TOP SECRET//COMINT//REL TO USA, FVEY

(U) Fourth Party Opportunities

Posted on 01-Mar-2021


TRANSCRIPT

Page 1:

TOP SECRET//COMINT//REL TO USA, FVEY

(U) Fourth Party Opportunities

Page 2:

Page 3:

SECRET//COMINT//REL TO USA, FVEY

(U) What is 4th Party?

(S//SI//REL) 4th party collection leverages CCNE accesses to provide Foreign Intelligence from foreign CNE victims.

(U) Types of 4th Party opportunities:

- (U) Passive Acquisition
- (U) Active Acquisition
- (U) Victim Stealing / Sharing
- (U) Re-purposing

Page 4:

(U) Passive Acquisition

[Diagram (S//SI//REL): foreign CNE C2 node in Country A; foreign CNE infrastructure; foreign CNE victims in Country Y and another country]

(S//SI//REL) Passive acquisition utilizes mid-point collection to target information being exfiltrated from victims of foreign CNE activities. This often involves CES efforts to decrypt or de-obfuscate the collected data.

Page 5:

SECRET//COMINT//REL TO USA, FVEY

(U) Active Acquisition

[Diagram (S//SI//REL): not legible in the transcript]

(S//SI//REL) Active acquisition utilizes end-point collection to target foreign CNE infrastructure in order to collect victim information.

Page 6:

SECRET//COMINT//REL TO USA, FVEY

(U) Victim Stealing / Sharing

[Diagram (S//SI//REL): not legible in the transcript]

(S//SI//REL) Victim stealing exploits weaknesses in foreign CNE implants and C2 systems to gain access to victims and either take control of the foreign implant or replace it with our own. This is NOT a disruption or CNA activity. It is solely used to further CNE accesses.

Page 7:

SECRET//COMINT//REL TO USA, FVEY

(U) Re-purposing

(S//SI//REL) Re-purposing utilizes captured foreign CNE components (implants, exploits, etc.) to shorten the development cycle of our own CNE tools.

Page 8:

SECRET//REL TO USA, FVEY

(U) 4th Party Decision Tree

(S//REL) The best sustained outcome is passive acquisition of valuable 4th party collected information. Where the 4th party is not collecting information of interest, but the victim is still of interest, victim stealing can be pursued. Where passive or cryptographic issues prevent (or delay) passive acquisition, active acquisition will be pursued.

Page 9:

(U) 4th Party Lifecycle

(S//REL) The prioritization, development and exploitation cycle is continuous until the priority is lowered to standby or the intelligence value is being realized through passive acquisition alone.

[Diagram: lifecycle loop with the legible stages Prioritize, Develop and Passive]

Page 10:

Fourth Party Example

VOYEUR

UNCLASSIFIED//FOR OFFICIAL USE ONLY

Page 11:

TOP SECRET//COMINT//REL TO USA, FVEY

(U) VOYEUR Network Map

[Network map: VOYEUR victims and Hezbollah victims; Iranian MOIS implant; redirectors (country codes visible include DK, US, CA, UK and IT); SSL links to the VOYEUR C2 servers; MOIS listening post; Hezbollah listening post]

Page 12:

TOP SECRET//COMINT//REL TO USA, FVEY

(U) VOYEUR Backend

[Screenshot: Firefox window with tabs 'Hez Start', 'MOIS Start', 'Start page', 'Infection Statistics' and 'me2 - Console'; the console menu reads Console - Archive - Packed - Upload - RunThis - Sysinfo - Datamine - Pack All]

Page 13:

TOP SECRET//COMINT//REL TO USA, FVEY

(U) VOYEUR SQL Interface

[Screenshot: phpMyAdmin 3.3.2 in Firefox at 125.10.42.230:10443, database me2, table SenderLog. The table list includes Alias, Attacks, DenyRules, Events, FileManCommands, ForwardLinks, Groups, RunThis, SenderLog, ShellRequests, Sysinfo-adaptor, Sysinfo-arp, Sysinfo-info, Sysinfo-program and Victims. SenderLog columns: Id, User, FromEmail, FromName, ToEmail, ToName, AttackSerial, AttackID, GroupName, Message, EffectivePlugins. The visible rows show User 'admin', hex-encoded sender values, serial numbers from 44277 upward, the string 'mehrab-link-881217', the message 'Please use UTF-8 Character Encoding to view this e...' and the plugin 'linkPlugin' (one row also lists docxpPlugin).]

