain, technicads.com, 'EquationDrug C2'
domain, customerscreensavers.com, 'EquationDrug C2'
domain, darakht.com, 'EquationDrug C2'
domain, ghalibaft.com, 'EquationDrug C2'
domain, adservicestats.com, 'EquationDrug C2'
domain, 247adbiz.net, 'EquationDrug C2'
domain, webbizwild.com, 'EquationDrug C2'
domain, roshanavar.com, 'EquationDrug C2'
domain, afkarehroshan.com, 'EquationDrug C2'
domain, thesuperdeliciousnews.com, 'EquationDrug C2'
domain, adsbizsimple.com, 'EquationDrug C2'
domain, goodbizez.com, 'EquationDrug C2'
domain, meevehdar.com, 'EquationDrug C2'
domain, xlivehost.com, 'EquationDrug C2'
domain, downloadmpplayer.com, 'EquationDrug C2'
domain, honarkhabar.com, 'EquationDrug C2'
domain, techsupportpwr.com, 'EquationDrug C2'
domain, zhalehziba.com, 'EquationDrug C2'
domain, serv-load.com, 'EquationDrug C2'
domain, wangluoruanjian.com, 'EquationDrug C2'
domain, islamicmarketing.net, 'EquationDrug C2'
domain, noticiasftpsrv.com, 'EquationDrug C2'
domain, coffeehausblog.com, 'EquationDrug C2'
domain, platads.com, 'EquationDrug C2'
domain, havakhosh.com, 'EquationDrug C2'
domain, toofanshadid.com, 'EquationDrug C2'
domain, bazandegan.com, 'EquationDrug C2'
domain, sherkatkonandeh.com, 'EquationDrug C2'
domain, mashinkhabar.com, 'EquationDrug C2'
domain, quickupdateserv.com, 'EquationDrug C2'
domain, rapidlyserv.com, 'EquationDrug C2'
domain, business-made-fun.com, 'GrayFish C2'
domain, businessdirectnessource.com, 'GrayFish C2'
domain, charmedno1.com, 'GrayFish C2'
domain, cribdare2no.com, 'GrayFish C2'
domain, dowelsobject.com, 'GrayFish C2'
domain, following-technology.com, 'GrayFish C2'
domain, forgotten-deals.com, 'GrayFish C2'
domain, functional-business.com, 'GrayFish C2'
domain, housedman.com, 'GrayFish C2'
domain, industry-deals.com, 'GrayFish C2'
domain, listennewsnetwork.com, 'GrayFish C2'
domain, phoneysoap.com, 'GrayFish C2'
domain, posed2shade.com, 'GrayFish C2'
domain, rehabretie.com, 'GrayFish C2'
domain, speedynewsclips.com, 'GrayFish C2'
domain, teatac4bath.com, 'GrayFish C2'
domain, unite3tubes.com, 'GrayFish C2'
domain, unwashedsound.com, 'GrayFish C2'
domain, arm2pie.com, 'TripleFantasy C2'
domain, brittlefilet.com, 'TripleFantasy C2'
domain, cigape.net, 'TripleFantasy C2'
domain, crisptic01.net, 'TripleFantasy C2'
domain, fliteilex.com, 'TripleFantasy C2'
domain, itemagic.net, 'TripleFantasy C2'
domain, micraamber.net, 'TripleFantasy C2'
domain, mimicrice.com, 'TripleFantasy C2'
domain, rampagegramar.com, 'TripleFantasy C2'
domain, rubi4edit.com, 'TripleFantasy C2'
domain, rubiccrum.com, 'TripleFantasy C2'
domain, rubriccrumb.com, 'TripleFantasy C2'
domain, team4heat.net, 'TripleFantasy C2'
domain, tropiccritics.com, 'TripleFantasy C2'
domain, standardsandpraiserepurpose.com, 'Equation group’s exploitation server'
domain, suddenplot.com, 'Equation group’s exploitation server'
domain, technicalconsumerreports.com, 'Equation group’s exploitation server'
domain, technology-revealed.com, 'Equation group’s exploitation server'
ip-dst, 149.12.71.2, 'IPs hardcoded in malware configuration blocks'
ip-dst, 190.242.96.212, 'IPs hardcoded in malware configuration blocks'
ip-dst, 190.60.202.4, 'IPs hardcoded in malware configuration blocks'
ip-dst, 195.128.235.227, 'IPs hardcoded in malware configuration blocks'
ip-dst, 195.128.235.231, 'IPs hardcoded in malware configuration blocks'
ip-dst, 195.128.235.233, 'IPs hardcoded in malware configuration blocks'
ip-dst, 195.128.235.235, 'IPs hardcoded in malware configuration blocks'
ip-dst, 195.81.34.67, 'IPs hardcoded in malware configuration blocks'
ip-dst, 202.95.84.33, 'IPs hardcoded in malware configuration blocks'
ip-dst, 203.150.231.49, 'IPs hardcoded in malware configuration blocks'
ip-dst, 203.150.231.73, 'IPs hardcoded in malware configuration blocks'
ip-dst, 210.81.52.120, 'IPs hardcoded in malware configuration blocks'
ip-dst, 212.61.54.239, 'IPs hardcoded in malware configuration blocks'
ip-dst, 41.222.35.70, 'IPs hardcoded in malware configuration blocks'
ip-dst, 62.216.152.67, 'IPs hardcoded in malware configuration blocks'
ip-dst, 64.76.82.52, 'IPs hardcoded in malware configuration blocks'
ip-dst, 80.77.4.3, 'IPs hardcoded in malware configuration blocks'
ip-dst, 81.31.34.175, 'IPs hardcoded in malware configuration blocks'
ip-dst, 81.31.36.174, 'IPs hardcoded in malware configuration blocks'
ip-dst, 81.31.38.163, 'IPs hardcoded in malware configuration blocks'
ip-dst, 81.31.38.166, 'IPs hardcoded in malware configuration blocks'
ip-dst, 84.233.205.99, 'IPs hardcoded in malware configuration blocks'
ip-dst, 85.112.1.83, 'IPs hardcoded in malware configuration blocks'
ip-dst, 87.255.38.2, 'IPs hardcoded in malware configuration blocks'
ip-dst, 89.18.177.3, 'IPs hardcoded in malware configuration blocks'
Full IOCs available in Rectifyq’s MISP