SHOW:
|
|
- or go back to the newest paste.
| 1 | Whats in the torrent: | |
| 2 | ||
| 3 | The qateam/ folder is a copy of what appeared to be a QA server with copies of | |
| 4 | all their Finspy Mobile malware. | |
| 5 | ||
| 6 | The www/FinFisher folder is a dump of https://www.gamma-international.de/FinFisher/ | |
| 7 | That's where their customers went to download whatever they had purchased. | |
| 8 | Unfortunately, the downloads are all either encrypted zip or gpg files. But, on | |
| 9 | the chance that the encryption can be cracked (throw enough GPU at the zip | |
| 10 | files), it'll have everything. The only unencrypted thing in that part is | |
| 11 | FinFisher/Sales, which does have some semi-interesting stuff like a price list. | |
| 12 | ||
| 13 | The www/GGI folder is a copy of http://finsupport.finfisher.com/ | |
| 14 | A dump of it's database is in Database.sql | |
| 15 | That's where all their customers went for support questions. Often the | |
| 16 | finfisher staff would reply over e-mail, and unfortunately I wasn't able to | |
| 17 | get the mail servers. The most interesting things there are the support_request | |
| 18 | and feedback tables in the database combined with the Support/Attachments | |
| 19 | folder. There's also some decent stuff in Product/Documents and Product/Updates. | |
| 20 | ||
| 21 | The www/conf folder has the webalizer stats on their visitors | |
| 22 | ||
| 23 | The www/ffw folder has their FinFly-Web demo site. | |
| 24 | ||
| 25 | ||
| 26 | Customers I've identified: | |
| 27 | ||
| 28 | 29 - the Bahraini group, in support requests they ask for help setting up a | |
| 29 | website targetting activists in 14 Feb, and in another support request they | |
| 30 | attach their C&C server logs. The names of people with admin access to the | |
| 31 | FinSpy server are in the server logs, grep for "user name:" | |
| 32 | Abdulla Husain, Ahmad, Abdulla Al Eid, Yousif Al Sadiq, Rizwan Saleem, Sayed | |
| 33 | Ansar Husain, Humayun, and Mohammed Al Majed | |
| 34 | ||
| 35 | From metadata in attached word documents. | |
| 36 | 69 - PCS Security Pte Ltd | |
| 37 | 49 - Cliff Harris | |
| 38 | ||
| 39 | From text in support_request or feedback table: | |
| 40 | 21 - Nasser Alnuaimi Qatar state security bureau | |
| 41 | 82 - Sanjin Custovic, Intelligence-Security Agency of Bosnia and Herzegovina | |
| 42 | 73 - Peter Balogh, SSNS - NBSZ hungary secret service | |
| 43 | 61 - Wim Bordeyne, gives work e-mail of h.isrd@skynet.be although skynet.be is | |
| 44 | an ISP? | |
| 45 | 48 - Vietnam | |
| 46 | 65 - Nigeria | |
| 47 | 18 - Mongolia, and their email odmagnai@gmail.com appears in this whois record: | |
| 48 | http://wq.apnic.net/apnic-bin/whois.pl?searchtext=MAINT-MN-NITSYSTEM&form_type=advanced | |
| 49 | ||
| 50 | From their username in customer table: | |
| 51 | 34 - Dyplex | |
| 52 | 9 - Trovicor | |
| 53 | 10 - Elaman | |
| 54 | 23 - Cobham | |
| 55 | ||
| 56 | From gpg key used for their product download: | |
| 57 | 68 - Jochen van der Wal, technical engineer for KLPD (dutch police) | |
| 58 | ||
| 59 | other customer gpg keys that are on keyservers but it doesn't identify them: | |
| 60 | 43 - USB on Fire <usbonfire@gmail.com> | |
| 61 | 14 - campo@campinator.com | |
| 62 | ||
| 63 | Employees identified from gpg keys: | |
| 64 | (1) Alfons Rauscher <alfons.rauscher@vervis.de> | |
| 65 | 1024 bit DSA key 66878388, created: 2013-04-17 | |
| 66 | (1) Hari Purnama (pgp) <hp@gammagroup.com> | |
| 67 | 2048 bit RSA key A7A4AC21, created: 2013-03-05 | |
| 68 | (1) Melvin Teoh (Gamma Group) <mt@gammmagroup.com> | |
| 69 | 2048 bit RSA key D81082F4, created: 2012-03-08 | |
| 70 | (1) Alexander Hagenah <ah@primepage.de> | |
| 71 | - | 2048 bit RSA key 3F895273, created: 2013-03-05 |
| 71 | + | 2048 bit RSA key 3F895273, created: 2013-03-05 |
| 72 | ||
| 73 | # From support.hackingteam.com.tar.gz's /root/.bash_history | |
| 74 | ./generate_client.sh FBI | |
| 75 | ./generate_client.sh CSDN | |
| 76 | ./generate_client.sh ALFAHAD | |
| 77 | ./generate_client.sh CNI | |
| 78 | ./generate_client.sh GIP | |
| 79 | ./generate_client.sh GNSE | |
| 80 | ./generate_client.sh IDA | |
| 81 | ./generate_client.sh INTECH | |
| 82 | ./generate_client.sh MACC | |
| 83 | ./generate_client.sh MKIH | |
| 84 | ./generate_client.sh MOI | |
| 85 | ./generate_client.sh NSS | |
| 86 | ./generate_client.sh ORF | |
| 87 | ./generate_client.sh PANP | |
| 88 | ./generate_client.sh PGJ | |
| 89 | ./generate_client.sh PP | |
| 90 | ./generate_client.sh SKA | |
| 91 | ./generate_client.sh SSNS | |
| 92 | ./generate_client.sh TNP | |
| 93 | ./generate_client.sh UAEAF | |
| 94 | ./generate_client.sh UZC |
