
FINFISHER: FinSpy 3.00 User Manual


Contents

1. FFRelay Setup: Installing FFRelay. Please wait while the Setup Wizard installs FFRelay. During the installation the installer will open Notepad with the relay.cfg file, where the relay settings should be done:

   relay.cfg (configuration file for the Relay Module)
   list of ports for incoming target-side connections: CFG_TARGET_PORTS 2000
   next hops to connect (relays/proxy): CFG_NEXT_HOP_1 hostname 2050
   socket read/write timeout in seconds: CFG_SOCKET_TIMEOUT 10

   Note: sometimes the relay.cfg file is opened behind the installer. (FinSpy User Manual, p. 117)
   [Screenshot: the same relay.cfg opened in WordPad, with CFG_NEXT_HOP_1 set to 192.168.0.49 1111.]
   After editing the relay.cfg it needs to be saved and closed. The installer continues until the FinSpy Relay is installed. Completed the FFRelay Setup Wizard: click the Finish button to exit the Setup Wizard. The relay.cfg nee
2. 2.5.4 Update Manual: To update the FinSpy Master manually, the latest version can be obtained via E-Mail from the Gamma support. The two files will be finspy_master_2.xx.ggi and finspy_proxy_2.xx.ggi. The files must be copied to a USB Stick or burned to a CD/DVD. Mount the USB Stick or CD/DVD on the FinSpy Master (CD-ROM: sudo mount /media/cdrom0; USB Stick: sudo mount … /mnt/usb). Both files must be copied to the /tmp directory (CD-ROM: cp /media/cdrom0/… /tmp; USB Stick: cp /mnt/usb/… /tmp). Change the directory (cd /tmp) and execute the two files.
   2.5.5 Evidence Protection: By default the Evidence Protection feature is disabled. To activate it, the corresponding configuration switch in the finspy_master.cfg needs to be changed to True. To activate the changes the FinSpy Master needs to be restarted.
   2.5.6 E-Mail Notification: By default FinSpy Master is using its local MTA (Mail Transfer Agent); no Auth & TLS is used. The following parameters are necessary: IP Address of MTA: FIN_MX_NOTIFY_SERVER 127.0.0.1; SMTP Port: FIN_MX_NOTIFY_PORT 25; Authentication Mode: F
3. Quarter (25%): This will result in a percentage resize of the original resolution. Mode: Color or Black & White. Interval: beginning with 2 seconds and up to 1 hour. Automatic Recording: Application-based Screen Recording can additionally be performed. Either the whole screen or just the application window can be recorded if a certain application is running on the FinSpy Target. [Screenshot: Screen Capture Settings with Image Size, Mode, Frequency and the estimated size of a single frame (88 KB); the Application-based Recording list has the columns Application Category, Image Size, Mode and Frequency.]
   2.2.5.17 Configuration VoIP: The VoIP module gives the possibility of recording basically all kinds of applications which are used for Voice over IP communication, such as instant messengers or dedicated VoIP applications. It will trigger and record the audio channel bidirectionally if the Microphone and the Speakers are activated at the same time. It furthermore captures a snapshot of the screen after a few seconds to see with whom the FinSpy Target is communicating. Recording Options: Specify applications that should be recorded: All Applications, or by Application Category (Instant Messenge
4. General; Download Schedule; Alert Settings; User permissions. The following modules are available (Module Name, Module Icon, Available on the following OS): Accessed Files, Forensics Tools, Keylogger, Scheduler, Skype, Screen & Webcam.
   2.2.5.1 Configuration General
   2.2.5.1.1 Infection Executable Information: This information is not changeable. Infection Unique ID: an internal ID of the FinSpy Target Installer. Infection Name: given name of the target. Infection Owner: internal user ID of the user who generated the FinSpy Target. Max Infections: maximum number of FinSpy Targets which can be infected by the device or application. [Screenshot: Infection Unique ID 0x4BC46E35 (Auto Generated Unique Identifier); Infection Name demo MUC v2.20 (Descriptive Name of Target); Infection Owner 1037 (Name/UID of Agent); Max Infections 3 (Maximum number of targets that will be infected).]
   2.2.5.1.2 Hiding Techniques: It is possible to activate an advanced hiding method which allows the FinSpy Trojan to be more stealthy and extremely hidden. The following actions are taken if the FinSpy Trojan runs in User Mode: hides the network connections; hides the registry entries; hides the Trojan processes. The following actions are taken if the FinSpy Trojan runs in
5. IP address of the FinSpy Target System. Icon representing the Operating System running on the FinSpy Target machine. Operating System, including Service Pack, which runs on the FinSpy Target machine. FinSpy Target local time. FinSpy Target time zone and Daylight Saving Indicator. Indicator which shows if an Alert was set. Software Version of the FinSpy Target. Install Mode: indicates if the FinSpy Target is installed in MBR (Master Boot Record), Kernel Mode (as Administrator) or User Mode. License ID of the FinSpy Target. Online: list of FinSpy Targets connected to the internet and FinSpy Master. Offline: list of FinSpy Targets currently not connected to the Internet and FinSpy Master. Archived: list of FinSpy Targets not infected anymore. Clicking on a specific target opens all possible actions. Available actions depend on the status of the FinSpy Target (offline/online). Right-clicking on any column header allows the user to choose which columns shall be displayed.
   2.2.2.1 Target List Online: [Screenshot: context menu of an online target with Analyse Data, Visualize Data, Evidence Protection, Configuration, Live Session, Update, Remove Infection and Disconnect.] The possible actions of an online target are: Analyse Data: analyzes data which is already downloaded and available on the FinSpy Master. Visualize Data: shows the
6. Public Interface: Network Mode Manual (Static); IP Address / Gateway 192.168.222.100; Nameserver 1 192.168.0.1; Nameserver 2.
   2.3.1.4 Configuration Relay Network Configuration: The Relay Network Configuration defines a single relay or multiple relays for the connection of the FinSpy Target to the FinSpy Master or FinSpy Relay. These settings will be retrieved by the FinSpy Agent during creation of a FinSpy Target and set automatically. [Screenshot: Relay IP Address(es) / Relay Port(s): tiger gamma international de, ports 1111, 1112, 1113 (IP Address/Hostname, TCP Port(s)).]
   2.3.1.5 Configuration Email Notification: Settings for the Email notification can be set here. They can be differentiated in templates: Local MTA (the FinSpy Master Mail server); Predefined Free Mailer; Custom. [Screenshot: Email Notification Server smtp.googlemail.com, Port 465, Username user@gmail.com, Password password, Email Address user@gmail.com, From Name fs notifier, Auth Type login, SSL/TLS.] Every template needs some minor adjustments like sender Email address, username, password or the From Name.
   2.3.1.6 Configuration Updates: Updates of the FinSpy Master Software and the FinSpy Target Modules can be defined here. Both can be set to Automatic or Manual. Automatic Updates will be checked in a short interval which
7. [Screenshot: Evidence Signature Verification Tool 1.0. "Select the folder where the evidence files are stored" (here C:\Users\Test\Downloads\Evidence\…). In the exported folder each evidence item consists of a Text Document, a META File and a PKCS #7 Signature; the tool's result table lists Evidence Name, Date/Time and Status (Valid).]
8. Copy required certificates and the fin_target_licenses.txt from the Offline Master to the USB Stick: mount /dev/sdXX /mnt/usb; copy the files; umount /mnt/usb. Copy required certificates and the fin_target_licenses.txt from the USB Stick to the Remote Master: mount /dev/sdXX /mnt/usb; copy the files; umount /mnt/usb. To activate the changes the FinSpy Remote Master needs to be restarted.
   2.7.2 Offline Master Configuration: To set up the Offline Master the following parameters must be added into the finspy_master.cfg file: set Offline Master Mode (value OFFLINE); assume the FIN_TARGET_PROXY_1 values from the Remote Master (FIN_TARGET_PROXY_1: same values as on the Remote Master). To activate the changes the FinSpy Offline Master needs to be restarted.
   2.7.3 Data Transfer: It is necessary to transfer data from the Remote Master to the Offline Master, and then it needs to be imported into the database.
   2.7.3.1 Export Data from Remote Master: connect the Agent to the Remote Master; please select Data Transfer. A F
9. Proxy IP Address(es) / Proxy Ports: tiger gamma international de (IP Address/Hostname, TCP Port(s)).
   2.2.5.1.6 Application Based Events: Defines the behavior of the FinSpy Target if certain applications are running or not running on the FinSpy Target system. If Operation Mode is set to Disabled, the FinSpy Target communication with the FinSpy Master will not be affected by any running application in the system. When Operation Mode is set to Active for Event, the FinSpy Target will try to connect to the FinSpy Master only if the applications listed in the boxes are currently running. Operation Mode set to Inactive for Event suppresses the FinSpy Target communication with the FinSpy Master if one of the applications listed in the boxes is currently running. [Screenshot: Application Based Events: start/stop the communication depending on the currently running applications. Operation Mode: Disabled / Active for event / Inactive for event. Application Category (Messenger, E-Mail, File Sharing) and Applications (firefox: Mozilla Firefox; iexplore: Windows Internet Explorer).]
   2.2.5.2 Configuration Download Schedule: The download schedule will automate downloads of data. Automatic downloads can be initiated by time- and application-based events. A new tab will open with the separation of Application Events (1) and Time Events (2). On Add (3) new Time Events can be added. Save C
10. can be removed immediately from an online FinSpy Target or can be scheduled for removal from an offline FinSpy Target. Either way the license will be freed immediately and allocated to an unlicensed target.
   2.2.2.5 Target List Recorded Data Availability: A star (1) indicates that there is new Data on Master available. This means new data was downloaded from the FinSpy Target to the FinSpy Master. A bullet (2) indicates there is new Data on Target available. This means there is new recorded data available on the FinSpy Target (e.g. Keylogger recordings, Skype recordings, etc.) which is not transferred to the FinSpy Master yet. [Screenshot: Target List with the columns ID, M, T, Computer and online/offline targets such as demo MUC v2.20 on EEEPC and Trial KL on Toshiba NB 100.]
   2.2.3 Analyse Data: Analyse Data gives the possibility of showing all the recorded data which was transferred to the FinSpy Master. The recorded data can be viewed, deleted or exported. Analyse Data will show a list of all data recorded of the selected FinSpy Target. [Screenshot: context menu with Analyse Data and Evidence Protection.] All the data of the selected FinSpy Target is displayed as a list. All new entries in the list are di
11. [Screenshot: Windows Task Manager process list (taskmgr.exe, TrueCrypt.exe, TSVNCache.exe, …); Processes 65, CPU Usage 22%, Physical Memory 67%.] Now all the processes running on the machine will be shown, including FFRelayW and FFRelay.
   3.3 FinSpy Relay (Linux)
   3.3.1 Prerequisites: The software runs out of the box under normal circumstances. Hardware: minimal 256 MB RAM, recommended 512 MB RAM. Linux Distributions: Ubuntu, Debian. Software: monit should be installed (http://mmonit.com/monit). Further information can be obtained from the FinSpy Master section.
   3.3.2 Installation: To install the FinSpy Relay in Linux the Installer needs to be executed with root privileges. The filename is ffrelay_ubuntu_2.xx.ggi (run as root@localhost). [Installer output: Extracting Installation Files; Launching Installer; stopping FFRelay via the monit service ffrelay; Extracting Software Files to /usr/local/ffrelay, /usr/local/ffrelay/lib, /usr/local/ffrelay/bin, /usr/local/ffrelay/bin/ffrelay, /usr/local/ffrelay/updates, /usr/local/ffrelay/data, …]
12. [Screenshot: Live Session command shell. A dir of C:\ lists AUTOEXEC.BAT, CONFIG.SYS and the directories Documents and Settings, i386, Intel, Program Files, SUPPORT, Toshiba, VALUEADD, WINDOWS and Works (Volume Serial Number DC5F-C3A9, 110,498,902,016 bytes free); after cd Doc, a dir of C:\Documents and Settings shows the directories All Users and finfisher.] Commands need to be typed into the text box Command and executed by clicking Enter. The commands and their outputs are displayed.
   2.2.6.3 Live Session Forensics Tools: The Forensic tools module consists of predefined applications which can be uploaded to a FinSpy Target and then executed. Passwords: Email Clients Passwords, Internet Messenger Passwords, Internet Explorer Passwords, Windows Protected Storage Passwords, FireFox Passwords. Further tools: Microsoft Product Keys, Windows Updates, Opened Files, USB Devices, Installed Devices and Drivers, StartUp Applications
13. Admin Mode: hides the network connections; hides the Trojan processes. [Screenshot: Hiding Techniques: Active Hiding: "Use intrusive techniques to hide the infection files, folders, registry entries and network connections. By enabling this feature the infection becomes more susceptible to detection by rootkit reveal products."] If Active Hiding is activated it is more likely to be discovered by some rootkit detectors due to its aggressiveness within the system.
   2.2.5.1.3 Infection Self-removal: Computers which never go online may become infected by mistake and spread an infected application through an organization. To avoid keeping offline computers infected and still recording data, the FinSpy Target can remove itself. Scheduled Removal: date on which the FinSpy Target removes itself from the infected computer. Time-Out Removal: time after which the FinSpy Target removes itself from the infected computer if communication with the FinSpy Master fails, even if there is a functional internet connection. This removal will be disabled once the FinSpy Target contacts the FinSpy Master for the first time. [Screenshot: Scheduled Removal: Never ("Specify date when the FinSpy Target will automatically remove itself from the target"). Time-Out Removal: 1 Week ("The FinSpy Target will automatically remove itself from the target if it is unable to reach the master server within the configured timeframe").]
14. Configuring ddclient: "Please select the dynamic DNS service you are using. If the service you use is not listed, choose 'other' and you will be asked for the protocol and the server name." Dynamic DNS service provider: www.easydns.com, www.dslreports.com, www.zoneedit.com, other. Username which is registered on the service: "Please enter the username to use with the dynamic DNS service." Username for dynamic DNS service: test. Auto retrieval of the IP address: "Please choose whether ddclient should try to find the IP address of this machine via the DynDNS web interface. This is recommended for machines that are using Network Address Translation." Find public IP using checkip.dyndns.com. Updating host: "You'll have to select which host names to update using ddclient. You can select host names to update from a list taken from your DynDNS account, or enter them manually." Selection method for updated names: Manual. After the installation everything should run fine now with the host finspy-test.dyndns.com. If some configuration needs to be changed, the configuration file is located at /etc/ddclient.conf and should look like this:

   protocol=dyndns2
   use=web, web=checkip.dyndns.com, web-skip='IP Address'
   server=members.dyndns.org
   login=finspy-test
   password=dfUc 45XfP

   Username
15. FinSpy Target Recording can be scheduled at a specific date and time and for a given duration. [Screenshot: Scheduler Configuration Options, Time Events, with the columns Active, Module, Date/Time, Time Zone, Duration. Once: Microphone 2010-02-05 10:33 Local 00:30:00; Screen 2010-02-06 10:33 UTC 00:35:00. Daily and Weekly: "This category contains no items. Use the add button to add a new item." Monthly: Webcam 2010-02-26 10:34 Target 00:30:00.] To create a new scheduler the Add button is used. This will start the scheduled event generation wizard. There are three types of events which can be scheduled: Microphone recordings (records the primary installed microphone); Screen recordings (records screenshots at the configured frequency); Webcam recordings (records webcam frames at the configured frequency). After selecting the desired event type a new section will appear where the configuration of the selected Event can be defined. The following settings are available: Start Event Date: the day on which the recording should start. Event Time: the time of the already configured day when the recording should start. Time Zone: the time zone reference; available options are Local (the time refers to the time zone of the FinSpy Master), UTC (the time is expressed in Coordinated Universal Time) and Target (the time refers to the time zone of the target machine). I
16. To enable an exception, select its check box. [Screenshot: Windows Firewall Settings, Exceptions tab, program or port list: Connect to a Network Projector, Core Networking, Distributed Transaction Coordinator, File and Printer Sharing, iSCSI Service, Media Center Extenders, Microsoft Office Outlook, Netlogon Service, Network Discovery, Performance Logs and Alerts, Remote Administration; "Notify me when Windows Firewall blocks a new program".] Enter one of the ports where the FinSpy Relay listens for the Targets, or a port used by the FinSpy Relay to send out data. [Screenshot: Windows Firewall Settings (General, Exceptions, Advanced): "Windows Firewall is blocking incoming network connections, including the exceptions selected below. Windows Firewall is currently using settings for the public network location." Add a Port: "Use these settings to open a port through Windows Firewall. To find the port number and protocol, consult the documentation for the program or service you want to use." Name: Port 1111; Port number: 1111; Protocol: TCP/UDP.] Now the ports must be selected in the exception list to activate them. [Screenshot: Windows Firewall Settings (General, Exceptions, Advanced). Win
17. [Target History rows, continued: 2011-06-15 12:53:20 UTC, STUART, United Kingdom, Brentwood, 92.6.201.131, Online; 2011-06-15 13:40:39 UTC, STUART, United Kingdom, Brentwood, 92.6.201.131, Offline; …, STUART, United Kingdom, Brentwood, 92.6.201.131, Online.]
   2.2.9.4 Evidence Signature Verification Tool: An external tool is also provided to check the digital signature and analyze the exported evidence without the need of a FinSpy Master connection. The Evidence Signature Verification Tool can be run from a standalone PC. It is not necessary to have either the Evidence Data or the Evidence Signature Verification tool running on any FinSpy-related computer. The folder of the exported evidence needs to be selected (1) and afterwards simply checked (2). This will lead to a valid or invalid status. [Screenshot: exported evidence folder; for each recording there is a .txt file, a .txt.meta file and a .txt.p7s signature, e.g. 2010-04-16 12_49_41 04BC840C50AD007D.txt, .txt.meta and .txt.p7s, 2010-04-16 12_48_34 04BC840823920060.txt, .txt.meta and .txt.p7s, 2010-04-16 12_49_01 04BC8409D2C9006E.txt, .txt.meta and .txt.p7s, 2010-04-16 12_48_39 04BC840870C80063.txt, .txt.meta and .txt.p7s; Date modified 5/12/2010 8:06 AM.]
18. [Screenshot: Evidence Signature Verification Tool result table; every entry has Status Valid; the Comment column is empty.]
   2.2.10 Disconnect: If a session is established and active to a FinSpy Target, the session can be stopped gracefully through Disconnect. [Screenshot: context menu of an online target with Analyse Data, Visualize Data, Evidence Protection, Live Session.] Only one FinSpy Agent can connect to a FinSpy Target at a time. Therefore Disconnect allows another FinSpy Agent to connect to the FinSpy Target.
   2.2.11 Remove Data: Purging of data removes all data for the selected FinSpy Target from the FinSpy Master database. To initiate purging of recorded data, expand the respective FinSpy Target in the tab Target List and click on Remove Data. [Screenshot: archived target Asus eeePC 901 muc on EEEPC with the action Analyse Data.]
   2.2.12 Remove Infection: Remove Infection will irrevocably delete the Infection on the FinSpy Target, and a further infection is not possible without a restart of the FinSpy Target computer. [Screenshot: context menu of an online target with Evidence Protection and Analyse Data.]
   2.2.13 Create Target: A Target is an executable file or Office Document which includes all modules with which a FinSpy Target can b
19. [Screenshot: Windows Services (Local), FFRelayW selected, with the options Stop the service, Pause the service, Restart the service. Rows (Name, Description, Status, Startup Type, Log On As): DNS Client, Started, Automatic, Network Service; Extensible Authentication Protocol, Manual, Local System; Fax, Manual, Network Service; FFRelayW, Started, Automatic, Local System.] If the FinSpy Relay Monitoring service is stopped, the Relay is also stopped. To start the FinSpy Relay Monitoring, the FFRelayW service needs to be right-clicked and Start chosen. [Screenshot: the same Services list with FFRelayW not started (Startup Type Automatic, Log On As Local System) and the context menu offering Start, All Tasks, Refresh, Properties, Help.]
20. [Screenshot: Live Session File Access listing with the columns Size, Created and Attributes, e.g. ntuser.ini, 786,432 bytes, created 2008-04-25 12:50:57; a Refresh option.] A single click on a file expands it, giving more detailed information. To download the file, click Download (1) on the right. A Progress Bar at the bottom displays the download progress. The downloaded file can then be viewed through Analyse Data. Furthermore a refresh of the actual directory can be performed via right-clicking anywhere and Refresh (2).
   2.2.6.4.1 Live Session File Access Upload File: It is possible to upload files to the remote host with the Access Files function. [Screenshot: Access Files, Remote, Upload File: local file C:\Users\Test\Desktop\uploaded_file.txt, remote Path C:\Acer\uploaded_file.txt; the remote directory listing (Size, Created, Attributes) shows Acer, Empowering Technology, Book, Dokumente und Einstellungen, i386, Intel, MSOCache, Programme, RECYCLER, Sysinfo, System Volume Infor
21. opened files from an infected FinSpy Target. Due to the nature of Operating Systems a lot of files are opened all the time. Therefore enabling and configuration of this module is important and shall be handled with care. This module might trigger and copy a lot of files to the FinSpy Master. [Screenshot: Recording Options. Specify folders to watch for file access: All Drives & Folders; %HOMEDRIVE%%HOMEPATH%; %PUBLIC% ("Please provide one folder path or name per line"). Exceptions: %PROGRAMFILES%; %ProgramFiles(x86)%; %APPDATA%; %WINDIR% ("Please provide one folder path or name per line"). Supported system-defined constants: %ALLUSERSPROFILE%, %APPDATA%, %HOMEPATH%, %LOCALAPPDATA%, %ProgramData%, %PROGRAMFILES%, %SYSTEMROOT%, %USERPROFILE% and %WINDIR%. Record image files accessed by explorer.exe: "Determine whether image files accessed by explorer.exe are to be recorded. Enabling this option will cause a lot of recordings." File Options, specify which file types should be recorded: All Files; Image; PDF; Office; Video; HTML; PGP/GnuPG; Audio; Archives; Custom file types ("Please provide file extensions separated with semicolon, for example mp4;ogv;avi").]
   2.2.5.6 Configuration Changed Files: The Changed Files Module is in charge of recording the files which were modified while the module is enabled. The FinSpy Agent will provide a configuration for the Changed Files Modu
22. recordings on a visual graph. Evidence Protection: enables checking of Activity Logging and proofing evidence. Configuration: management of the FinSpy Target. Live Session: opens a live session to monitor a FinSpy Target live. Update: will update the FinSpy Target Core and all the modules. Remove Infection: removes the FinSpy Infection from the FinSpy Target. Disconnect: disconnect from the FinSpy Target.
   2.2.2.2 Target List Offline: [Screenshot: context menu of an offline target with Analyse Data, Visualize Data, Evidence Protection.] Possible actions for an infected offline target. An offline target still collects data locally, which can be downloaded any time the FinSpy Target goes online. Analyse Data: analyzes data which is already downloaded and available on the FinSpy Master. Visualize Data: shows the recordings on a visual graph. Evidence Protection: enables checking of Activity Logging and proofing evidence. Configuration: management of the FinSpy Target, even offline. Remove Infection: removes the FinSpy Infection from the FinSpy Target.
   2.2.2.3 Target List Archived: [Screenshot: context menu of an archived target with Analyse Data, Visualize Data, Evidence Protection, Remove Data.] Possible actions for a FinSpy target which is no longer infected. The recorded data is still persistent on the FinSpy Master, but the FinSpy target is not infected anymore. Analyse Data: analyzes data which is already downloaded and available on the FinSpy
23. to do this. In the following example a Linksys Router was chosen. In this case our FinSpy Master has the IP 192.168.1.102 and should retrieve packets on the Ports 21, 25, 80 and 443. [Screenshot: Linksys by Cisco WRT610N Simultaneous Dual-Band Wireless-N Gigabit Router, Firmware Version 2.00.00 B05, Applications & Gaming > Single Port Forwarding: entries for FTP, HTTP, SMTP and HTTPS forwarded to 192.168.1.102, Enabled.]
   2.10 FinSpy Master Dynamic DNS: If the FinSpy Master doesn't have the chance of retrieving a public static IP address, a dynamic DNS can be used. A dynamic DNS service allows users to have a subdomain that points to a computer with regularly changing IP addresses. On the FinSpy Master this can be realized with a small application called ddclient. ddclient is used to update dynamic DNS entries for accounts on Dynamic DNS Network Services' free DNS service. Various free DNS services can be used, like DynDNS.com. To use ddclient a registration is required on that page. To install ddclient: sudo aptitude install ddclient. It will ask several questions during the installation: Which service shall be used
24. [Hardware setup diagram, front and rear view: APC Smart-UPS 1000 (2x C14 / IEC 320 C13-C14, 3x Power Cable 220-240 VAC 50/60 Hz); 1x KVM Cable (VGA and USB); 1x Power Cable 110-240 VAC 50/60 Hz; Avocent 17" LCD; 8x KVM Copper RJ45 (8P8C); HP ProCurve 2124 (Type G); optional 1x 1000BASE-T one way to a Monitoring Center (Copper RJ45 8P8C); 1x 100BASE-T Internet connection (Copper RJ45 8P8C); from/to Workstations.]
   4.3 FinSpy Agent Setup: The following diagram gives a detailed view into the FinSpy Agent Hardware setup. [Diagram: FinSpy Workstation, front view: 1x Power Supply 100-240 V AC with cable (IEC C8, Type G); 1x Stereo Audio 3.5 mm (Logitech Headset); 1x USB Type A & B (Freecom 500GB); 1x 100BASE-T Copper RJ45 8P8C to the HP ProCurve 2124 (Type G).]
   5 SUPPORT: All customers have access to an after-sales website that gives the customers the following capabilities: download product information (latest user manuals, specifications, training slides); access the change log and roadmap for products; report bugs and submit feature requests; inspect frequently asked questions (FAQ). The after-sales website can be found at: htt
25. Table of contents (excerpt):
   2.2.2.4 Target List Licensing ... 21
   2.2.2.5 Target List Recorded Data Availability ... 22
   2.2.3 Analyse Data ... 23
   2.2.4 … ... 27
   2.2.5 Configuration ... 29
   2.2.5.1 Configuration General ... 32
   2.2.5.2 Configuration Download Schedule ... 36
   2.2.5.3 Configuration Alert Settings ... 38
   2.2.5.4 Configuration User Permissions ... 39
   2.2.5.5 Configuration Accessed Files ... 39
   2.2.5.6 Configuration Changed Files ... 40
   2.2.5.7 Configuration Command … ... 40
   2.2.5.8 … ... 41
   2.2.5.9 … ... 41
   2.2.5.10 Configuration Forensics Tools ... 41
   2.2.5.11 Configuration … ... 42
   2.2.5.12 Configuration … ... 42
   2.2.5.13 … ... 42
   2.2.5.14 Configuration … ... 43
   2.2.5.15 … ... 45
   2.2.5.16 Configuration Screen & Webcam ... 46
   2.2.5.17 Configuration VoIP ... 47
   2.2.5.18 Configuration Add & Remove Module ... 48
   2.2.5.19 Configuration Activate & Deactivate Module ...
[Screenshot: Target Activity view with the tabs (1) Activity Loggings and (2) Target History.]

Target Information:
- Target Name: SJ
- Target Unique Identifier (Target UID): 0xF0407E63
- Agent Name: FinFisher Sales 02
- Agent Unique Identifier (Agent UID): 1024
- Infection Date: 2011-06-17 02:55:22 UTC
- Infection Removal Date: (none)
- Operating System: Windows XP Service Pack 3, 32-bit
- Hostname: WS-SJ-1
- Username: SYSTEM

Collected Evidence (Keylogger): each recording is listed with Start, End, Type, Size and File, e.g. Start 2011-06-17 10:22:47 UTC, End 2011-06-17 10:22:47 UTC, Type Recording, Size 530 B.

2.2.9.3 Evidence Protection: Target History

This gives an overview of the historical information of a FinSpy Target, such as:
- Timestamp, with the FinSpy Master time represented in UTC
- The username of the logged-in user
- The country the Target was in
- The city the Target was in
- The public IP the Target connected from
- A brief description of the event

[Screenshot: Target History with columns Timestamp, Username, Country, City, Public IP and Activity. Rows: 2011-05-27 15:40:10 UTC, STUART, Unknown, Unknown, 92.6.207.32, Online (listed twice); 2011-05-27 15:40:34 UTC, STUART, United Kingdom, London, 92.6.207.32, Archived; 2011-06-15 11:02:36 UTC, STUART, United Kingdom, London, 92.6.207.32, Online; 2011-06-15 11:27:05 UTC, STUART, United Kingdom, Brentwood, 92.6.201131, Offline; 2011-06-15 11:29:59
2.3.3 Agent List

If the administrator of the FinSpy System wants an overview of all Agents, the Agent List can be used. It shows all necessary information about an Agent, such as its connection information.

[Screenshot: Agent List with columns Username, Login, Group, Agent UID, Login Time, Logoff Time, Connected From, Version and Connected To Target. Example row: user "alex", group System Administrator, Agent UID 2096151718, login time 2010-07-12 11:41:57, still logged in, connected from 217.165.148.226, version 2.36, connected to target "lh devel vmware xp".]

Columns:
- Name: description of the user
- Username: the username used to log in
- Group: the group to which the user belongs
- Agent UID: unique ID of each FinSpy Agent software installation
- Login Time: since when the user has been logged in
- Logoff Time: when the user logged off
- Connected From: the IP address from which the user logged in
- Version: the client version the user is using
- Connected To Target: the target the user is currently connected to

2.3.4 License Information

Licenses can be imported directly through the FinSpy Agent and become active immediately. The license provides the following information:
- Machine UID
- Software UID
- Software Name
- Customer UID
- Valid From
- Valid Until
- Number of Targets
- Number of Agents
- Version Type
- Status

[Screenshot: FinSpy license dialog. Machine UID; Software UID; Software Name: FinSpyV2; Customer UID: C71
(Customer UID, continued) 59182; Valid From: 8/13/2009 9:31 AM; Valid Until: 12/12/2012 7:21 PM; Number of Targets: 50 (13 in use); Number of Agents: 30; Version Type: Demo; Status: Valid, 556 days left. Button: Import License.]

2.3.5 LEMF Data Management

The LEMF Data Management feature allows the user to take control of the data flow from the FinSpy System to the configured monitoring centre. Data is collected on the FinSpy System into sessions. Once the configured time threshold or the configured data-quantity threshold is reached, the session is finalized and the data is transmitted to the configured Monitoring Centre. All transmitted sessions are archived and kept on the FinSpy System for the configured period of time. Through LEMF Data Management the user can review all transmitted sessions and can resend full sessions or only specific data from a given session ID.

[Screenshot: LEMF Data Management tab. Transmitted Data Statistics: Transmitted Sessions: 0, containing 0 files with a total of 0 B; Current open session: 0 files with a total of 0 B; Last Transmission: 1/1/1970 12:00:00 AM (the Unix epoch, i.e. no session has been transmitted yet); Retransmitted Sessions: 0, containing 0 files with a total of 0 B. Data Retransmission: Archived Sessions table with the columns Session ID, Session Start, Session End, Size, Files, Recording and Description.]
[Screenshot: Forensics Tools application list; visible items include Chrome Passwords, Opera Passwords, Outlook Personal Folder Passwords, Current Opened Ports, Internet Explorer History, Wireless Networks Keys, Firefox History, DialUp and VPN Credentials, Last Internet Searches, Network Passwords and Browser Favourites and Bookmarks.]

Currently the following applications exist; they are divided into the following categories:

System:
- Microsoft Product Keys
- Windows Updates
- Opened Files
- USB Devices
- Installed Devices and Drivers

Network/Internet:
- Current Opened Ports
- Wireless Networks Keys
- DialUp and VPN Credentials
- Network Passwords
- Internet Explorer History
- Firefox History
- Last Internet Searches
- Browser Favourites and Bookmarks

Passwords:
- Email Clients Passwords
- Internet Messenger Passwords
- Windows Protected Storage Passwords
- Internet Explorer Passwords
- Firefox Passwords
- Chrome Passwords
- Opera Passwords
- Outlook Personal Folder Passwords

Each item additionally shows a short description of its functionality as soon as the mouse hovers over it. For example, Network Passwords shows the following description: "Retrieve network shares and .NET Passport accounts".

If an application is uploaded to the FinSpy Target, it stays on the system until it is deleted; for further executions it does not need to be uploaded again. The statuse
[Screenshot: Data Analysis overview; SESSION_TIME_MASTER 2010-07-21 11:17:04, MasterRefTimeStart 2010-07-21 11:03:02.]

1. The overview is divided by modules.
2. The amount of recording per module is shown. Additionally, the options Change Importance, Export Record and Remove Record can be selected.
3. Meta information for each recording can be viewed when a recording is selected.

To navigate through date and time, the mouse can be used either via the mouse wheel (up/down) or by dragging the scrollbar.

2.2.5 Configuration

To access the configuration of an infected FinSpy Target, the target needs to be selected and Configuration clicked.

[Screenshot: expanded target "Alex FinSpy 3.00" (Online, SYSTEM, Unknown/Unknown) with the actions Analyse Data, Evidence Protection and Configuration.]

A new window opens within the FinSpy Agent. The following image illustrates the layout of the FinSpy Target configuration.

[Screenshot: "Alex FinSpy 2.50 Configuration". The left pane lists the modules Microphone, Changed Files, Command Shell, Deleted Files, File Access, Forensics Tools, Keylogger, Printer, Scheduler, Skype and Screen & Webcam; the right pane shows the General Configuration Options.]

Infection Executable Information:
- Infection Unique ID: 0x4CAC3BCF (auto-generated unique identifier)
- Infection Name: Alex FinSpy 2.50 (descriptive name of the target)
- Infection Owner: alex (1014) (name and UID of the agent)
- Max Infections: 3 (maximum num
(continued) Evidence Verification tool in order to ensure the integrity of the exported evidence.
- Import Certificate: enables you to use a custom certificate for signing acquired evidence.
- Activity Logging Level: configures the verbosity of the activity log file.

2.3.1.8 Configuration: LEMF Interface

For the integration of an external LEMF interface this option must be enabled. The FinSpy Master server has a dedicated network interface (eth2) for these interactions. To specify the external database, the following options can be given:
- Server
- Port
- Interval Limit
- Datasize Limit
- Archive Lifetime

[Screenshot: LEMF Interface settings; Data submission: Disabled. Hint text: "Enable the Submission Interface in order to transmit all received Data over the dedicated network interface to an external Database."]

2.3.2 Show Logfiles

The Logfile viewer lets you monitor the logs of the FinSpy Master conveniently. The log is divided into three categories:
- Info
- Warning
- Error

All entries are shown with their Date, Category and Event Description. Additionally, all the data can be exported to view the log files offline or with another editor.

[Screenshot: Master Logfile with columns Date, Category and Event Description. Example rows: "Wed Jun 23 17:01:08 2010, INFO, Software Info"; "Wed Jun 23 17:01:08 2010, INFO, Maste
FINFISHER: IT INTRUSION (www.gammagroup.com)

FinSpy User Manual
Copyright 2011 by Gamma Group International, UK
Date: 2011-06-05

Release information (versions 1.0 to 1.8; authors HT, AH and LH):
- 2010-05-13: Initial version (1.0)
- 2010-05-26: Change licensing
- 2010-05-27
- 2010-07-21: Update to FinSpy 2.40; add Remote and Offline Master configuration
- FinSpy Agent: almost complete screenshot replacement
- FinSpy Master: change Remote and Offline Master
- FinSpy Master: add manual update
- Misc: minor changes in different locations
- FinSpy Agent: added section Visualized Data
- 2011-06-05: Update to FinSpy 3.00
- 2010-08-02: FinSpy Agent: added section Target Licensing

Table of Contents

1 ... 5
2 ... 6
2.1 ... 10
2.2 FinSpy Agent User Manual ... 15
2.3 FinSpy Agent Administration ... 74
3 ... 86
3.1 FinSpy Master Installation ... 88
3.2 FinSpy Master Configuration ... 90
3.3 FinSpy Master Proxy Configuration ... 97
3.4 FinSpy Master Remote and Offline Master Configuration ... 98
3.5 ... 104
3.6 FinSpy Master Port Forwarding ... 105
3.7 FinSpy Master Dynami
(continued)
    Authentication mode:                    FIN_MX_NOTIFY_AUTH      plain
    Sender (SMTP domain, case sensitive):   FIN_MX_NOTIFY_SENDER    fs@<FinSpy MP>
    Alias (arbitrary):                      FIN_MX_NOTIFY_ALIAS     fs-notifier

FinSpy Master can also use a free webmail service (e.g. Gmail) to transport all notification messages. Most of them require authentication and TLS:

    Hostname (Gmail SMTP server):   FIN_MX_NOTIFY_SERVER        smtp.gmail.com
    SMTP port:                      FIN_MX_NOTIFY_PORT
    Gmail username:                 FIN_MX_NOTIFY_USER          user@gmail.com
    Gmail password:                 FIN_MX_NOTIFY_...           top-secret
    TLS (required by Gmail):        FIN_MX_NOTIFY_TLS_ENABLE    yes
    Auth type login:                FIN_MX_NOTIFY_AUTH          login
    Sender (Gmail username):        FIN_MX_NOTIFY_SENDER        user@gmail.com
    Alias (arbitrary):              FIN_MX_NOTIFY_ALIAS         fs-notifier

Note that with the webmail variant the notifier password is stored in clear text in the configuration file and every alert passes through the third-party provider.

The FIN_MX_NOTIFY_ALIAS acts as the sender name, e.g.:

    From: fs-notifier <FinSpy MP>
    Subject: finspy MTA check

To activate the changes, the FinSpy Master needs to be restarted.

2.6 FinSpy Master Proxy Configuration

The FinSpy Proxy needs only minimal setup, as almost everything is already preconfigured. The FinSpy Proxy needs to know on which ports it will listen. The main configuration fi
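The two notification setups above differ only in where the mail goes (the local MTA without authentication, or a remote webmail server with LOGIN authentication and TLS). The script below is an added example, not code from the manual: it parses the FIN_MX_NOTIFY_* settings and flags the weak combinations (a remote MTA without TLS, LOGIN/PLAIN authentication without TLS, a password kept in the configuration file). It assumes that the keys are written with underscores as KEY = VALUE or KEY VALUE, since the manual's listing lost its punctuation, and that the password parameter is named FIN_MX_NOTIFY_PASS; both are assumptions, and the sample configurations are constructed.

```python
"""Audit FIN_MX_NOTIFY_* mail-notification settings.

Added example, not code from the FinSpy manual. Assumptions:
- keys are written KEY = VALUE or KEY VALUE and carry underscores
  (the manual's listing lost its punctuation);
- the password parameter is named FIN_MX_NOTIFY_PASS (assumed name).
"""
import re

LINE_RE = re.compile(r"^\s*(FIN_MX_NOTIFY_[A-Z_]+)\s*[=\s]\s*(.*?)\s*$")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_notify_config(text):
    """Return {key: value} for the FIN_MX_NOTIFY_* lines; '#' starts a comment."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        m = LINE_RE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2).strip('"')
    return cfg


def audit_notify_config(text):
    """Return the list of weaknesses found (empty list = nothing to report)."""
    cfg = parse_notify_config(text)
    findings = []
    server = cfg.get("FIN_MX_NOTIFY_SERVER", "")
    auth = cfg.get("FIN_MX_NOTIFY_AUTH", "none").lower()
    tls = cfg.get("FIN_MX_NOTIFY_TLS_ENABLE", "no").lower() in ("yes", "true", "1")
    # The manual's default (local MTA, no auth, no TLS) is acceptable only
    # because the connection never leaves the host; a remote MTA needs TLS.
    if server not in LOOPBACK and not tls:
        findings.append("remote-mta-without-tls")
    # LOGIN and PLAIN send the password merely base64-encoded, i.e. in clear.
    if auth in ("login", "plain") and not tls:
        findings.append("cleartext-credentials")
    if auth in ("login", "plain") and not cfg.get("FIN_MX_NOTIFY_USER"):
        findings.append("auth-without-user")
    if cfg.get("FIN_MX_NOTIFY_PASS"):  # assumed key name, see module docstring
        findings.append("password-in-config-file")
    return findings


# Constructed sample configurations (not taken from a real installation).
LOCAL_MTA = """\
FIN_MX_NOTIFY_SERVER = 127.0.0.1
FIN_MX_NOTIFY_PORT   = 25
FIN_MX_NOTIFY_AUTH   = none
"""

WEBMAIL_NO_TLS = """\
FIN_MX_NOTIFY_SERVER     = smtp.example.net
FIN_MX_NOTIFY_PORT       = 587
FIN_MX_NOTIFY_USER       = notifier@example.net
FIN_MX_NOTIFY_PASS       = top-secret
FIN_MX_NOTIFY_TLS_ENABLE = no
FIN_MX_NOTIFY_AUTH       = login
"""

WEBMAIL_TLS = WEBMAIL_NO_TLS.replace("TLS_ENABLE = no", "TLS_ENABLE = yes")

if __name__ == "__main__":
    for name, cfg in (("local MTA", LOCAL_MTA),
                      ("webmail, no TLS", WEBMAIL_NO_TLS),
                      ("webmail, TLS", WEBMAIL_TLS)):
        print(f"{name}: {audit_notify_config(cfg) or 'ok'}")
```

The local-MTA default audits clean; the webmail setup still reports the stored password even once TLS is enabled, which is the reminder that the configuration file itself needs restrictive permissions.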
(continued) Master.
- Visualize Data: shows the recordings on a visual graph.
- Evidence Protection: enables checking of the activity logging and proving of evidence.
- Remove Data: removes the recorded data from the FinSpy Master.

2.2.2.4 Target List: Target Licensing

The number of FinSpy Targets that can be monitored on the system is part of the license information, which is imported on the FinSpy Master during installation. After infection, the FinSpy Target has no associated license and all of its data-collecting features are disabled. The FinSpy Master allocates a license to the newly infected FinSpy Target if one is available. If no license is available, the FinSpy Agent can still see the FinSpy Target in the Target List but can only work with it in a limited way until an existing infection is removed. Previously gathered data can still be analyzed. Once a license is assigned to the FinSpy Target, all features become available and the user gains full control over the FinSpy Target. If all licenses are in use, newly infected FinSpy Targets are shown as disabled until a new license becomes available.

[Screenshot: Target List entry "omo test" (SYSTEM, LAN) with the actions Analyse Data, Evidence Protection, Visualize Data (Beta) and Remove Infection; the other target actions are unavailable, with the note "Target actions are limited due to licensing limitation".]

To free a license, an existing infection has to be removed from a licensed FinSpy Target. The infection
(continued) FinSpy Target and other parties will be recorded.
- File Transfers: all file transfers between the FinSpy Target and other parties will be recorded.
- Contact List: the contact list of the FinSpy Target will be recorded.

Sound Quality (2): decreasing the quality of the voice recording may save up to 80 percent of space. The selected sound quality can be tested under "Listen to Sample", which plays a sample at the selected quality.

File Options (3): to record file transfers via Skype, file recording can be enabled or disabled for specific or all file types. Custom file types can be entered as well.

[Screenshot: Skype Configuration Options. Recording Options (1): Phone Calls, File Transfers, Text Messaging, Contact List. Phone Calls Recording Options (2): Sound Quality, Listen to Sample, "Estimated encoding size for 1 minute recordings: 90 KB". File Options (3): "specify which file types should be recorded": All Files, Custom file types (entered as a list of extensions).]

2.2.5.16 Configuration: Screen & Webcam

Recording the screen of the FinSpy Target and the webcam (if available) is possible with this module. Screen and Webcam have the same settings, which can be applied separately.

Quality: Best, High, Normal, Low
Image Size: Original (100%), Normal (80%), Half (50%)
Time Zone: which time zone the event should refer to:
- Target
- Local
- UTC

2.2.5.3 Configuration: Alert Settings

The FinSpy Master can alert via e-mail if a target status changes. Alert messages are generated by the FinSpy Master. Alerts can be triggered on the following events:
- Target Online: an alert is triggered if a FinSpy Target changes its status from Offline to Online.
- Data Available: an alert is triggered if a FinSpy Target has recorded new data that has not yet been transferred to the FinSpy Master.
- Data Downloaded: an alert is triggered if the FinSpy Master has downloaded new data from the FinSpy Target.

[Screenshot: Alert Settings for "Alex FinSpy 2.50" with columns Email Address, Target Online, Data Available and Data Downloaded; example entry john.doe@hotmail.com.]

2.2.5.4 Configuration: User Permissions

Within this configuration, ADMINISTRATOR and SYSTEM ADMINISTRATOR can define rules that allow certain users to perform certain actions on the FinSpy Target. The user management within a target looks like the following:

[Screenshot: User Permissions table with columns Username, Analyse Data, Live Session, Configuration, Update, Remove Infection and Delete Data; example users lucian, 2nd user (lh) and James Tester; button Add Users.]

Note: only regular users can be added or removed; administrators always have full permissions.

2.2.5.5 Configuration: Accessed Files

The Accessed Files module records
[Screenshot: Target List. Columns: Name, Hostname, Username, Country, City, Public IP, Operating System, Version, Install Mode. Rows: ... Service Pack 3, 2.20, Kernel Mode; demo, JKTRZSGH5020C2M, Public, Indonesia, Jakarta, 202.77.118.2, Windows XP Service Pack 2, 2.15, User Mode; test3, JOHN-SMITH, SYSTEM, Germany, Leipzig, 195.16.80.12, Windows XP Service Pack 3, 2.17, User Mode; ELEPHANT, WS83765, SYSTEM, United Kingdom, Saint Albans, 92.2.203.122, Windows XP Service Pack 3, 2.20, Kernel Mode; Pretoria Test 2, YOUR-6A27BCA44F, SYSTEM, South Africa, Pretoria, 41.19.48.196, Windows XP Service Pack 3, 2.15, User Mode; test indo, FRONTDESK, SYSTEM, Indonesia, 118.99.65.11, Windows Vista Service Pack 2, 2.20, Kernel Mode; Toshiba NB 100, LH-MINI, SYSTEM, Malaysia, Petaling Jaya, 175.144.48.73, Windows XP Service Pack 3, 2.20, Kernel Mode; Toshiba NB 100, WS83765, SYSTEM, Malaysia, 175.137.114.131, Windows XP Service Pack 3, 2.20, User Mode. The details pane additionally shows OS Details, Target Time, Local IP and Install Mode.]

The following information about infected FinSpy Targets is available:
- M (Data on Master): new downloaded data is available on the FinSpy Master.
- T (Data on Target): new data is available on the FinSpy Target and ready to download.
- Name: name of the FinSpy installer package (changeable after infection).
- UID: FinSpy Target unique identifier.
- Hostname: system name of the Target.
- Username: the system user under which the FinSpy infection operates.
- Country: country in which the FinSpy Target is located (detected by public IP).
- City: city where the FinSpy Target is located (detected by public IP).
- Public IP: public IP address of the FinSpy Target.
(continued) and Password can easily be edited.

3 FinSpy Relay ... 108
4.1 FinSpy Relay Configuration Options ... 110
4.2 ... 111
4.2.1 ... 111
4.2.2 ... 114
4.2.3 ... 118
4.3 ... 120
4.3.1 ... 120
4.3.2 ... 121

The FinSpy Relay handles and relays all connections from the FinSpy Target to the FinSpy Master. The FinSpy Relay acts as a proxy between those two endpoints, so there is no direct connection from the FinSpy Target to the FinSpy Master; only the relay address is visible from the Target's side. The FinSpy Relay can reside anywhere in the world. It is a small program that can be installed on most Windows and Linux operating systems.

[Figure: FinSpy Target 1 and FinSpy Target 2 connect through FinSpy Relay 1 to 4 to the FinSpy Master.]

3.1 FinSpy Relay Configuration Options

The FinSpy Relay runs according to the settings in the relay.cfg file, which can be found in the following directories:
- Windows: in the same directory as the binaries where FinSpy Relay was installed
- Linux: /usr/local/ffrelay/data

The relay.cfg file contains the following settings:

CFG_TARGET_PORTS: contains the ports on which the FinSpy Relay listens for incomin
Organized Crime: FinSpy was covertly deployed on the mobile phones of several members of an organized crime group. Using the GPS tracking data and silent calls, essential information could be gathered from every meeting held by this group.

Downloads: Catalog (352 KB), Specifications (2.38 MB), Video (4.68 MB).

Copyright 2010 Gamma International GmbH. All Rights Reserved. Site Map.
GAMMA INTERNATIONAL, United Kingdom. Tel +44 1264 332 411, Fax +44 1264 332 422. www.gammagroup.com, info@gammagroup.com
(continued) as Annodex. It is released under a BSD license, so it can be used by both open-source and commercial applications. WebM support is based on versioned snapshots from the WebM Project.

Version 0.85.17766 (19 December 2010): updates the VP8, Theora and Vorbis codecs; the ActiveX video player gains support for the controls attribute; various bug fixes. For more information see the News page.

Downloads: Windows 32/64-bit installer opencodecs_0.85.17766.exe (2.53 MB). For more information see the Downloads page.

Just follow the installation steps; no further changes need to be made. All audio and video can now be played within Windows Media Player.

2.1.1.3 Disable AutoPlay

The AutoPlay feature enables Windows to pop up the default options when a removable drive such as a USB flash drive or CD-ROM is inserted. The manual states that AutoPlay is disabled by default in Windows 7 for security reasons. To check whether AutoPlay is disabled on the installation, follow these steps.

[Screenshot: AutoPlay dialog for "Removable Disk (G:)" offering options for pictures and videos, general options, "Use this drive for backup" and "View more AutoPlay options in Control Panel".]

To disable AutoPlay:
1. Go to Control Panel > Hardware and Sound > AutoPlay.
2. Uncheck "Use AutoPlay for all media and devices".
3. Click Save.
(continued) that must be .doc or .xls and NOT .docx or .xlsx.

Any file (e.g. .jpg, .avi, .ppt) can be used to merge with the FinSpy Target. The file extension changes to filename.extension.exe. If Infected File was chosen, another technique can be used to be even more covert: the filename makes use of a right-to-left (RTL) override, so that the name is displayed as filename.jpg although the file still ends in .exe.

Bootable CD/DVD: with this infection technique a bootable CD or DVD is created, with which the Target system is infected on boot.

Infection Dongle:
[Screenshot: Infection Dongle options, Bootable Infection Dongle and Runtime Infection Dongle, each with a short description.]
- Bootable Infection Dongle: creates a USB infection that allows infecting the Target system during boot.
- Runtime Infection Dongle: creates a USB infection dongle with automatic execution.

2.3 FinSpy Agent Administration

The Administration section in the left pane of the FinSpy Agent makes it possible to make changes to the FinSpy Master, view log files, or display who is currently using the system. To view and change these setting
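The double extension (filename.jpg.exe) and the right-to-left override described above are both detectable from the file name alone. The following is an added example, not code from the manual or from the product: it reconstructs how a file manager would display a name containing U+202E (RIGHT-TO-LEFT OVERRIDE), compares the displayed extension with the real one, and flags a decoy extension in front of an executable one. The extension lists and the sample names are constructed for the example.

```python
"""Flag file names disguised with a double extension or a Unicode
right-to-left override (U+202E). Added example, not code from the manual."""

# Extensions Windows executes on double-click (assumed, not exhaustive).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Harmless-looking extensions typically used as the decoy (assumed list).
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".xls",
                    ".ppt", ".avi", ".txt"}
# Unicode bidirectional controls that are invisible but reorder the display.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}


def displayed_name(name):
    """Approximate the rendered name: text after a U+202E override is shown
    reversed up to a terminating U+202C; other bidi controls are invisible."""
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
            continue
        if ch not in BIDI_CONTROLS:
            out.append(ch)
        i += 1
    return "".join(out)


def strip_bidi(name):
    return "".join(c for c in name if c not in BIDI_CONTROLS)


def analyze_filename(path):
    """Return a list of findings for a path; an empty list means nothing suspicious."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    findings = []
    if any(c in BIDI_CONTROLS for c in base):
        findings.append("bidi-control-in-name")
    real = strip_bidi(base).lower()
    parts = real.split(".")
    actual_ext = "." + parts[-1] if len(parts) > 1 else ""
    if actual_ext in EXECUTABLE_EXTENSIONS:
        # photo.jpg.exe: a decoy extension directly before the executable one
        if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTENSIONS:
            findings.append("double-extension")
        # report<RLO>gpj.exe renders as reportexe.jpg: displayed ext != real ext
        shown = displayed_name(base).lower()
        shown_ext = shown[shown.rfind("."):] if "." in shown else ""
        if shown_ext != actual_ext:
            findings.append("displayed-extension-mismatch")
    return findings


if __name__ == "__main__":
    # Constructed sample names.
    for sample in ("holiday.jpg.exe", "report\u202egpj.exe", "notes.txt"):
        print(repr(displayed_name(sample)), analyze_filename(sample))
```

The check works on the name only, so it belongs in mail-gateway and endpoint file-write monitoring alongside content inspection; it will not see an executable whose name is entirely innocuous.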
(Max Infections, continued) maximum number of targets that will be infected.

Hiding Techniques:
- Active Hiding: uses intrusive techniques to hide the infection's files, folders, registry entries and network connections. Enabling this feature makes the infection more susceptible to detection by rootkit-revealing products.

Infection Self-Removal:
- Scheduled Removal (Never): specifies a date on which the FinSpy Target will automatically remove itself from the target system.
- Time-Out Removal (1 week): the FinSpy Target automatically removes itself from the target system if it is unable to reach the Master server within the configured timeframe.

Target Settings:
- Target Name: Alex FinSpy 2.50 (descriptive name of the target).
- Heartbeat Interval: 30 seconds (slider from 5 to 120): delay between call-backs from the Target to the Master server.
- Download Speed Limit: 1024 kb/s (unlimited): limits the bandwidth usage to a maximum transfer rate.

Proxy Settings:
- Proxy IP Address(es): tiger.gamma-international.de (IP address or hostname)
- Proxy Port(s): 1111, 1112, 1113 (TCP ports)

Application Based Events: start/stop the communication depending on the currently running applications (Operation Mode).

The workspace is divided into two parts: the left part contains the modules and the different configuration options, and the right part is where module-specific configuration options can be set.

Configuration Options
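The Heartbeat Interval above (and the identical Relay and Heartbeat settings in the Create Target wizard) describe a fixed-cadence call-back from the Target to its relay on a small set of TCP ports. That regularity is what a network defender can look for: connections from one host to one destination and port with near-constant inter-arrival times. The following is an added example, not code from the manual: it groups constructed connection-log lines by (source, destination, port) and flags flows whose inter-arrival jitter is small. The log format (epoch seconds, source, destination, port) and the thresholds are assumptions.

```python
"""Detect periodic call-backs ("heartbeats") in connection logs.
Added example, not code from the manual; the log lines are constructed
and the "epoch src dst dport" format is assumed."""
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed sample: a 30 s beacon to TCP/1111 and interactive HTTPS browsing.
SAMPLE_LOG = """\
1307325600 10.0.0.5 203.0.113.10 1111
1307325630 10.0.0.5 203.0.113.10 1111
1307325661 10.0.0.5 203.0.113.10 1111
1307325690 10.0.0.5 203.0.113.10 1111
1307325720 10.0.0.5 203.0.113.10 1111
1307325751 10.0.0.5 203.0.113.10 1111
1307325780 10.0.0.5 203.0.113.10 1111
1307325602 10.0.0.7 198.51.100.20 443
1307325614 10.0.0.7 198.51.100.20 443
1307325700 10.0.0.7 198.51.100.20 443
1307325703 10.0.0.7 198.51.100.20 443
1307325890 10.0.0.7 198.51.100.20 443
1307325891 10.0.0.7 198.51.100.20 443
1307326300 10.0.0.7 198.51.100.20 443
"""


def parse_log(text):
    """Group connection timestamps by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(int(ts))
    return flows


def beacon_score(timestamps):
    """Return (median_gap, jitter) for a flow, or None if it has fewer than
    three connections. jitter = stdev/mean of the inter-arrival gaps, so a
    perfectly regular heartbeat scores 0 and interactive traffic scores >> 0.1."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    return median(gaps), pstdev(gaps) / mean(gaps)


def find_beacons(text, min_connections=6, max_jitter=0.1):
    """Return {flow: (median_gap, jitter)} for flows that look like beacons."""
    hits = {}
    for flow, times in parse_log(text).items():
        if len(times) < min_connections:
            continue
        score = beacon_score(times)
        if score and score[1] <= max_jitter:
            hits[flow] = score
    return hits


if __name__ == "__main__":
    for (src, dst, port), (gap, jitter) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{port} every ~{gap:.0f}s (jitter {jitter:.3f})")
```

Application-based events (only calling back while a browser or messenger is running) and the proxy port set (1111, 1112, 1113) change the destination and the active hours but not the cadence, so the per-flow jitter test still applies; raise min_connections when the interval is long and the observation window short.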
(continued) c DNS ... 106
4 FinSpy Relay ... 108
4.1 FinSpy Relay Configuration Options ... 110
4.2 FinSpy Relay ... 111
4.3 FinSpy Relay ... 120
5 Hardware Setup ... 123
5.1 ... 123
5.2 ... 124
5.3 FinSpy ... 124
Support ... 125

1 OVERVIEW

FinSpy is designed to help Law Enforcement and Intelligence Agencies to remotely monitor computer systems and get full access to:
- Online Communication: Skype, messengers, VoIP, e-mail, browsing and more
- Internet Activity: discussion boards, blogs, file sharing and more
- Stored Data: remote access to hard disk, deleted files, crypto containers and more
- Surveillance Devices: integrated webcams, microphones and more
- Location: trace the computer system and monitor locations

Tactical IT Intrusion Portfolio; IT Intrusion Training Program.

2 FINSPY AGENT

2.1 FinSpy ... 10
2.1.1 FinSpy Agent Additional Software ... 12
2.1.1.1 Microsoft .NET Framework ... 12
2.1.1.2 ... 12
2.1.1.3 ... 13
2.1.1.4 Microsoft ... 14
2.2 FinSpy Agent User Manual ... 15
2.2.1 Quick Start and ... 15
2.2.2 ... 17
2.2.2.1 ... 19
2.2.2.2 ... 20
2.2.2.3 ... 20
(continued) Executable Options: the operating system of the Target has to be chosen. This results in a different FinSpy Trojan with different modules.

[Screenshot: Target Operating System: Windows, Mac OS X, Linux (Beta).]

Currently the following operating systems are supported:

Microsoft Windows:
- Microsoft Windows 2000: Clean, SP1, SP2, SP3, SP4
- Microsoft Windows XP: Clean, SP1, SP2, SP3
- Microsoft Windows Vista: Clean, SP1, SP2, SP3 (32-bit and 64-bit)
- Microsoft Windows 7: Clean, SP1 (32-bit and 64-bit)

Apple Mac OS:
- Mac OS X 10.6.0 to 10.6.8 (Intel)

Linux:
- Ubuntu, Debian, Fedora, RedHat, BackTrack, SuSE

2.2.13.2 Network Configuration

These settings are explained in the chapters Proxy Settings and Application Based Events.

[Screenshot: Relay Configuration: Relay IP Address(es): tiger.gamma-international.de (IP address or hostname); Relay Port(s): 1111, 1112, 1113. Additional Options: Heartbeat Interval: 30 seconds (delay between call-backs from the Target to the Master server); Download Speed Limit: 1024 kb/s (unlimited), limits the bandwidth usage to a maximum transfer rate. Application Based Events: start/stop the communication depending on the currently running applications; Operation Mode; Application Category: Browser, Messenger, E-Mail, File Sharing.]

2.2.13.3 Self Removal

Infection Limit specifies the numbe
(continued) /media/cdrom0
    USB stick: sudo mount /dev/sdb1 /mnt/usb

Copy the license archive to /usr/local/finspy_master/data/license:

    CD-ROM:    cp /media/cdrom0/CERTS_FINSPYV2_<Customer ID>_<Machine ID>_<xx days>.zip /usr/local/finspy_master/data/license
    USB stick: cp /mnt/usb/CERTS_FINSPYV2_<Customer ID>_<Machine ID>_<xx days>.zip /usr/local/finspy_master/data/license

Change to the directory and unzip the license file:

    cd /usr/local/finspy_master/data/license
    unzip CERTS_FINSPYV2_<Customer ID>_<Machine ID>_<xx days>.zip

Remove the license zip file:

    rm CERTS_FINSPYV2_<Customer ID>_<Machine ID>_<xx days>.zip

The license is now successfully installed.

2.5 FinSpy Master Configuration

This chapter guides through the steps needed to configure the FinSpy Master correctly. The main configuration file for the FinSpy Master is finspy_master.cfg.

2.5.1 General

The default template needs to be renamed to activate the changes:

    cd /usr/local/finspy_master/data

To edit the file, the text editor nano can be used. Now the following parameters need to be activated and/or edited:

    FIN_AGENT_NETWORK_INTERFACE   eth...
    PROXY_IP_HOSTNAME
    PROXY_PORTS

FIN_REPOSITORY_VOLUME could be changed to another mount point, e.g. /mnt/data; the internal hardware RAID shall be used:

    FIN_REPOSITORY_VOLUME   m
[Screenshot: Windows Firewall Settings, Exceptions tab. "Windows Firewall is blocking incoming network connections, including the exceptions selected below. Windows Firewall is currently using settings for the public network location." The "Program or port" list includes File and Printer Sharing, iSCSI Service, Media Center Extenders, Microsoft Office Outlook, Netlogon Service, Network Discovery, Performance Logs and Alerts, Port 1111 (checked), Remote Administration, Remote Assistance, Remote Desktop and Remote Event Log Management. Buttons: Add program, Add port, Properties, Delete; "Notify me when Windows Firewall blocks a new program" is checked.]

Repeat the steps in order to add all the ports used by the FinSpy Relay, for incoming and outgoing connections.

3.2.2 Installation

To install the FinSpy Relay on Windows, the installer needs to be executed. The filename is RelayInstaller_2.xx.x.msi. This starts the installation.

[Screenshot: "Welcome to the FFRelay Setup Wizard. The Setup Wizard will install FFRelay on your computer. Click Next to continue or Cancel to exit the Setup Wizard."]

At the License Agreement, "I accept the terms in the License Agreement" must be selected.

[Screenshot: FFRelay Setup, End-User License Agreement: "Please read the following license agreeme
(continued) needs to be changed according to the FinSpy Relay Configuration Options.

3.2.3 Monitoring

Along with the FinSpy Relay comes the FinSpy Relay Monitoring, which takes care of starting and stopping the Relay. If the FinSpy Relay crashes, the FinSpy Relay Monitoring restarts it. The FinSpy Relay Monitoring is a Windows service: if the service is stopped, it also stops the FinSpy Relay; if it is started, it starts the Relay. The FinSpy Relay Monitoring binary and service name is FFRelayW.exe; the FinSpy Relay binary name is FFRelay.exe.

To control the FinSpy Relay Monitoring, open the Services window: Control Panel > Administrative Tools > Services.

[Screenshot: Services (Local). The FFRelayW service is listed with Status "Started", Startup Type "Automatic" and Log On As "Local System", with the actions Stop, Pause and Restart available; neighbouring entries are DNS Client, Extensible Authentication Protocol, Fax and Function Discovery.]

Right-click on the service and choose whatever action is needed, e.g. Stop.
[Screenshot: Control Panel > Hardware and Sound > AutoPlay. "Use AutoPlay for all media and devices" with a default action per media type: Audio CD, Enhanced audio CD, DVD movie, Enhanced DVD movie, Software and games ("Ask me every time"), Pictures, Video files, Audio files, Blank CD, Blank DVD, Blank BD, Mixed content.]

2.1.1.4 Microsoft Office

To be able to use the FinSpy Agent's Office Document infection, it is mandatory to change the Trust Center settings within Microsoft Word 2003 or 2007. After clicking on the Ribbon of Word, "Word Options" (1) in the lower corner opens a new dialog. On the left side is the option Trust Center (2), then Trust Center Settings (3). Another dialog opens: under Macro Settings (4), "Trust access to the VBA project object model" (5) must be checked. If not, the FinSpy Agent will not be able to infect Microsoft Word .doc documents. Note that this setting weakens the macro protection of the Office installation on the Agent workstation; it is only needed for the Office document infection feature.

[Screenshot: Word Options dialog with the categories Popular, Display, Proofing, Save, Advanced, Customize, Add-Ins, Trust Center and Resources; the Trust Center page reads "Help keep your documents safe and your computer secure and healthy" and "Protecting your privacy: Microsoft cares about your privacy. For more information about how Microsoft Office Word helps to protect your privacy, pleas
(continued) to be monitored.

Click Create Target in the left navigation pane of the FinSpy Agent (under Data Analysis). This opens the Target Creation Wizard. Within the wizard, the Next and Previous buttons or the items in the left navigation pane can be used to navigate between the configuration dialogs.

[Screenshot: Create Target wizard, Infection Executable Options. Infection Unique ID: 0x4DEB79E; Infection Name: FINSPY; Infection Owner; Target Operating System: Windows. Navigation pane: General, Network Options, Self Removal, Select Modules, Target Options, User Permissions, Summary, Generate Infection.]

The dialogs consist of:
- General: name and heartbeat of the FinSpy installer package
- Network Options: settings retrieved by the FinSpy Master
- Self Removal: criteria under which the infection removes itself from the FinSpy Target
- Select Modules: defines which modules should be integrated, with their settings
- Target Options: advanced configuration of the behaviour of the FinSpy Trojan on the FinSpy Target
- User Permissions: assigns users to the FinSpy Trojan
- Generate Infection: the media or executable with which a FinSpy Target will be infected

2.2.13.1 General

General settings configure the behaviour and identification of a FinSpy installer package. Some parameters can be changed after infection of a FinSpy Target.

Infection Exe
(continued) registered accordingly.
- UID: the unique identifier associated with the user.
- AgentUID: the unique identifier associated with the Agent. Since any user can connect from any FinSpy Agent installation to the FinSpy Master, this information pinpoints the machine used for the activity.
- Module: the data-collection module the action was associated with. If the action does not concern a data-collection module, this column is left blank.
- Event Description: a brief description of the event.

[Screenshot: Evidence Protection, Target Activity for target "demo MUC v2.20", columns Timestamp, User, UID, AgentUID, Module, Event Description, Evidence:
2010-04-13 13:32:49 UTC, FinSpyMaster, 0, 0x0, (blank), Master request: Download recorded file C:\WI...
2010-04-13 13:33:03 UTC, FinSpyMaster, 0, 0x0, (blank), Master request: Delete recorded file C:\WIND...
2010-04-13 13:49:10 UTC, FinSpyMaster, 0, 0x0, (blank), Target comes online
2010-04-13 14:36:05 UTC, markus, 1021, 0x7870CE5A, (blank), Agent request: Start Live WebCam Session
2010-04-13 14:36:06 UTC, FinSpyMaster, 0, 0x0, Screen & Webcam, Start Live WebCam session
2010-04-13 14:36:10 UTC, markus, 1021, 0x7870CE5A, (blank), Agent request: Stop Live WebCam Session
2010-04-13 14:36:10 UTC, FinSpyMaster, 0, 0x0, Screen & Webcam, Stopped Live WebCam session
2010-04-13 14:36:11 UTC, FinSpyMaster, 0, 0x0, Screen & Webcam, Storing of live Video data record 0000000092]

2.2.9.2 Evidence Protection

Evide
e see the privacy statements.

[Screenshot: Microsoft Office Word Trust Center, Macro Settings, with the options "Disable all macros without notification", "Disable all macros with notification", "Disable all macros except digitally signed macros" and "Enable all macros (not recommended, potentially dangerous code can run)", and the checkbox "Trust access to the VBA project object model"]

2.2 FinSpy Agent User Manual

2.2.1 Quick Start and Overview

This chapter describes the handling and layout of the FinSpy Agent user interface. To star
e session, expand a target and select Live Session.

[Screenshot: expanded FinSpy Target with the items Analyse Data, Visualize Data, Evidence Protection and Live Session]

The possible modules are obtained and shown in a new dialog. More than one live session at a time is possible.

[Screenshot: Live Session module list: Command Shell, Forensics Tools v2.70, File Access v2.70, Keylogger v2.70, Webcam v2.70, Screen v2.70]

Double click to start the live observation of the target.
- Microphone: establishes a live session to the Target's microphone
- Command Shell: commands can be entered into the Target's command shell
- Forensics Tools: enables uploading and execution of applications on the target machine
- File Access: will show a live File Browser of the Target's computer
- Keylogger: will show a live session of the Target's keys pressed
- Webcam: establishes a live session to the Target's webcam
- Screen: establishes a live session to the Target's desktop

Each Live Session is opened in a new tab inside the FinSpy Agent. After closing the live sessions, the connection to the target computer can be ended by clicking Disconnect inside the expanded FinSpy Target of the Target List tab. The following chapter
ection features will be available only after a target machine restart.

2.2.9 Evidence Protection

This feature helps protecting the collected evidence by using digital signatures and by logging the actions taken to collect the evidence from a FinSpy Target. To use the Evidence Protection, it can be selected via Evidence Protection on each FinSpy Target.

[Screenshot: expanded FinSpy Target with the items Analyse Data, Visualize Data, Evidence Protection, Configuration, Live Session, Update, Remove Infection and Disconnect]

The Evidence Protection tab contains the following sections:
- Activity: all the activity which concerns the FinSpy Target is presented since the recording started
- Evidence: all the collected evidence is listed and the user can check if the signature is valid
A history of the FinSpy Target activity can be shown.

2.2.9.1 Evidence Protection Activity

In the activity logging section, all the interactions from the FinSpy Master to the FinSpy Target are presented, as well as all the actions actively taken by a user through the FinSpy Agent software to access the target. The information recorded for each action is:
- Timestamp: the FinSpy Master time, represented in UTC
- User: the name of the user which participated in the activity. If the participant was the FinSpy Master, this will b
eduler: schedule background recordings of several modules. Module size: 7 KB
- Printer: records the printed documents. Module size: 12 KB
- Skype: record all Skype calls, chats and file transfers. Module size: 179 KB
- Screen & Webcam: record images from the webcam and screen. Module size: 12 KB
- VoIP: record all VoIP application calls. Module size: 158 KB

For a detailed description of how to configure each module, see the following chapters:
- Configuration Accessed Files
- Configuration Microphone
- Configuration Changed Files
- Configuration Deleted Files
- Configuration Keylogger
- Configuration Scheduler
- Configuration Skype
- Configuration Screen & Webcam
- Configuration VoIP

2.2.13.5 Target Options

Different installer options can be defined:
- Install in Master Boot Record of hard disk: with this infection the FinSpy Trojan writes itself to the Master Boot Record of the Target system. This requires administrative privileges on the Target system, but once installed this infection makes the Trojan resistant against software like e.g. Deepfreeze and Norton Ghost.
- Vista and Windows 7 usermode infection: using the usermode infection will not result in a so-called UAC popup within Windows asking for administrative privileges. A covert method for the installation, but also not as powerful as the Trojan w
ee /usr/local/ffrelay/data/version

[Installer output: files placed under /usr/local/ffrelay/data, /etc/monit.d/ffrelay and /etc/init.d/ffrelay; "Post Installation"; "Starting FFRelay monit service ffrelay ... done"; "FFRelay Installer done"]

authorized use by police, intelligence, security and other government agencies

The only thing which needs to be done after installation is to rename the configuration file so that it is accepted by the FinSpy Relay:
    cd /usr/local/ffrelay/data
    [rename command not legible in the source]
The relay.cfg needs to be changed according to FinSpy Relay Configuration Options.

4 FINSPY HARDWARE SETUP

It is necessary to know how the FinSpy setup needs to be configured in detail. The following chapter will give an inside view into the FinSpy periphery.

4.1 FinSpy Total Setup

The following diagram gives a detailed view into the FinSpy hardware setup.

[Diagram: Transport Case containing a 24-port switch, a 17" LCD KVM, the FinSpy HQ Server, a spare HQ Server and a UPS; connected to the Monitoring Center with FinSpy Workstation 1 up to Workstation 23 (maximum) and Type G workstations, and optionally to the Internet]

4.2 FinSpy Master Setup

The following diagram gives a detailed view into the FinSpy Master hardware setup. FinSpy HQ Server IEC 32
evels is displayed.
- FinSpy Target name
- Unique internal reference to the FinSpy Target
- Size of the data set in bytes
- The date when the data was recorded
Possible actions for the data entries can be shown and additional information is displayed.

[Screenshot: Analyse Data list with a Screen Recording entry (44.1 KB, 2010-03-25), the importance levels Critical, Severe, High, Normal and Low, and the details Description: Screen Record, Acquired at 2010-03-25, Module: Screen & Webcam, SESSION TYPE Live, QUALITY yes, RESOLUTION 640 x 480, ORIGINAL RESOLUTION 800 x 600, Comments]

- Show: opens the recorded data. In case of streaming data (video, sound) an external player is opened.
- Deletes the data set from the FinSpy Master.
- The data is exported to the FinSpy Agent computer. A folder will open where the data is saved and the downloaded file is selected.
- Comments: opens a window where comments on the data can be stored. Every change of the Importance Level is also logged as a comment.

If Show is selected, a popup may appear which will ask for a confirmation to display the file.

[Screenshot: File Download dialog: "Do you want to open this file?" with an .ogg file of type Ogg File from the Target, and the option "Always ask before opening this type of file"]

While files from the Internet can be useful, some files ca
g FinSpy Target connections, e.g. CFG_TARGET_PORTS 1111 1112 1113
- CFG_NEXT_HOP_1: contains the hostname and port where the Relay should connect to next (FinSpy Relay or FinSpy Master Proxy), e.g. CFG_NEXT_HOP_1 192.168.0.49 1111
- CFG_SOCKET_TIMEOUT: contains the socket read/write timeout in seconds, e.g. CFG_SOCKET_TIMEOUT 10

The default template of the relay.cfg which comes with the FinSpy Relay:
    Configuration file for the Relay Module
    list of ports for incoming target side connections
    CFG_TARGET_PORTS 2000
    Next hops to connect (relays, proxy)
    CFG_NEXT_HOP_1 hostname 2050
    socket read/write timeout in seconds
    CFG_SOCKET_TIMEOUT 10

3.2 FinSpy Relay Windows

3.2.1 Prerequisites

Name: Windows Firewall
Description: To operate a Windows computer as a FinSpy Relay, the following preparation must be made. The Windows Firewall should be instructed to let the FinSpy Relay accept and forward data. The Windows Firewall is enabled by default on every Windows computer.

[Screenshot: Start menu search for "windows firewall" showing Windows Firewall and Windows Firewall with Advanced Security]

Click Allow a program through Windows Firewall. P T
ger
- Advanced Options: in case a specific module is selected, additional filters can be applied depending on the module, e.g. all targets of a certain time zone.

2.2.4 Visualize Data

Visualize Data enables the FinSpy Agent to display recorded data in a graphical way.

[Screenshot: expanded FinSpy Target with the items Analyse Data, Visualize Data, Evidence Protection, Configuration and Live Session]

A typical overview will look like the following:

[Screenshot: Visualize Data view for a target, with the navigation pane (Target List, Data Analysis, Create Target, Administration, Configuration, Show Logfiles, Agent List, Help, About, Online Help, Logoff) and the numbered areas 1 to 3]

1. The type of visualization. It will give two different graphs; it can be chosen between a) Detailed view per day (default) and b) Detailed view per hour.
2. The recorded data on that day. Each data set is displayed with the amount of recordings for each module per day.
3. The importance level can be set.

Detailed view per hour:

[Screenshot: hourly view for 2010-07-21 with the details of a Keylogger recording: Description: Captured keystrokes, Acquired at 2010-07-21 11:17:04, Module: Keylogger, START SESSION TIME TARGET 2010-07-21 11:03:11] END S
ging is only active if the applications listed in the boxes are currently running. The Operation Mode set to "Inactive for event" suppresses the keylogging if one of the applications listed in the boxes is currently running.

[Screenshot: Application Based Events: "Record/Ignore the keystrokes pressed within the configured applications"; Operation Mode: Active for event / Inactive for event; Application Category (Browser, E-Mail, Messenger); Applications: WINWORD (Microsoft Word), EXCEL (Microsoft Excel)]

2.2.5.12 Configuration Microphone

In order to define the size of a microphone recording, the quality can be defined. Depending on increasing or decreasing the quality, the amount of data for a recording will change. Decreasing the quality of recordings can save 80 percent of the memory used. The selected sound quality can be tested under Listen to Sample, as a sample of the selected sound quality is played.

[Screenshot: Microphone Configuration Options: Sound Quality (Best, High, Normal, Phone, Low), Listen to Sample; for 1 minute recordings at Normal quality: 120 KB]

2.2.5.13 Configuration Printer

This module is not configurable but enables the functionality of capturing all printed documents on the FinSpy Target system and places a copy as a PDF on the FinSpy Master.

2.2.5.14 Configuration Scheduler

The Scheduler Module is responsible for time based data recording on the
[Screenshot: Target List showing, for each FinSpy Target, the name, computer name, user account, country and city, global IP address, operating system and service pack, version and mode (User Mode or Kernel Mode); navigation pane with Help, About, Online Help and Logoff]

- Data Analysis: monitors and analyzes data of a selected FinSpy Target or of all FinSpy Targets.
- Create Target: it will open a wizard which guides easily through the creation of a FinSpy Target.
- Configuration: basic settings for the FinS
hanges (4) will save all settings for the FinSpy Target.

[Screenshot: Download Schedule tab with Application Events (Data Available, Screen Locked, Screensaver Active), Time Events (Once, Daily, Weekly, Monthly, each "This category contains no items. Use the add button to add a new item.") and the Save Changes button]

A download of data will be initiated if one of the configured events occurs.

Application Events:
- Data Available: as soon as new recorded data is available, the data will be transferred to the FinSpy Master.
- Screensaver Active: new recorded data will be downloaded to the FinSpy Master if the screensaver of the target computer is active.
- Screen Locked: new recorded data will be downloaded to the FinSpy Master if the computer of the target gets locked.

If a new time event is added, a new tab (Configure Event) opens in which all parameters of the new time event can be set:
- Start Event Date: the first day on which the download starts
- The time at which the download starts
- The interval between the downloads: Once, Daily, Weekly, Monthly
ieves the data from the FinSpy Target and the FinSpy Relay connections. The default setup should look like this:

[Network diagram: GAMMA Update Server (default port 42562, default hostname update.gamma-international.de); the FinSpy Target sends heartbeats to the FinSpy Proxy; the Router/GW provides an IP address via DHCP for the FinSpy Proxy; FinSpy Proxy (default IP via DHCP from the router, default ports arbitrary, e.g. 22, 53, 80, default interface eth0); FinSpy Master (default IP 10.77.77.1, default port 5119); FinSpy Agent network 10.77.77.0/24 (DHCP); Data Forwarding Interface (default IP 172.16.77.1, default interface eth2) to the Monitoring Center 172.16.77.0/24 (static)]

2.4 FinSpy Master Installation

Except for the license, the FinSpy Master software is preinstalled on the FinSpy Master hardware. This means only the license needs to be generated and installed via a Machine ID. This Machine ID must be sent to your GAMMA sales contact to request the license package which contains the valid license. The following command will generate the Machine ID:
    [command not legible in the source]
If you retrieved the license package from the GAMMA support, don't unpack it. Copy the archive to a USB stick or burn it to a CD-ROM. Mount the USB stick or CD/DVD on the FinSpy Master:
    CD-ROM: sudo mount /me
ill be restricted to the infected user account on the Windows Target.

[Screenshot: Target Options with the checkboxes "Install in Master Boot Record of hard disk" (administrator privileges are required for installation in the Master Boot Record), "Vista and Windows 7 usermode infection" and, under Hiding Techniques, "Active Hiding on Target"]

By enabling this feature the infection becomes more susceptible to detection by rootkit detectors. A detailed explanation of Hiding Techniques: see Hiding Techniques.

2.2.13.6 User Permissions

Each creation of a FinSpy Trojan allows assigning users to work with it. Multiple users can be chosen (1). Furthermore, it is possible to give special rights to each user, like establishing a Live Session or configuring the FinSpy Target (2).

[Screenshot: User Permissions: "Choose users to add to the permissions of this Target", with a list of users; "Double click the user to add it to the permission list"]

Click out
[Screenshot: FinSpy Agent Target List with online and archived targets (XP SP3 x86, SYSTEM, LAN, version 2.48); navigation pane with Target List, Data Analysis, Create Target, Configuration, Show Logfiles, Agent List, Data Transfer, About, Online Help, Logoff; status "FinSpy Agent Version 2.48, Connected to Remote Master"]

- Select Export.

[Screenshot: Remote Master Data Transfer dialog]
Offline Master Configuration Archive (a file in C:\Users\ht\Documents\FinSpyAgent): choose the file exported from the Offline Master which contains the offline Target configuration. The data will be pushed to the Targets as soon as they are coming online.
Remote Master Data Archive (a .rmda file in C:\Users\ht\Documents\FinSpyAgent, named by timestamp 2010-10-14 14:03:48): choose the location where to export the Evidence Protection information, information about the Target status (new targets, removed targets) as well as Target

2.7.3.2 Import Data to the Off
is normally 24 hours, for a newer version on the Update Server provided by Gamma International. With Manual, an update check will be performed only on user request.

- Master Update / Update Mode: set to Automatic to enable regular update checks by the Master. In case an update is available, it will be automatically installed.
- Target Update: set to Automatic to automatically update the Target software on each Target System whenever an update is available.

2.3.1.7 Configuration Evidence Protection

To access this feature on the FinSpy Agent, it must be enabled on the FinSpy Master first. Therefore Evidence Protection has to be set to Full (1). In case only the Activity on a Target should be logged, this option can also be set to ActivityLog only. Once the feature is activated on the FinSpy Master, all the newly collected evidence will be digitally signed using a FinSpy Master self-generated key. The capability of importing an own key into the FinSpy Master is also given (2). Furthermore, the Logging Level (3) can be defined as Minimal, Normal, Verbose or completely disabled.

[Screenshot: Evidence Protection settings: "Enable full logging of all performed operations and digital signing of all acquired evidence"; Protection Certificate with serial, subject CN FinSpyMaster and notAfter Mar 14 13:28:29 2020 GMT; Get Certificate button]

Get Certificate allows you to extract the Certificate required by the
le for the FinSpy Master is the finspy_proxy.cfg. The default template needs to be renamed to activate the changes:
    cd /usr/local/finspy_proxy/data
    [rename command not legible in the source]
To edit the file, the text editor nano can be used:
    [command not legible in the source]
Now the following parameters need to be activated and/or edited:
    FIN_MASTER_NETWORK_INTERFACE lo
    FIN_TARGET_NETWORK_INTERFACE eth0
    [port parameter, name not legible in the source] 22 53 80 443 49111
To activate the changes, the FinSpy Master needs to be restarted (the finspy_proxy service is stopped and started; the commands are not legible in the source).

2.7 FinSpy Master Remote and Offline Master Configuration

It is possible to set up a Remote Mode and an Offline Mode. They basically split the FinSpy Master functionalities into two FinSpy Masters with complementary, limited functionalities. The Offline Master has the recorded files in the database and the FinSpy Agent can process data, while the Remote Master is contacted by the targets and stores the received encrypted recordings. The recorded files have to be imported with the Agent to the Offline Master. This gives a higher security to the Offline Master if remote attacks are conducted.

2.7.1 Remote Master Configuration

To set up the Remote Master, the following parameter must be added to the finspy_master.cfg file:
    Set Remote Master Mode
    FIN_MASTER_MODE REMOTE
le where the user can filter the location and file types which have to be monitored by the FinSpy Target module. Additional information such as the event (accessed, newly created, changed) and the time when the event occurred will be provided together with the recorded file.

[Screenshot: Changed Files Configuration Options]
Recording Options: specify folders to watch for file changes, e.g. All Drives & Folders, HOMEDRIVE HOMEPATH, PUBLIC; Exceptions: PROGRAMFILES, APPDATA, WINDIR, ProgramData. Please provide one folder path or name per line. Supported system-defined constants: ALLUSERSPROFILE, APPDATA, HOMEPATH, LOCALAPPDATA, ProgramData, PROGRAMFILES, SYSTEMROOT, USERPROFILE and WINDIR.
File Options: specify which file types should be recorded: All Files, Image, PDF, Office, Video, HTML, PGP/GnuPG, Audio, Archives. Custom file types: please provide file extensions separated with a semicolon, for example mp4;ogv;avi.

2.2.5.7 Configuration Command Shell

This module is not configurable but enables the functionality of interacting with the FinSpy Target via a Command Shell.

2.2.5.8 Configuration Deleted Files

The Deleted Files module enables the FinSpy Target to collect deleted files from the infected system. The Deleted Files module is able to collect all the deleted files, namely the files which are deleted (moved to the Recycle Bin) as well as the files removed
line Master:
- Connect the Agent to the Offline Master
- Select Data Transfer

[Screenshot: FinSpy Agent Target List with online and archived targets; navigation pane with Target List, Data Analysis, Create Target, Configuration, Show Logfiles, Agent List, Help, About, Online Help, Logoff; status "FinSpy Agent Version 2.48, Connected to Remote Master"]

- Select Import

[Screenshot: Offline Master Data Transfer dialog]
Remote Master Data Archive (a .rmda file in C:\Users\ht\Documents\FinSpyAgent, named by timestamp 2010-10-14 17:11:58): choose the file which contains the data exported from the Offline Master. The archive contains updated Evidence Protection information, information about the Target status (new targets, removed targets) as well as Target recorded data.
Offline Master Configuration Archive (an .omca file in C:\Users\ht\Documents\FinSpyAgent, named by timestamp 2010-10-14 17:13:17): choose the location where to save the Target offline configuration information. This information should be imported on the Remote Master, which will push it to the Targets.
mation

[Screenshot: Forensics Tools file upload with a remote directory listing (Test, VALUEADD, WINDOWS) and the numbered areas 1 to 3]

A file from the local file system needs to be selected and also a remote path defined; this will be by default the current working directory (1). Clicking start file upload (2) will then put the file on the FinSpy Target. This file will now be in the selected remote directory (3).

2.2.6.5 Live Session Keylogger

To start recording keystrokes, click the Start button. Recorded keystrokes are displayed with the following information:

[Screenshot: Record Keystrokes window with a recorded entry for iexplore.exe on 2010-10-06 14:25:09]

1. The process name where the keystrokes are entered
2. Date and time of the keystroke recording
3. The application name and window title where the keystrokes were done, e.g. Notepad, Internet Explorer, Firefox
4. Special chars can be enabled or disabled, e.g. Enter, Backspace, Tab etc.

The actual keystrokes can be seen in the main window. To stop the recording, the Stop button needs to be clicked.

2.2.7 Download Now

To perform a manual download of new recorded data to the FinSpy Master, expand the FinSpy Target in the Target List and click on Download Now (the notification for new available data is shown when the bullet appears).

[Screenshot: expanded online FinSpy Target]
[Screenshot: LEMF Data Management list with entries such as a Command Shell Recording of 191 B dated 2011-07-01 17:46, and the buttons Resend Selected and Resend All; navigation pane with Show Logfiles, Agent List, License Information, LEMF, Data Management, About and Online Help]

3 FINSPY MASTER
3.1 FinSpy Master Installation ... 88
3.2 FinSpy Master Configuration ... 90
3.2.1 General ... 90
3.2.2 Users Management ... 91
3.2.3 Update Automatic ... 92
3.2.4 Update Manual ... 93
3.2.5 Evidence Protection ... 94
3.2.6 E-Mail Notification ... 95
3.3 FinSpy Master Proxy Configuration ... 97
3.4 FinSpy Master Remote and Offline Master Configuration ... 98
3.4.1 Remote Master Configuration ... 98
3.4.2 Offline Master Configuration ... 99
3.4.3 (title not legible in the source) ... 100
3.4.3.1 Export Data from Remote Master ... 100
3.4.3.2 Import Data to the Offline Master ... 102
3.5 FinSpy Master Monitoring ... 104
3.6 FinSpy Master Port forwarding ... 105
3.7 FinSpy Master Dynamic DNS ... 106

This chapter will cover the installation and configuration of the FinSpy Master. The FinSpy Master is the central data collector and manages the data. The FinSpy Master includes the FinSpy Proxy. The FinSpy Proxy retr
n potentially harm your computer. If you do not trust the source, do not open this file. What's the risk?

Comments which are once done for a specific data set cannot be edited or deleted. The comments are ordered by time in descending order, which means that the last introduced comment is displayed on top.

[Screenshot: Comments window for a Screen Recording, listing two timestamped comments, one describing the recording contents and one "Changed the Importance to Severe", above the list of Screen Recordings]

There is also the possibility to define the search by using filters.

[Screenshot: Analyse Data with the filters Choose Target, Choose Module, Start Date, End Date and Advanced options (SESSION TYPE, UID, Acquired, QUALITY, FRAMES PER SECOND, BITS PER FRAME), and a result row for target 0xD0F100D0 acquired 2010-02-02]

The following filters are available:
- Start/End Date: from which date to which date should be searched
- Module: by which module the data was recorded, e.g. Webcam, Microphone, Keylog
nce. The digital signature can be checked by clicking in the Check now (1) field. Once a signature was verified successfully, the field text will change to Valid (2). The signature can be checked for all the collected evidence at a time or by selecting all the entries (Ctrl+A). Exporting of all or certain evidence is possible (3). The folder where the evidence is exported to will be opened in a Windows Explorer once the download is finished. A progress dialog will monitor the download of the evidence, since this could be a lengthy operation.

[Screenshot: Evidence Protection, Collected Evidence tab with the columns Description, Size, Acquired and Signature; entries show "Check now", "Checking" and "Valid"; a "Checking Signature" progress dialog; buttons Refresh and Export Evidence]

The exported evidence is accompanied by a report (Report.html) which looks similar to the pictures below.

[Exported Evidence Report, 2011-07-04 11:33:31 UTC. Contents: 1 Target Information; 2 Collected Evidence: 1 Keylogger, 2 Screen & Webcam, 3 Skype
... 48
2.2.6 Live Session ... 49
2.2.6.1 Live Session Microphone/Webcam/Screen ... 50
2.2.6.2 Live Session Command Shell ... 51
2.2.6.3 Live Session Forensics Tools ... 52
2.2.6.4 Live Session File Access ... 54
2.2.6.5 Live Session Keylogger ... 56
2.2.7 Download Now ... 57
2.2.8 (title not legible in the source) ... 58
2.2.9 Evidence Protection ... 59
2.2.9.1 Evidence Protection Activity ... 60
2.2.9.2 Evidence Protection Evidence ... 61
2.2.9.3 Evidence Protection (title not legible in the source) ... 62
2.2.9.4 Evidence Signature Verification Tool ... 63
2.2.10 (title not legible in the source) ... 64
2.2.11 Remove Data ... 64
2.2.12 (title not legible in the source) ... 64
2.2.13 Create Target ... 65
2.2.13.1 General ... 66
2.2.13.2 Network Configuration ... 68
2.2.13.3 Self Removal ... 68
2.2.13.4 Select Modules ... 69
2.2.13.5 Target Options ... 70
2.2.13.6 User Permissions ... 71
2.2.13.7 (title not legible in the source) ... 71
2.2.13.8 (title not legible in the source) ... 72
2.3 FinSpy Agent Administration ... 74
2.3.1 Configuration ... 74
2.3.1.1 Configuration User Management ... 76
2.3.1.2 Configuration Agent Configuration ... 78
2.3.1.3 (title not legible in the source) ... 78
2.3.1.4 Configuration Relay Network Configuration ... 79
2.3.1.5 Configuration Email Notification
nt carefully.

[Screenshot: FFRelay Setup, license agreement for the Relay License]

Now the directory where the FinSpy Relay will be installed can be chosen.

[Screenshot: FFRelay Setup, Destination Folder: "Click Next to install to the default folder or click Change to choose another. Install FFRelay to: C:\Program Files\FFRelay"]

After choosing the directory, click OK and the following dialog will be shown:

[Screenshot: FFRelay Setup, Ready to install FFRelay: "Click Install to begin the installation. Click Back to review or change any of your installation settings. Click Cancel to exit the wizard."]

Once the Install button is clicked, on Windows Vista and Windows 7 the UAC (User Account Control) popup will be shown and this needs to be allowed.

[Screenshot: User Account Control: "Don't run the program unless you know where it's from or you've used it before"; RelayInstaller_220_V1.msi, Unidentified Publisher; options Cancel ("I don't know where this program is from or what it's for") and Allow ("I trust this program. I know where it's from or I've used it before")]

Once Allow is clicked, the installation starts.
nt xyz intelligence

2.5.2 Users Management

In the first step it is necessary to create users which are able to connect to the FinSpy Master:
    cd /usr/local/finspy_master/data
    [copy of the fin_passwd template; command not legible in the source]
Open the fin_passwd to create, change or delete user accounts:
    sudo nano fin_passwd
This will show the template data in the following structure:
    userid, groupid, login name, user description, password, database permission, file permission
The following parameters can be changed: userid, login name, user description, password.
Note: login name and password have a maximum length of 16 characters, where [character not legible in the source] is not allowed as a character. All other values are reserved for future releases and should not be changed.

2.5.3 Update Automatic

The configurations for the updates are also stored in the finspy_master.cfg and should not be changed:
    FINUM_SERVER update.gamma-international.de
    FINUM_PORTS 42662
    FINUM_DESTINATION_PATH updates
To force an update request, the FinSpy Master needs to be stopped and started, which will make the FinSpy Master automatically connect to the GAMMA Update server:
    [stop and start commands not legible in the source]
To check for the currently installed version you can use the following command:
    [command not legible in the source]
Interval: Defines the interval of the recording. The available options are:

Once: The recording is executed only once, at the configured date and time.
Daily: The recording is executed every day at the configured time, starting with the configured date. There is no end date.
Weekly: The recording is executed every week on the same week day and at the same time as configured.
Monthly: The recording is executed monthly on the same day of the month and at the same hour as configured. There is no end date. If the recording is scheduled for a day which exists only in certain months (e.g. the 31st), the recording is executed only in the months which contain that day.

Duration: The duration of the recording.

[Screenshot: Scheduler Configuration Options, New Time Event. 1: Select what you want to schedule (Microphone, Screen, Webcam). 2: Configure time and duration of event: Start Event Date (calendar, April 2010), Duration 0h 30m 0s, Time Zone.]

2.2.5.15 Configuration: Skype

There are different possibilities of enabling the Skype monitoring. The quality of the recording and the type of communication within Skype are configurable.

Recording Options:
Phone Calls: All calls between the FinSpy Target and other parties will be recorded.
Text Messaging: All chats between the Fin…
(table of contents fragment)
2.3.1.7 Configuration: Evidence Protection ... 80
2.3.1.8 Configuration: LEMF Interface ... 81
2.3.2 Show Logfiles ... 82
2.3.3 (title illegible) ... 83

2.1 FinSpy Agent Installation

To install the FinSpy Agent software run the setup and follow the steps as shown. Click Install and Finish; no further settings are necessary.

[Screenshot: FinSpy Agent Setup. "Welcome to the FinSpy Agent Setup Wizard. The Setup Wizard allows you to change the way FinSpy Agent features are installed on your computer or to remove it from your computer. Click Next to continue or Cancel to exit the Setup Wizard."]

Confirm the license agreement.

[Screenshot: FinSpy Agent Setup, End User License Agreement. "Please read the following license agreement carefully." Text: CUSTOMER SOFTWARE LICENCE. DO NOT NAVIGATE BEYOND THIS PAGE TO OPEN THE FINFISHER APPLICATION UNTIL YOU HAVE CONFIRMED, AS INDICATED BELOW, THAT YOU HAVE READ AND ACCEPTED ALL THE TERMS OF THIS LICENCE, WHICH ARE AVAILABLE WITH THE LINK BELOW, AND WISH TO BECOME THE LICENSEE OF THE SOFTWARE. ACCEPTANCE SHALL BIND YOU AND ALL OF YOUR EMPLOYEES TO THE TERMS OF THE LICENCE. YOUR OPENING OF THIS APPLICATION WILL BE DEEMED TO BE YOUR ACCEPTANCE OF THE FOLLOWING TERMS …]
To check if FFRelayW and FFRelay are running, the Task Manager needs to be opened and the Processes tab must be active. The FFRelayW process runs in the SYSTEM context because it is a service, and because FFRelay is started by that service it also runs in the SYSTEM context; neither of them runs as the current user. In order to see all the processes running on a machine click "Show processes from all users".

[Screenshot: Windows Task Manager, Processes tab, columns Image Name / User Name / CPU / Memory (Private) / Paged Pool / Handles / Threads. The visible rows are ordinary desktop processes owned by the user gammagroup (AdobeARM.exe, avp.exe, dwm.exe, ehmsas.exe, ehtray.exe, explorer.exe, FinAgent.exe, firefox.exe, klwtblfs.exe, mmc.exe, mspaint.exe, msseces.exe, OEM02Mon.exe, regedit.exe, SSScheduler.exe, taskeng.exe) plus csrss.exe; the FFRelayW and FFRelay rows are cut off in the extraction.]

Because both relay processes run as SYSTEM, they are invisible in the default per-user view; without "Show processes from all users" a missing entry proves nothing.
[Screenshot: login page at https://www.gamma-international.de (Username, Password).]

FINFISHER IT INTRUSION: Knowledge Base, Contact Us

Generic Information: FinSpy

FinSpy is a field-proven Remote Monitoring Solution that enables governments to face today's challenges of monitoring mobile and security-aware targets that regularly change location, use encrypted and anonymous communication channels and reside in foreign countries. Traditional Lawful Interception solutions face new challenges that can only be solved using active systems like FinSpy: data not transmitted over any network, encrypted communication, targets in foreign countries.

FinSpy has been proven successful in operations around the world for many years, and valuable intelligence has been acquired about target individuals and organizations. When FinSpy is installed on a computer system or mobile phone it can be remotely controlled and accessed as soon as it is connected to the internet or network, no matter where in the world the Target System is based.

Usage Example 1: Intelligence Agency. FinSpy was installed on several computer systems inside Internet cafés in critical areas in order to monitor them for suspicious activity, especially Skype communication with foreign individuals. Using the webcam, pictures of the targets were taken while they were using the system.

Usage Example 2: Org…
Insert the destination folder for the installation.

[Screenshot: FinSpy Agent Setup, Destination Folder. Install FinSpy Agent to: C:\Program Files\FinSpyAgent\ (Change / Back / Cancel).]

[Screenshot: Completed the FinSpy Agent Setup Wizard. Click the Finish button to exit the Setup Wizard.]

2.1.1 FinSpy Agent Additional Software

To operate a computer as a FinSpy Agent the following preparations must be done.

2.1.1.1 Microsoft .NET Framework

The Microsoft .NET Framework is a software framework that can be installed on computers running Microsoft Windows operating systems. It is necessary to have .NET Framework >= 3.5 SP1 installed to run the FinSpy Agent software. The framework can be downloaded and installed from http://msdn.microsoft.com/en-us/netframework/default.aspx

2.1.1.2 OGG Theora Codec

Theora is a free and open video compression format. It must be installed to play audio and video. The codec can be downloaded and installed from http://www.xiph.org/dshow/

[Screenshot: xiph.org, "Directshow Filters for Ogg Vorbis, Speex, Theora, FLAC and WebM". "The aim of this project is to provide the most complete implementation of the Xiph.org codecs for Windows and DirectShow. This includes decoders and encoders for all the Xiph.org formats as well …"]
… (Configuration) … between the FinSpy Agent and FinSpy Master can be defined.
Show Logfiles: Gives the possibility of viewing the FinSpy Master system logfiles.
Agent List: Information about FinSpy users, their user rights, logins and current connections.
License Information: Displays information regarding the license.
About: Shows the FinSpy Agent version and software agreement.
Online Help: Connects to the online help on the Gamma Group homepage via the internet.

2.2.2 Target List

The Target List contains all actions to manage data and the FinSpy infection of a FinSpy Target. All FinSpy Targets are listed in two tables (Online and Offline) under the following categories: Computer, User, Country, City, Global IP, OS, OS Details, Version, Install Mode. The list can be filtered by Name, Data on Master, Data on Target, User, Country and IP.

[Screenshot: Target List as shown in the manual (target name in the left column).]

    Target                  Computer         User    Country               City           Global IP      OS             OS Details      Version  Install Mode
    Online
    FS 2.30                 ALEX TARGET      SYSTEM  United Arab Emirates  Dubai          94.200.250.24  Windows XP     Service Pack 3  2.30     Kernel Mode
    Lambada                 TAINA PC         Taina   Malaysia              Petaling Jaya  175.144.48.73  Windows Vista  Service Pack 1  2.20     User Mode
    Mex1                    WS83765          SYSTEM  Mexico                Mexico         8.14.252.221   Windows XP     Service Pack 3  2.20     Kernel Mode
    toshiba NB100 demo MUC  LH EEEPC         SYSTEM  LAN                                  192.168.0.51   Windows XP     Service Pack 3  2.30     MBR
    Offline
    (name illegible)        W583765          SYSTEM  Germany               Hanover        213.61.75.86   Windows XP     Service Pack 3  2.20     User Mode
    Bako HQ                 ACER 36D08D61CF  SYSTEM  Nigeria               Lagos          196.46.245.21  Windows XP     Service P…
[Screenshot: FinSpy Agent menu: About, Online Help, Logoff (user finspy). Status bar: FinSpy Agent Version 2.48, Connected to Offline Master.]

2.8 FinSpy Master Monitoring

There is a monitoring daemon installed on the system which checks and, if necessary, restarts applications like the FinSpy Master and the FinSpy Proxy. The software being used is monit. Monit automatically checks whether the defined services are running; FinSpy Master and FinSpy Proxy need to be configured first. In the following, finspy_xxx stands for both commands:

    finspy_master
    finspy_proxy

Configure the monit daemon to monitor finspy_xxx:

    sudo monit monitor finspy_xxx
    (the next command is garbled in the source; it ends in "restart")

Check if finspy_xxx is running:

    sudo monit summary

The following results may appear:

    Successful:  Process 'finspy_proxy'   running
    Failed:      Process 'finspy_proxy'   not monitored
                 Process 'finspy_proxy'   Does not exist

2.9 FinSpy Master Port Forwarding

It is necessary that the FinSpy Master is able to receive packets from the internet through a router or firewall. Normally routers and firewalls block TCP packets which come from outside, so some ports on the router or firewall must be forwarded to the internal network. This is so-called port forwarding. Every router or firewall handles this differently; please check the corresponding manual on how …
… (Show Logfiles view; the screenshot is only partly legible and the punctuation below is reconstructed):

    Wed Jun 23 17:01:08 2010  INFO   Master Module Release 2.36
    Wed Jun 23 17:01:08 2010  INFO   Master is running in DEFAULT operation mode
    Wed Jun 23 17:01:08 2010  ERROR  Target 0xEE34B729 has already a Target License 37063170-7eb7-11df…
    Wed Jun 23 17:01:08 2010  ERROR  Error allocating memory reading the Target License File
    Wed Jun 23 17:01:54 2010  INFO   Software Info
    Wed Jun 23 17:01:54 2010  INFO   Master Module Release 2.36
    Wed Jun 23 17:01:54 2010  INFO   Master is running in DEFAULT operation mode
    Wed Jun 23 17:01:54 2010  INFO   Error opening Target License File /usr/local/finspy_master/devel/data/f…
    Wed Jun 23 17:01:54 2010  INFO   gbl_socket_listen: All interfaces, port 1119
    Wed Jun 23 17:01:54 2010  INFO   gbl_socket_listen returns 0, socket id 3, port 1119, errno 0
    Wed Jun 23 17:01:54 2010  INFO   Trying to create new thread 1
    Wed Jun 23 17:01:54 2010  INFO   Created new update thread a5809b70
    Wed Jun 23 17:01:54 2010  INFO   Trying to connect to Proxy localhost port 1118
    Wed Jun 23 17:01:54 2010  INFO   Trying to create new thread 2
    Wed Jun 23 17:01:54 2010  INFO   Created new update thread (id illegible)
    Wed Jun 23 17:01:54 2010  INFO   Trying to create new thread 3
    Wed Jun 23 17:01:54 2010  INFO   Created new update thread (id illegible)
    Wed Jun 23 17:02:00 2010  INFO   Master terminates
    Wed Jun 23 17:02:09 2010  INFO   Software Info
    (further lines illegible)

[Screenshot controls: Show Category: Info / Warning / Error; Export Logfile.]

Two details in this excerpt matter when reading Master logs: port 1119 is the Agent Listener Port from the Network configuration, and the Master binds it on all interfaces; and a failed file open ("Error opening Target License File") is logged at INFO level, so filtering the view on Error alone will not show it.
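As an added example, not part of the manual and not Gamma's code, the Python below parses Master log lines of the shape shown above and produces the triage a practitioner wants from them: counts per level, the ports the Master bound, the proxy it connected to, the ERROR messages, and error texts that were logged at INFO level and would be hidden by the Error filter. The line layout (ctime-style timestamp, level, message) is assumed from the screenshot; the sample lines are constructed after it, and the file path is a placeholder.

```python
"""Parse FinSpy Master log lines as shown in the Show Logfiles view
(added example, not Gamma code).

The line layout is assumed from the screenshot: a ctime-style timestamp,
a level (INFO, WARNING or ERROR) and a free-text message.  SAMPLE_LOG is
constructed after that excerpt; the path is a placeholder.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Any, Dict, List, NamedTuple, Optional

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<level>INFO|WARNING|ERROR) (?P<msg>.*)$")
LISTEN_RE = re.compile(r"gbl_socket_listen\b.*?\bport (\d+)")
PROXY_RE = re.compile(r"connect to Proxy (\S+) port (\d+)")

SAMPLE_LOG = """\
Wed Jun 23 17:01:08 2010 INFO Master Module Release 2.36
Wed Jun 23 17:01:08 2010 INFO Master is running in DEFAULT operation mode
Wed Jun 23 17:01:08 2010 ERROR Target 0xEE34B729 has already a Target License
Wed Jun 23 17:01:08 2010 ERROR Error allocating memory reading the Target License File
Wed Jun 23 17:01:54 2010 INFO Software Info
Wed Jun 23 17:01:54 2010 INFO Master Module Release 2.36
Wed Jun 23 17:01:54 2010 INFO Error opening Target License File /usr/local/finspy_master/data/example
Wed Jun 23 17:01:54 2010 INFO gbl_socket_listen: All interfaces, port 1119
Wed Jun 23 17:01:54 2010 INFO gbl_socket_listen returns 0, socket id 3, port 1119, errno 0
Wed Jun 23 17:01:54 2010 INFO Trying to connect to Proxy localhost port 1118
Wed Jun 23 17:02:00 2010 INFO Master terminates
Show Category Info Warning Error Export Logfile
"""


class Record(NamedTuple):
    when: datetime
    level: str
    message: str


def parse_line(line: str) -> Optional[Record]:
    """Return a Record, or None for lines that are not log entries."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    when = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return Record(when, m["level"], m["msg"])


def summarize(text: str) -> Dict[str, Any]:
    """Triage a log: counts per level, what the Master bound to, where it
    connected, the ERROR messages, and error texts hidden at INFO level."""
    levels: Counter = Counter()
    listen_ports, proxies = set(), set()
    errors: List[str] = []
    misleveled: List[str] = []
    starts = stops = unparsed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # UI residue, wrapped lines, etc.
            continue
        levels[rec.level] += 1
        if rec.level == "ERROR":
            errors.append(rec.message)
        elif rec.message.startswith("Error"):
            # The screenshot shows a failed file open logged at INFO; a
            # filter on the Error category would never surface it.
            misleveled.append(rec.message)
        m = LISTEN_RE.search(rec.message)
        if m:
            listen_ports.add(int(m.group(1)))
        m = PROXY_RE.search(rec.message)
        if m:
            proxies.add((m.group(1), int(m.group(2))))
        starts += rec.message.startswith("Software Info")
        stops += rec.message.startswith("Master terminates")
    return {
        "levels": dict(levels),
        "listen_ports": sorted(listen_ports),
        "proxies": sorted(proxies),
        "errors": errors,
        "misleveled": misleveled,
        "starts": starts,
        "stops": stops,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it an exported logfile and compare "listen_ports" with the ports you expect the Master to expose; an unexpected entry there, or a non-empty "misleveled" list, is worth a look before anything the Error filter shows.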
…r of FinSpy Targets which can be infected. Infection Self Removal is explained in the chapter "Infection Self Removal".

Infection Limit: Maximum number of targets that will be infected. After this number is reached, no new target infections will be accepted by the master server.
Infection Self Removal, Scheduled Removal: Specify a date when the FinSpy Target will automatically remove itself from the target.
Infection Self Removal, connection timeout: The FinSpy Target will automatically remove itself from the target if it is unable to reach the master server within the configured timeframe.

2.2.13.4 Select Modules

Check the boxes of the respective necessary modules:

Accessed Files: Record files when they are being accessed. Module size 12 KB.
Changed Files: Record files when they are being modified.
Microphone: Enable microphone recordings on the Target System. Module size 167 KB.
Command Shell: Remotely access the command shell. Module size 10 KB.
Deleted Files: Record files that are being deleted. Module size 10 KB.
File Access: Provide live access to the Target filesystem. Module size 12 KB.
Forensics Tools: Provide tools to gather information from the target. Module size 11 KB.
Keylogger: Record all keys that are pressed on the target. Module size 22 KB.
Sch… (list cut off in the source; one further module size, 7 KB, cannot be matched to its module)
[Screenshot: toolbar for the target "Alex FinSpy 2.48" (ALEX TARGET SYSTEM, United Arab Emirates, Dubai, 94.200.250.2…, version 2.48): Analyse Data, Visualize Data, Evidence Protection, Configuration, Download Schedule, Alert Settings, Permissions.]

A list with all the possible recordings can be chosen. They are separated into categories to give a better overview.

[Screenshot: Target List, target "dev-target 2010-04-19", Recordings List.]

    Recording              Description          Date                 Size
    Video Recordings       (video)              2010-04-21 10:48:30  4.0 KB
    Skype Recordings       Skype recording      2010-04-21 10:48:30  4.0 KB
                           Skype recording      2010-04-21 10:48:30  4.0 KB
    Keylogger Recordings   Captured keystrokes  2010-04-21 10:48:30  4.0 KB
    (Select All)

2.2.8 Update Modules

If a new version of FinSpy is released and deployed, it is possible to update a FinSpy Target from an old version to the latest one.

[Screenshot: online target "Alex FinSpy 2.50" (ALEX TARGET SYSTEM, United Arab Emirates, Dubai, 94.200.250.2…, version 2.48); dialog "Updating Target Modules": Updating core module, Updating Keylogger (Cancel).]

At the end a message will pop up saying the update process is complete. To activate the new core and the new modules the FinSpy Target needs to be restarted.

[Message box: "The infection was successfully updated. However, the new inf…" (cut off in the source).]
… VoIP clients (option name cut off). Screen Capture: Create a screenshot when a call is initiated to get additional call information. Sound Quality: selectable, with "Listen to Sample".

2.2.5.18 Configuration: Add & Remove Module

To add and remove modules it is not required to create a new FinSpy Target package. This can be done easily through the Configuration dialog. The modules will then immediately be removed from the FinSpy Target or, if added, immediately downloaded from the FinSpy Master to the FinSpy Target.

Removing a module: [Screenshot: Target List, demo MUC v2.20, Configuration: General, Command Shell; "Add New Module".]

Adding a module: [Screenshot: "Choose module to activate on the target": Keylogger, Microphone, File Access, Scheduler, Skype, Screen & Webcam. "Double click the module to add it to the target. Click outside to close and return to configuration."]

2.2.5.19 Configuration: Activate & Deactivate Module

Modules can also be activated and deactivated live on the FinSpy Target. Removing the check from the checkbox (1) will deactivate the module; setting the check in the checkbox (2) will activate the module.

[Screenshot: Target List, demo MUC v2.20, Configuration: General.]

2.2.6 Live Session

Available live access depends on the modules installed on the target. To establish a liv…
… an Administrator user must be logged in.

Administration menu: Configuration, Show Logfiles, Agent List, License Information.

2.3.1 Configuration

Within the Configuration settings all important changes to the FinSpy Master can be made remotely. If the Master is not reachable for any reason, the changes need to be done manually (see FinSpy Master Configuration).

User Management: Users can be added, edited and deleted through the User Management.
Agent Configuration: Specify where all exported data will be saved.
Network: Configuration of the internal and external network interfaces.
Relay Network Configuration: Configuration of the connection details for the FinSpy Targets.
Email Notification: Configuration of the email server, user and password for email notification.
Updates: Configuration of the FinSpy Master and FinSpy Target updates.
Evidence Protection: Configuration of the Evidence Protection certificates, logging activity and functionality.
LEMF Interface: LEMF database configuration.

2.3.1.1 Configuration: User Management

Inside the User Management, System Administrators and Administrators can perform very granular user management. There are three different types of users:

1. System Administrator
2. Administrator
3. User

The following rights are given to each u…
… (the following sections) describe the live access of each module in more detail.

2.2.6.1 Live Session: Microphone, Webcam, Screen

For a live session of the FinSpy Target's display, webcam or microphone use the Start button inside the FinSpy Agent. The quality of the recording depends on the predefined configuration.

[Screenshots: Target List, demo MUC v2.20, Record Display, "Watch the target's computer screen", "Acquiring images"; then a live view of the target's desktop with a Skype window open.]

To stop recording live images or the microphone, move the mouse over the image and click the Stop button.

2.2.6.2 Live Session: Command Shell

This displays a live command shell session on the target's computer. The command shell runs with the user rights under which the FinSpy Target is running (in the Target List the User column shows SYSTEM for Kernel Mode and MBR installs and a regular account for User Mode installs, so that is the account the shell will have).

[Screenshot: Target List, demo muc, Command Shell ("Remote Command Shell"): the operator runs "cd c:\" and "dir"; the output shows "Volume in drive C has no label", "Volume Serial Number is DC5F-C3A9", "Directory of C:\" and a directory listing dated 2008 and 2009.]
…s of the applications are indicated by the following icons:

(upload icon): This icon indicates that the application is currently not uploaded to the FinSpy Target. For execution it needs to be uploaded first.
(execute/remove icon): This icon indicates that the application is currently uploaded to the FinSpy Target and just needs to be executed. Furthermore it can be removed from the FinSpy Target by clicking this icon.

If an application is executed on the FinSpy Target, it returns the results in a CSV file. This can be opened for example with Microsoft Excel.

2.2.6.4 Live Session: File Access

To establish a live session to the target's computer and browse files: browsing is possible through double clicks in the left tree or by double clicks on a folder in the right work pane.

[Screenshot: Target List, devel-target, Access Files: "Remote filesystem on devel-target", Upload File, Remote Path, Scan. Left tree: Documents and Settings (All Users, Default User, LocalService, NetworkService, Test3), Intel, Program Files, RECYCLER, System Volume Information, WINDOWS. Right pane (Folder View, Last Accessed 2010-04-08): Application Data, Bluetooth Software, Cookies, Desktop, Favorites, Local Settings, My Documents, NetHood, PrintHood, Recent, SendTo, Start Menu, Templates, NTUSER.DAT, ntuser.dat.LOG.]
…ser:

System Administrator: Create, delete and modify ALL users, including System Administrators; configure the FinSpy Master (Network, Evidence Protection, Updates etc.); full functionality of FinSpy.
Administrator: Full Target Control of all Targets; Target Creation; assign regular Users to Targets; install FinSpy Agent updates; all Data Analysis related functionality.
User: Functionality depends on what was assigned to the user.

Note: The upgrade from 2.40 to 2.50 will convert all users to System Administrators by default. After such an upgrade every existing account therefore holds full rights, including user administration and Master configuration, until a System Administrator lowers them again, so the user list should be reviewed immediately after upgrading.

By selecting User Management all users on the system will be listed.

[Screenshot: User Management list (Fullname / Username / type) with about two dozen accounts, most of type System Administrator (e.g. user 1, user 2, user 3, lucian, alex, pierre, alfa, viviana, omega, werner test) and a few of type User (e.g. James Tester/james, lh1, test, test2, test3, test4, test5).]

It is possible from here to select, add (1) or delete (2) users. If a user is added, another box below is displayed: a Username and a Password are required (Account Information: Username, Fullname, Password, Confirm Password). In the last step one or multiple targe…
…side to close and return to configuration.

2.2.13.7 Summary

A summary of the generated infection can be reviewed. Listed are the name of the infection, some configuration settings and also all chosen modules.

[Screenshot: Infection Executable Summary]
    Infection name: Alex FinSpy 3.00
    Infection Unique ID: 0x4DEB…9E2 (partly illegible)
    Selected Target Operating System: Windows
    The heartbeat interval is set to 30 seconds.
    Infected targets will connect to tiger.gamma-international.de on ports 1111, 1112, 1113, 1234.
    A maximum of 3 targets can be infected.
    Self removal will be done when no connection to the proxy can be established within 1 week.
    Preinstalled and configured modules: (icons)

2.2.13.8 Generate Infection

On this final dialogue the infection paths can be selected.

Additional Infection Paths:
Infected Application: Any executable (.exe) can be used to merge with the FinSpy Target executable.
Infected Screensaver: Any screensaver (.scr) can be used to merge with the FinSpy Target executable.
Infected Office Document: Any Microsoft Word or Microsoft Excel document can be used to merge with the FinSpy Target executable.
Infected File: The form… (cut off in the source)
Advanced File Name Conversion
Bootable ISO Image

[Screenshot: Additional Infection Paths dialog with "Select …" file pickers for Infected Application, Infected Screensaver (Select Screensaver, .scr) and Infected Office Document.]
…splayed in bold characters. This indicates that the data has not been processed yet. Once the data is viewed or exported, it will no longer be displayed in bold.

[Screenshot: Target list, Target 1123-win7, Analyse Data. Filters: Choose Target, Choose Module (All Modules), Start Date 1/13/2010, End Date 4/8/2010, Advanced options. Result columns: Description, Name, Size, Acquired. The rows are Screen Recordings of Target 1123-win7 (0xA6FEE129) of 44.1 KB, 44.2 KB, 52.4 KB and 31.2 KB, acquired on 2010-03-19, 2010-03-22 and 2010-03-25. Details pane for one entry: Target 0xA6FEE129, Description "Screen Record…", Acquired at 2010-03-25, Module Screen & Webcam, Session Type Live, Quality, Resolution 640 x 480, Comments; importance popup with High / Normal / Low; Delete.]

Name: Identifies the module, device or application of the recorded data set.
Importance: An importance level can be associated with the collected evidence and can be used as an ordering criterion. To change the importance level, right-click in the importance level column of an evidence entry and a popup with all the available importance l…
… the FinSpy Agent. There will be an icon on the desktop which needs to be clicked and which will start the main interface.

[Screenshot: FinSpy Agent login, User Authentication (Username, Password), Connection Options.]

1. Username and password.
2. Address and port of the FinSpy Master to which the FinSpy Agent connects. This data will be remembered after the first successful login.
3. Logoff from the FinSpy Master.

After a successful login the main interface will open.

[Screenshot: FinSpy Agent main window with the Target List (columns Computer, User, Country, City, Global IP, OS, OS Details, Version, Install Mode). Online targets: FS 2.30 / ALEX TARGET SYSTEM, Dubai, 94.200.250.24, Windows XP Service Pack 3, 2.30, Kernel Mode; Lambada / TAINA PC (user Taina), Petaling Jaya, 175.144.48.73, Windows Vista Service Pack 1, 2.20, User Mode; Mex1 / WS83765, Mexico, 8.14.252.221, Windows XP Service Pack 3, 2.20, Kernel Mode; toshiba NB100 demo MUC / LH EEEPC, LAN, 192.168.0.51, Windows XP Service Pack 3, 2.30, MBR. Target context menu: Analyse Data, Live Session, Download Schedule, Remove Infection, Download Now, Configuration, Alert Settings, Update, Data Analysis, Evidence Protection, Disconnect, Create Target, Administration.]
…ts can be assigned for each user.

2.3.1.2 Configuration: Agent Configuration

Inside the Agent Configuration the Export folder is defined. It will hold all created FinSpy Targets, exported evidence and updated FinSpy Agent version installers.

[Screenshot: Export Options, Export Folder C:\Users\Test\Documents\FinS…, "Specify the folder where all exported Data will be saved".]

2.3.1.3 Configuration: Network

The network configuration is divided into two parts: one for the FinSpy Agent and one for the FinSpy Target connection.

The Agent interface can be configured to be reachable not only from the internal LAN but also from the Internet. These settings must be used with caution, as they allow connections from outside to the FinSpy Master. If this setting is activated, the FinSpy Agent needs to use the external IP of the FinSpy Master to connect to it, even though it might be in the same LAN.

    Agent Interface
    Agent Listener Port:    1119
    Allow External Access:  Enabled    Allow Agents to connect to the Master remotely over the public interface.
    Note: This is a potential security risk as it enables remote connections to the Master.

If external access is enabled, restrict port 1119 on the perimeter firewall to the source addresses the Agents actually use rather than exposing the operator interface to the whole internet.

The public interface controls the network settings given by the provider to establish a connection to the internet and to be reachable from the internet. This can either be set manually (Manual/Static) or retrieved via DHCP from a router connected to the internet.
2.2.5.1.4 Target Settings

Behaviour and identification of the FinSpy Target:

Target Name: The FinSpy installer may infect different targets. To separate the FinSpy Targets, the previous Target ID of the infected media can be changed.
Heartbeat Interval: The FinSpy Target will send alive packets at a defined interval to the FinSpy Master. The time between these packets is given in seconds. This is used to update the online/offline status of the FinSpy Target.
Download Speed Limit: This option defines the download speed with which the data shall be transferred to the FinSpy Master. This is useful if only a small amount of bandwidth shall be used.

    Target Settings
    Target Name:           Alex FinSpy 2.50     Descriptive name of the target
    Heartbeat Interval:    30 seconds           Delay between call-backs from Target to Master server
    Download Speed Limit:  1024 kb (limited)    Limit the bandwidth usage to a maximum transfer rate

2.2.5.1.5 Relay Settings

The settings of the network configuration between FinSpy Target and FinSpy Master are:

Relay IP Address: Pre-configured with the connected FinSpy Master. This must be the external IP address or hostname of the FinSpy Master or of the FinSpy Relay. Several IPs or hosts can be defined; the infected computer will connect to one of the configured addresses.
Relay Port: Pre-configured with settings retrieved from the FinSpy Master.
Proxy Settings: …
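The heartbeat described above, together with the relay address and ports the target calls back to (the infection summary shows a 30-second interval and ports 1111, 1112, 1113 and 1234), is exactly what a network defender hunts for: one host opening a connection to the same address and port at a near-constant interval. As an added example that is not part of the manual and not Gamma's code, the Python below reads connection records, groups them per (source, destination, port) flow and flags flows whose inter-connection gaps are nearly constant. The record format, the thresholds and the sample records (constructed, using RFC 5737 documentation addresses) are assumptions; nothing here is derived from FinSpy traffic.

```python
"""Flag fixed-interval call-backs (heartbeats) in connection records
(added example, not Gamma code).

Input lines are assumed to be "ISO-timestamp src dst dport".  The records
below are constructed with documentation addresses: one host beaconing
every ~30 s with a little jitter, one browsing, one seen only three times.
"""
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, str, int]  # (src, dst, dport)

SAMPLE_CONNECTIONS = """\
# constructed sample
2010-04-21T10:00:00 192.0.2.10 203.0.113.5 1111
2010-04-21T10:00:05 192.0.2.11 203.0.113.5 443
2010-04-21T10:00:07 192.0.2.11 203.0.113.5 443
2010-04-21T10:00:30 192.0.2.10 203.0.113.5 1111
2010-04-21T10:00:40 192.0.2.11 203.0.113.5 443
2010-04-21T10:01:01 192.0.2.10 203.0.113.5 1111
2010-04-21T10:01:31 192.0.2.10 203.0.113.5 1111
2010-04-21T10:02:00 192.0.2.10 203.0.113.5 1111
2010-04-21T10:02:13 192.0.2.11 203.0.113.5 443
2010-04-21T10:02:14 192.0.2.11 203.0.113.5 443
2010-04-21T10:02:30 192.0.2.10 203.0.113.5 1111
2010-04-21T10:03:01 192.0.2.10 203.0.113.5 1111
2010-04-21T10:03:31 192.0.2.10 203.0.113.5 1111
2010-04-21T10:03:50 192.0.2.11 203.0.113.5 443
2010-04-21T10:04:00 192.0.2.10 203.0.113.5 1111
2010-04-21T10:04:02 192.0.2.11 203.0.113.5 443
2010-04-21T10:04:03 192.0.2.11 203.0.113.5 443
2010-04-21T10:04:10 192.0.2.12 203.0.113.5 1234
2010-04-21T10:04:30 192.0.2.10 203.0.113.5 1111
2010-04-21T10:04:40 192.0.2.12 203.0.113.5 1234
2010-04-21T10:05:10 192.0.2.12 203.0.113.5 1234
"""


def parse_records(text: str) -> List[Tuple[datetime, str, str, int]]:
    """Parse 'timestamp src dst dport' lines; '#' lines and blanks are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records


def find_beacons(records, min_hits: int = 5, max_cv: float = 0.15,
                 expected_interval: Optional[float] = None,
                 tolerance: float = 0.2) -> List[Dict]:
    """Return flows whose connection gaps are nearly constant.

    cv is the coefficient of variation (stdev / mean) of the gaps: a real
    heartbeat has a small one, interactive traffic does not.  With
    expected_interval set (e.g. a known 30 s heartbeat) only flows whose
    median gap lies within `tolerance` of it are reported.
    """
    by_flow: Dict[Flow, List[datetime]] = defaultdict(list)
    for when, src, dst, dport in records:
        by_flow[(src, dst, dport)].append(when)

    hits = []
    for flow, times in by_flow.items():
        if len(times) < min_hits:
            continue  # too few samples to call anything periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        median = statistics.median(gaps)
        if cv > max_cv:
            continue
        if expected_interval and abs(median - expected_interval) > tolerance * expected_interval:
            continue
        hits.append({"flow": flow, "hits": len(times), "interval_s": round(median, 1),
                     "cv": round(cv, 3), "first": times[0], "last": times[-1]})
    return sorted(hits, key=lambda h: h["flow"])


if __name__ == "__main__":
    for hit in find_beacons(parse_records(SAMPLE_CONNECTIONS)):
        print(hit)
```

The "last" timestamp is the other half of the picture: the summary above says a target removes itself after a week without reaching its proxy, so a beacon that stops is as informative as one that starts. Scale max_cv and min_hits to the sensor; NAT and sleep states add jitter that a stricter cv threshold would miss.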
… Windows Firewall (Turn Windows Firewall on or off; Allow a program through Windows Firewall).

[Screenshot: Windows Firewall control panel. "Windows Firewall can help prevent hackers or malicious software from gaining access to your computer through the Internet or network." Windows Firewall is on; "All inbound connections are blocked"; "Display a notification when a program is blocked: Yes"; Network location: Public network.]

At the Exceptions tab click Add Port in order to add the ports the FinSpy Relay will be working with.

[Screenshot: Windows Firewall Settings, tabs General / Exceptions / Advanced. "Windows Firewall is blocking incoming network connections, including the exceptions selected below." "Windows Firewall is currently using settings for the public network location. What are the risks of unblocking a program?"]

Add exceptions only for the ports the relay listens on; Windows Firewall blocks inbound connections only, so the relay's outbound connections need none.
… using Shift+Delete. The configuration provides the module with filtering capabilities based on location and file type. Additional information, such as the time of deletion, will be provided together with the recorded data.

    Recording Options
    Specify folders to watch for file deletions:  [x] All Drives & Folders
    Exceptions:
        %WINDIR%
        %PROGRAMFILES%
    Please provide one folder path or name per line. Supported system-defined constants:
    %ALLUSERSPROFILE%, %APPDATA%, %HOMEPATH%, %LOCALAPPDATA%, %ProgramData%, %PROGRAMFILES%,
    %SYSTEMROOT%, %USERPROFILE% and %WINDIR%.
    File Type: Specify which file types should be recorded:  [x] All Files   [ ] Custom file types

2.2.5.9 Configuration: File Access

This module is not configurable but enables the functionality of interacting with the file system of the FinSpy Target.

2.2.5.10 Configuration: Forensics Tools

This module is not configurable but enables the Forensics Tools live session, i.e. uploading and executing forensic applications on the FinSpy Target (see Live Session: Forensics Tools).

2.2.5.11 Configuration: Keylogger

Application-based events can be used to tune the keylogging process. The mechanism used for FinSpy Target communication is adapted for the Keylogger module to allow suppressing the keylogging for certain applications. If Operation Mode is set to Disabled, the keylogging will not be affected by any running application in the system. When Operation Mode is set to Active for Event, the keylog…