Page 14:

TOP SECRET//COMINT//REL TO USA, FVEY

[Screenshot: not legible in the transcript; the surviving fragments are a file listing that includes Adobe Photoshop Extended entries]

Page 15:

TOP SECRET//COMINT//REL TO USA, FVEY


Page 16:

TOP SECRET//COMINT//REL TO USA, FVEY

(U) TUNINGFORK

[Screenshot: Firefox tabs 'DIRTSHED - SEEKER' and 'ABR - WikiInfo' on an https://cnedata repository URL (truncated in the transcript); page banner TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL; directory listing 'Index of /Processed/DIRTSHED/data/repository/2011-05-04/081700/opt/me2site' with columns Name, Last modified, Size, Description, a Parent Directory link and numbered subdirectories (1 through 5436), all last modified 06-May-2011]

Page 17:

TOP SECRET//COMINT//REL TO USA, FVEY

(U) TUNINGFORK

[Screenshot: SEEKER ('turning exploration into knowledge') with menu targets / preferences / help; directory tree UNIX [621] > etc [6], NOSEND [282], opt [94] > me2site [93] > data [84] > packed [83] > default [82], each with collected/new counts; a file list of archives named like 2011.01.10-16.22.51-clients-archive.7z.001 dated January through April 2011, plus clients-archive-01-January-2011 .7z.001 and .rar parts; and a Collection Info / Comments / Hash Comments view of one archive with columns Time, Size, Compressed, Name listing FileMan and Report entries from 2011_01_08 together with associated IP addresses. Page footer: Page Publisher: SEEKER Team; DERIVED FROM: NSA/CSSM 1-52 DATED: 08 January 2007; DECLASSIFY ON: 20320103; DYNAMIC PAGE - HIGHEST POSSIBLE CLASSIFICATION IS TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL]

Page 18:

TOP SECRET//COMINT//REL TO USA, FVEY

(U) TUNINGFORK

(TS//SI//REL TO USA, FVEY) Project DIRTSHED

[Table: columns File Type, Hash, Language, Ccne, Classified, Hitlist, Overlaps; the counts are not legible. File types listed: SHOCKWAVE, SOURCECODE_C_CPP, SOURCECODE_JAVA, SOURCECODE_JAVASCRIPT, SOURCECODE_PHP, SOURCECODE_PYTHON, SOURCECODE_RUBY, SQLITE_DATABASE, TAR, TAR-UNWRAPPED, TEXT, THUMBSDB, TIFF, TRUETYPE, UNIX-BASH-SCRIPT, UNIX-PERL-SCRIPT, UNIX-SH-SCRIPT, UNIX_PASSWORD_FILE, UNKNOWN, UNKNOWN-ENORMOUS, UNKNOWN-HUGE]

Page 19:

TOP SECRET//COMINT//REL TO USA, FVEY

(TS//SI//REL) Example: Victim Stealing

[Diagram: labels 'Targeted', 'HTTP POST / HTTP GET <url>', 'POST Response RUN_THIS <url> cmd', 'Transfer.exe file' and 'Unix OP station']

Page 20:

TOP SECRET//COMINT//REL TO USA, FVEY

(U//FOUO) Repurposing

[Screenshot: reverse-engineering tool loaded with SDSND32.DLL: Program Tree (.reloc, .text, .rdata), Symbol Tree (Imports, Exports, Functions, Labels, Classes, Namespaces), Data Type Manager (Built-in Types, SDSND32.DLL, a Windows data type archive), the Listing window for SDSND32.DLL and a Function Graph of FUN_100012c0. The legible disassembly reserves a 0x400-byte stack frame (SUB ESP,0x400), zero-fills local buffers with XOR EAX,EAX / REP STOSD (ECX=0xff, then ECX=0x96 into DAT_1000a818), loads an import from USER32.DLL, calls into KERNEL32.DLL including Sleep (PUSH 0x8), and branches to LAB_100012f1 and LAB_10001380]

Page 21:

(U) Current Efforts

UNCLASSIFIED//FOR OFFICIAL USE ONLY

Page 22:

TOP SECRET//COMINT//REL TO USA, FVEY

(U) VicDB

[Screenshot: TAO Application Suite (TAOSuite) VicDB page in Firefox with a monthly callback chart (09/09 through 07/10; legend entries include mcee.org and total) and a table with columns First Heard, Last Heard, Callback Count, IpName and Country. The twelve visible rows are labelled SILVER BOLT, with first/last heard timestamps in April 2010, callback counts between 1 and 51, IpName mcee.org and country KW]

Page 23:

