Title: Fourth Party Opportunities
Release Date: 2015-01-17
Description: This undated NSA presentation describes the process of Fourth Party collection ("I drink your milkshake"): collecting against a foreign CNE actor's own operations and victims. See the Der Spiegel article The Digital Arms Race: NSA Preps America for Future Battle, 17 January 2015.
Document: TOP SECRET//COMINT//REL TO USA, FVEY
(U) Fourth Party Opportunities
(U) What is 4th Party

• (S//SI//REL) 4th party collection leverages CCNE (counter-CNE) accesses to provide Foreign Intelligence from foreign CNE victims. The "4th party" is a foreign CNE actor, outside NSA and its FVEY partners, whose own operations and victims become the target of collection.
• (U) Types of 4th Party opportunities
  ° (U) Passive Acquisition
  ° (U) Active Acquisition
  ° (U) Victim Stealing / Sharing
  ° (U) Re-purposing
(U) Passive Acquisition

(S//SI//REL) Passive acquisition utilizes mid-point collection (collection on the network path between the victim and the foreign actor's infrastructure, with no access to either end) to target information being ex-filtrated from victims of foreign CNE activities. This often involves CES (Cryptanalysis and Exploitation Services) efforts to decrypt or de-obfuscate the collected data, since what a foreign implant sends home is rarely in the clear.
(U) Active Acquisition

(S//SI//REL) Active acquisition utilizes end-point collection (our own access on the foreign actor's hosts) to target foreign CNE infrastructure, such as the command-and-control servers and backend databases where the actor aggregates what its implants send home, in order to collect victim information.
(U) Victim Stealing / Sharing

(S//SI//REL) Victim stealing exploits weaknesses in foreign CNE implants and C2 (command and control) systems to gain access to victims and either take control of the foreign implant or replace it with our own. This is NOT a disruption or CNA (Computer Network Attack) activity. It is solely used to further CNE accesses.
(U) Re-purposing

(S//SI//REL) Re-purposing utilizes captured foreign CNE components (implants, exploits, etc.) to shorten the development cycle of our own CNE tools.
(U) 4th Party Decision Tree

(S//REL) The best sustained outcome is passive acquisition of valuable 4th party collected information. Where the 4th party is not collecting information of interest, but the victim is still of interest, victim stealing can be pursued. Where passive (collection) or cryptographic issues prevent (or delay) passive acquisition, active acquisition will be pursued.

[Diagram: decision tree with the three outcomes above (Passive Acquisition, Victim Stealing, Active Acquisition); only the Passive Acquisition node survived extraction.]
(U) 4th Party Lifecycle

(S//REL) The prioritization, development and exploitation cycle is continuous until the priority is lowered to standby or the intelligence value is being realized through passive collection alone.

[Diagram: lifecycle loop; the legible nodes are Discover, Prioritize, Develop and Passive.]
Fourth Party Example: VOYEUR
(U) VOYEUR Backend

[Screenshot: the "me2 - Console" web backend of the VOYEUR implant, viewed in Firefox (other open tabs are titled "Hcz Start", "MOIS Start" and "Infection Statistics"). Console tabs: Console, Archive, Packed, Upload RunThis, Sysinfo Datamine, Pack All. The Infection Statistics page lists 22 numbered victims by ID (legible IDs: 2421, 3782, 5364, 1869, 5426, 5622, 5443, 6265, 3549, 6360, 6223, 3352, 6281, 5673, 6513), each with Last Connect ("34 day(s) ago"), Platform (implant version 4.41, one at 4.40), a Data column, and per-victim action links: Sysinfo, FileMan, Keylog, NoninterShell, Hide, ToMe2a, RunThis, EnFlash, EnVer4, UserPass, Monitor.]
(U) VOYEUR SQL Interface

[Screenshot: phpMyAdmin at 125.XO.42.238:10443 (digits partly illegible), logged into the me2 database on localhost and browsing the SenderLog table with a plain "select * ... LIMIT" query. The table list in the left pane: Alias, AllowRules, AllowToMe2a, AllowVersion4, Attacks, DenyRules, Events, FileManCommands, ForwardLinks, Groups, NoninterShellCommands, RunThis, SenderLog, ShellRequests, Sysinfo-adaptor, Sysinfo-arp, Sysinfo-info, Sysinfo-program, Victims. SenderLog columns: Id, User, FromName, AttackSerial, AttackID, GroupName, Message, EffectivePlugins. All visible rows have User = admin; AttackIDs run from 44277 to 44291. Legible rows:]

    AttackSerial          AttackID  GroupName  Message                                                                EffectivePlugins
    4d4977754675776a636a  44277     mehrab     -link- 881217 Please use UTF-8 Character Encoding to view this e...  linkPlugin
    69775941306d78423944  44278     mehrab     -link- 881217 Please use UTF-8 Character Encoding to view this e...  linkPlugin
    5231575f67315a713331  44281     mehrab     -link- 881217 Please use UTF-8 Character Encoding to view this e...  linkPlugin
    3356505a55726c615953  44282     mehrab     -link- 881217 Please use UTF-8 Character Encoding to view this e...  linkPlugin
    65693578797445463345  44285     mehrab     -link- 881217 Please use UTF-8 Character Encoding to view this e...  linkPlugin
    4a5a44737574525f34?2  44287                hi
    776d5a49586848576333  44289     mehrab     -link- 881217 Please use UTF-8 Character Encoding to view this e...  linkPlugin
    3468624a48726e756b4f  44290                hi
    78485363666f53345234  44291                hi<br />
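As an added example, not code from the presentation, the following Python decodes a SenderLog export like the one in the screenshot above. The rows are constructed from the legible values; the column mapping (the 20-hex-digit field as AttackSerial, the five-digit number as AttackID, "mehrab" as GroupName) is my reading of the phpMyAdmin layout and is an assumption. It shows that AttackSerial is plain hex-encoded ASCII, a ten-character token over [A-Za-z0-9_], and summarises the table per group, link code and plugin, which is the sort of de-obfuscation and data mining that turns a captured backend table into victim and campaign information.

```python
"""Decode and summarise a SenderLog export from a captured C2 backend.

Added example, not code from the presentation. The column layout follows
the phpMyAdmin screenshot (Id, User, FromName, AttackSerial, AttackID,
GroupName, Message, EffectivePlugins); the assignment of values to columns
is an assumption, and the rows are constructed from the legible values.
"""
import csv
import io
import re
from collections import Counter, defaultdict

SENDERLOG_TSV = """\
Id\tUser\tFromName\tAttackSerial\tAttackID\tGroupName\tMessage\tEffectivePlugins
1\tadmin\t\t4d4977754675776a636a\t44277\tmehrab\t-link- 881217 Please use UTF-8 Character Encoding to view this e...\tlinkPlugin
2\tadmin\t\t69775941306d78423944\t44278\tmehrab\t-link- 881217 Please use UTF-8 Character Encoding to view this e...\tlinkPlugin
5\tadmin\t\t5231575f67315a713331\t44281\tmehrab\t-link- 881217 Please use UTF-8 Character Encoding to view this e...\tlinkPlugin
6\tadmin\t\t3356505a55726c615953\t44282\tmehrab\t-link- 881217 Please use UTF-8 Character Encoding to view this e...\tlinkPlugin
9\tadmin\t\t65693578797445463345\t44285\tmehrab\t-link- 881217 Please use UTF-8 Character Encoding to view this e...\tlinkPlugin
13\tadmin\t\t776d5a49586848576333\t44289\tmehrab\t-link- 881217 Please use UTF-8 Character Encoding to view this e...\tlinkPlugin
14\tadmin\t\t3468624a48726e756b4f\t44290\t\thi\t
15\tadmin\t\t78485363666f53345234\t44291\t\thi<br />\t
"""

SERIAL_RE = re.compile(r"^[0-9a-fA-F]{20}$")
TOKEN_RE = re.compile(r"^[A-Za-z0-9_]{10}$")
LINK_RE = re.compile(r"^-link-\s+(\d+)\s")


def decode_serial(hex_serial):
    """AttackSerial is hex-encoded ASCII. Reject anything that does not decode
    to the ten-character [A-Za-z0-9_] token every visible row shares, so a
    changed encoding in a later dump fails loudly instead of silently."""
    if not SERIAL_RE.match(hex_serial):
        raise ValueError(f"not a 20-hex-digit serial: {hex_serial!r}")
    token = bytes.fromhex(hex_serial).decode("ascii")
    if not TOKEN_RE.match(token):
        raise ValueError(f"unexpected token shape: {token!r}")
    return token


def load_senderlog(tsv_text):
    """Parse a tab-separated export; adds a decoded Token column."""
    rows = list(csv.DictReader(io.StringIO(tsv_text), delimiter="\t"))
    for row in rows:
        row["Token"] = decode_serial(row["AttackSerial"])
        row["AttackID"] = int(row["AttackID"])
    return rows


def summarise(rows):
    """Per GroupName: sends, AttackID range, link codes in the message,
    plugins used and the decoded tokens. Rows without a group land in
    '(none)' so nothing drops out of the count."""
    groups = defaultdict(lambda: {"sends": 0, "ids": [], "link_codes": Counter(),
                                  "plugins": Counter(), "tokens": []})
    for row in rows:
        g = groups[row["GroupName"] or "(none)"]
        g["sends"] += 1
        g["ids"].append(row["AttackID"])
        g["tokens"].append(row["Token"])
        m = LINK_RE.match(row["Message"])
        if m:
            g["link_codes"][m.group(1)] += 1
        if row["EffectivePlugins"]:
            g["plugins"][row["EffectivePlugins"]] += 1
    return {
        name: {
            "sends": g["sends"],
            "attack_id_range": (min(g["ids"]), max(g["ids"])),
            "link_codes": dict(g["link_codes"]),
            "plugins": dict(g["plugins"]),
            "tokens": g["tokens"],
        }
        for name, g in groups.items()
    }


if __name__ == "__main__":
    for name, g in summarise(load_senderlog(SENDERLOG_TSV)).items():
        print(name, g)
```

The validation in decode_serial is deliberate: when a later dump of the same backend stops matching, that is evidence the actor changed the implant, which is itself worth knowing.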
(U) UIS

[Screenshot: UIS viewer over captured implant logs (keylogger and window-focus records from a victim host). Each record carries a Time entry (e.g. 04/01/2011 12:39:34), a Focus entry with the foreground window title (Adobe InDesign CS3, Adobe Photoshop CS3 Extended, a Firefox window) and an Executable entry with the process path (c:\program files\adobe\adobe indesign cs3\indesign.exe, c:\program files\adobe\adobe photoshop cs3\photoshop.exe, c:\program files\mozilla firefox\firefox.exe). A left-hand pane lists log sources by short hex identifier with record counts; the remaining menu and pane labels are not legible.]
(U) UIS

[Screenshot: a second UIS view, a tabular listing with a column header ending in KEYWORDS and COMMENTS and the same hex-identifier source pane; nothing further is legible.]
(U) TUNINGFORK

[Screenshot: TUNINGFORK in a browser (tabs: DIRTSHED - SEEKER, M-CLOUD, ABR - WikiInfo; URL https://cnedata.../repository; page banner TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL), showing an Apache-style "Index of /Processed/DIRTSHED/.../2011-05-04/081700/opt/me2site/data/repository" with a Parent Directory link and one numbered subdirectory per victim (1654/, 2421/, 2644/, 3027/, 3427/, 3505/, 3537/, 3551/, 4493/, 4617/, 4683/, 5352/, 5364/, 5390/, 5426/, 5436/ and others partly illegible), all last modified 06-May-2011 between 00:44 and 02:16. The numbers are the victim IDs of the VOYEUR console; 2421, 5364 and 5426 appear in both.]
(U) SEEKER

[Screenshot: SEEKER ("turning exploration into knowledge"), the repository browser for the DIRTSHED collection, with Targets and Preferences tabs. The tree DIRTSHED > UNIX [621] > ... > opt [94] (86 collected, 6 new) > me2site [93] (86 collected, 6 new) > data [84] (82 collected, 4 new) > packed [83] > default [82] expands into dated folders from 2011.01.10 to 2011.04.20, each holding a multi-volume clients-archive.7z.001, plus a ...ary-2011.7z.001 and ...ary-2011.rar.part1-3.rar set. The Collection Info pane for UNIX | opt | me2site | data | packed | default | 2011.01.10-18.22.51-clients-archive.7z.001 lists the archive members with Hash, Comments, Size, Compressed and Name columns: several dozen files written between 08:57 and 09:02 on 2011-01-08, most exactly 140 or 173 bytes with a few larger (2271, 7775, 11712, 18243, 76619, 664679 bytes), named <plugin>/<date>__<time>__<victim IP>__<n>.bin with plugin directories FileMan and Report. Footer: Information Owner T1212 717-3600; Page Publisher SEEKER Team; DERIVED FROM: NSA/CSSM 1-52 DATED: 08 January 2007; DECLASSIFY ON: 20320108.]
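A dump like the one SEEKER is browsing is the raw material of active acquisition: it has to be turned into a per-victim inventory before anyone can say which victims matter. As an added example, not code from the presentation or from SEEKER, the following Python does that first pass over a file listing in the shape of the Collection Info pane. The path pattern <plugin>/<YYYY_MM_DD>__<HH_MM_SS>__<victim-ip>__<seq>.bin is assumed from the legible fragments; the listing itself is constructed with documentation addresses (RFC 5737), not the addresses on the slide, and the "empty report" size threshold is an analyst heuristic, not something the slide states.

```python
"""Triage a dumped C2 data repository by victim.

Added example, not code from the presentation or from SEEKER. Parses a file
listing in the shape of SEEKER's Collection Info pane (size, path inside a
clients-archive.7z volume). The path pattern is assumed from the legible
fragments on the slide; the listing is constructed with RFC 5737 addresses.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

ENTRY_RE = re.compile(
    r"^(?P<plugin>[A-Za-z]+)/"
    r"(?P<stamp>\d{4}_\d{2}_\d{2}__\d{2}_\d{2}_\d{2})__"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})__(?P<seq>\d+)\.bin$"
)

# Constructed listing: (size in bytes, path). Sizes of 140 and 173 bytes
# dominate the slide's listing; anything that small is treated below as a
# probable empty report (heuristic).
LISTING = [
    (140,    "FileMan/2011_01_08__08_57_08__192.0.2.10__2.bin"),
    (173,    "Report/2011_01_08__08_57_33__192.0.2.10__3.bin"),
    (664679, "FileMan/2011_01_08__08_58_12__192.0.2.10__4.bin"),
    (140,    "FileMan/2011_01_08__08_57_56__198.51.100.7__2.bin"),
    (7775,   "Report/2011_01_08__08_58_41__198.51.100.7__3.bin"),
    (173,    "FileMan/2011_01_08__09_01_57__203.0.113.44__2.bin"),
    (18243,  "FileMan/2011_01_08__09_00_14__203.0.113.44__3.bin"),
    (0,      "README.txt"),   # non-matching name: reported, never silently dropped
]

EMPTY_REPORT_MAX = 200   # heuristic: records this small carried no payload


def parse_entry(size, path):
    """One listing line -> record dict, or None if the name does not fit."""
    m = ENTRY_RE.match(path)
    if not m:
        return None
    return {
        "plugin": m["plugin"],
        "when": datetime.strptime(m["stamp"], "%Y_%m_%d__%H_%M_%S"),
        "victim": m["ip"],
        "seq": int(m["seq"]),
        "size": size,
    }


def triage(listing, empty_max=EMPTY_REPORT_MAX):
    """Per victim IP: first/last record time, record count, payload bytes,
    per-plugin counts and how many records look empty. Unparseable names
    come back separately so the inventory stays complete."""
    victims = defaultdict(lambda: {"first": None, "last": None, "records": 0,
                                   "bytes": 0, "empty": 0, "plugins": Counter()})
    unparsed = []
    for size, path in listing:
        rec = parse_entry(size, path)
        if rec is None:
            unparsed.append(path)
            continue
        v = victims[rec["victim"]]
        v["records"] += 1
        v["bytes"] += rec["size"]
        v["plugins"][rec["plugin"]] += 1
        if rec["size"] <= empty_max:
            v["empty"] += 1
        if v["first"] is None or rec["when"] < v["first"]:
            v["first"] = rec["when"]
        if v["last"] is None or rec["when"] > v["last"]:
            v["last"] = rec["when"]
    return dict(victims), unparsed


def rank_victims(victims):
    """Victims with the most payload bytes first: where an analyst looks first."""
    return sorted(victims, key=lambda ip: victims[ip]["bytes"], reverse=True)


if __name__ == "__main__":
    victims, unparsed = triage(LISTING)
    for ip in rank_victims(victims):
        v = victims[ip]
        print(f"{ip:15} {v['records']} records, {v['bytes']} bytes, {v['empty']} empty, "
              f"{dict(v['plugins'])}, {v['first']:%Y-%m-%d %H:%M:%S} .. {v['last']:%H:%M:%S}")
    print("unparsed:", unparsed)
```

The same parse is what TUNINGFORK's per-victim directory numbering and VicDB's First Heard / Last Heard columns need as input; ranking by payload bytes rather than record count keeps victims whose implant only ever returned empty reports from crowding out the ones with real data.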
(U) Cloud/ABR

(TS//SI//REL TO USA, FVEY) Project DIRTSHED

[Screenshot: the ABR file-type breakdown for Project DIRTSHED. The column headers read File Type, Hash, Language, Ccne, Classified, Hitlist, Overlaps; the header of the last numeric column is cut off. "?" marks an illegible value.]

    File Type              Hash  Language  Ccne  Classified  Hitlist  Overlaps  (cut off)
    SHOCKWAVE                 0         0     0           0        2         2          8
    SOURCECODE_C_CPP          0         0     0          28       40        40         74
    SOURCECODE_JAVA           0         0     0           0        2         2         80
    SOURCECODE_JAVASCRIPT     0         0     0           1       15        27          ?
    SOURCECODE_PHP            0         0     0         127      521       537       1284
    SOURCECODE_PYTHON         0         0     0         138      546       546        546
    SOURCECODE_RUBY           0         0     0           ?       70        70          ?
    SQLITE_DATABASE           0         0     6           6        6        15         40
    TAR                       0         0     0           ?        ?         ?         12
    TAR-UNWRAPPED             0         0     0         209      209       209        364
    TEXT                      0         0     1         278      833       859       4528
    THUMBS_DB                 0         0     0           0        4         6          ?
    TIFF                      0         0     3           3        3         3        143
    TRUETYPE                  0         0     0           0        0         0         98
    UNIX-BASH-SCRIPT          0         0     0          11       90        90        133
    UNIX-PERL-SCRIPT          0         0     0           1        4         4         43
    UNIX-SH-SCRIPT            0         0     0         177      490       490        513
    UNIX_PASSWORD_FILE        0         0     0           ?       21        38        260
    UNKNOWN                   0         0     0           0        0         0          1
    UNKNOWN-ENORMOUS          0         0     0          35       41        44         56
    UNKNOWN-H...              ?         ?     ?           ?        ?         1         57
(U//FOUO) Repurposing

[Screenshot: a CodeBrowser session (File, Edit, Analysis, Graph, Navigation, Search, Select, Tools, Window, Help) open on SDSND32.DLL, a captured foreign implant component, with the Program Trees pane (.text, .reloc, .rdata, .data), Symbol Tree (Imports, Exports, Functions, Labels, Classes, Namespaces), Data Type Manager (BuiltInTypes, SDSND32.DLL, windows_vs9), a Listing of FUN_100012c0 and its Function Graph. The legible part of the listing:]

                        FUNCTION 100012c0 - FUN_100012c0
             undefined __stdcall FUN_100012c0()
             undefined4  -3fc  local_3fc
             undefined4  -400  local_400
    100012c0  81 ec 00 04 00 00        SUB    ESP,0x400
    100012c6  53                       PUSH   EBX
    100012c7  55                       PUSH   EBP
    100012c8  56                       PUSH   ESI
    100012c9  8b 2d 04 81 00 10        MOV    EBP,[USER32.DLL::GetKe...]
    100012cf  57                       PUSH   EDI
    100012d0  b9 ff 00 00 00           MOV    ECX,0xff
    100012d5  33 c0                    XOR    EAX,EAX
    100012d7  8d 7c 24 14              LEA    EDI,[ESP + local_3fc]
    100012db  c7 44 24 10 00 00 00 00  MOV    dword ptr [ESP + local_400],0x0
    100012e3  f3 ab                    STOSD  ES:EDI
    100012e5  b9 96 00 00 00           MOV    ECX,0x96
    100012ea  bf 18 a8 00 10           MOV    EDI,DAT_1000a818
    100012ef  f3 ab                    STOSD  ES:EDI
                        LAB_100012f1:
    100012f1  6a 08                    PUSH   0x8
    100012f3  ff 15 00 80 00 10        CALL   [KERNEL32.DLL::Sleep]
    100012f9  e8 d2 fe ff ff           CALL   FUN_100011d0

[The Function Graph pane shows the loop continuing through LAB_10001309 and LAB_10001380 with a call to USER32.DLL::GetAsyncKeyState followed by a TEST of the result: the function zeroes a stack buffer and a global table, then polls keyboard state every 8 ms.]
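Before a captured component is worth re-purposing someone has to find out what it does, and the first pass is usually mechanical. As an added example, not the presentation's code, the following Python scans raw x86 bytes for the shape visible in the listing above: a PUSH of a small constant, a CALL through the KERNEL32 Sleep import slot, and an immediate CALL into a worker, which is the skeleton of a polling loop. The input bytes are transcribed from the listing; the Sleep slot 0x10008000 and the USER32 slot 0x10008104 are read off the `ff 15 00 80 00 10` and `8b 2d 04 81 00 10` instructions. It is a byte-pattern heuristic for triage, not a disassembler, so a matching sequence inside data would also be reported.

```python
"""Locate Sleep-driven polling loops and import-slot references in raw x86 code.

Added example, not code from the presentation. The bytes are transcribed
from the FUN_100012c0 listing (SDSND32.DLL, VA 0x100012c0); the import slot
addresses are read off the listing's own instructions. Pattern matching over
raw bytes is a triage heuristic: it does not decode instruction boundaries.
"""
import struct

CODE_BASE_VA = 0x100012C0
SLEEP_IAT = 0x10008000      # [KERNEL32.DLL::Sleep] slot, from the listing

FUN_100012C0 = bytes.fromhex(
    "81ec00040000"          # SUB   ESP,0x400
    "53" "55" "56"          # PUSH  EBX / EBP / ESI
    "8b2d04810010"          # MOV   EBP,[USER32.DLL::GetKe...]  (slot 0x10008104)
    "57"                    # PUSH  EDI
    "b9ff000000"            # MOV   ECX,0xff
    "33c0"                  # XOR   EAX,EAX
    "8d7c2414"              # LEA   EDI,[ESP + local_3fc]
    "c744241000000000"      # MOV   dword ptr [ESP + local_400],0x0
    "f3ab"                  # STOSD ES:EDI   (zero a 0xff-dword stack buffer)
    "b996000000"            # MOV   ECX,0x96
    "bf18a80010"            # MOV   EDI,DAT_1000a818
    "f3ab"                  # STOSD ES:EDI   (zero a 0x96-dword global table)
    "6a08"                  # LAB_100012f1: PUSH 0x8
    "ff1500800010"          # CALL  [KERNEL32.DLL::Sleep]
    "e8d2feffff"            # CALL  FUN_100011d0
)


def absolute_refs(code, base_va):
    """Absolute [disp32] references: `ff 15 disp32` (call through an import
    slot) and `8b /r` with mod=00, r/m=101 (mov r32,[disp32]).
    Returns {referenced address: [(instruction VA, kind), ...]}."""
    refs = {}
    i = 0
    while i + 6 <= len(code):
        b0, b1 = code[i], code[i + 1]
        kind = None
        if b0 == 0xFF and b1 == 0x15:
            kind = "call [mem]"
        elif b0 == 0x8B and (b1 & 0xC7) == 0x05:
            kind = "mov r32,[mem]"
        if kind:
            target = struct.unpack_from("<I", code, i + 2)[0]
            refs.setdefault(target, []).append((base_va + i, kind))
            i += 6
        else:
            i += 1
    return refs


def find_sleep_polls(code, base_va, sleep_iat=SLEEP_IAT):
    """Every call through the Sleep slot, with the interval pushed right
    before it (PUSH imm8, sign-extended, or PUSH imm32) and the target of a
    CALL rel32 that directly follows. `push N; call [Sleep]; call worker`
    is the skeleton of a polling loop, and N says how busy it is."""
    sig = b"\xff\x15" + struct.pack("<I", sleep_iat)
    hits = []
    pos = code.find(sig)
    while pos != -1:
        hit = {"site_va": base_va + pos, "interval_ms": None, "next_call": None}
        if pos >= 2 and code[pos - 2] == 0x6A:                       # PUSH imm8
            hit["interval_ms"] = struct.unpack_from("<b", code, pos - 1)[0] & 0xFFFFFFFF
            hit["site_va"] = base_va + pos - 2
        elif pos >= 5 and code[pos - 5] == 0x68:                     # PUSH imm32
            hit["interval_ms"] = struct.unpack_from("<I", code, pos - 4)[0]
            hit["site_va"] = base_va + pos - 5
        after = pos + len(sig)
        if after + 5 <= len(code) and code[after] == 0xE8:           # CALL rel32
            rel = struct.unpack_from("<i", code, after + 1)[0]
            hit["next_call"] = base_va + after + 5 + rel
        hits.append(hit)
        pos = code.find(sig, pos + 1)
    return hits


if __name__ == "__main__":
    for addr, uses in sorted(absolute_refs(FUN_100012C0, CODE_BASE_VA).items()):
        print(f"slot {addr:#010x}: " + ", ".join(f"{va:#010x} {k}" for va, k in uses))
    for h in find_sleep_polls(FUN_100012C0, CODE_BASE_VA):
        print(f"poll at {h['site_va']:#010x}: Sleep({h['interval_ms']}) then "
              f"call {h['next_call']:#010x}")
```

Sign-extending the imm8 matters: `push -1` (6a ff) is Sleep(INFINITE), which is a wait, not a poll, and the scanner reports it as 0xFFFFFFFF rather than 255. On a real sample you would run this over the whole .text section with the slot addresses taken from the import table, then hand the short-interval hits to the disassembler.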
(U) Current Efforts
(U) VicDB

[Screenshot: VicDB, a page of the TAO Application Suite (TAOSuite, viewed in Firefox), with Implant Type set to SILVERBOLT and Depth set to Monthly. Two charts, Callback Density and Victim Density, cover the months 10/09 through 07/10. The victim table below them has 12 rows, all implant type SILVERBOLT, IpName mcee.org, country KW:]

    Implant     First Heard           Last Heard            Callback Count  IpName    country
    SILVERBOLT  2010-04-03 06:40:34Z  2010-04-03 07:25:35Z   4              mcee.org  KW
    SILVERBOLT  2010-04-02 02:34:17Z  2010-04-02 12:54:53Z  40              mcee.org  KW
    SILVERBOLT  2010-04-01 14:03:41Z  2010-04-01 14:03:41Z   1              mcee.org  KW
    SILVERBOLT  2010-04-13 12:25:28Z  2010-04-13 12:25:28Z   1              mcee.org  KW
    SILVERBOLT  2010-04-15 04:45:08Z  2010-04-16 14:41:14Z  43              mcee.org  KW
    SILVERBOLT  2010-04-13 08:23:52Z  2010-04-13 09:27:43Z   2              mcee.org  KW
    SILVERBOLT  2010-04-24 06:28:43Z  2010-04-24 07:30:01Z   6              mcee.org  KW
    SILVERBOLT  2010-04-23 04:34:28Z  2010-04-23 12:47:44Z  17              mcee.org  KW
    SILVERBOLT  2010-04-13 04:57:29Z  2010-04-13 06:07:24Z  12              mcee.org  KW
    SILVERBOLT  2010-04-07 02:19:58Z  2010-04-08 12:12:43Z  51              mcee.org  KW
    SILVERBOLT  2010-04-20 07:01:34Z  2010-04-28 07:14:16Z   4              mcee.org  KW
    SILVERBOLT  2010-04-18 10:51:39Z  2010-04-18 11:00:49Z   3              mcee.org  KW
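The VicDB columns are aggregates over individual implant callbacks, and the two charts are the same callbacks bucketed by period. As an added example, not code from the presentation or from the TAO Application Suite, the following Python derives both from raw callback records. The records are constructed (victim identifiers and times are invented; only the single-callback case mirrors the third row of the table above), and the stale-victim window is my own addition, a way of feeding the lifecycle slide's "lower the priority to standby" decision from the data.

```python
"""VicDB-style callback statistics from raw implant callback records.

Added example, not code from the presentation or the TAO Application Suite.
Input is a constructed list of (implant type, victim id, UTC callback time);
output is the per-victim First Heard / Last Heard / Callback Count rows and
the per-period Callback Density and Victim Density series.
"""
from collections import defaultdict
from datetime import datetime, timezone


def utc(s):
    """'YYYY-MM-DD HH:MM:SS' -> aware UTC datetime (VicDB times end in Z)."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


# Constructed callbacks. Victim kw-03 is the single-callback case from the
# table (First Heard == Last Heard, count 1); the OTHERIMPLANT row shows that
# the implant-type filter is applied.
CALLBACKS = [
    ("SILVERBOLT", "kw-01", utc("2010-04-03 06:40:34")),
    ("SILVERBOLT", "kw-01", utc("2010-04-03 07:01:10")),
    ("SILVERBOLT", "kw-01", utc("2010-04-03 07:25:35")),
    ("SILVERBOLT", "kw-02", utc("2010-03-30 22:10:00")),
    ("SILVERBOLT", "kw-02", utc("2010-04-02 02:34:17")),
    ("SILVERBOLT", "kw-02", utc("2010-04-02 12:54:53")),
    ("SILVERBOLT", "kw-03", utc("2010-04-01 14:03:41")),
    ("OTHERIMPLANT", "xx-01", utc("2010-04-05 09:00:00")),
]


def victim_rows(callbacks, implant):
    """The table rows: per victim, first heard, last heard, callback count."""
    rows = {}
    for imp, victim, when in callbacks:
        if imp != implant:
            continue
        r = rows.setdefault(victim, {"first_heard": when, "last_heard": when,
                                     "callback_count": 0})
        r["callback_count"] += 1
        r["first_heard"] = min(r["first_heard"], when)
        r["last_heard"] = max(r["last_heard"], when)
    return rows


def density(callbacks, implant, depth="monthly"):
    """The charts: Callback Density is callbacks per period, Victim Density
    is distinct victims per period. Depth matches the page's selector."""
    fmt = {"monthly": "%Y-%m", "daily": "%Y-%m-%d"}[depth]
    per_period = defaultdict(lambda: {"callbacks": 0, "victims": set()})
    for imp, victim, when in callbacks:
        if imp != implant:
            continue
        p = per_period[when.strftime(fmt)]
        p["callbacks"] += 1
        p["victims"].add(victim)
    return {period: {"callback_density": v["callbacks"],
                     "victim_density": len(v["victims"])}
            for period, v in sorted(per_period.items())}


def stale_victims(rows, as_of, max_silence_days=14):
    """Victims not heard from for longer than the window, i.e. candidates for
    lowering to standby under the lifecycle slide (my addition)."""
    return sorted(v for v, r in rows.items()
                  if (as_of - r["last_heard"]).days > max_silence_days)


if __name__ == "__main__":
    rows = victim_rows(CALLBACKS, "SILVERBOLT")
    for victim, r in sorted(rows.items()):
        print(victim, r["first_heard"].isoformat(), r["last_heard"].isoformat(),
              r["callback_count"])
    print(density(CALLBACKS, "SILVERBOLT"))
    print("stale:", stale_victims(rows, utc("2010-04-16 00:00:00"), 12))
```

Victim Density falling while Callback Density holds steady is the signature of a shrinking victim set whose survivors beacon harder; the monthly buckets on the page hide that unless both series are read together.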
(S//SI) Survey Data

[Screenshot: raw host-survey output collected from a victim machine (WMI account and time-zone dumps, directory listings, ipconfig /all and net start). The legible portions:]

    SYSTEM2\NETWORK SERVICE    SYSTEM2    NETWORK SERVICE    S-1-5-20
    SYSTEM2\BUILTIN            SYSTEM2    BUILTIN

    ---------------------------- UserAccount --------
    AccountType  Caption                   Domain   FullName
    512          SYSTEM2\Administrator     SYSTEM2
    512          SYSTEM2\ASPNET            SYSTEM2  ASP.NET Machine Account
    512          SYSTEM2\Guest             SYSTEM2
    512          SYSTEM2\HelpAssistant     SYSTEM2  Remote Desktop Help Assistant Account
    512          SYSTEM2\SUPPORT_388945a0  SYSTEM2  CN=Microsoft Corporation,L=Redmond,S=Washingto...

    ---------------------------- Time Zone --------
    Bias  Caption      SettingID
    210   (GMT+03:30)

    ---------------------------- dir "C:\Documents and Settings\Administrator\desktop\"
     Volume in drive C has no label.
     Volume Serial Number is C437-1E2D

     Directory of C:\Documents and Settings\Administrator\desktop

    05/12/2011  05:31 PM    <DIR>          .
    05/12/2011  05:31 PM    <DIR>          ..
    05/08/2011  08:08 PM           131,915 1256691986[1].jpg
    05/08/2011  08:15 PM           155,166 croppedbusiness success - graph nip jpg nls2[1].jpg
    04/08/2011  09:48 PM               606 GetFLV.lnk
    05/03/2011  07:40 PM    <DIR>          Hardware
    05/03/2011  08:03 PM             2,473 Microsoft Office Excel 2007.lnk
    05/09/2011  06:40 PM             2,497 Microsoft Office Word 2003.lnk
    05/11/2011  11:24 AM             2,515 Microsoft Office Word 2007.lnk
    04/22/2011  01:15 PM             1,515 Paint.lnk
                   7 File(s)        296,687 bytes
                   3 Dir(s)  51,504,803,340 bytes free

    ---------------------------- dir "C:\Documents and Settings\Administrator\My Documents\"
     Volume in drive C has no label.
     Volume Serial Number is C437-1E2D

            Connection-specific DNS Suffix  . : MyDslDomain
            Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
            Physical Address. . . . . . . . . : 00-0E-7F-62-5C-49
            Dhcp Enabled. . . . . . . . . . . : Yes
            Autoconfiguration Enabled . . . . : Yes
            IP Address. . . . . . . . . . . . :
            Subnet Mask . . . . . . . . . . . :
            Default Gateway . . . . . . . . . :
            DHCP Server . . . . . . . . . . . :
            DNS Servers . . . . . . . . . . . :
            Lease Obtained. . . . . . . . . . : Thursday, May 19, 2011 11:39:16 AM
            Lease Expires . . . . . . . . . . : Saturday, May 21, 2011 11:39:16 AM

    These Windows services are started:

       Automatic Updates
       Background Intelligent Transfer Service
       Client Service for NetWare
       COM+ Event System
       Computer Browser
       Cryptographic Services
       DCOM Server Process Launcher
       DHCP Client
       Distributed Link Tracking Client
       DNS Client

[The address values of the ipconfig section are not legible on the slide. The file-size total is corrected to the sum of the seven listed files, 296,687 bytes.]
(U) DEADSEA

[Screenshot: XKEYSCORE (page banner TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, and NZL//20320108; "Warning: your password has expired!"), on the Search tab with the fingerprint navigation filter scrolled to: Ccne Byzantine Raptor Rolex, Ccne Byzantine Raptor Trajan 3, Ccne ... Command Packet (name partly illegible), Ccne Traffic, Ccne Victim Id, Ccne Zebedee Parse, Cdma All Metadata, Computer Serial Numbers, DNS High Entropy, DataFlurryPhoneInfoExtractor, Diameter AVP Metadata, Diameter Header Metadata, Dynamic DNS Updates, E Ticket, ESP SPI, Eclectic-plot, Electronic Attack Heuristics, Email, Encryption Steg Camo, Encryption Steg JSTEG, Exif Metadata, Expression Engine, FACEBOOK, Facebook Chat Jabber, Fourth Party CNE_DEADSEA_, Generic IDirect, Google Analytics, Google StreetView, Google StreetView Thumb, Google StreetView Tile, Gtp Pdp Context, HAWALA, Happyfoot, IE Cookies. The selected search is "Fourth Party CNE_DEADSEA_", with the standard Query Name, Justification, Additional Justification and Miranda Number fields and the DEADSEA-specific fields Datetime, activity, attribute_name, attribute_value, bluesmoke_id, computer_id, direction and implant_command, i.e. the fingerprint parses the foreign implant's traffic down to individual commands per victim computer. Current Time 2011-05-13 13:33:16 GMT; time window 1 day, 2011-05-12 00:00 to 2011-05-14 00:00.]
(S//SI) Discovery for 4th Party

[Screenshot: a CROSSBONES2 journal entry (banner DYNAMIC PAGE - HIGHEST POSSIBLE CLASSIFICATION IS TOP SECRET//COMINT//ORCON/NOFORN; menu Home, Entries, Reports, Activity Groups, User Groups, Tasking, Tags, Profile; navigation New Journal Entry, List Snippets, New Snippet, List Personas, New Individual, New Organization, List Events; entry actions Attach File, New Association, New Signature, Like This, Follow this Entry, Rescan for Data Facets, Export Events, Add a Link).]

(TS//SI//REL) Perfect Keylogger Activity
May 06, 2011. Warning: There are no diamond model events defined on this journal entry.

Content Enrichments: author [redacted]; project / user group: CYBERQUEST - MHS; intrusion sets: UNKNOWN; access: PUBLIC; source: SIGINT:FORNSAT; source site / source signal: USJ-759 / [redacted]; source classification: TOP SECRET//COMINT//REL TO USA, FVEY; source date: 2011-05-06 00:00:00 UTC.

(U//FOUO) This entry may contain information not fully assessed and is intended for analytic collaboration only. The recipient may not use, report or further disseminate this information unless or until it is published in a report.

Perfect Keylogger is installed on hostname DOM (Russian for 'home'), private IP address [redacted], for user 'Home'. Website surfing information and screenshots have been stored at an account at a Russian IP, inbox.ru mail server, and are being delivered to a U.S. IP. A courtesy copy of the logs is delivered to user [redacted], a Moscow-based software services company, member of a leading Russian technology group, probably [redacted]. Apparently, the victim(s) of the keylogging are members of the [redacted], possibly wife to the [redacted] referenced above, as well as [redacted]. ...Keylogger is probably installed to monitor children's and wife's activity. [redacted] is well-connected. Her email is [redacted]. She has a presence on LinkedIn, and her Facebook password was sniffed as [redacted]. Several other passwords for both [redacted] and [redacted] have been captured. Possibly [redacted] is Head of PR and Advertising at [redacted], Moscow. [redacted], director for Corporate Development at [redacted], probably husband.

Assigned Tags: direction, intent, result, methodology, phase, actor, victim, capability, infrastructure, geopolitical environment, technology, other: positive correlations, other: negative correlations.
(U//FOUO) Contact us

EMAIL: DL 4THPARTY
NSANET: GO 4THPARTY
JABBER: S2 CYBER ANALYSIS