{ "Event": { "analysis": "0", "date": "2015-02-19", "extends_uuid": "", "info": "OSINT Backdoor.Win32.Equationdrug.A report by Telus", "publish_timestamp": "1498163341", "published": true, "threat_level_id": "1", "timestamp": "1498163215", "uuid": "5500579e-e1b4-43fe-b7c5-73da950d210b", "Orgc": { "name": "CthulhuSPRL.be", "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" }, "Tag": [ { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#33FF00", "local": false, "name": "tlp:green", "relationship_type": "" }, { "colour": "#096b00", "local": false, "name": "misp-galaxy:tool=\"EquationDrug\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:threat-actor=\"Equation Group\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426085814", "to_ids": false, "type": "link", "uuid": "550057b6-5448-42be-8d12-78ac950d210b", "value": "http://telussecuritylabs.com/threats/show/TSL20150219-06" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426085835", "to_ids": true, "type": "md5", "uuid": "550057cb-d4ec-49dc-af05-66d8950d210b", "value": "4556ce5eb007af1de5bd3b457f0b216d" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426085835", "to_ids": true, "type": "md5", "uuid": "550057cb-04d4-466e-b522-66d8950d210b", "value": "5767b9d851d0c24e13eca1bfd16ea424" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426085835", "to_ids": true, "type": "md5", "uuid": "550057cb-667c-4b34-9062-66d8950d210b", "value": "c4f8671c1f00dab30f5f88d684af1927" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426085853", "to_ids": true, "type": "sha1", "uuid": "550057dd-bcdc-469d-87a2-b0e6950d210b", "value": "597715224249e9fb77dc733b2e4d507f0cc41af6" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426085853", "to_ids": true, "type": "sha1", "uuid": "550057dd-ccf8-4241-9569-b0e6950d210b", "value": "61fab1b8451275c7fd580895d9c68e152ff46417" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426085853", "to_ids": true, "type": "sha1", "uuid": "550057dd-e1cc-412b-a961-b0e6950d210b", "value": "febc4f30786db7804008dc9bc1cebdc26993e240" }, { "category": "Antivirus detection", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426085929", "to_ids": false, "type": "text", "uuid": "55005815-743c-40a5-91ce-a62f950d210b", "value": "TROJAN.WIN32.EQUATIONDRUG.GEN" }, { "category": "Antivirus detection", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426085929", "to_ids": false, "type": "text", "uuid": "55005815-0c10-4aa6-9901-a62f950d210b", "value": "BACKDOOR-FKQ" }, { "category": "Antivirus detection", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426085929", "to_ids": false, "type": "text", "uuid": "55005815-f5b0-488a-8f44-a62f950d210b", "value": "TROJAN:WIN32/EQTONDRAG.A!DHA" }, { "category": "Antivirus detection", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426085929", "to_ids": false, "type": "text", "uuid": "55005815-5b74-4b5f-8eda-a62f950d210b", "value": "TROJ/EQDRUG-A" }, { "category": "Antivirus detection", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426085929", "to_ids": false, "type": "text", "uuid": "55005815-bbc8-4a52-b652-a62f950d210b", "value": "TROJAN.EQUDRUG" }, { "category": "Antivirus detection", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426085929", "to_ids": false, "type": "text", "uuid": "55005815-1198-438e-acbd-a62f950d210b", "value": "TROJ_DOTTUN.VTH" }, { "category": "Antivirus detection", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426085929", "to_ids": false, "type": "text", "uuid": "55005815-b4f8-4575-bd92-a62f950d210b", "value": "WIN-TROJAN/EQUATION.380928" }, { "category": "Antivirus detection", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426085929", "to_ids": false, "type": "text", "uuid": "55005815-c87c-4ff5-965d-a62f950d210b", "value": "TR/DLDR.DOTTUN.380928" }, { "category": "Antivirus