Updating generated indicator files and README

README.md

@@ -51,7 +51,7 @@ Files generated automatically from previous IOC files:
 
 ## Stalkerware
 
-This repository includes indicators for 146 applications (133 stalkerware and 13 watchware) and 2886 samples
+This repository includes indicators for 147 applications (134 stalkerware and 13 watchware) and 2886 samples
 
 * AbsoluTrack (`absolutesoftsystem.in` `absolutestoreindia.com` `ass.absolutesoftsystem.in` `geniesoftsystem.com` `onetouchsecurities.com` `smartguardapp.com` `thiefguardbd.com` `www.smartguardapp.com`)
 * Accountable2you (`accountable2you.com`)
@@ -117,6 +117,7 @@ This repository includes indicators for 146 applications (133 stalkerware and 13
 * MonitorUltra (`www.spyequipmentuk.co.uk`)
 * Mrecorder (`mobilerecorder24.com` `mrecorder.com`)
 * MyCellSpy (`mycellspy.com` `cezz.me` `user.mycellspy.com`)
+* MySpyApps (`myspyapps.com`)
 * MzanziSpy (`mzanzispy.co.za`)
 * NemoSpy (`nemospy.com` `admin.nemospy.com`)
 * NeoSpy (`neospy.pro` `neospy.net` `neospy.tech` `ru.neospy.net`)

generated/hosts

@@ -392,6 +392,7 @@ mtf.re
 mtoolapp.biz
 mtoolapp.net
 mxspy.com
+my-spy-a9c92.firebaseio.com
 my.a-spy.com
 my.aispyer.com
 my.copy9.com

generated/hosts_full

@@ -433,6 +433,7 @@ mtoolapp.biz
 mtoolapp.net
 mtracker.fortess.net
 mxspy.com
+my-spy-a9c92.firebaseio.com
 my.a-spy.com
 my.aispyer.com
 my.copy9.com

