AssoEchap / stalkerware-indicators

Indicators of stalkerware apps

Change IOCs to IP format? #122

Closed fpusersuggest closed 1 year ago

fpusersuggest commented 1 year ago

Hello guys, I'm a victim of espionage and I'm trying to find some clues, because I know I'm being spied on but I haven't found anything on my devices (PC and phones). In my opinion it's something very sophisticated and could be something like a file-less tool. By file-less I mean something that is not installed on the disk but is resident only in RAM. Then the PC can be infected every time I connect the browser to the net. Anyway, my problem is that, as far as I can see, all the IOCs are in domain format and not IP. I installed a Raspberry Pi with Suricata and the default free rules, but it's not connected to the internet. It's just connected to the mirroring port of the switch; the Ethernet port is just sniffing the traffic but can't resolve any domain. So I'll try to resolve the hosts file into IP format, but I'll do that from the infected machine, and after that I'll copy the files to the Suricata RPi. So if you're interested I'll send you the converted files, but to be honest maybe it would be better if this work were done by someone else, or I'll try to write a script to convert all the files and I'll send you the script.

jvoisin commented 1 year ago

Thank you but no thanks: we're only using IP addresses when they're directly used by stalkerware; otherwise, we're using domain names as much as possible.

fpusersuggest commented 1 year ago

Do you think that my work could be totally useless because basically the IOCs are based on domain detection? But isn't it easy for a piece of software to change its C2 address from the domain to the raw IP?
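As an added example (not code from this repository or from anyone in the thread) for the passive-sensor setup described above: a script that turns a domain list into Suricata rules matching the name where it actually appears on the wire, in DNS queries and in the TLS SNI, so a sniffing-only sensor on a mirror port alerts on a domain IOC without ever resolving it. It assumes Suricata 5 or later for the `dns.query`, `tls.sni`, `bsize` and `endswith` keywords, a one-hostname-per-line input (the sample below is constructed placeholder names, not indicators from the repository), and an unused local SID range starting at 9000000.

```python
"""
Added example: generate Suricata rules that match stalkerware domains as they
appear in DNS query names and TLS SNI, so a passive sensor needs no resolution.
"""
import re

# Constructed sample input, one hostname per line; placeholder names only.
SAMPLE_INDICATORS = """\
# comments and blank lines are ignored
spyapp.example
www.spyapp.example
Tracker.Example.NET.
"""

SID_BASE = 9000000  # assumption: an unused local SID range; adjust to your ruleset

_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)


def parse_indicators(text):
    """Return unique, normalised (lower-case, no trailing dot) hostnames."""
    seen, out = set(), []
    for raw in text.splitlines():
        name = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not name:
            continue
        if not _HOSTNAME_RE.match(name):
            raise ValueError(f"not a hostname: {raw!r}")
        if name not in seen:
            seen.add(name)
            out.append(name)
    return out


def prune_covered(domains):
    """Drop names whose parent is also listed; the parent's subdomain rule covers them."""
    kept = []
    for d in sorted(domains, key=lambda s: s.count(".")):
        if any(d.endswith("." + p) for p in kept):
            continue
        kept.append(d)
    return kept


def suricata_rules(domains, sid_base=SID_BASE):
    """Two rules per name and protocol: an exact match and an any-subdomain match."""
    rules = []
    sid = sid_base
    for d in domains:
        for proto, buf in (("dns", "dns.query"), ("tls", "tls.sni")):
            # Exact match: bsize pins the buffer length, so a name such as
            # 'notspyapp.example' cannot match the content 'spyapp.example'.
            rules.append(
                f'alert {proto} any any -> any any (msg:"STALKERWARE {d} ({buf})"; '
                f'{buf}; content:"{d}"; nocase; bsize:{len(d)}; sid:{sid}; rev:1;)'
            )
            sid += 1
            # Any subdomain: leading dot plus endswith, which also keeps
            # 'notspyapp.example' from matching.
            rules.append(
                f'alert {proto} any any -> any any (msg:"STALKERWARE subdomain of {d} ({buf})"; '
                f'{buf}; content:".{d}"; nocase; endswith; sid:{sid}; rev:1;)'
            )
            sid += 1
    return rules


if __name__ == "__main__":
    names = prune_covered(parse_indicators(SAMPLE_INDICATORS))
    print("\n".join(suricata_rules(names)))
```

Write the output to a `.rules` file listed under `rule-files` in `suricata.yaml`. Matching the name on the wire is also why resolving the list to IPs from the suspect machine is a poor substitute: the answers come from whatever resolver that machine is using, and a domain's address can change or be shared with unrelated hosts, so an IP list goes stale and produces false positives the domain rule does not.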