detection", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426085929", "to_ids": false, "type": "text", "uuid": "55005815-e388-436f-98f6-a62f950d210b", "value": "TROJAN.WIN32.EQUATIONDRUG.AFQK" }, { "category": "Antivirus detection", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426085929", "to_ids": false, "type": "text", "uuid": "55005815-f5d8-457a-868a-a62f950d210b", "value": "TROJAN.EQUATIONDRUG.R4" }, { "category": "Antivirus detection", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426085929", "to_ids": false, "type": "text", "uuid": "55005816-1e40-4a7a-878a-a62f950d210b", "value": "TROJWARE.WIN32.EQUATIONDRUG.A" }, { "category": "Antivirus detection", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426085929", "to_ids": false, "type": "text", "uuid": "55005816-8c14-4ffd-8bb9-a62f950d210b", "value": "TROJAN.SIGGEN6.30429" }, { "category": "Antivirus detection", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426085929", "to_ids": false, "type": "text", "uuid": "55005816-fa70-4133-9ec0-a62f950d210b", "value": "WIN32/DOTTUN.AA" }, { "category": "External analysis", "comment": "Related Telus reports", "deleted": false, "disable_correlation": false, "timestamp": "1426085985", "to_ids": false, "type": "link", "uuid": "55005861-315c-4a3c-b489-6d66950d210b", "value": "http://telussecuritylabs.com/threats/show/TSL20110614-01" }, { "category": "External analysis", "comment": "Related Telus reports", "deleted": false, "disable_correlation": false, "timestamp": "1426085985", "to_ids": false, "type": "link", "uuid": "55005861-0cc0-4bc4-99fc-6d66950d210b", "value": "http://telussecuritylabs.com/threats/show/TSL20150217-05" }, { "category": "Artifacts dropped", "comment": "Trojan.Win32.Micstus.A", "deleted": false, "disable_correlation": false, "timestamp": "1426086018", "to_ids": true, "type": "md5", "uuid": "55005882-d8dc-47aa-b9d5-723f950d210b", "value": "51e0a0fb96fa2f6f7ea1b53f656c1b1a" }, { "category": "Artifacts dropped", "comment": "Trojan.Win32.Micstus.A", "deleted": false, "disable_correlation": false, "timestamp": "1426086037", "to_ids": true, "type": "sha1", "uuid": "55005895-b290-4c42-818e-66d8950d210b", "value": "99fe38d1c06b31803120598232e20b650a0616a7" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426087646", "to_ids": false, "type": "text", "uuid": "55005ede-ce48-4b86-a041-6d66950d210b", "value": "Equation Group" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 4556ce5eb007af1de5bd3b457f0b216d)", "deleted": false, "disable_correlation": false, "timestamp": "1455839160", "to_ids": true, "type": "sha256", "uuid": "56c657b8-fdf8-4a90-a5ee-c654950d210f", "value": "1b0eb1a1591140175d1ac111a98c89472b196599baf13ef67ee7f63d0052b00e" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 5767b9d851d0c24e13eca1bfd16ea424)", "deleted": false, "disable_correlation": false, "timestamp": "1455839162", "to_ids": true, "type": "sha256", "uuid": "56c657ba-18c8-4ee5-bcbf-599f950d210f", "value": "9df733c565cf3c98878911af11ff17f8788c06e56466db6eaab81f8fa80344e4" }, { "category": "Artifacts dropped", "comment": "Automatically added (via c4f8671c1f00dab30f5f88d684af1927)", "deleted": false, "disable_correlation": false, "timestamp": "1455839162", "to_ids": true, "type": "sha256", "uuid": "56c657ba-b680-4acd-a75c-5ca1950d210f", "value": "9f1b82e6c2e9760284c53c5377a054d6cfcb2bd5e36329e0f7c395aa02d79d0d" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 51e0a0fb96fa2f6f7ea1b53f656c1b1a)", "deleted": false, "disable_correlation": false, "timestamp": "1455839163", "to_ids": true, "type": "sha256", "uuid": "56c657bb-ed34-4fb5-a5f0-599d950d210f", "value": "40930aee76cdc9fff5db261154ed42f74945c17ad6f15905762aa024508b861a" } ] } }