generated/misp_event.json

@@ -50963,6 +50963,264 @@
       ],
       "distribution": "5",
       "sharing_group_id": "0"
+    },
+    {
+      "name": "android-app",
+      "meta-category": "file",
+      "template_uuid": "92836f23-4730-4eae-82ac-9f00d5299735",
+      "description": "Indicators related to an Android app",
+      "template_version": "1",
+      "uuid": "44ab18ec-3b54-4e1d-88c9-0b0c5fe8a016",
+      "Attribute": [
+        {
+          "uuid": "ce480e12-8eac-4cf7-aa13-7af76a31b699",
+          "object_relation": "name",
+          "value": "juju",
+          "type": "text",
+          "disable_correlation": false,
+          "to_ids": false,
+          "category": "Other"
+        }
+      ],
+      "distribution": "5",
+      "sharing_group_id": "0"
+    },
+    {
+      "name": "android-app",
+      "meta-category": "file",
+      "template_uuid": "92836f23-4730-4eae-82ac-9f00d5299735",
+      "description": "Indicators related to an Android app",
+      "template_version": "1",
+      "uuid": "deff640d-1723-4624-b3f3-a1aef6ae7a83",
+      "Attribute": [
+        {
+          "uuid": "1ed7a7d0-43c1-4693-92d3-118da133d60d",
+          "object_relation": "name",
+          "value": "mSpyitaly",
+          "type": "text",
+          "disable_correlation": false,
+          "to_ids": false,
+          "category": "Other"
+        }
+      ],
+      "distribution": "5",
+      "sharing_group_id": "0"
+    },
+    {
+      "name": "android-app",
+      "meta-category": "file",
+      "template_uuid": "92836f23-4730-4eae-82ac-9f00d5299735",
+      "description": "Indicators related to an Android app",
+      "template_version": "1",
+      "uuid": "246fb040-f9bb-4a4a-860d-3796f71b9b15",
+      "Attribute": [
+        {
+          "uuid": "4ef01047-c48e-44aa-98be-66aff5022ec7",
+          "object_relation": "name",
+          "value": "KidSecured",
+          "type": "text",
+          "disable_correlation": false,
+          "to_ids": false,
+          "category": "Other"
+        }
+      ],
+      "distribution": "5",
+      "sharing_group_id": "0"
+    },
+    {
+      "name": "android-app",
+      "meta-category": "file",
+      "template_uuid": "92836f23-4730-4eae-82ac-9f00d5299735",
+      "description": "Indicators related to an Android app",
+      "template_version": "1",
+      "uuid": "9df29119-83f4-4b37-92b0-bc4924555871",
+      "Attribute": [
+        {
+          "uuid": "c834465f-f325-466f-b9d8-14d5ef841bf3",
+          "object_relation": "name",
+          "value": "SpyTec",
+          "type": "text",
+          "disable_correlation": false,
+          "to_ids": false,
+          "category": "Other"
+        }
+      ],
+      "distribution": "5",
+      "sharing_group_id": "0"
+    },
+    {
+      "name": "android-app",
+      "meta-category": "file",
+      "template_uuid": "92836f23-4730-4eae-82ac-9f00d5299735",
+      "description": "Indicators related to an Android app",
+      "template_version": "1",
+      "uuid": "0e99ee80-d310-45f3-8226-3be957215aca",
+      "Attribute": [
+        {
+          "uuid": "c7993377-555c-402b-814a-eb3bd2944c02",
+          "object_relation": "name",
+          "value": "SpyTek",
+          "type": "text",
+          "disable_correlation": false,
+          "to_ids": false,
+          "category": "Other"
+        }
+      ],
+      "distribution": "5",
+      "sharing_group_id": "0"
+    },
+    {
+      "name": "android-app",
+      "meta-category": "file",
+      "template_uuid": "92836f23-4730-4eae-82ac-9f00d5299735",
+      "description": "Indicators related to an Android app",
+      "template_version": "1",
+      "uuid": "9f8a0a11-ec6b-4baf-9aac-380fe1a86d69",
+      "Attribute": [
+        {
+          "uuid": "1c92a4b6-0c88-4ac3-98c4-62bcbe7f2174",
+          "object_relation": "name",
+          "value": "Intertel",
+          "type": "text",
+          "disable_correlation": false,
+          "to_ids": false,
+          "category": "Other"
+        }
+      ],
+      "distribution": "5",
+      "sharing_group_id": "0"
+    },
+    {
+      "name": "android-app",
+      "meta-category": "file",
+      "template_uuid": "92836f23-4730-4eae-82ac-9f00d5299735",
+      "description": "Indicators related to an Android app",
+      "template_version": "1",
+      "uuid": "87a3aeed-ff3b-4ec3-ba00-8c900a76974a",
+      "Attribute": [
+        {
+          "uuid": "844fbd80-6b5f-408e-a8d5-11e13c17382f",
+          "object_relation": "name",
+          "value": "SpyFly",
+          "type": "text",
+          "disable_correlation": false,
+          "to_ids": false,
+          "category": "Other"
+        }
+      ],
+      "distribution": "5",
+      "sharing_group_id": "0"
+    },
+    {
+      "name": "android-app",
+      "meta-category": "file",
+      "template_uuid": "92836f23-4730-4eae-82ac-9f00d5299735",
+      "description": "Indicators related to an Android app",
+      "template_version": "1",
+      "uuid": "8688b9ac-da4f-4181-b465-ad1e06d62c9e",
+      "Attribute": [
+        {
+          "uuid": "8436460d-5bff-411b-aa64-b66d3bbc387e",
+          "object_relation": "name",
+          "value": "MocoSpy",
+          "type": "text",
+          "disable_correlation": false,
+          "to_ids": false,
+          "category": "Other"
+        }
+      ],
+      "distribution": "5",
+      "sharing_group_id": "0"
+    },
+    {
+      "name": "android-app",
+      "meta-category": "file",
+      "template_uuid": "92836f23-4730-4eae-82ac-9f00d5299735",
+      "description": "Indicators related to an Android app",
+      "template_version": "1",
+      "uuid": "aaf17749-b08a-477b-86e7-f8e25f85625c",
+      "Attribute": [
+        {
+          "uuid": "8c4f4793-b91a-4013-89be-f5070d89dc8c",
+          "object_relation": "name",
+          "value": "MzanziSpy",
+          "type": "text",
+          "disable_correlation": false,
+          "to_ids": false,
+          "category": "Other"
+        }
+      ],
+      "distribution": "5",
+      "sharing_group_id": "0"
+    },
+    {
+      "name": "android-app",
+      "meta-category": "file",
+      "template_uuid": "92836f23-4730-4eae-82ac-9f00d5299735",
+      "description": "Indicators related to an Android app",
+      "template_version": "1",
+      "uuid": "ec8f1480-236d-4031-bd1b-9010eb4b2978",
+      "Attribute": [
+        {
+          "uuid": "d080831d-51eb-4755-81f9-d4a10d4e88a5",
+          "object_relation": "name",
+          "value": "RecomSpy",
+          "type": "text",
+          "disable_correlation": false,
+          "to_ids": false,
+          "category": "Other"
+        }
+      ],
+      "distribution": "5",
+      "sharing_group_id": "0"
+    },
+    {
+      "name": "android-app",
+      "meta-category": "file",
+      "template_uuid": "92836f23-4730-4eae-82ac-9f00d5299735",
+      "description": "Indicators related to an Android app",
+      "template_version": "1",
+      "uuid": "67d69949-fce7-41e5-b995-b833f440912a",
+      "Attribute": [
+        {
+          "uuid": "3704554f-166a-4992-bd05-8fe521954402",
+          "object_relation": "name",
+          "value": "MySpyApps",
+          "type": "text",
+          "disable_correlation": false,
+          "to_ids": false,
+          "category": "Other"
+        },
+        {
+          "uuid": "f3da049b-277e-4b27-b5ad-713a1849335e",
+          "object_relation": "domain",
+          "value": "my-spy-a9c92.firebaseio.com",
+          "type": "domain",
+          "disable_correlation": false,
+          "to_ids": true,
+          "category": "Network activity"
+        },
+        {
+          "uuid": "7a1228cd-88fa-4106-9935-f80be13dc106",
+          "object_relation": "certificate",
+          "value": "CCCD74B31E53685BFA5A23AD0AE020AF74689085",
+          "type": "sha1",
+          "disable_correlation": false,
+          "to_ids": true,
+          "category": "Payload delivery"
+        },
+        {
+          "uuid": "fe9bcc6d-b3f1-49b9-9eae-2438412699fe",
+          "object_relation": "appid",
+          "value": "com.my.spy.app",
+          "type": "text",
+          "disable_correlation": false,
+          "to_ids": false,
+          "category": "Other"
+        }
+      ],
+      "distribution": "5",
+      "sharing_group_id": "0"
     }
   ],
   "info": "Stalkerware indicators",

