This repository contains indicators of compromise and scripts related to the report German-made FinSpy spyware found in Egypt, and Mac and Linux versions revealed published by Amnesty Tech in September 2020.
Indicators:
domains.txt: domains identifiedips.txt: IPv4 addresses identifiedsha256.csv: sha256 of samples identifiedrules.yar: Yara rules
Tools in the script folder:
decode_modules.py: decode encrypted modules of Linux and MacOsread_config.py: read FinSpy configurationandroid/extract_config.py: extract configuration from FinSpy Android samplesandroid/java_parser.py: extract obfuscated strings from decompiled java codeandroid/string_decoder.py: decode obfuscated stringslinux/extract_config.py: extract configuration files from a Linux FinSpy installercobaltstrike/cobaltstrike_config.py: extract the configuration of a Cobalt Strike payloadcobaltstrike/cobaltstrike_decode.py: decode an obfuscated Cobalt Strike payload
Additional files:
android_tlv_list.csv: list of TLV values extracted from the Android sample