TOP SECRET//COMINT//REL TO USA, FVEY

[Org chart: Tailored Access Operations (TAO) Targets Branch roles (Requirements, Targeting, Target Exploitation, Lead Technical Director for CNO, Strategist, Transgression Branch, Emerging Threats Branch; locations Hawaii, Georgia, Texas) alongside partner organizations: CES Office of Target Pursuit, Signals Survey and Analysis Division, Fourth Party, S2, S3, NTOC, SSG, partners.]

(U) What is 4th Party?

(S//SI//REL) 4th party collection leverages CCNE accesses to provide Foreign Intelligence from foreign CNE victims.

(U) Types of 4th party opportunities:
- (U) Passive Acquisition
- (U) Active Acquisition
- (U) Victim Stealing/Sharing
- (U) Re-purposing

(U) Passive Acquisition

(S//SI//REL) Passive acquisition utilizes mid-point collection to target information being ex-filtrated from victims of foreign CNE activities. This often involves CES efforts to decrypt or de-obfuscate the collected data.

[Diagram: Country A, foreign CNE C2 node, foreign CNE infrastructure, foreign CNE victims in Countries Y and V.]

(U) Active Acquisition

(S//SI//REL) Active acquisition utilizes end-point collection to target foreign CNE infrastructure in order to collect victim information.

(U) Victim Stealing/Sharing

(S//SI//REL) Victim stealing exploits weaknesses in foreign CNE implants and C2 systems to gain access to victims and either take control of the foreign implant or replace it with our own. This is NOT a disruption or CNA activity. It is solely used to further CNE accesses.

(U) Re-purposing

(S//SI//REL) Repurposing utilizes captured foreign CNE components (implants, exploits, etc.) to shorten the development cycle of our own CNE tools.

(U) 4th Party Decision Tree

(S//REL) The best sustained outcome is passive acquisition of valuable 4th party collected information. Where the 4th party is not collecting information of interest, but the victim is still of interest, victim stealing can be pursued. Where passive or cryptographic issues prevent or delay passive acquisition, active acquisition will be pursued.

(U) 4th Party Lifecycle

(S//REL) The prioritization, development and exploitation cycle is continuous until the priority is lowered to standby or the intelligence value is being realized through passive alone.

[Diagram: lifecycle cycle with stages Prioritize, Develop, ..., Passive.]

Fourth Party Example: VOYEUR

(U) VOYEUR Network Map
[Diagram: Iranian MOIS implant; redirectors; VOYEUR C2 servers; VOYEUR victims in several countries (labels include DK, US, CA, UK); SSL links; MOIS listening posts; Hezbollah listening posts.]

(U) VOYEUR Backend
[Screenshot: browser view of the "me2" web console (tabs: Console, Archive, Packed, Upload, RunThis, Sysinfo, Datamine, Pack All; bookmarks: Hez Start, MOIS Start, Infection Statistics).]

(U) VOYEUR SQL Interface
[Screenshot: phpMyAdmin 3.3.2 on localhost showing the "me2" database. Legible table names: Alias, AllowRules, AllowVersion, Attacks, DenyRules, Events, FileManCommands, ForwardLinks, Groups, RunThis, SenderLog, ShellRequests, Sysinfo-adaptor, Sysinfo-arp, Sysinfo-info, Sysinfo-program, Victims (others illegible). The SenderLog table is open with columns Id, User, FromName, FromEmail, ToEmail, ToName, AttackSerial, AttackId, GroupName, Message; the visible rows are messages sent by user admin through linkPlugin.]

[Slide: linkPlugin / docxpPlugin; screenshot of a hex dump of plugin content, largely illegible.]

(U) TUNINGFORK

[Screenshot: DIRTSHED / SEEKER "Index of Processed DIRTSHED" directory listing under /opt/me2/site/data/repository (snapshot dated 2011-05-04; entries dated 06-May-2011).]

[Screenshot: SEEKER ("turning exploration into knowledge") browser showing collected clients-archive.7z.001 files under /opt/me2/site/data/packed/default, with size, compressed size and hash columns, and a listing of FileMan and Report records dated 2011-01-08.]

(TS//SI//REL TO USA, FVEY) Project DIRTSHED
[Table: file-type counts with columns File Type, Hash, Language, Ccne, Classified, Hitlist, Overlaps; rows include SHOCKWAVE, SOURCECODE_C_CPP, SOURCECODE_JAVA, SOURCECODE_PHP, SOURCECODE_PYTHON, SOURCECODE_RUBY, SQLITE_DATABASE, TAR, TEXT, THUMBS_DB, TIFF, TRUETYPE, UNIX-BASH-SCRIPT, UNIX-PERL-SCRIPT, UNIX-SH-SCRIPT, UNIX_PASSWORD_FILE, UNKNOWN, UNKNOWN-ENORMOUS, UNKNOWN-HUGE (counts illegible).]

(TS//SI//REL) Example Victim Stealing
[Diagram: labels Targeted HTTP POST, HTTP GET url, POST Response, RUN_THIS url cmd, Transfer exefile, Unix OP station.]

(U//FOUO) Repurposing
[Screenshot: disassembler listing and function graph of SDSND32.DLL, function FUN_100012c0 (imports from USER32.DLL and KERNEL32.DLL, e.g. Sleep).]

(U) Current Efforts

(U) VicDB
[Screenshot: TAOSuite (TAO Application Suite) web page showing victim callback records with columns Last Heard, Callback Count, IpName, Country, dated April 2010; project label SILVER BOLT.]

(S//SI) Survey Data
[Screenshot: host survey output from a Windows machine: network adapter and DHCP lease details, local user accounts (Administrator, ASPNET, Guest, HelpAssistant, SUPPORT), time zone, directory listings and started services.]

(U) DEADSEA
[Screenshot: XKEYSCORE search interface with the fingerprint "Fourth Party CNE_DEADSEA_" selected among CCNE fingerprints (e.g. Byzantine Raptor, Zebedee), date range 2011-05-12 to 2011-05-14.]

(S//SI) Discovery for 4th Party
[Screenshot: CROSSBONES journal entry dated 2011-05-06 (source: SIGINT/FORNSAT, project CYBERQUEST-MHS, site USJ-759, intrusion set UNKNOWN). The entry notes that Perfect Keylogger is installed on a host, that captured browsing information and screenshots are stored at an account on a Russian mail server (inbox.ru) and delivered to a U.S. IP address, and that the keylogger was probably installed to monitor children's and wife's activity; names and addresses are redacted.]

UNCLASSIFIED//FOR OFFICIAL USE ONLY
Contact us: EMAIL: DL 4THPARTY (NSANET); GO 4TH PARTY; JABBER: S2 CYBER ANALYSIS