https://wikileaks.org/vault7/document/Angelfire-2_0-UserGuide/Angelfire-2_0-UserGuide.pdf
techfags might like this
From your link, the KEYSTONE:
1. (U) Introduction
(TS) Angelfire is an implant comprised of 5 components: Solartime, Wolfcreek, Keystone, BadMFS, and the Windows Transitory File system.
Solartime modifies the partition boot sector to load some kernel code. That kernel code then modifies the Windows boot process so that when Windows loads boot time device drivers, an implant device driver can be loaded. The implant driver and Solartime boot code (aside from the partition boot sector modifications) are kept in a small user-specified file on disk. This file is encrypted.
Wolfcreek is the kernel code that Solartime executes. Wolfcreek is a self-loading driver that, once executed, can load other drivers and user-mode applications.
Keystone is responsible for starting user applications. Any application started by MW is done without the implant ever being dropped to the file system. In other words, a process is created and the implant is loaded directly into memory. Currently all processes will be created as svchost. When viewed in task manager (or another process viewing tool) all properties of the process will be consistent with a real instance of svchost.exe including image path and parent process. Furthermore, since the implant code never touches the file system (aside from the possibility of paging) there is very little forensic evidence that the process was ever run.
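
A defender-side check for the partition boot sector modification described in the quoted guide, as an added example that is not part of the thread or the quoted document: it hashes only the jump and bootstrap-code bytes of an NTFS boot sector, so the digest can be compared against a baseline taken from a clean volume. The function names, the baseline approach and the sample sectors are assumptions constructed for illustration.

```python
import hashlib
import struct

SECTOR = 512
# NTFS sector 0 layout: jump (0x00-0x02), OEM ID (0x03-0x0A),
# BPB / extended BPB (0x0B-0x53), bootstrap code (0x54-0x1FD), 0x55AA (0x1FE).
CODE_START, CODE_END = 0x54, 0x1FE


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 over jump + bootstrap code, skipping the per-volume BPB fields."""
    if len(sector) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    if sector[0x1FE:0x200] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    if sector[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    return hashlib.sha256(sector[0:3] + sector[CODE_START:CODE_END]).hexdigest()


def check_sector(sector: bytes, baseline_digest: str) -> dict:
    """Compare a sector's boot-code digest with a known-good baseline."""
    digest = boot_code_digest(sector)
    return {"digest": digest, "modified": digest != baseline_digest}


def build_sample_sector(code: bytes, serial: int) -> bytes:
    """Constructed test data only; not a real or bootable boot sector."""
    s = bytearray(SECTOR)
    s[0:3] = b"\xeb\x52\x90"                  # short jump over the BPB
    s[3:11] = b"NTFS    "                     # OEM ID
    struct.pack_into("<H", s, 0x0B, 512)      # bytes per sector
    struct.pack_into("<Q", s, 0x48, serial)   # volume serial (differs per volume)
    s[CODE_START:CODE_START + len(code)] = code
    s[0x1FE:0x200] = b"\x55\xaa"
    return bytes(s)


if __name__ == "__main__":
    clean = build_sample_sector(b"\x90" * 16, serial=0x1111)
    baseline = boot_code_digest(clean)
    # Same boot code on a different volume: BPB differs, digest does not.
    other = build_sample_sector(b"\x90" * 16, serial=0x2222)
    print("other volume :", check_sector(other, baseline)["modified"])
    # One changed byte in the bootstrap code is flagged.
    patched = build_sample_sector(b"\x90" * 15 + b"\xcc", serial=0x1111)
    print("patched code :", check_sector(patched, baseline)["modified"])
```

The comparison is most useful on sectors read from an image acquired offline, since kernel code already running on a live system is in a position to alter what disk reads return. It covers only sector 0; the rest of the NTFS boot area would need the same treatment.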