generated/network.csv

@@ -991,3 +991,4 @@ domain,x.pgv4.com,SpyApp
 domain,pgv4.com,SpyApp
 domain,www.pgv4.com,SpyApp
 domain,m.pgv4.com,SpyApp
+domain,my-spy-a9c92.firebaseio.com,MySpyApps

generated/quad9_blocklist.txt

@@ -862,3 +862,4 @@ x.pgv4.com
 pgv4.com
 www.pgv4.com
 m.pgv4.com
+my-spy-a9c92.firebaseio.com

generated/suricata.rules

@@ -968,3 +968,4 @@ alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE XDSpy (app[.]xdspy[.]ap
 alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyApp (x[.]pgv4[.]com)"; metdata: type stalkerware; dns.query; content:"x.pgv4.com"; depth:10; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000967; rev:1;)
 alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyApp (pgv4[.]com)"; metdata: type stalkerware; dns.query; content:"pgv4.com"; depth:8; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000968; rev:1;)
 alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE SpyApp (www[.]pgv4[.]com)"; metdata: type stalkerware; dns.query; content:"www.pgv4.com"; depth:12; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000969; rev:1;)
+alert dns $HOME_NET any -> any any (msg:"PTS STALKERWARE MySpyApps (my-spy-a9c92[.]firebaseio[.]com)"; metdata: type stalkerware; dns.query; content:"my-spy-a9c92.firebaseio.com"; depth:27; nocase; endswith; fast_pattern; reference:url,github.com/AssoEchap/stalkerware-indicators; classtype:targeted-activity; sid:1000970; rev:1;)

ioc.yaml

@@ -3940,3 +3940,15 @@
     - x.pgv4.com
     - pgv4.com
     - www.pgv4.com
+
+- name: MySpyApps
+  type: stalkerware
+  websites:
+  - myspyapps.com
+  certificates:
+  - CCCD74B31E53685BFA5A23AD0AE020AF74689085
+  packages:
+  - com.my.spy.app
+  c2:
+    domains:
+    - my-spy-a9c92.firebaseio.com