What's in the torrent:

The qateam/ folder is a copy of what appeared to be a QA server with copies of
all their FinSpy Mobile malware.

The www/FinFisher folder is a dump of https://www.gamma-international.de/FinFisher/
That's where their customers went to download whatever they had purchased.
Unfortunately, the downloads are all either encrypted zip or gpg files. But, on
the chance that the encryption can be cracked (throw enough GPU at the zip
files), it'll have everything. The only unencrypted thing in that part is
FinFisher/Sales, which does have some semi-interesting stuff like a price list.

The www/GGI folder is a copy of http://finsupport.finfisher.com/
A dump of its database is in Database.sql
That's where all their customers went for support questions. Often the
FinFisher staff would reply over e-mail, and unfortunately I wasn't able to
get the mail servers. The most interesting things there are the support_request
and feedback tables in the database combined with the Support/Attachments
folder. There's also some decent stuff in Product/Documents and Product/Updates.

The www/conf folder has the webalizer stats on their visitors.

The www/ffw folder has their FinFly-Web demo site.

Customers I've identified:

29 - the Bahraini group, in support requests they ask for help setting up a
website targeting activists in 14 Feb, and in another support request they
attach their C&C server logs. The names of people with admin access to the
FinSpy server are in the server logs, grep for "user name:"
Abdulla Husain, Ahmad, Abdulla Al Eid, Yousif Al Sadiq, Rizwan Saleem, Sayed
Ansar Husain, Humayun, and Mohammed Al Majed

From metadata in attached Word documents:
69 - PCS Security Pte Ltd
49 - Cliff Harris

From text in support_request or feedback table:
21 - Nasser Alnuaimi, Qatar State Security Bureau
82 - Sanjin Custovic, Intelligence-Security Agency of Bosnia and Herzegovina
73 - Peter Balogh, SSNS - NBSZ Hungary secret service
61 - Wim Bordeyne, gives work e-mail of h.isrd@skynet.be although skynet.be is
an ISP?
48 - Vietnam
65 - Nigeria
18 - Mongolia, and their email odmagnai@gmail.com appears in this whois record:
http://wq.apnic.net/apnic-bin/whois.pl?searchtext=MAINT-MN-NITSYSTEM&form_type=advanced

From their username in customer table:
34 - Dyplex
9 - Trovicor
10 - Elaman
23 - Cobham

From gpg key used for their product download:
68 - Jochen van der Wal, technical engineer for KLPD (Dutch police)

Other customer gpg keys that are on keyservers but don't identify them:
43 - USB on Fire <usbonfire@gmail.com>
14 - campo@campinator.com

Employees identified from gpg keys:
(1) Alfons Rauscher <alfons.rauscher@vervis.de>
1024 bit DSA key 66878388, created: 2013-04-17
(1) Hari Purnama (pgp) <hp@gammagroup.com>
2048 bit RSA key A7A4AC21, created: 2013-03-05
(1) Melvin Teoh (Gamma Group) <mt@gammmagroup.com>
2048 bit RSA key D81082F4, created: 2012-03-08
(1) Alexander Hagenah <ah@primepage.de>
2048 bit RSA key 3F895273, created: 2013-03-05

# From support.hackingteam.com.tar.gz's /root/.bash_history
./generate_client.sh FBI
./generate_client.sh CSDN
./generate_client.sh ALFAHAD
./generate_client.sh CNI
./generate_client.sh GIP
./generate_client.sh GNSE
./generate_client.sh IDA
./generate_client.sh INTECH
./generate_client.sh MACC
./generate_client.sh MKIH
./generate_client.sh MOI
./generate_client.sh NSS
./generate_client.sh ORF
./generate_client.sh PANP
./generate_client.sh PGJ
./generate_client.sh PP
./generate_client.sh SKA
./generate_client.sh SSNS
./generate_client.sh TNP
./generate_client.sh UAEAF
./generate_client.sh UZC