EXPOSED:House-Republicans-Release-FBI-Report-ORIGINAL DOCUMENT

SUPPORT US AND GET EXCLUSIVE GIFT, REPORTS & DOCS Become a Patron!
True Information is the most valuable resource and we ask you to give back.

http://www.berndpulch.org

THE ONLY WEBSITE WITH THE LICENSE TO SPY!

🚨 FOLLOW US ON TELEGRAM & GAB FOR EVEN MORE ABOVE TOP SECRET INFOS & DOCUMENTS

https://t.me/ABOVETOPSECRETXXL

👉JOIN @ABOVETOPSECRETXXL

https://gab.com/berndpulch

https://gettr.com/user/berndpulch

https://truthbook.social/berndpulch

US Republicans drop 1,000-page report saying FBI is ‘rotted at its core’, manipulated domestic violent extremism statistics for political purposes, and deliberately downplayed ‘serious allegations of wrongdoing’ from Hunter Biden

READ ALL AT:

https://t.me/ABOVETOPSECRETXXL/21742

THIS IS AN EXCERPT – YOU CAN DOWNLOAD THIS INFO IN FULL LENGTH UNREDACTED, OUR FULL VIDEOS, OUR FULL DOCUMENT AND MUCH MORE FOR FREE AT OUR TELEGRAM CHANNEL

https://t.me/ABOVETOPSECRETXXL

👉JOIN @ABOVETOPSECRETXXL

DHS-FBI-NCTC U.S. Violent Extremist Mobilization Indicators 2021 Edition

READ ALL AT:

https://t.me/ABOVETOPSECRETXXL/21299

EXPOSED:Full NY State Attorney General Lawsuit Against the Trumps

READ ALL AT:

https://t.me/ABOVETOPSECRETXXL/21298

Full Search Warrant And Property Receipt Of Trump Raid

Feds Who Raided Mar-a-Lago Are Under Investigation by John Durham . . . for Russiagate Hoax

FBI Admits to Planting Evidence in Michigan Whitmer Kidnapping Plot Retrial

GRAND RAPIDS, Michigan – The USA vs Fox, et al., also known as the Michigan Whitmer Kidnapping Plot retrial, began on August 9, 2022 with jury selection. Many of the prospective jurors talked about a general distrust of the government. The previous trial ended with no convictions: two men, Brandon Caserta and Daniel Harris, were acquitted (found entrapped by the FBI) by a Michigan jury, and a mistrial was declared as to defendants Adam Fox and Barry Croft.

https://radixverum.substack.com/p/fbi-admits-to-planting-evidence-in

Adam Fox And First Discussion With FBI Informant – ORIGINAL DOCUMENT

ADAM FOX

FBI v. Fazaga: Supreme Court Examines Interplay of State Secrets Privilege & the Foreign Intelligence Surveillance Act – Original Document

Big Business to Supreme Court: Defend LGBTQ People From ...

CHEMICAL ALI’S FBI DOSSIER – ORIGINAL DOCUMENT

Chemical Ali hanged for gassing 5,000 - Mirror Online
CHEMICAL ALI

INTELLIGENCE, FBI, CAN SPY ON YOU IN REAL TIME – ORIGINAL DOCUMENT

FBI DIRECTOR TO FBI PHILADELPHIA – ORIGINAL DOCUMENT

UNVEILED – US v RODRIGUEZ – Blame Trump – ORIGINAL DOCUMENTS

🚨 FOLLOW US ON TELEGRAM FOR MORE ABOVE TOP SECRET INFOS

https://t.me/ABOVETOPSECRETXXL

There you can get the documents plus the attachment (transcription)

UNVEILED – FBI Conspiracy Theory Redacted – Original Document

Revealed – Governor Of Michigan Kidnapping Conspiracy – Original FBI – Court Document

Judge sets trial date in alleged Whitmer kidnapping plot case

FBI Email Warning of Far-Right Chatter Re Election Results – Original Document

FBI Document Re Boogaloo Bois Using Amazon Ring Doorbells For Protection From Agents

FBI Bulletin On PRC/Uyghurs – Original Document

PRC points to massacre as justification for Uighur crackdown

DHS-FBI-NCTC Bulletin – First Responder Awareness of Privately Made Firearms May Prevent Illicit Activities – Original Document

Justice Department Inspector General Recovered Missing Text From Investigations About Hillary Clinton & Donald Trump

Hillary Clinton on Trump's delay of Biden transition: 'It's going to cost  lives' – POLITICO

FBI’s Investigation Into Hillary Clinton’s Private Email Server – Original Document

Watch the FBI refute Clinton email claims - CNN Video
Former FBI Director Comey & Hillary Clinton

FBI Director James B. Comey’s Termination – Letters From The White House, Attorney General – Original Documents

James Comey: The Man Who No Longer Trusts Anyone | STERN.de

Apple’s Attorneys Defend Against The FBI’s Request To Access The iPhone – Original Document

Apple vs. FBI: Different Judge Says Apple Is Right

J Edgar Hoover’s Secret Memo After Jack Ruby Shot Oswald – Original Document

J. Edgar Hoover said in a memo two days after John F. Kennedy’s assassination that the public must be led to believe that Lee Harvey Oswald acted alone.

“There is nothing further on the Oswald case except that he is dead.”

FBI Director J. Edgar Hoover dictated that line in a memo he issued on Nov. 24, 1963, the day Jack Ruby killed Lee Harvey Oswald as the gunman was being transported to the Dallas County Jail after the assassination of President John F. Kennedy.


FBI – Intelligence Division – Cuba – Panama – Secret Warning – Original Document

Internal FBI Memo Regarding The Rosseli Murder & Letelier Assassination – Original Document

Orlando Letelier

The FBI Investigation Of Deep Throat And The Devil In Mrs. Jones – Original Document

CISA & FBI – DarkSide Ransomware – Best Practices For Preventing Business Disruption From Ransomware Attacks – Original Document

Lazarus Group Brings APT Tactics to Ransomware | Threatpost

Revealed – FBI Headquarters Backdoors, Washington, DC, US

38°53’41.01″ N 77°01’29.50″ W

Unveiled – As done by “GoMoPa” – Cyber Bulletin: Korean Malware Potentially Used in Sony Pictures Attack

The following bulletin was posted on the document sharing website Scribd by Politico Cybersecurity Editor Shaun Waterman. The bulletin refers to Korean malware used by “unknown computer network exploitation (CNE) operators” that is believed to have been used in the recent attack on Sony Pictures Entertainment. These actions resemble the “GoMoPa” cyber-attacks. The bulletin was first reported by Reuters on December 1, 2014.

FBI-KoreanMalware

FBI Liaison Alert System #A-000044-mw

  • 5 pages
  • TLP: GREEN
  • December 1, 2014

The FBI is providing the following information with HIGH confidence:

Destructive malware used by unknown computer network exploitation (CNE) operators has been identified. This malware has the capability to overwrite a victim host’s master boot record (MBR) and all data files. The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods. Analysis of this malware is presented to provide the computer network defense (CND) community with indicators of this malware.

TECHNICAL DETAILS

The FBI is providing the following information with HIGH confidence:

This group uses some custom tools that should be immediately flagged if detected, reported to FBI CYWATCH, and given highest priority for enhanced mitigation.

The aforementioned actors have used identified domain names and IP addresses as both source and/or destination IPs. The FBI is distributing the indicators associated with this attack to enable network defense activities and reduce the risk of similar attacks in the future. The FBI has high confidence that these indicators are being used by CNE operators for further network exploitation. The FBI recommends that your organization help victims identify and remove the malicious code.

Below are descriptions of malware and associated malware signatures:

The malware has the following characteristics:

File: d1c27ee7ce18675974edf42d4eea25c6.bin
Size: 268579 bytes (262.3 KB)
MD5: D1C27EE7CE18675974EDF42D4EEA25C6
PE Compile Time: 2014-11-22 00:06:54
Language pack of resource section: Korean

The original filename of this file is unknown, but it was likely “diskpartmg16.exe”. This file serves as a dropper. It drops destructive malware, “igfxtrayex.exe”. When the dropper file was executed, it started a second instance of itself with “-i” as an argument, then terminated.

The second instance of the dropper file installed itself as the “WinsSchMgmt” service with “-k” as a command line argument, started the service, then terminated.

The “WinsSchMgmt” service executed the file with “-k” as an argument, which started another instance of the file using “-s” as an argument.

The “-s” instance dropped and executed “igfxtrayex.exe”, created “net_ver.dat”, and began generating network traffic over TCP ports 445 and 139 to victim IP addresses.

The following files were added:
C:\Documents and Settings\User\Desktop\igfxtrayex.exe
C:\WINDOWS\system32\net_ver.dat

The following strings of interest were in this dropper file:

– – – BEGIN STRINGS – – –
recdiscm32.exe
taskhosts64.exe
taskchg16.exe
rdpshellex32.exe
mobsynclm64.exe
comon32.exe
diskpartmg16.exe
dpnsvr16.exe
expandmn32.exe
hwrcompsvc64.exe
cmd.exe /q /c net share shared$ /delete
\\%\admin$\syswow64
\\%s\admin$\system32
cmd.exe /q /c net share shared$=%SystemRoot%
cmd.exe /q /c net share shared$=%SystemRoot% /GRANT:everyone, FULL
RasSecurity
RasMgrp
cmd.exe /c wmic.exe /node: "%s" /password: "%s" PROCESS CALL CREATE "%s" > %s
WinsSchMgmt
Windows Schedule Management Service
– – – END STRINGS – – –

File: net_ver.dat
Size: 4572 bytes (4.5 KB)
MD5: 93BC819011B2B3DA8487F964F29EB934

This is a configuration file containing what appear to be hostnames, IP addresses, and the number 2. Entries in the file have the structure “HOSTNAME | IP Address | 2”. The victim IP addresses in this file correspond with the victim IP addresses listed under the file with MD5 hash D1C27EE7CE18675974EDF42D4EEA25C6 (noted above).
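For scoping during response, the “HOSTNAME | IP Address | 2” layout described above can be parsed to list the hosts a recovered net_ver.dat names and to compare them with an asset inventory. This is an added example, not part of the FBI bulletin; the sample file content, hostnames and inventory are constructed, and one-entry-per-line ASCII text is an assumption about the file.

```python
import ipaddress


def parse_net_ver(data: bytes):
    """Parse 'HOSTNAME | IP Address | 2' lines.

    Returns (entries, rejects): entries are (hostname, ip_string, flag)
    tuples, rejects are (line_number, raw_line) for lines that do not fit.
    """
    entries, rejects = [], []
    # Assumption: one entry per line, ASCII-compatible text.
    text = data.decode("ascii", errors="replace")
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 3 or not fields[0]:
            rejects.append((lineno, raw))
            continue
        host, ip_text, flag = fields
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            # Keep malformed lines for manual review instead of dropping them.
            rejects.append((lineno, raw))
            continue
        entries.append((host.upper(), str(ip), flag))
    return entries, rejects


def scope_against_inventory(entries, inventory):
    """Compare parsed entries with an asset inventory {hostname: ip}.

    confirmed  - hostname and IP both match the inventory
    ip_changed - hostname known, IP differs (re-addressed since the file was built)
    unknown    - hostname not in the inventory (decommissioned or unmanaged)
    """
    inv = {h.upper(): ip for h, ip in inventory.items()}
    report = {"confirmed": [], "ip_changed": [], "unknown": []}
    for host, ip, _flag in entries:
        if host not in inv:
            report["unknown"].append(host)
        elif inv[host] == ip:
            report["confirmed"].append(host)
        else:
            report["ip_changed"].append(host)
    return report


# Constructed sample content: invented hostnames, documentation-range addresses.
SAMPLE_NET_VER = (
    b"FILESRV01 | 192.0.2.10 | 2\r\n"
    b"mail02|192.0.2.25|2\r\n"
    b"HR-WS-117 | 198.51.100.44 | 2\r\n"
    b"garbled line without separators\r\n"
    b"DC01 | 999.1.1.1 | 2\r\n"
)
# Constructed inventory: hostname -> current IP.
SAMPLE_INVENTORY = {"filesrv01": "192.0.2.10", "mail02": "192.0.2.26"}

if __name__ == "__main__":
    parsed, bad = parse_net_ver(SAMPLE_NET_VER)
    print(scope_against_inventory(parsed, SAMPLE_INVENTORY))
    print("lines needing manual review:", bad)
```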

File: igfxtrayex.exe
Size: 249856 bytes (244.0 KB)
MD5: 760c35a80d758f032d02cf4db12d3e55
PE Compile Time: 2014-11-24 04:11:08
Language pack of resource section: Korean

This file is destructive malware: a disk wiper with network beacon capabilities. If “igfxtrayex.exe” is run with no parameters, it creates and starts a copy of itself with the “-i” argument. After 10 minutes, “igfxtrayex.exe” makes three copies of itself and places them in the same directory it was executed from. These copies are named according to the format “taskhostXX.exe” (where X is a randomly generated ASCII character). These copies are then executed, each with a different argument (one being “-m”, one being “-d” and the other “-w”). Network connection attempts are made to one of three hard-coded IP addresses in a random order to either port 8080 or 8000. If a connection to the IP address cannot be made, it attempts to connect to another of the three IP addresses, until connections to all three IP addresses have been attempted. The following command-line string is then executed: “cmd.exe /c net stop MSExchangeIS /y”. A 120-minute (2 hour) sleep command is issued, after which the computer is shut down and rebooted.

File: iissvr.exe
Size: 114688 bytes (112.0 KB)
MD5: e1864a55d5ccb76af4bf7a0ae16279ba
PE Compile Time: 2014-11-13 02:05:35
Language pack of resource section: Korean

This file when executed starts a listener on localhost port 80. It has 3 files contained in the resource section, all xor’d with 0x63.

File: usbdrv3_32bit.sys
Size: 24280 bytes (23.7 KB)
MD5: 6AEAC618E29980B69721158044C2E544
PE Compile Time: 2009-08-21 06:05:32

This SYS file is a commercially available tool that allows read/write access to files and raw disk sectors for user mode applications in Windows 2000, XP, 2003, Vista, 2008 (32-bit). It is dropped from resource ID 0x81 of “igfxtrayex.exe”.

File: usbdrv3_64bit.sys
Size: 28120 bytes (27.5 KB)
MD5: 86E212B7FC20FC406C692400294073FF
PE Compile Time: 2009-08-21 06:05:35

This SYS file is also a commercially available tool that allows read/write access to files and raw disk sectors for user mode applications in Windows 2000, XP, 2003, Vista, 2008 (64-bit). It is dropped from resource ID 0x83 of “igfxtrayex.exe”.

RECOMMENDED STEPS FOR INITIAL MITIGATION

The following Snort signature can be used to detect the beacon traffic, though by the time the beacons occur, the destructive process of wiping the files has begun:

alert tcp any any -> [88.53.215.64,217.96.33.164,203.131.222.102] [8080,8000] (msg:"wiper_callout"; dsize:42; content:"|ff ff ff ff|"; offset:26; depth:4; sid:314;)
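The logic of the Snort signature above, applied to flow records, as an added example that is not part of the FBI bulletin. It goes slightly beyond the rule by also labelling partial matches (a listed destination without the payload, or the payload shape sent to an unlisted address) for hunting; the flows are constructed and the label names are assumptions.

```python
import ipaddress

# Values copied from the Snort signature in the bulletin.
BEACON_DESTS = {ipaddress.ip_address(a) for a in
                ("88.53.215.64", "217.96.33.164", "203.131.222.102")}
BEACON_PORTS = {8080, 8000}
DSIZE = 42                      # dsize:42 -> payload is exactly 42 bytes
MARKER = b"\xff\xff\xff\xff"    # content:"|ff ff ff ff|"
OFFSET, DEPTH = 26, 4           # search starts at byte 26 and spans 4 bytes

# Partial matches rank below a full signature match.
RANK = {"dest_only": 1, "payload_only": 1, "wiper_callout": 2}


def payload_matches(payload: bytes) -> bool:
    if len(payload) != DSIZE:
        return False
    # depth equals the marker length, so the marker must sit at bytes 26..29.
    return payload[OFFSET:OFFSET + DEPTH] == MARKER


def destination_matches(dst_ip: str, dst_port: int) -> bool:
    return (ipaddress.ip_address(dst_ip) in BEACON_DESTS
            and dst_port in BEACON_PORTS)


def classify(dst_ip, dst_port, payload):
    """Return 'wiper_callout' (full match), 'dest_only', 'payload_only' or None."""
    dest = destination_matches(dst_ip, dst_port)
    shape = payload_matches(payload)
    if dest and shape:
        return "wiper_callout"
    if dest:
        return "dest_only"
    if shape:
        return "payload_only"
    return None


def triage(flows):
    """flows: iterable of (iso_timestamp, src_ip, dst_ip, dst_port, payload).

    Returns {src_ip: (earliest_hit_timestamp, strongest_label)}. Because the
    beacon follows the start of wiping, the earliest hit bounds how long a
    host has already been affected.
    """
    hits = {}
    for ts, src, dst, port, payload in flows:
        label = classify(dst, port, payload)
        if label is None:
            continue
        first, best = hits.get(src, (ts, label))
        if RANK[label] > RANK[best]:
            best = label
        hits[src] = (min(first, ts), best)
    return hits


# Constructed sample flows (internal addresses and timestamps are invented).
_BEACON = bytes(26) + MARKER + bytes(12)    # 42 bytes, marker at offset 26
_SHIFTED = bytes(25) + MARKER + bytes(13)   # 42 bytes, marker one byte early
SAMPLE_FLOWS = [
    ("2014-11-24T09:00:05", "10.0.0.21", "203.131.222.102", 8080, _BEACON),
    ("2014-11-24T09:00:01", "10.0.0.21", "88.53.215.64", 8000, b""),
    ("2014-11-24T09:02:10", "10.0.0.35", "192.0.2.80", 8080, _BEACON),
    ("2014-11-24T09:03:00", "10.0.0.40", "192.0.2.80", 8080, _SHIFTED),
    ("2014-11-24T09:04:00", "10.0.0.41", "217.96.33.164", 443, _BEACON + b"\x00"),
]

if __name__ == "__main__":
    for host, (first_seen, label) in sorted(triage(SAMPLE_FLOWS).items()):
        print(host, first_seen, label)
```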

The following YARA signatures will detect this malware on the host:

rule unknown_wiper_str
{
    meta:
        description = "unique string in wiper malware"

    strings:
        $STR1 = "#99E2428CCA4309C68AAF8C616EF3306582A64513E55C786A864BC83DAFE0C78585B692047273B0E55275102C66" fullword nocase
        $MZ = "MZ"

    condition:
        $MZ at 0 and $STR1
}

rule unknown_wiper_IPs
{
    meta:
        description = "unique IPs in wiper malware"

    strings:
        $IP1 = "203.131.222.102" fullword nocase
        $IP2 = "217.96.33.164" fullword nocase
        $IP3 = "88.53.215.64" fullword nocase
        $MZ = "MZ"

    condition:
        $MZ at 0 and all of them
}

rule unknown_wiper_error_strings
{
    meta:
        description = "unique custom error debug strings discovered in the wiper malware"

    strings:
        $ERR1 = "$MFT Record read failed." fullword nocase
        $ERR2 = "Drive Boot Sector read failed." fullword nocase
        $ERR3 = "SetFilePointer failed." fullword nocase
        $MZ = "MZ"

    condition:
        $MZ at 0 and all of them
}

Reporting Notice

The FBI encourages recipients who identify the use of tool(s) or techniques discussed in this document to report information to their local FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at http://www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at 855-292-3937 or by e-mail at CyWatch@ic.fbi.gov. When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact.