TOP SECRET//COMINT//REL TO USA, FVEY

(S//SI) Survey Data

[Screenshot: survey output from a Windows host named SYSTEM2: a user account listing (SYSTEM2\Administrator, SYSTEM2\ASPNET, SYSTEM2\Guest, SYSTEM2\HelpAssistant, SYSTEM2\SUPPORT_388945a0; account type 512; domain SYSTEM2; full names such as 'ASP.NET Machine Account' and 'Remote Desktop Help Assistant Account'), a time zone of (GMT+03:30), a 'dir' of C:\Documents and Settings\Administrator\desktop (a JPEG, GetFLV.lnk, a Hardware directory, Microsoft Office Excel 2007.lnk, Microsoft Office Word 2003.lnk, Microsoft Office Word 2007.lnk and Paint.lnk, dated April and May 2011) and of the My Documents folder, ipconfig output (connection-specific DNS suffix MyDslDomain, Broadcom NetXtreme Gigabit Ethernet adapter, DHCP enabled, lease obtained Thursday, May 19, 2011 11:39:16 AM and expiring Saturday, May 21, 2011), and a list of started Windows services beginning with Automatic Updates, Background Intelligent Transfer Service, Client Service for NetWare, COM+ Event System, Computer Browser, Cryptographic Services, DCOM Server Process Launcher, DHCP Client, Distributed Link Tracking Client and DNS Client]

Page 24:

TOP SECRET//COMINT//REL TO USA, FVEY

(U) DEADSEA

[Screenshot: XKEYSCORE search page with tabs Home, Search, Workflow Central, Results, Fingerprints, Statistics, Map, My Account, XK Forum, Log Out and Help, and a 'Warning: your password has expired!' notice. The navigation filter lists fingerprint categories including Ccne Byzantine Raptor Rolex, Ccne Byzantine Raptor Trojan3, Ccne Plaiddiana Command Packet, Ccne Traffic, Ccne Victim Id, Ccne Zebedee Parse, cdmaA11 Metadata, Computer Serial Numbers, DNS High Entropy, DataFlurryPhoneInfoExtractor, Diameter AVP Metadata, Diameter Header Metadata, Dynamic DNS Updates, E Ticket, esp spi, Eclecticplot, Electronic Attack Heuristics, Email, Encryption Steg Camo, Encryption Steg STEG, Exif Metadata, Expression Engine, FACEBOOK, Facebook Chat Jabber, Fourth Party CNE_DEADSEA_, Generic IDirect, Google Analytics, Google StreetView, Google StreetView Thumb, Google StreetView Tile, Gtp Pdp Context, HAWALA, Happyfoot and IE Cookies. Search form: Search 'Fourth Party CNE_DEADSEA_'; Query Name; Justification; Additional Justification; Miranda Number; Recent Justifications; Current Time 2011-05-13 13:33 GMT; 1 Day; Start 2011-05-12 00:00; Stop 2011-05-14 00:00]

Page 25:

TOP SECRET//COMINT//REL TO USA, FVEY

(S//SI) Discovery for 4th Party

[Screenshot: CROSSBONES2 journal (DYNAMIC PAGE - HIGHEST POSSIBLE CLASSIFICATION IS TOP SECRET//COMINT//ORCON//NOFORN) with navigation Home, Entries (New Journal Entry, List Snippets, New Snippet, List Personas, New Individual, New Organization, List Events), Reports, Activity Groups, User Groups, Tasking, Tags and Profile, and entry actions Attach File, New Association, New Signature, Like This, Follow this Entry, Rescan for Data Facets and Export Events]

(TS//SI//REL) Perfect Keylogger Activity

Journal entry metadata: project / user group CYBERQUEST-MHS; intrusion sets UNKNOWN; access PUBLIC; source SIGINT:FORNSAT; source site / source signal USJ-759; source classification TOP SECRET//COMINT//REL TO USA, FVEY; source date 2011-05-06 00:00:00 UTC. Warning: There are no diamond model events defined on this journal entry.

(U//FOUO) This entry may contain information not fully assessed and is intended for analytic collaboration only. The recipient may not use, report or further disseminate this information unless or until it is published in a report.

Perfect Key-Logger is installed on hostname DOM (Russian for 'home'), private IP address [redacted], for user 'Home'. Website surfing information and screenshots have been stored at an account at Russian IP inbox.ru mail server, and are being delivered to a U.S. IP. A courtesy copy of the logs is delivered to user [redacted]. [redacted] is a Moscow-based software services company, member of a leading Russian technology group [redacted]. [redacted] is probably [redacted]. Apparently, the victim(s) of the keylogging are members of the [redacted], possibly wife to the [redacted] referenced above, as well as [redacted]. ...Keylogger is probably installed to monitor children's and wife's activity. [redacted] is well-connected. Her email is [redacted]. She has a presence on LinkedIn. And her Facebook password was sniffed as [redacted]. Several other passwords for both [redacted] and [redacted] have been captured. Possibly [redacted] is Head of PR and Advertising at [redacted], Moscow. [redacted] Director for Corporate Development at [redacted], probably husband.

Assigned tags: direction, intent, result, methodology, phase, actor, victim, capability, infrastructure, geopolitical environment, technology, other: positive correlations, other: negative correlations.

Page 26:

UNCLASSIFIED//FOR OFFICIAL USE ONLY

Contact us

EMAIL: DL 4THPARTY

NSANET: GO 4TH PARTY

JABBER: S2 CYBER ANALYSIS