Analysis of Shadow Brokers Release – Operation Center

We have always been curious to know about what goes on inside the state sponsored security agencies like NSA (National Security Agency). Since the agency is known to operate on multiple spying operations in the past for tracking criminals and terrorists, it might sometimes need the use of zero day exploits to get into targeted systems.

Last week a hacker group named “Shadow Brokers” released some malicious programs and tools that were actually used by the Equation Group of NSA for spying. The most popular release was FuzzBunch (FB) and Operation Center (OC).  

We have analyzed these tools and these are sophisticated frameworks. The frameworks are fully modular and very well designed. The comments in the code suggests that the initial development of the components started around year 2006.

Operation Center is core component to control the compromised machine after exploitation with FuzzBunch. Operation Center has around seven kernel components and supports more than hundred commands. Some of the advanced features of OC are:

  • Bypass authentication for oracle servers and provides commands to interact with databases.
  • Network traffic capture/manipulation
  • NTFS MFT parsing and analysis
  • Encryption of network communication and log files
  • Memory dump and analysis
  • Installation of other backdoors with persistence and stealth techniques
  • Disabling of AV (Anti-Virus) and other security products
  • Advanced framework to load and unload kernel mode drivers
  • Advanced search abilities in files and processes.
  • Authentication and force login provider
  • Advanced RAT (remote administration) functionalities


Download Full Report from here.




Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.