Initial release: Vigil Anti-Surveillance Shield v0.1.0

KernelSU-Next/Magisk/APatch module providing:
- Threat scanner with 11,000+ IOCs (stalkerware, Pegasus, government spyware)
- FrostGuard file integrity monitor (pseudo-locked-bootloader)
- Encryption key wiper / BFU mode transition
- Forensic Shield (anti-Cellebrite with 71 known binary hashes)
- Silent SMS detection (Type-0, Class-0, WAP Push)
- Network monitor with C2/tracker domain and IP blocking
- vigild daemon with periodic scanning and alert management
- Full CLI interface
sssnake
2026-03-31 03:09:00 -07:00
commit cf00838b6d
27 changed files with 16772 additions and 0 deletions

.gitignore vendored Normal file

@@ -0,0 +1,7 @@
*.log
*.pid
*.bak
*.tmp
*.swp
*.zip
build/

README.md Normal file

@@ -0,0 +1,161 @@
# Vigil — Anti-Surveillance Shield
**KernelSU-Next / Magisk / APatch module for journalists, activists, and at-risk users.**
Vigil detects stalkerware, government spyware (Pegasus, Predator, Hermit), forensic extraction tools (Cellebrite UFED), silent SMS tracking, and IMSI catchers. It provides real-time protection with file integrity monitoring, encryption key eviction, and network-level threat blocking.
Developed by **Setec Labs**.
---
## Features
### Threat Scanner
- Scans installed packages, signing certificates, APK hashes, running processes, accessibility services, and device admins against a curated IOC database
- 11,000+ indicators sourced from CitizenLab, MVT, EFF, Meta Threat Research, and stalkerware-indicators
- Detects Pegasus, Predator, Hermit, Chrysaor, commercial stalkerware, and trojans
### FrostGuard — File Integrity Monitor
- SHA256 baseline of system partitions, boot images, and critical binaries
- Continuous monitoring for unauthorized modifications
- Heuristic detection: SUID anomalies, staging directory implants, SELinux tampering, injection frameworks
- Pseudo-locked-bootloader protection for rooted devices
### Key Wiper / BFU Mode
- Evicts FBE (File-Based Encryption) credential keys from memory
- Moves the device to a "Before First Unlock" equivalent state
- Runs TRIM to prevent NAND flash recovery of deleted data
- Disables ADB, developer settings, and minimizes system logging
- Effectively defeats AFU-mode forensic extraction
### Forensic Shield
- Real-time USB monitoring for forensic tool staging
- 71 known Cellebrite UFED binary hashes
- Exploit binary name detection (dirtycow, zergRush, pingroot, etc.)
- Frida injection detection
- Automatic lockdown on forensic tool detection (opt-in)
### SMS Shield
- Detects Type-0 (silent) and Class-0 (flash) SMS pings used for location tracking
- Monitors RIL/telephony layer via logcat with root access
- WAP Push and binary SMS detection
- Optional delivery receipt suppression
### Network Monitor
- Hosts-based domain blocking (4,400+ C2 and tracker domains)
- iptables IP blocking (139+ known malicious IPs)
- Live connection monitoring against threat indicators
- DNS resolution watchdog
---
## Installation
Flash the ZIP via KernelSU-Next, Magisk, or APatch manager.
Requires:
- Android 9+ (API 28)
- Root access (KernelSU-Next, Magisk, or APatch)
## Usage
```sh
# Show protection status
vigil status
# Run full threat scan
vigil scan
# Run quick scan (packages + processes only)
vigil scan quick
# Enter BFU lockdown mode
vigil lockdown
# Check file integrity
vigil integrity verify
# Create new integrity baseline
vigil integrity baseline
# View alerts
vigil alerts
# Forensic shield scan
vigil forensic scan
# SMS shield status
vigil sms status
# Start SMS monitoring
vigil sms monitor
# Install/update network blocklists
vigil network install
# Update threat indicators
vigil update-ioc
# View logs
vigil log
```
## Configuration
Edit `/data/adb/vigil/vigil.conf` on the device. Key settings:
| Setting | Default | Description |
|---------|---------|-------------|
| `SCANNER_INTERVAL` | 3600 | Seconds between automatic scans |
| `FROSTGUARD_ENABLED` | 1 | File integrity monitoring |
| `FORENSIC_AUTO_LOCKDOWN` | 0 | Auto-lockdown on forensic tool detection |
| `SMS_BLOCK_SILENT` | 1 | Block silent SMS delivery receipts |
| `NETWORK_BLOCK_C2` | 1 | Block known C2 domains |
| `KEYWIPER_TRIM_ON_LOCKDOWN` | 1 | TRIM storage on lockdown |
| `VIGIL_BACKEND_URL` | (empty) | Reporting server URL |
## Threat Indicator Sources
- [CitizenLab Malware Indicators](https://github.com/citizenlab/malware-indicators)
- [AssoEchap Stalkerware Indicators](https://github.com/AssoEchap/stalkerware-indicators)
- [MVT — Mobile Verification Toolkit](https://github.com/mvt-project/mvt)
- [Meta Threat Research](https://github.com/facebook/threat-research)
- [EFF Rayhunter](https://github.com/EFForg/rayhunter)
- [Lockup Anti-Forensics](https://github.com/levlesec/lockup)
- [Costin Raiu Mobile Trackers](https://github.com/craiu/mobiletrackers)
- [Palo Alto Unit42](https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel)
## Architecture
```
vigil/
├── module.prop # KernelSU/Magisk module metadata
├── customize.sh # Installation script
├── service.sh # Boot service (starts vigild)
├── post-fs-data.sh # Early boot (integrity check, lockdown enforcement)
├── vigil/
│ ├── bin/
│ │ ├── vigil # CLI interface
│ │ └── vigild # Main daemon
│ ├── config/
│ │ ├── vigil.conf # Default configuration
│ │ └── exclusions.conf # User exclusions
│ ├── ioc/ # Threat indicator database
│ └── lib/
│ ├── scanner.sh # Threat scanner engine
│ ├── integrity.sh # FrostGuard file integrity
│ ├── key_wiper.sh # BFU mode / key eviction
│ ├── forensic_shield.sh # Anti-Cellebrite
│ ├── sms_shield.sh # Silent SMS detection
│ └── network_monitor.sh # C2/tracker blocking
└── tools/
└── build_ioc_db.py # IOC database builder
```
## License
Copyright (c) 2025 Setec Labs. All rights reserved.
## Disclaimer
This tool is intended for defensive security use by journalists, activists, human rights defenders, and security researchers. It is designed to detect and defend against unauthorized surveillance. Use responsibly and in accordance with applicable laws.
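Review bot: The Configuration table (`| Setting | Default | Description |`) is incomplete relative to what the scripts in this commit read: post-fs-data.sh checks `BLOCK_SAFE_MODE` (defaulting to 1, which disables safe boot without the user having chosen it), and `vigil status` in vigil/bin/vigil reports `SCANNER_ENABLED`, `FORENSIC_SHIELD_ENABLED`, `SMS_SHIELD_ENABLED`, `NETWORK_MONITOR_ENABLED` and `KEYWIPER_ENABLED`; document each key with its default so a user can see what is on and how to turn it off. The Architecture tree also omits `uninstall.sh`, which this commit adds, and the `vigil.keep_data` property that uninstall.sh honours is not mentioned anywhere. Finally, "Effectively defeats AFU-mode forensic extraction" and "Runs TRIM to prevent NAND flash recovery" read as guarantees; for the stated audience of at-risk users, phrase them as design goals with the conditions under which they hold, since nothing in the module verifies either outcome.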

customize.sh Executable file

@@ -0,0 +1,81 @@
#!/system/bin/sh
# Vigil — Anti-Surveillance Shield
# KernelSU-Next Module Installation Script
# (c) Setec Labs
SKIPUNZIP=1
ui_print "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
ui_print " Vigil — Anti-Surveillance Shield v0.1.0"
ui_print " by Setec Labs"
ui_print "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
ui_print ""
# Detect environment
if [ "$KSU" = "true" ]; then
ui_print "[*] KernelSU detected (version: $KSU_VER_CODE)"
MODPATH="/data/adb/modules/vigil"
elif [ "$APATCH" = "true" ]; then
ui_print "[*] APatch detected"
MODPATH="/data/adb/modules/vigil"
else
ui_print "[*] Magisk detected (version: $MAGISK_VER_CODE)"
MODPATH="/data/adb/modules/vigil"
fi
# Check Android version
API=$(getprop ro.build.version.sdk)
if [ "$API" -lt 28 ]; then
ui_print "[!] Android 9+ (API 28) required. Aborting."
abort
fi
ui_print "[*] Android API: $API"
# Check architecture
ARCH=$(getprop ro.product.cpu.abi)
ui_print "[*] Architecture: $ARCH"
# Extract module files
ui_print "[*] Extracting module files..."
mkdir -p "$MODPATH"
unzip -o "$ZIPFILE" -d "$MODPATH" >&2
# Set permissions
ui_print "[*] Setting permissions..."
set_perm_recursive "$MODPATH" 0 0 0755 0644
set_perm_recursive "$MODPATH/vigil/bin" 0 0 0755 0755
set_perm_recursive "$MODPATH/vigil/lib" 0 0 0755 0755
# Create runtime directories
mkdir -p "$MODPATH/vigil/logs"
mkdir -p /data/adb/vigil
mkdir -p /data/adb/vigil/baseline
mkdir -p /data/adb/vigil/alerts
mkdir -p /data/adb/vigil/quarantine
# Initialize config if first install
if [ ! -f /data/adb/vigil/vigil.conf ]; then
ui_print "[*] First install — initializing configuration..."
cp "$MODPATH/vigil/config/vigil.conf" /data/adb/vigil/vigil.conf
cp "$MODPATH/vigil/config/exclusions.conf" /data/adb/vigil/exclusions.conf
fi
# Copy IOC database
ui_print "[*] Installing threat indicator database..."
cp -r "$MODPATH/vigil/ioc/"* /data/adb/vigil/ 2>/dev/null
# Generate initial file integrity baseline
ui_print "[*] Generating file integrity baseline..."
"$MODPATH/vigil/lib/integrity.sh" baseline 2>/dev/null
ui_print ""
ui_print "[✓] Vigil installed successfully."
ui_print ""
ui_print " Commands:"
ui_print " vigil scan — Run full threat scan"
ui_print " vigil status — Show protection status"
ui_print " vigil lockdown — Enter lockdown / BFU mode"
ui_print " vigil integrity — Check file integrity"
ui_print " vigil update-ioc — Update threat indicators"
ui_print ""
ui_print "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
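Review bot: The detection block starting at `if [ "$KSU" = "true" ]; then` assigns the same hard-coded `MODPATH="/data/adb/modules/vigil"` in all three branches, so it only changes the printed message, and overriding the installer-provided `MODPATH` is a real problem: with `SKIPUNZIP=1` the manager still expects the script to populate the staging directory it passed in (`/data/adb/modules_update/<id>` on Magisk and KernelSU), which it moves over the live module directory on the next boot, so files unzipped straight into `/data/adb/modules/vigil` can be overwritten by the staging copy. Drop the three assignments and use `$MODPATH` as given; the CLI in vigil/bin/vigil already searches both `modules/vigil` and `modules_update/vigil`, so it keeps working. Two smaller points: the `else` branch labels any non-KSU, non-APatch environment as Magisk without checking `MAGISK_VER_CODE`, and `"$MODPATH/vigil/lib/integrity.sh" baseline 2>/dev/null` discards the only diagnostics from the one step that can fail on a partially modified system; keep stderr or check its exit status and `ui_print` a warning.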

module.prop Normal file

@@ -0,0 +1,7 @@
id=vigil
name=Vigil — Anti-Surveillance Shield
version=v0.1.0
versionCode=1
author=Setec Labs
description=Anti-surveillance, anti-stalkerware, and anti-forensic protection for journalists, activists, and at-risk users. Detects Pegasus, stalkerware, IMSI catchers, silent SMS, forensic extraction tools, and more.
updateJson=

post-fs-data.sh Executable file

@@ -0,0 +1,45 @@
#!/system/bin/sh
# Vigil — post-fs-data stage (runs before Zygote/apps)
# This is the earliest stage — used for file integrity checks and forensic shield
MODDIR="${0%/*}"
VIGIL_DATA="/data/adb/vigil"
VIGIL_LIB="$MODDIR/vigil/lib"
VIGIL_LOG="$VIGIL_DATA/vigil.log"
log_vigil() {
echo "[$(date '+%Y-%m-%d %H:%M:%S')] [post-fs] $1" >> "$VIGIL_LOG"
}
log_vigil "Vigil post-fs-data stage starting"
# Load config
[ -f "$VIGIL_DATA/vigil.conf" ] && . "$VIGIL_DATA/vigil.conf"
# --- FILE INTEGRITY CHECK (FrostGuard) ---
# Check critical system files before anything else loads
if [ "${FROSTGUARD_ENABLED:-1}" = "1" ]; then
log_vigil "FrostGuard: Running early integrity check"
"$VIGIL_LIB/integrity.sh" verify-critical 2>/dev/null
INTEGRITY_RESULT=$?
if [ $INTEGRITY_RESULT -ne 0 ]; then
log_vigil "FrostGuard: INTEGRITY VIOLATION DETECTED (code: $INTEGRITY_RESULT)"
# Write alert for daemon to pick up
echo "integrity_violation:$(date +%s):post-fs-data" >> "$VIGIL_DATA/alerts/pending"
fi
fi
# --- FORENSIC SHIELD: Early USB monitoring ---
# Disable ADB if forensic shield is in lockdown mode
if [ -f "$VIGIL_DATA/.lockdown" ]; then
log_vigil "LOCKDOWN MODE: Disabling ADB and USB debugging"
settings put global adb_enabled 0 2>/dev/null
setprop persist.sys.usb.config "charging" 2>/dev/null
fi
# --- ANTI-FORENSIC: Disable safe boot if configured ---
if [ "${BLOCK_SAFE_MODE:-1}" = "1" ]; then
settings put global safe_boot_disallowed 1 2>/dev/null
fi
log_vigil "Vigil post-fs-data stage complete"
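Review bot: `settings put global adb_enabled 0` and `settings put global safe_boot_disallowed 1` cannot work at this stage: `settings` talks to the settings content provider inside system_server, and the script's own header says it runs before Zygote, so both calls fail, `2>/dev/null` hides the failure, and the log line "LOCKDOWN MODE: Disabling ADB and USB debugging" records an enforcement that did not happen. Move the `settings put` calls to service.sh (after the `sys.boot_completed` wait) or into vigild, keep only the `setprop persist.sys.usb.config "charging"` line here, and check each exit status so a failed enforcement is logged rather than silently skipped. Separately, `. "$VIGIL_DATA/vigil.conf"` executes the config file as root shell; that is defensible because `/data/adb` is root-only, but say so in a comment and verify the file's ownership before sourcing it.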

service.sh Executable file

@@ -0,0 +1,44 @@
#!/system/bin/sh
# Vigil — late_start service stage (runs after boot completes)
# Starts the main Vigil daemon
MODDIR="${0%/*}"
VIGIL_DATA="/data/adb/vigil"
VIGIL_BIN="$MODDIR/vigil/bin"
VIGIL_LOG="$VIGIL_DATA/vigil.log"
log_vigil() {
echo "[$(date '+%Y-%m-%d %H:%M:%S')] [service] $1" >> "$VIGIL_LOG"
}
# Wait for boot to complete
while [ "$(getprop sys.boot_completed)" != "1" ]; do
sleep 1
done
# Small delay to let system settle
sleep 5
log_vigil "Vigil service stage starting"
# Symlink CLI to PATH
[ ! -f /data/adb/vigil/bin/vigil ] && {
mkdir -p /data/adb/vigil/bin
ln -sf "$VIGIL_BIN/vigil" /data/adb/vigil/bin/vigil
}
# Make accessible via su
mount --bind "$VIGIL_BIN/vigil" /system/bin/vigil 2>/dev/null || {
# Fallback: create wrapper in a PATH-accessible location
cat > /data/local/tmp/vigil <<WRAPPER
#!/system/bin/sh
exec "$VIGIL_BIN/vigil" "\$@"
WRAPPER
chmod 755 /data/local/tmp/vigil
}
# Start the main daemon
log_vigil "Starting vigild daemon"
nohup "$VIGIL_BIN/vigild" >> "$VIGIL_LOG" 2>&1 &
DAEMON_PID=$!
echo $DAEMON_PID > "$VIGIL_DATA/vigild.pid"
log_vigil "vigild started (PID: $DAEMON_PID)"
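Review bot: The fallback after `mount --bind "$VIGIL_BIN/vigil" /system/bin/vigil 2>/dev/null || {` writes an executable wrapper into `/data/local/tmp`, which is writable by the `shell` user; since this wrapper is what an operator later runs as root (`su -c vigil`), anyone with ADB shell access can replace it and have their own script executed as root. The fallback will also be the usual path, because bind-mounting a file needs an existing file at the target and stock builds have no `/system/bin/vigil`. Ship the CLI as `system/bin/vigil` inside the module's `system/` overlay, which the manager mounts for you, and delete the wrapper code; the earlier `/data/adb/vigil/bin` symlink block likewise creates a directory that is on nobody's PATH and can go too. Minor: `DAEMON_PID=$!` is written to the pid file before anything confirms vigild survived startup; a `kill -0` after a short sleep would avoid a pid file that points at nothing.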

tools/build_ioc_db.py Normal file

@@ -0,0 +1,555 @@
#!/usr/bin/env python3
"""
Vigil IOC Database Builder
Extracts Indicators of Compromise from research repositories and writes
unified indicator files for the Vigil anti-surveillance module.
"""
import csv
import io
import os
import re
import sys
from collections import OrderedDict
RESEARCH = "/home/snake/research/repos"
OUT_DIR = "/home/snake/vigil/vigil/ioc"
os.makedirs(OUT_DIR, exist_ok=True)
# ──────────────────────────────────────────────────────────────────────
# Helpers
# ──────────────────────────────────────────────────────────────────────
def dedup_sorted(lines):
"""Return sorted, deduplicated list (case-sensitive)."""
return sorted(set(l for l in lines if l.strip()))
def write_ioc(filename, lines, header=""):
path = os.path.join(OUT_DIR, filename)
lines = dedup_sorted(lines)
with open(path, "w") as f:
if header:
f.write(header + "\n")
for line in lines:
f.write(line + "\n")
return len(lines)
def read_file(path):
if not os.path.isfile(path):
return ""
with open(path, "r", errors="replace") as f:
return f.read()
# ──────────────────────────────────────────────────────────────────────
# YAML parser (no pyyaml dependency -- simple state-machine parser)
# Parses stalkerware-indicators/ioc.yaml
# ──────────────────────────────────────────────────────────────────────
def parse_stalkerware_yaml(path):
"""
Parse the stalkerware-indicators ioc.yaml which has a known structure:
- name: ThreatName
type: stalkerware
packages:
- com.example.pkg
certificates:
- DEADBEEF...
websites:
- example.com
distribution:
- dist.example.com
c2:
ips:
- 1.2.3.4
domains:
- c2.example.com
Returns lists of: packages, certificates, domains (with category), ips
"""
text = read_file(path)
if not text:
return [], [], [], []
packages = [] # (pkg, threat_name, type)
certificates = [] # (hash, threat_name)
domains = [] # (domain, threat_name, category)
ips = [] # (ip, threat_name)
current_name = None
current_type = "stalkerware"
current_section = None # packages, certificates, websites, distribution, c2_ips, c2_domains
in_c2 = False
for line in text.splitlines():
stripped = line.rstrip()
if not stripped or stripped.startswith("#"):
continue
# Top-level entry
m = re.match(r'^- name:\s*(.+)', stripped)
if m:
current_name = m.group(1).strip()
current_section = None
in_c2 = False
continue
# type field
m = re.match(r'^\s+type:\s*(.+)', stripped)
if m:
current_type = m.group(1).strip()
continue
# names field (aliases) -- skip
if re.match(r'^\s+names:\s*$', stripped):
current_section = "names"
continue
# Section headers
if re.match(r'^\s+packages:\s*$', stripped):
current_section = "packages"
in_c2 = False
continue
if re.match(r'^\s+certificates:\s*$', stripped):
current_section = "certificates"
in_c2 = False
continue
if re.match(r'^\s+websites:\s*$', stripped):
current_section = "websites"
in_c2 = False
continue
if re.match(r'^\s+distribution:\s*$', stripped):
current_section = "distribution"
in_c2 = False
continue
if re.match(r'^\s+c2:\s*$', stripped):
in_c2 = True
current_section = None
continue
if in_c2 and re.match(r'^\s+ips:\s*$', stripped):
current_section = "c2_ips"
continue
if in_c2 and re.match(r'^\s+domains:\s*$', stripped):
current_section = "c2_domains"
continue
# List items
m = re.match(r'^\s+- (.+)', stripped)
if m and current_name:
val = m.group(1).strip()
if current_section == "packages":
packages.append((val, current_name, current_type))
elif current_section == "certificates":
certificates.append((val, current_name))
elif current_section == "websites":
domains.append((val, current_name, "tracking"))
elif current_section == "distribution":
domains.append((val, current_name, "distribution"))
elif current_section == "c2_domains":
domains.append((val, current_name, "c2"))
elif current_section == "c2_ips":
ips.append((val, current_name))
# skip "names" items
return packages, certificates, domains, ips
# ──────────────────────────────────────────────────────────────────────
# 1. PACKAGES
# ──────────────────────────────────────────────────────────────────────
def build_packages():
lines = []
# Source 1: stalkerware-indicators
pkgs, _, _, _ = parse_stalkerware_yaml(
os.path.join(RESEARCH, "stalkerware-indicators/ioc.yaml"))
for pkg, name, typ in pkgs:
lines.append(f"{pkg}|{name}|{typ}")
# Source 2: threat-research indicators -- look for android_package_name in CSVs
tr_csv_dir = os.path.join(RESEARCH, "threat-research/indicators/csv")
if os.path.isdir(tr_csv_dir):
for root, dirs, files in os.walk(tr_csv_dir):
for fn in files:
if not fn.endswith(".csv"):
continue
fpath = os.path.join(root, fn)
try:
content = read_file(fpath)
reader = csv.DictReader(io.StringIO(content))
for row in reader:
itype = (row.get("indicator_type") or row.get("type") or "").strip().lower()
val = (row.get("indicator_value") or row.get("value") or "").strip()
comment = (row.get("comment") or "").strip()
if "android" in itype and "package" in itype and val:
threat = comment if comment else os.path.basename(fn).replace(".csv", "")
lines.append(f"{val}|{threat}|spyware")
except Exception:
pass
# Source 3: isdi app-flags.csv -- extract appId where flag is spyware
isdi_path = os.path.join(RESEARCH, "isdi/static_data/app-flags.csv")
if os.path.isfile(isdi_path):
content = read_file(isdi_path)
reader = csv.DictReader(io.StringIO(content))
for row in reader:
flag = (row.get("flag") or "").strip().lower()
app_id = (row.get("appId") or "").strip()
if flag == "spyware" and app_id:
title = (row.get("title") or "").strip()
threat = title.split(",")[0].split("|")[0].strip() if title else "Unknown"
lines.append(f"{app_id}|{threat}|stalkerware")
# Source 4: MVT ROOT_PACKAGES
mvt_utils = os.path.join(RESEARCH, "mvt/src/mvt/android/utils.py")
if os.path.isfile(mvt_utils):
content = read_file(mvt_utils)
# Extract ROOT_PACKAGES list
m = re.search(r'ROOT_PACKAGES.*?\[(.*?)\]', content, re.DOTALL)
if m:
for pkg in re.findall(r'"([^"]+)"', m.group(1)):
lines.append(f"{pkg}|MVT_RootDetection|forensic")
return write_ioc("packages.txt", lines,
"# Vigil IOC: Malicious/stalkerware Android packages\n"
"# Format: package_name|threat_name|category")
# ──────────────────────────────────────────────────────────────────────
# 2. CERTIFICATES
# ──────────────────────────────────────────────────────────────────────
def build_certificates():
lines = []
_, certs, _, _ = parse_stalkerware_yaml(
os.path.join(RESEARCH, "stalkerware-indicators/ioc.yaml"))
for h, name in certs:
# Determine hash type by length
h_clean = h.strip()
if len(h_clean) == 40:
htype = "SHA1"
elif len(h_clean) == 64:
htype = "SHA256"
elif len(h_clean) == 32:
htype = "MD5"
else:
htype = "unknown"
lines.append(f"{h_clean}|{name}|{htype}")
return write_ioc("certificates.txt", lines,
"# Vigil IOC: Malicious signing certificate hashes\n"
"# Format: hash|threat_name|hash_type")
# ──────────────────────────────────────────────────────────────────────
# 3. DOMAINS
# ──────────────────────────────────────────────────────────────────────
def build_domains():
lines = []
# Source 1: stalkerware-indicators
_, _, doms, _ = parse_stalkerware_yaml(
os.path.join(RESEARCH, "stalkerware-indicators/ioc.yaml"))
for d, name, cat in doms:
lines.append(f"{d}|{name}|{cat}")
# Source 2: mobiletrackers list.txt
mt_path = os.path.join(RESEARCH, "mobiletrackers/list.txt")
if os.path.isfile(mt_path):
for line in read_file(mt_path).splitlines():
line = line.strip()
if not line or line.startswith("#"):
continue
# Should be a domain
if re.match(r'^[a-zA-Z0-9][\w.-]+\.[a-zA-Z]{2,}$', line):
lines.append(f"{line}|MobileTracker|tracking")
# Source 3: malware-indicators CSVs -- domain types
mi_dir = os.path.join(RESEARCH, "malware-indicators")
if os.path.isdir(mi_dir):
for root, dirs, files in os.walk(mi_dir):
# Skip .git
dirs[:] = [d for d in dirs if d != ".git"]
for fn in files:
if not fn.endswith(".csv"):
continue
fpath = os.path.join(root, fn)
# Determine threat from directory name
parent = os.path.basename(os.path.dirname(fpath))
try:
content = read_file(fpath)
reader = csv.DictReader(io.StringIO(content))
for row in reader:
itype = (row.get("type") or row.get("indicator_type") or "").strip().lower()
val = (row.get("value") or row.get("indicator_value") or "").strip().strip('"')
if itype == "domain" and val:
lines.append(f"{val}|{parent}|c2")
elif itype == "domain_name" and val:
lines.append(f"{val}|{parent}|c2")
except Exception:
pass
# Source 4: threat-research CSVs -- domain_name types
tr_csv_dir = os.path.join(RESEARCH, "threat-research/indicators/csv")
if os.path.isdir(tr_csv_dir):
for root, dirs, files in os.walk(tr_csv_dir):
for fn in files:
if not fn.endswith(".csv"):
continue
fpath = os.path.join(root, fn)
try:
content = read_file(fpath)
reader = csv.DictReader(io.StringIO(content))
for row in reader:
itype = (row.get("indicator_type") or row.get("type") or "").strip().lower()
val = (row.get("indicator_value") or row.get("value") or "").strip().strip('"')
if itype in ("domain_name", "domain") and val:
threat = os.path.basename(fn).replace(".csv", "")
lines.append(f"{val}|{threat}|c2")
except Exception:
pass
return write_ioc("domains.txt", lines,
"# Vigil IOC: C2 and tracking domains\n"
"# Format: domain|threat_name|category")
# ──────────────────────────────────────────────────────────────────────
# 4. IPS
# ──────────────────────────────────────────────────────────────────────
def build_ips():
lines = []
# Source 1: stalkerware-indicators
_, _, _, ip_list = parse_stalkerware_yaml(
os.path.join(RESEARCH, "stalkerware-indicators/ioc.yaml"))
for ip, name in ip_list:
lines.append(f"{ip}|{name}|c2")
# Source 2: malware-indicators CSVs -- ip-dst types
mi_dir = os.path.join(RESEARCH, "malware-indicators")
if os.path.isdir(mi_dir):
for root, dirs, files in os.walk(mi_dir):
dirs[:] = [d for d in dirs if d != ".git"]
for fn in files:
if not fn.endswith(".csv"):
continue
fpath = os.path.join(root, fn)
parent = os.path.basename(os.path.dirname(fpath))
try:
content = read_file(fpath)
reader = csv.DictReader(io.StringIO(content))
for row in reader:
itype = (row.get("type") or "").strip().lower()
val = (row.get("value") or "").strip().strip('"')
if itype in ("ip-dst", "ip-src") and val:
lines.append(f"{val}|{parent}|c2")
except Exception:
pass
# Source 3: threat-research CSVs
tr_csv_dir = os.path.join(RESEARCH, "threat-research/indicators/csv")
if os.path.isdir(tr_csv_dir):
for root, dirs, files in os.walk(tr_csv_dir):
for fn in files:
if not fn.endswith(".csv"):
continue
fpath = os.path.join(root, fn)
try:
content = read_file(fpath)
reader = csv.DictReader(io.StringIO(content))
for row in reader:
itype = (row.get("indicator_type") or row.get("type") or "").strip().lower()
val = (row.get("indicator_value") or row.get("value") or "").strip().strip('"')
if itype in ("ip_address", "ip-dst", "ip-src") and val:
threat = os.path.basename(fn).replace(".csv", "")
lines.append(f"{val}|{threat}|c2")
except Exception:
pass
return write_ioc("ips.txt", lines,
"# Vigil IOC: Malicious IPs\n"
"# Format: ip|threat_name|category")
# ──────────────────────────────────────────────────────────────────────
# 5. HASHES
# ──────────────────────────────────────────────────────────────────────
def build_hashes():
lines = []
# Source 1: stalkerware-indicators generated -- look for samples/hashes
gen_dir = os.path.join(RESEARCH, "stalkerware-indicators/generated")
if os.path.isdir(gen_dir):
for fn in os.listdir(gen_dir):
if not fn.endswith(".csv"):
continue
fpath = os.path.join(gen_dir, fn)
try:
content = read_file(fpath)
reader = csv.DictReader(io.StringIO(content))
for row in reader:
# Look for hash-like columns
for key in row:
kl = key.lower()
val = (row[key] or "").strip()
if "sha256" in kl and len(val) == 64 and re.match(r'^[0-9a-fA-F]+$', val):
app = row.get("app", row.get("name", fn))
lines.append(f"{val}|{app}|SHA256")
elif "sha1" in kl and len(val) == 40 and re.match(r'^[0-9a-fA-F]+$', val):
app = row.get("app", row.get("name", fn))
lines.append(f"{val}|{app}|SHA1")
elif "md5" in kl and len(val) == 32 and re.match(r'^[0-9a-fA-F]+$', val):
app = row.get("app", row.get("name", fn))
lines.append(f"{val}|{app}|MD5")
except Exception:
pass
# Source 2: malware-indicators CSVs -- sha256, md5 types
mi_dir = os.path.join(RESEARCH, "malware-indicators")
if os.path.isdir(mi_dir):
for root, dirs, files in os.walk(mi_dir):
dirs[:] = [d for d in dirs if d != ".git"]
for fn in files:
if not fn.endswith(".csv"):
continue
fpath = os.path.join(root, fn)
parent = os.path.basename(os.path.dirname(fpath))
try:
content = read_file(fpath)
reader = csv.DictReader(io.StringIO(content))
fields = reader.fieldnames or []
for row in reader:
itype = (row.get("type") or "").strip().lower()
val = (row.get("value") or "").strip().strip('"')
if itype == "sha256" and len(val) == 64:
lines.append(f"{val}|{parent}|SHA256")
elif itype == "md5" and len(val) == 32:
lines.append(f"{val}|{parent}|MD5")
elif itype == "sha1" and len(val) == 40:
lines.append(f"{val}|{parent}|SHA1")
# Also check named columns (like hashes.csv)
if "MD5" in fields:
md5 = (row.get("MD5") or "").strip()
if len(md5) == 32 and re.match(r'^[0-9a-fA-F]+$', md5):
lines.append(f"{md5}|{parent}|MD5")
except Exception:
pass
# Source 3: threat-research CSVs
tr_csv_dir = os.path.join(RESEARCH, "threat-research/indicators/csv")
if os.path.isdir(tr_csv_dir):
for root, dirs, files in os.walk(tr_csv_dir):
for fn in files:
if not fn.endswith(".csv"):
continue
fpath = os.path.join(root, fn)
try:
content = read_file(fpath)
reader = csv.DictReader(io.StringIO(content))
for row in reader:
itype = (row.get("indicator_type") or row.get("type") or "").strip().lower()
val = (row.get("indicator_value") or row.get("value") or "").strip().strip('"')
if itype in ("sha256", "hash_sha256") and len(val) == 64:
threat = os.path.basename(fn).replace(".csv", "")
lines.append(f"{val}|{threat}|SHA256")
elif itype in ("md5", "hash_md5") and len(val) == 32:
threat = os.path.basename(fn).replace(".csv", "")
lines.append(f"{val}|{threat}|MD5")
except Exception:
pass
return write_ioc("hashes.txt", lines,
"# Vigil IOC: Malicious file hashes\n"
"# Format: hash|threat_name|hash_type")
# ──────────────────────────────────────────────────────────────────────
# 6. HOSTS (blocklist format)
# ──────────────────────────────────────────────────────────────────────
def build_hosts():
"""Build hosts file from all domains in domains.txt."""
domains_path = os.path.join(OUT_DIR, "domains.txt")
lines = []
if os.path.isfile(domains_path):
for line in open(domains_path):
line = line.strip()
if not line or line.startswith("#"):
continue
parts = line.split("|")
domain = parts[0].strip()
if domain and re.match(r'^[a-zA-Z0-9][\w.-]+\.[a-zA-Z]{2,}$', domain):
lines.append(f"0.0.0.0 {domain}")
return write_ioc("hosts.txt", lines,
"# Vigil IOC: Hosts blocklist (C2 + tracking domains)\n"
"# Format: 0.0.0.0 domain")
# ──────────────────────────────────────────────────────────────────────
# 7. CELLEBRITE HASHES
# ──────────────────────────────────────────────────────────────────────
def build_cellebrite_hashes():
lines = []
lockup_service = os.path.join(
RESEARCH, "lockup/app/src/main/java/com/lockup/LockUpService.java")
if os.path.isfile(lockup_service):
content = read_file(lockup_service)
# Extract CB_ELEVATOR_HASHES array
m = re.search(r'CB_ELEVATOR_HASHES\s*=\s*new\s+String\[\]\s*\{(.*?)\}', content, re.DOTALL)
if m:
for h in re.findall(r'"([0-9a-fA-F]{64})"', m.group(1)):
lines.append(f"{h}|Cellebrite_UFED_Elevator|SHA256")
# Extract bannedKeys array
m = re.search(r'bannedKeys\s*=\s*new\s+String\[\]\s*\{(.*?)\}', content, re.DOTALL)
if m:
for h in re.findall(r'"([0-9a-fA-F]{64})"', m.group(1)):
lines.append(f"{h}|Cellebrite_BannedKey|SHA256")
return write_ioc("cellebrite_hashes.txt", lines,
"# Vigil IOC: Cellebrite forensic tool hashes\n"
"# Format: hash|threat_name|hash_type")
# ──────────────────────────────────────────────────────────────────────
# Main
# ──────────────────────────────────────────────────────────────────────
def main():
print("=" * 60)
print("Vigil IOC Database Builder")
print("=" * 60)
counts = {}
counts["packages.txt"] = build_packages()
counts["certificates.txt"] = build_certificates()
counts["domains.txt"] = build_domains()
counts["ips.txt"] = build_ips()
counts["hashes.txt"] = build_hashes()
counts["hosts.txt"] = build_hosts()
counts["cellebrite_hashes.txt"] = build_cellebrite_hashes()
print()
total = 0
for fn, count in counts.items():
print(f" {fn:30s} {count:>6d} indicators")
total += count
print(f" {'TOTAL':30s} {total:>6d} indicators")
print()
print(f"Output directory: {OUT_DIR}")
print("Done.")
if __name__ == "__main__":
main()
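Review bot: Values written to `ips.txt` (the `lines.append(f"{ip}|{name}|c2")` site and the two `f"{val}|{parent}|c2"` / `f"{val}|{threat}|c2"` sites in `build_ips`) are never checked to be IP addresses, whereas domains are regex-checked in `build_domains` and `build_hosts`; since the README says `ips.txt` feeds iptables rules, one malformed or CIDR-style value from an upstream CSV will break rule installation on the device. Validate with `ipaddress.ip_address(val)` (or `ip_network` if ranges are wanted) and report rejects. The `except Exception: pass` around every CSV reader also hides parse failures of the very files the indicator counts depend on; print the path and error to stderr at minimum. Smaller points: `for line in open(domains_path):` in `build_hosts` should use `with`, and `RESEARCH` / `OUT_DIR` are hard-coded under `/home/snake`, so take them from argv or the environment so the builder runs outside one machine.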

uninstall.sh Executable file

@@ -0,0 +1,21 @@
#!/system/bin/sh
# Vigil — Uninstall cleanup
VIGIL_DATA="/data/adb/vigil"
# Stop daemon
if [ -f "$VIGIL_DATA/vigild.pid" ]; then
kill $(cat "$VIGIL_DATA/vigild.pid") 2>/dev/null
fi
# Remove bind mount
umount /system/bin/vigil 2>/dev/null
# Remove CLI wrapper
rm -f /data/local/tmp/vigil
# Ask user about data retention via prop
# If user set vigil.keep_data=1 before uninstall, preserve data
if [ "$(getprop vigil.keep_data)" != "1" ]; then
rm -rf "$VIGIL_DATA"
fi
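Review bot: `kill $(cat "$VIGIL_DATA/vigild.pid")` trusts a pid file that is stale after any reboot where service.sh has not yet run again, so the uninstaller can signal an unrelated process that reused the pid; check that `/proc/$pid/cmdline` names `vigild` before killing, and remove the pid file afterwards. The `vigil.keep_data` opt-out is also only discoverable by reading this script; document it in the README since it is the only way to keep the integrity baseline and alert history across a reinstall.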

vigil/bin/vigil Executable file

@@ -0,0 +1,302 @@
#!/system/bin/sh
# vigil — Vigil Anti-Surveillance Shield CLI
# Command-line interface for managing Vigil protection
# (c) Setec Labs
VERSION="0.1.0"
MODDIR=""
VIGIL_DATA="/data/adb/vigil"
# Find module directory
for d in /data/adb/modules/vigil /data/adb/modules_update/vigil; do
[ -d "$d/vigil/lib" ] && MODDIR="$d" && break
done
VIGIL_LIB="${MODDIR:+$MODDIR/vigil/lib}"
VIGIL_LOG="$VIGIL_DATA/vigil.log"
# Colors (if terminal supports it)
if [ -t 1 ]; then
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[0;33m'
CYAN='\033[0;36m'
BOLD='\033[1m'
NC='\033[0m'
else
RED="" GREEN="" YELLOW="" CYAN="" BOLD="" NC=""
fi
print_banner() {
echo "${BOLD}"
echo " ╔══════════════════════════════════════╗"
echo " ║ Vigil — Anti-Surveillance Shield ║"
echo " ║ by Setec Labs v${VERSION} ║"
echo " ╚══════════════════════════════════════╝"
echo "${NC}"
}
check_root() {
if [ "$(id -u)" != "0" ]; then
echo "${RED}Error: Vigil requires root access${NC}"
echo "Run: su -c vigil $*"
exit 1
fi
}
check_module() {
if [ -z "$VIGIL_LIB" ] || [ ! -d "$VIGIL_LIB" ]; then
echo "${RED}Error: Vigil module not found${NC}"
echo "Is the KernelSU module installed and enabled?"
exit 1
fi
}
daemon_running() {
if [ -f "$VIGIL_DATA/vigild.pid" ]; then
local pid=$(cat "$VIGIL_DATA/vigild.pid")
kill -0 "$pid" 2>/dev/null && return 0
fi
return 1
}
# ── COMMANDS ──
cmd_status() {
print_banner
echo "${BOLD}Protection Status${NC}"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
# Daemon
if daemon_running; then
local pid=$(cat "$VIGIL_DATA/vigild.pid")
echo " Daemon: ${GREEN}RUNNING${NC} (PID: $pid)"
else
echo " Daemon: ${RED}STOPPED${NC}"
fi
# Lockdown
if [ -f "$VIGIL_DATA/.lockdown" ]; then
echo " Mode: ${RED}LOCKDOWN${NC}"
else
echo " Mode: ${GREEN}Normal${NC}"
fi
# Load config for status display
[ -f "$VIGIL_DATA/vigil.conf" ] && . "$VIGIL_DATA/vigil.conf"
echo ""
echo "${BOLD}Modules${NC}"
echo " Threat Scanner: $([ "${SCANNER_ENABLED:-1}" = "1" ] && echo "${GREEN}ON${NC}" || echo "${RED}OFF${NC}")"
echo " FrostGuard: $([ "${FROSTGUARD_ENABLED:-1}" = "1" ] && echo "${GREEN}ON${NC}" || echo "${RED}OFF${NC}")"
echo " Forensic Shield: $([ "${FORENSIC_SHIELD_ENABLED:-1}" = "1" ] && echo "${GREEN}ON${NC}" || echo "${RED}OFF${NC}")"
echo " SMS Shield: $([ "${SMS_SHIELD_ENABLED:-1}" = "1" ] && echo "${GREEN}ON${NC}" || echo "${RED}OFF${NC}")"
echo " Network Monitor: $([ "${NETWORK_MONITOR_ENABLED:-1}" = "1" ] && echo "${GREEN}ON${NC}" || echo "${RED}OFF${NC}")"
echo " Key Wiper: $([ "${KEYWIPER_ENABLED:-1}" = "1" ] && echo "${GREEN}ON${NC}" || echo "${RED}OFF${NC}")"
# IOC stats
echo ""
echo "${BOLD}Threat Database${NC}"
for f in packages.txt certificates.txt domains.txt ips.txt hashes.txt cellebrite_hashes.txt; do
if [ -f "$VIGIL_DATA/$f" ]; then
local count=$(wc -l < "$VIGIL_DATA/$f")
local name=$(echo "$f" | sed 's/\.txt//' | sed 's/_/ /g')
printf " %-18s %s indicators\n" "$name:" "$count"
fi
done
# Recent alerts
echo ""
echo "${BOLD}Recent Alerts${NC}"
if [ -f "$VIGIL_DATA/alerts/history" ]; then
local total=$(wc -l < "$VIGIL_DATA/alerts/history")
echo " Total: $total"
echo ""
tail -5 "$VIGIL_DATA/alerts/history" | while IFS='|' read -r sev ts mod msg; do
local date=$(date -d @"$ts" '+%m/%d %H:%M' 2>/dev/null || echo "$ts")
case "$sev" in
CRITICAL) echo " ${RED}[$sev]${NC} $date $msg" ;;
HIGH) echo " ${YELLOW}[$sev]${NC} $date $msg" ;;
*) echo " [$sev] $date $msg" ;;
esac
done
else
echo " ${GREEN}No alerts${NC}"
fi
echo ""
}
cmd_scan() {
check_module
local scan_type="${1:-full}"
"$VIGIL_LIB/scanner.sh" "$scan_type"
}
cmd_integrity() {
check_module
local subcmd="${1:-verify}"
"$VIGIL_LIB/integrity.sh" "$subcmd"
}
cmd_lockdown() {
check_module
echo "${RED}${BOLD}WARNING: This will enter BFU lockdown mode.${NC}"
echo "Actions: evict encryption keys, disable ADB, TRIM storage, minimize logging"
echo "A reboot is required to restore normal operation."
echo ""
# In non-interactive mode (e.g., from duress trigger), skip confirmation
if [ "$1" = "--force" ] || [ "$1" = "-f" ]; then
"$VIGIL_LIB/key_wiper.sh" lockdown
return
fi
echo -n "Proceed? [y/N] "
read -r confirm
if [ "$confirm" = "y" ] || [ "$confirm" = "Y" ]; then
"$VIGIL_LIB/key_wiper.sh" lockdown
else
echo "Aborted"
fi
}
cmd_unlock() {
check_module
"$VIGIL_LIB/key_wiper.sh" unlock
}
cmd_alerts() {
if [ -f "$VIGIL_DATA/alerts/history" ]; then
local count="${1:-20}"
echo "${BOLD}Alert History${NC} (last $count)"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
tail -"$count" "$VIGIL_DATA/alerts/history" | while IFS='|' read -r sev ts mod msg; do
local date=$(date -d @"$ts" '+%Y-%m-%d %H:%M:%S' 2>/dev/null || echo "$ts")
case "$sev" in
CRITICAL) echo "${RED}[$sev]${NC} $date [$mod] $msg" ;;
HIGH) echo "${YELLOW}[$sev]${NC} $date [$mod] $msg" ;;
MEDIUM) echo "${CYAN}[$sev]${NC} $date [$mod] $msg" ;;
*) echo "[$sev] $date [$mod] $msg" ;;
esac
done
else
echo "No alerts recorded"
fi
}
cmd_update_ioc() {
check_module
echo "Updating threat indicators..."
if [ -n "$VIGIL_BACKEND_URL" ]; then
# Download from backend
for f in packages.txt certificates.txt domains.txt ips.txt hashes.txt hosts.txt cellebrite_hashes.txt; do
echo -n " $f... "
if curl -sf -o "$VIGIL_DATA/$f.new" "$VIGIL_BACKEND_URL/ioc/$f"; then
mv "$VIGIL_DATA/$f.new" "$VIGIL_DATA/$f"
echo "${GREEN}updated${NC}"
else
rm -f "$VIGIL_DATA/$f.new"
echo "${YELLOW}failed (keeping current)${NC}"
fi
done
# Reinstall hosts blocklist
"$VIGIL_LIB/network_monitor.sh" install
echo "IOC update complete"
else
echo "${YELLOW}No backend URL configured${NC}"
echo "Set VIGIL_BACKEND_URL in /data/adb/vigil/vigil.conf"
echo "Or manually update files in /data/adb/vigil/"
fi
}
cmd_forensic() {
check_module
local subcmd="${1:-scan}"
"$VIGIL_LIB/forensic_shield.sh" "$subcmd"
}
cmd_sms() {
check_module
local subcmd="${1:-status}"
"$VIGIL_LIB/sms_shield.sh" "$subcmd"
}
cmd_network() {
check_module
local subcmd="${1:-status}"
"$VIGIL_LIB/network_monitor.sh" "$subcmd"
}
cmd_log() {
if [ -f "$VIGIL_LOG" ]; then
local lines="${1:-50}"
tail -"$lines" "$VIGIL_LOG"
else
echo "No log file found"
fi
}
cmd_wipe_session() {
check_module
"$VIGIL_LIB/key_wiper.sh" wipe-session
}
cmd_help() {
print_banner
echo "Usage: vigil <command> [options]"
echo ""
echo "${BOLD}Core Commands${NC}"
echo " status Show overall protection status"
echo " scan [full|quick] Run threat scan (default: full)"
echo " alerts [N] Show last N alerts (default: 20)"
echo " log [N] Show last N log lines (default: 50)"
echo ""
echo "${BOLD}Protection${NC}"
echo " lockdown [-f] Enter BFU lockdown mode (evict keys, disable ADB)"
echo " unlock Clear lockdown state (after reboot)"
echo " wipe-session Clear session data (clipboard, caches)"
echo ""
echo "${BOLD}Modules${NC}"
echo " integrity [baseline|verify|heuristic]"
echo " FrostGuard file integrity operations"
echo " forensic [scan|status]"
echo " Forensic Shield (anti-Cellebrite)"
echo " sms [monitor|analyze|status]"
echo " SMS Shield (silent SMS detection)"
echo " network [install|remove|status]"
echo " Network monitor (C2/tracker blocking)"
echo ""
echo "${BOLD}Maintenance${NC}"
echo " update-ioc Update threat indicator database"
echo " version Show version"
echo " help Show this help"
echo ""
}
# ── DISPATCH ──
check_root
case "$1" in
status) cmd_status ;;
scan) shift; cmd_scan "$@" ;;
integrity) shift; cmd_integrity "$@" ;;
lockdown) shift; cmd_lockdown "$@" ;;
unlock) cmd_unlock ;;
wipe-session) cmd_wipe_session ;;
alerts) shift; cmd_alerts "$@" ;;
update-ioc) cmd_update_ioc ;;
forensic) shift; cmd_forensic "$@" ;;
sms) shift; cmd_sms "$@" ;;
network) shift; cmd_network "$@" ;;
log) shift; cmd_log "$@" ;;
version) echo "Vigil v${VERSION}" ;;
help|--help|-h|"") cmd_help ;;
*)
echo "Unknown command: $1"
echo "Run 'vigil help' for usage"
exit 1
;;
esac
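Review bot: `cmd_update_ioc` replaces every IOC file with whatever `curl -sf -o "$VIGIL_DATA/$f.new" "$VIGIL_BACKEND_URL/ioc/$f"` returns and then runs `"$VIGIL_LIB/network_monitor.sh" install` on the freshly downloaded `hosts.txt`, with no integrity or authenticity check in between: whoever controls the backend, or the path to it if the URL is plain http, can empty the detection database or push an arbitrary hosts file onto the device. Require an `https://` prefix (or pin the certificate), verify a detached signature or at least a published SHA256 for each file before the `mv`, and sanity-check the download against the `hash|threat_name|hash_type` format and a minimum line count so a 200 with an empty or HTML body is rejected instead of installed. Smaller points in the same hunk: the "Threat Database" counts in `cmd_status` use `wc -l`, which includes the comment header lines at the top of the IOC files shown on this page; `cmd_alerts` and `cmd_log` pass `$1` straight into `tail -"$count"` and `tail -"$lines"` without checking that it is numeric; and `daemon_running` treats any live PID read from the pidfile as vigild, so a reused PID reports RUNNING.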

vigil/bin/vigild Executable file

@@ -0,0 +1,181 @@
#!/system/bin/sh
# vigild — Vigil Anti-Surveillance Daemon
# Main daemon that orchestrates all protection modules
# (c) Setec Labs
MODDIR=$(dirname $(dirname $(dirname $(readlink -f "$0"))))
VIGIL_DATA="/data/adb/vigil"
VIGIL_LIB="$MODDIR/vigil/lib"
VIGIL_LOG="$VIGIL_DATA/vigil.log"
VIGIL_PID="$VIGIL_DATA/vigild.pid"
# Ensure dirs exist
mkdir -p "$VIGIL_DATA/alerts" "$VIGIL_DATA/baseline"
# Load config
[ -f "$VIGIL_DATA/vigil.conf" ] && . "$VIGIL_DATA/vigil.conf"
log() {
local level="$1"
local msg="$2"
local min_level="${VIGIL_LOG_LEVEL:-2}"
case "$level" in
ERROR) lvl=1 ;;
WARN) lvl=2 ;;
INFO) lvl=3 ;;
DEBUG) lvl=4 ;;
*) lvl=3 ;;
esac
[ $lvl -le $min_level ] && \
echo "[$(date '+%Y-%m-%d %H:%M:%S')] [vigild] [$level] $msg" >> "$VIGIL_LOG"
}
rotate_log() {
local max_size="${VIGIL_LOG_MAX_SIZE:-1048576}"
if [ -f "$VIGIL_LOG" ]; then
local size=$(stat -c '%s' "$VIGIL_LOG" 2>/dev/null || echo 0)
if [ "$size" -gt "$max_size" ]; then
mv "$VIGIL_LOG" "$VIGIL_LOG.1"
log INFO "Log rotated"
fi
fi
}
process_alerts() {
local alert_file="$VIGIL_DATA/alerts/pending"
if [ -f "$alert_file" ] && [ -s "$alert_file" ]; then
local count=$(wc -l < "$alert_file")
log WARN "Processing $count pending alerts"
# Archive alerts
cat "$alert_file" >> "$VIGIL_DATA/alerts/history"
# If backend configured, report alerts
if [ -n "$VIGIL_BACKEND_URL" ]; then
# POST alerts to backend server
local payload=$(cat "$alert_file" | while IFS='|' read -r sev ts mod msg; do
echo "{\"severity\":\"$sev\",\"timestamp\":$ts,\"module\":\"$mod\",\"message\":\"$msg\"}"
done | paste -sd',' -)
curl -s -X POST \
-H "Content-Type: application/json" \
-H "X-Vigil-Device: ${VIGIL_DEVICE_ID:-unknown}" \
-d "{\"alerts\":[$payload]}" \
"$VIGIL_BACKEND_URL/api/alerts" \
>> "$VIGIL_LOG" 2>&1 &
fi
# Clear pending
> "$alert_file"
fi
}
generate_device_id() {
if [ -z "$VIGIL_DEVICE_ID" ] || [ "$VIGIL_DEVICE_ID" = "" ]; then
# Generate a pseudorandom device ID (not fingerprinting — just for backend comms)
VIGIL_DEVICE_ID=$(cat /proc/sys/kernel/random/uuid 2>/dev/null | cut -d'-' -f1-2)
if [ -n "$VIGIL_DEVICE_ID" ]; then
sed -i "s/^VIGIL_DEVICE_ID=.*/VIGIL_DEVICE_ID=\"$VIGIL_DEVICE_ID\"/" "$VIGIL_DATA/vigil.conf" 2>/dev/null
fi
fi
}
# ── SIGNAL HANDLERS ──
cleanup() {
log INFO "vigild shutting down (PID: $$)"
# Stop background monitors
kill $(jobs -p) 2>/dev/null
rm -f "$VIGIL_PID"
exit 0
}
trap cleanup TERM INT QUIT
# ── MAIN ──
main() {
echo $$ > "$VIGIL_PID"
log INFO "════════════════════════════════════════"
log INFO "vigild starting (PID: $$)"
log INFO "Module: $MODDIR"
log INFO "Data: $VIGIL_DATA"
log INFO "════════════════════════════════════════"
generate_device_id
# ── Start background monitors ──
# 1. Forensic Shield (continuous USB/process monitoring)
if [ "${FORENSIC_SHIELD_ENABLED:-1}" = "1" ]; then
log INFO "Starting Forensic Shield monitor..."
"$VIGIL_LIB/forensic_shield.sh" monitor >> "$VIGIL_LOG" 2>&1 &
log INFO "Forensic Shield PID: $!"
fi
# 2. SMS Shield (continuous logcat monitoring)
if [ "${SMS_SHIELD_ENABLED:-1}" = "1" ] && [ "${SMS_SILENT_DETECT:-1}" = "1" ]; then
log INFO "Starting SMS Shield monitor..."
"$VIGIL_LIB/sms_shield.sh" monitor >> "$VIGIL_LOG" 2>&1 &
log INFO "SMS Shield PID: $!"
fi
# 3. Network Monitor (continuous connection watching)
if [ "${NETWORK_MONITOR_ENABLED:-1}" = "1" ] && [ "${NETWORK_LOG_SUSPICIOUS:-1}" = "1" ]; then
log INFO "Starting Network monitor..."
"$VIGIL_LIB/network_monitor.sh" monitor >> "$VIGIL_LOG" 2>&1 &
log INFO "Network Monitor PID: $!"
fi
# 4. Install network blocklists
if [ "${NETWORK_BLOCK_C2:-1}" = "1" ] || [ "${NETWORK_BLOCK_TRACKERS:-1}" = "1" ]; then
log INFO "Installing network blocklists..."
"$VIGIL_LIB/network_monitor.sh" install >> "$VIGIL_LOG" 2>&1
fi
# 5. Run initial scan
log INFO "Running initial quick scan..."
"$VIGIL_LIB/scanner.sh" quick >> "$VIGIL_LOG" 2>&1
# ── Main loop ──
local last_scan=$(date +%s)
local last_integrity=$(date +%s)
local scan_interval="${SCANNER_INTERVAL:-3600}"
local integrity_interval="${FROSTGUARD_INTERVAL:-1800}"
log INFO "Entering main loop (scan: ${scan_interval}s, integrity: ${integrity_interval}s)"
while true; do
local now=$(date +%s)
# Periodic threat scan
if [ $((now - last_scan)) -ge "$scan_interval" ]; then
log INFO "Running scheduled threat scan..."
"$VIGIL_LIB/scanner.sh" quick >> "$VIGIL_LOG" 2>&1
last_scan=$now
fi
# Periodic integrity check
if [ "${FROSTGUARD_ENABLED:-1}" = "1" ] && [ $((now - last_integrity)) -ge "$integrity_interval" ]; then
log INFO "Running scheduled integrity check..."
"$VIGIL_LIB/integrity.sh" verify >> "$VIGIL_LOG" 2>&1
last_integrity=$now
fi
# Process any pending alerts
process_alerts
# Rotate log if needed
rotate_log
# Check if we're still supposed to be running
if [ ! -f "$VIGIL_PID" ] || [ "$(cat "$VIGIL_PID" 2>/dev/null)" != "$$" ]; then
log WARN "PID file mismatch — another instance may be running. Exiting."
cleanup
fi
sleep 60
done
}
main
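Review bot: `process_alerts` builds the JSON body by interpolating `$sev`, `$ts`, `$mod` and `$msg` straight into `echo "{\"severity\":\"$sev\",\"timestamp\":$ts,\"module\":\"$mod\",\"message\":\"$msg\"}"` with no escaping, so a message carrying a double quote or backslash (anything derived from a package name, a process command line or a file path the scanner found) produces invalid JSON for the whole batch, and a crafted one can inject extra fields into the report; escape each field (or emit one object per line as NDJSON) and quote `timestamp`, since an empty `$ts` yields `"timestamp":,`. The upload itself runs as `curl -s ... &` with its exit status never checked while the pending file is cleared unconditionally with `> "$alert_file"`, so a failed POST is never retried and the backend silently misses the batch. Separately, the instance check at the bottom of the main loop calls `cleanup` on a pidfile mismatch, and `cleanup` does `rm -f "$VIGIL_PID"`, which deletes the pidfile that belongs to the other instance; that instance then fails its own `[ ! -f "$VIGIL_PID" ]` test on the next iteration and exits as well. Only remove the pidfile when it still contains `$$`.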


@@ -0,0 +1,15 @@
# Vigil — Exclusions Configuration
# Add package names, paths, or domains to exclude from scanning.
# One entry per line. Lines starting with # are comments.
# ── Package Exclusions (won't trigger stalkerware alerts) ──
# Example: com.my.trusted.app
#packages:
# ── Domain Exclusions (won't be blocked by network monitor) ──
# Example: trusted.analytics.com
#domains:
# ── Path Exclusions (won't be checked by FrostGuard) ──
# Example: /system/addon.d
#paths:
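Review bot: the file documents three kinds of entry but every section marker (`#packages:`, `#domains:`, `#paths:`) is itself a comment, so nothing here says how a reader of the file tells `com.my.trusted.app` from `trusted.analytics.com` from `/system/addon.d`; either make the section headers live syntax or give each line an explicit prefix such as `package:`, `domain:` or `path:`, and state that rule in the header comment. Also worth a sentence in the header: an entry in this file suppresses stalkerware alerts, network blocking and FrostGuard checks, which is exactly what an implant with root would want to append, so the file should be covered by the integrity baseline or have its changes alerted on.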

vigil/config/vigil.conf Normal file

@@ -0,0 +1,63 @@
# Vigil — Anti-Surveillance Shield Configuration
# (c) Setec Labs
#
# This file is sourced by all Vigil components.
# Edit /data/adb/vigil/vigil.conf on your device (not this copy).
# ── General ──────────────────────────────────────────
VIGIL_ENABLED=1
VIGIL_LOG_LEVEL=2 # 0=silent 1=error 2=warn 3=info 4=debug
VIGIL_LOG_MAX_SIZE=1048576 # 1MB, rotated automatically
VIGIL_BACKEND_URL="" # Optional: reporting server URL
VIGIL_DEVICE_ID="" # Auto-generated on first run
# ── Threat Scanner ───────────────────────────────────
SCANNER_ENABLED=1
SCANNER_INTERVAL=3600 # Seconds between automatic scans (3600=1hr)
SCANNER_ON_INSTALL=1 # Scan new app installs immediately
SCANNER_CHECK_PACKAGES=1 # Check installed package names against IOC DB
SCANNER_CHECK_CERTS=1 # Check app signing certificates
SCANNER_CHECK_HASHES=1 # Check APK file hashes
SCANNER_CHECK_PROCESSES=1 # Scan running processes
SCANNER_CHECK_ACCESSIBILITY=1 # Check accessibility service abuse
SCANNER_CHECK_DEVICE_ADMIN=1 # Check device admin abuse
# ── FrostGuard (File Integrity) ─────────────────────
FROSTGUARD_ENABLED=1
FROSTGUARD_INTERVAL=1800 # Seconds between integrity checks
FROSTGUARD_CRITICAL_PATHS="/system/bin /system/xbin /system/lib64 /system/framework /system/app /system/priv-app /vendor/bin /init"
FROSTGUARD_ALERT_ON_VIOLATION=1
FROSTGUARD_BLOCK_ON_VIOLATION=0 # Aggressive: prevent boot if violated
# ── Forensic Shield ─────────────────────────────────
FORENSIC_SHIELD_ENABLED=1
FORENSIC_USB_MONITOR=1 # Monitor USB for forensic tools
FORENSIC_ADB_GUARD=1 # Restrict ADB when threat detected
FORENSIC_AUTO_LOCKDOWN=0 # Auto-enter lockdown on detection (DANGEROUS)
FORENSIC_WIPE_ON_DETECT=0 # Nuclear option: wipe on forensic tool detect
# ── Key Wiper / BFU Mode ────────────────────────────
KEYWIPER_ENABLED=1
KEYWIPER_TRIM_ON_LOCKDOWN=1 # Run TRIM on lockdown to prevent recovery
KEYWIPER_KILL_LOGD=1 # Stop logging daemon on lockdown
KEYWIPER_DISABLE_ADB=1 # Disable ADB on lockdown
KEYWIPER_CLEAR_CLIPBOARD=1 # Clear clipboard on lockdown
# ── SMS Shield ───────────────────────────────────────
SMS_SHIELD_ENABLED=1
SMS_SILENT_DETECT=1 # Detect silent/stealth SMS (Class-0, Type-0)
SMS_BLOCK_SILENT=1 # Block silent SMS from reaching the device
SMS_FAKE_RESPONSE=0 # Respond with fake data to silent SMS probes
SMS_LOG_ALL=0 # Log all SMS metadata (privacy tradeoff)
# ── Network Monitor ─────────────────────────────────
NETWORK_MONITOR_ENABLED=1
NETWORK_BLOCK_C2=1 # Block known C2 domains via hosts file
NETWORK_BLOCK_TRACKERS=1 # Block known tracking domains
NETWORK_LOG_SUSPICIOUS=1 # Log connections to suspicious IPs
NETWORK_IPTABLES_ENABLED=1 # Use iptables for IP-level blocking
# ── Duress / Panic ──────────────────────────────────
DURESS_ENABLED=0 # DISABLED by default — user must opt in
DURESS_PIN="" # Duress PIN triggers emergency lockdown
DURESS_ACTION="lockdown" # lockdown | wipe | wipe-full
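Review bot: `DURESS_PIN=""` puts a secret in plaintext into a file that, as the header says, "is sourced by all Vigil components", i.e. executed as shell by root; store a salted hash of the PIN and compare against that, and document the permissions this file must have, because anyone able to write it gets root code execution on every Vigil run rather than a mere config change. Related gap: `FROSTGUARD_CRITICAL_PATHS` lists only `/system`, `/vendor` and `/init` paths, so the config, the IOC lists and the exclusions under `/data/adb/vigil` (which vigild rewrites in place with `sed -i` to persist the device ID) are outside the integrity check; add that directory, or at least this file, to the baseline. Minor: the comment on `DURESS_ACTION` names `wipe` and `wipe-full` without saying what each erases, and `VIGIL_LOG_LEVEL=2` as the default means the daemon's INFO lines (monitor PIDs, scheduled scans) are never written, which will surprise anyone reading the log to debug a module that did not start.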


@@ -0,0 +1,73 @@
# Vigil IOC: Cellebrite forensic tool hashes
# Format: hash|threat_name|hash_type
0519d111df96968e376a0dc1fb4c37eef35829dd0f472953e71e19d05b15eb47|Cellebrite_UFED_Elevator|SHA256
064af61a468a719291779c2aab1d8fd152e66d422b402ebf112c5d896f268a52|Cellebrite_UFED_Elevator|SHA256
07e3923c52e1c73e6ba314e230605e2ddbb5033aab75495654c131ff8b1b32a6|Cellebrite_UFED_Elevator|SHA256
08853c949bbc98b9e334ae52d6d344f219e225914abaf7e813c81307a8e3bcb5|Cellebrite_UFED_Elevator|SHA256
1226873d2fac892c3187b7a7da3a1c4b2a5c31d7ecdcd0c18f7ecba4197b05f0|Cellebrite_UFED_Elevator|SHA256
17afd50ea379a6669e59af03fa73af816f3947ab0bc979b41e8828916c63dc49|Cellebrite_UFED_Elevator|SHA256
23d9ce4a7df20b28d0b5b24ac320a9643c1716987dd5f29110bff71f775dca8d|Cellebrite_UFED_Elevator|SHA256
2a797d28f44e9865d0dc0a9b7393b62e468fde03a8e1982ddb32142f7570b23b|Cellebrite_UFED_Elevator|SHA256
2db036febbbad09586eac6279a4de4852c353444c4cacb7f926605d174cc7e6e|Cellebrite_UFED_Elevator|SHA256
3254e75112c3d219e1af7bbb7be73d2cea76e4786aa9678683bf8d77f1ffbde2|Cellebrite_UFED_Elevator|SHA256
3541425a729454569dccdf713f84102a8b2efeeb77abd34a6c210dd4b9b61cf4|Cellebrite_UFED_Elevator|SHA256
37178f4d2711fc132b8ef19499c1517a70f73d29dc204116a85f5e6caa025034|Cellebrite_UFED_Elevator|SHA256
39560ebb98e6973c88e4a92fb20e5b216616e4c7f607432329f26538aff77694|Cellebrite_UFED_Elevator|SHA256
3c6dee8fcf4a47c70be5b2b1af6a84c7b54f4941b2a341f23547f1a1db64d034|Cellebrite_UFED_Elevator|SHA256
460ba81b6dc17efe179cf7d0617ff99dc66be3be4375348f1c97a88dfa4f39ea|Cellebrite_UFED_Elevator|SHA256
46a202a88af8c7208d552904cd16d28580a24830011a536c431703848c5739fb|Cellebrite_UFED_Elevator|SHA256
47e7ddbadcb1ec5c228413e93baa029e06f24f44e77a83e817ba48770ffddd10|Cellebrite_UFED_Elevator|SHA256
49b7368bd28c936ac824bf6040101f57f2c42ce4e9e16877dab2f44922683213|Cellebrite_BannedKey|SHA256
49b7368bd28c936ac824bf6040101f57f2c42ce4e9e16877dab2f44922683213|Cellebrite_UFED_Elevator|SHA256
5a14004e4c1a67acfd124ff21703b78ef3710c8e81677013234b4deb6af7da66|Cellebrite_BannedKey|SHA256
5a14004e4c1a67acfd124ff21703b78ef3710c8e81677013234b4deb6af7da66|Cellebrite_UFED_Elevator|SHA256
5c3d38ad5f26606ca19d277ee7392b039555449ac66cc96e9ad2c818857a3b31|Cellebrite_UFED_Elevator|SHA256
5de2e8d08d246a7bb5c8ddd020853dbb5896cec4149527fa9256a786ebf3541d|Cellebrite_UFED_Elevator|SHA256
5e8dce4e63214099c35f342c6c5a548be30ed6341ec9f4655827f28473333b6b|Cellebrite_UFED_Elevator|SHA256
6a14b252b01f7ddc21a20a4a9577cb76c82f459652845959040eae677c0df3ce|Cellebrite_BannedKey|SHA256
6a14b252b01f7ddc21a20a4a9577cb76c82f459652845959040eae677c0df3ce|Cellebrite_UFED_Elevator|SHA256
6a4e49d86f471cd5be05af0737fcc8a7f58922c591c0d03c446bd0cf3bb0d8cb|Cellebrite_UFED_Elevator|SHA256
6bea0ed340e33aa457ca91a986ed266906e3639bccf7ee6cdf1597ba683d25cb|Cellebrite_UFED_Elevator|SHA256
6c66e32cc3c16dca941b9322e21463bb57c99cd7f3909e748fdfa671171cf66d|Cellebrite_UFED_Elevator|SHA256
6c6909839af1076330fdfd64a82d2209030fcfd3f7819acbfccc7697d7d3b5ae|Cellebrite_UFED_Elevator|SHA256
7546f3e3e6bfd3cc3b0d91f7883e39a1c9cd39be7a3a2c72cd76d9ca5378c540|Cellebrite_UFED_Elevator|SHA256
7b6343e560c51c0152af0479a8cd9e7c74b9464f16deaaf07a7263f3b876c6e2|Cellebrite_UFED_Elevator|SHA256
7e898e7d0f04e798954f285d50feb44f9697b47a443bfac27a7bedee52942bf6|Cellebrite_UFED_Elevator|SHA256
7efdbc53f31c24bfe0046452e902be8fd7a500aae1a97d0d554ebe2bf8f2f9d8|Cellebrite_UFED_Elevator|SHA256
829dd6f9fc7b39d16b3f75428b3b8417e3b411a9dbb422030f4a2d0e93dbbe3f|Cellebrite_UFED_Elevator|SHA256
856ef82bb6f1e7d940be20a049a3566842a0c9b2c8635d646fdd487a00bd051a|Cellebrite_BannedKey|SHA256
856ef82bb6f1e7d940be20a049a3566842a0c9b2c8635d646fdd487a00bd051a|Cellebrite_UFED_Elevator|SHA256
859192e3d697a8522a7f9c19088d125b723193ce27df348712701ee78aea286c|Cellebrite_UFED_Elevator|SHA256
872944fcf79fb92eb5f4134d87b6f6caabc5dec919070a1109ee820442942250|Cellebrite_UFED_Elevator|SHA256
8e13aff69bc075116194f9d4e2dc7f2ef38ab502903649b4da8b9fc9ce2347e4|Cellebrite_UFED_Elevator|SHA256
93028ad412cfc3a792614596d5db155470840bb5614eb416d9e3265b959fc95c|Cellebrite_BannedKey|SHA256
93028ad412cfc3a792614596d5db155470840bb5614eb416d9e3265b959fc95c|Cellebrite_UFED_Elevator|SHA256
945a19f4a22daab9cdea1686971a0215f777d3b19f5ee45ffcf846b3a0638cd3|Cellebrite_BannedKey|SHA256
945a19f4a22daab9cdea1686971a0215f777d3b19f5ee45ffcf846b3a0638cd3|Cellebrite_UFED_Elevator|SHA256
962390deb44b84d5781c5f0868aaea7f55d374b2db161598bebe3dd90abc1564|Cellebrite_BannedKey|SHA256
962390deb44b84d5781c5f0868aaea7f55d374b2db161598bebe3dd90abc1564|Cellebrite_UFED_Elevator|SHA256
96ea633fe332a30f65e80e1c48ca9a0158b6e02c33afcb4d05d9d96d62135aab|Cellebrite_UFED_Elevator|SHA256
97496d8bbfb71bff2ea121ae731da8e474d1cdd6aabdb2bf1d592afe3bd649de|Cellebrite_BannedKey|SHA256
97496d8bbfb71bff2ea121ae731da8e474d1cdd6aabdb2bf1d592afe3bd649de|Cellebrite_UFED_Elevator|SHA256
98e2efe999a859531af4940b4fcc63725f9b84f0c14645c32fd7def907e03030|Cellebrite_UFED_Elevator|SHA256
9da883c6999f2f333ab91631946984893fc51163e0c109e8683131b4775accdb|Cellebrite_UFED_Elevator|SHA256
a2ea5e0d94abb55ade88a6ffe40a73f49329347c96d334c58426e1bc0c41e72b|Cellebrite_UFED_Elevator|SHA256
a4ea82cd91d99bf26ca19dfd4b1969c42b5551151f1d3bdb635ebb2567e5a741|Cellebrite_BannedKey|SHA256
a4ea82cd91d99bf26ca19dfd4b1969c42b5551151f1d3bdb635ebb2567e5a741|Cellebrite_UFED_Elevator|SHA256
a75788739e8f97fd9901496f2a69d5b6b24892992c106a1e8ee06faa25076c18|Cellebrite_UFED_Elevator|SHA256
a8212687308d7067af3d25664e84ace7f84fd939914a96a1c47e67c613c7b225|Cellebrite_UFED_Elevator|SHA256
a944fd9e66d6b56bd031a3236b6ae8daee4b90e4689f167c22f7c0d02eaa3a98|Cellebrite_UFED_Elevator|SHA256
ab8130caac25334f2ae46781e4ef625020bd95b215a427785798c729d81fc410|Cellebrite_UFED_Elevator|SHA256
ab9bc4c15b1589e45dcf9c604617eaa67034c388c8b8df3af7c71dc50b29bef5|Cellebrite_UFED_Elevator|SHA256
b5804223bdf91099de465a9cdc3d6bc8aec01f19a8856f6e9bdaec3a2a941035|Cellebrite_UFED_Elevator|SHA256
bbe87d1cd44869ee1ba8dbca4a671965765fcd5818f16efa434bbe972961de1c|Cellebrite_UFED_Elevator|SHA256
c58a06ba1b0be01c564629f76f496fc3b7e2d971c807ab6fe06ade291fafb3cc|Cellebrite_UFED_Elevator|SHA256
ca52579b3ded35fc8337ff9763634c4bf5407a97c85d0c03fb3de16b22d7638b|Cellebrite_UFED_Elevator|SHA256
cac5fdb8be75968291b42ab75dd654b3b21cf5dd1a5539490e6e8e015cb2a4ff|Cellebrite_UFED_Elevator|SHA256
d3aa3c7b75e986d2addf4364f90fb948addee91deade17765a383ec69f582806|Cellebrite_UFED_Elevator|SHA256
df89c654afaad67ac7e85e5d34072b5463ea0849ef3e8462a13e299baa6aa6dc|Cellebrite_BannedKey|SHA256
df89c654afaad67ac7e85e5d34072b5463ea0849ef3e8462a13e299baa6aa6dc|Cellebrite_UFED_Elevator|SHA256
e228cf22fa4934168fbde171e67729c8774df3813c1d31d9e5e206a19097ab87|Cellebrite_UFED_Elevator|SHA256
f9ca7565b557f315a9a4fc0d77571206ba8471713160784b570bebc541a29fac|Cellebrite_BannedKey|SHA256
f9ca7565b557f315a9a4fc0d77571206ba8471713160784b570bebc541a29fac|Cellebrite_UFED_Elevator|SHA256
ffc118fc66a09e5a421f2aa5a036c0b49fb178dc9a18d847592d68ddf21cbd1e|Cellebrite_UFED_Elevator|SHA256
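Review bot: eleven hashes appear twice with different labels, once as `Cellebrite_BannedKey` and once as `Cellebrite_UFED_Elevator` (first pair: the two `49b7368bd28c936ac824bf6040101f57f2c42ce4e9e16877dab2f44922683213` lines), so the file has 71 lines but only 60 distinct SHA256 values; a lookup keyed on the hash will either double-alert or report whichever label it reads last, and a line count overstates coverage. Keep one line per hash and either pick one name or allow a list of names in the `threat_name` field, and say in the header whether `hash_type` can ever be anything other than SHA256 (every entry here is SHA256, so a parser may as well enforce it).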

vigil/ioc/certificates.txt Normal file

@@ -0,0 +1,476 @@
# Vigil IOC: Malicious signing certificate hashes
# Format: hash|threat_name|hash_type
002DD372C94E80600C7C60192CBD701A3C3B87EE|RealtimeSpy|SHA1
00F618C4C43C28B107DAB8F5641AD00D3A774AFD|Buhsam|SHA1
018D06B4A5679892572CB9DA44BA1A8C1E3B68A5|MeuSpy|SHA1
01E49C220A9776D4978C1D28D6C32F86D145B8AE|ShadowSpy|SHA1
01EFA0C8FAE43215125ACA78308EFB1768FB4049|AndroidPolice|SHA1
021985CEA754D8E58D538D2FEDFF6B1565A6B45B|mSpy|SHA1
021A3F097EDA780798DF5ECB16EF338C08236847|MobileTrackerFree|SHA1
0387135D057AEAA0F8BCFCE2AFA84D9BD1FA6F30|AndroidPolice|SHA1
0568E0400308CBFC58E11A324EA233F5B2E923BF|MobileTrackerFree|SHA1
05B23C7E9156A4C55768DA27936FF2D7AF09BB8F|Spymie|SHA1
06A49FE1347C7D2E596DF2F08B8C235C00975AF8|XDSpy|SHA1
07525D7D2E83CE865F98E1B9C0F6095B1C29D48A|AppSpy|SHA1
07906D1FA933730B8EB44F03910C88FDAC2C0135|EasyLogger|SHA1
08ACB92D02487EBC0CEA42B672A631BA7EA59ADF|TalkLog|SHA1
09273A6004A46078991F3FBA2A4868DA26DBB508|MobileTrackerFree|SHA1
09DCBFDB7C7262F143089C5493435AB07564FD67|MobileTrackerFree|SHA1
0AD33649F0D0532B5EB0A36A81712962AA79BF54|AppSpy|SHA1
0AF3219D3A9525CB4A618215DB7A29CBFD9FFE78|MeuSpy|SHA1
0B6C1B010FBEA4316EB01602F71CDD6A8F365023|FlexiSpy|SHA1
0C01AEB7346C700D02613EBA513BD40E87A182F8|CallSMSTracker|SHA1
0C422F0025F866C311DF61A7549FCD519683898D|iKeyMonitor|SHA1
0C5AB4D05A2C804D3A4D0472CEAC50B89833E6E4|AndroidPolice|SHA1
0D025A887A1546585D9BBA6F023F42B8BE0274E1|AndroidPolice|SHA1
0DCD7C9CC6A76AD28D7D992C4EF3DF2F768EA473|MonitorUltra|SHA1
0E0BE37D31CA21F19095FC38F9F1BEF310CE227C|Hoverwatch|SHA1
0ECD5FD80682776D804715AB5B8504DAF59A4B54|Ahmyth|SHA1
0F64B6EBB49849AC685FE5DF605908594623368E|AndroidPolice|SHA1
0FB6108D34289681BA0181ED9A4350514EB07665|MobileTrackerFree|SHA1
0FB6643902E891C230F6E6662083442EEA1F16CE|OneSpy|SHA1
1128939E0D8B8BAEAB14C41AEBFAA100C319AD8F|MobileTrackerFree|SHA1
114C4DC0F254EFD81F0AC7F41DBE882FFDB2E127|MeuSpy|SHA1
123C09B261DFA0F67D817E9BA079942830C31D54|Spyone|SHA1
14A071616D4BC37F08BE865D375101F4C963777A|OwnSpy|SHA1
14EE7779B2E84A0FF1309DEA72881670D78E98AB|AndroidPolice|SHA1
159B64B29BC8842ACDF8022B70730B13E288044B|BrunoEspiao|SHA1
16226330EBB138A5D47913151827A86567AD9CD4|AndroidPolice|SHA1
16254E7CBDFEC82B6CCE599DFCE6A6E84CF25504|MobileTrackerFree|SHA1
18C94FAB82F77F89546600F84D2D2B48A0C0B927|MeuSpy|SHA1
18CD402CC43DF0BC03E9951B0F843DC4B1552DC6|CouplerTracker|SHA1
1988EDEA389D42983CEC8B5F8A9C27AE49F800F9|Snoopza|SHA1
1A6D10E15280C6A938EED9BEF53A31DA0CEBA45A|AndroidPolice|SHA1
1BB7F1E962C35F00BE2EF97A64C753CCA0993637|AndroidPolice|SHA1
1C6E171D3A6E51947DF9E83946BB115ED4A41C6A|AbsoluTrack|SHA1
1CD94B411B5D4D2F5F525D775876FF0993B4B716|AndroidPolice|SHA1
1CE722F401C3FA8FE498FF824669C0007A200AA9|MobileTrackerFree|SHA1
1DB0D66C1D21DD4B185D03B13D6CF620E4FACBAA|TrackingSmartphone|SHA1
1E15B0D27C0551061885340A3990D52A93F646B8|SMSForward|SHA1
1EBFFD9FE9463B2ED24582D2846990A5ABEF79B9|HelloSpy|SHA1
1ECC7F67BBD1BFAB97ADDCB05A496BCA7B6B135F|mSpy|SHA1
20948233C3EF1662E79850AE0AB959C4760114C2|AndroidPolice|SHA1
20AB40ACC2822A34EC199622CDCA9D7A63BB302B|Unisafe|SHA1
20C940625B322C487A89B1FEBF6C090845B040C1|FlexiSpy|SHA1
20F092BEC76C406223A7943371A1DBBB5BF66C13|pcTattletale|SHA1
219D2D7FEC2B2DA6E25693A75FC15D2C6F4F6E67|AllTracker|SHA1
219D542F901D8DB85C729B0F7AE32410096077CB|SpyNote|SHA1
230E35A26E471352DF5DBDBCF9834E0711500CB0|Reptilicus|SHA1
240E97A0587BF99441787EA3BCB2B2D8827564FE|Snoopza|SHA1
2441F6D331D6CFD8624346ED4B1987EAE6534FA3|Spyone|SHA1
24D3251C7A1184649211B9068820545397B112C9|EasyLogger|SHA1
26AF8554EE338D6969FAC51BF4DAC3186098056E|SpyPhoneApp|SHA1
26DDA9B261169FB0A63A6CEA5B682B7A190328B6|AndroidPolice|SHA1
26FC20C25AF99E4B6C16ABAD8E8D76AFA55973BB|AndroidPolice|SHA1
271CA9A77AF56B94F942EDA8F517E4B0FD44206C|AndroidPolice|SHA1
272CD0BC357FA03AF87940644CB8FFDECD2FDDC6|AndroidPolice|SHA1
28393DBA55F5B08294D1E54962BE1648C1EFB4A2|AbsoluTrack|SHA1
284E4AF2E92E8E49EDC2C8792D7008759813CB68|FlexiSpy|SHA1
28AFF3C41C0D42ACBB6B73C6C08868C442088640|Spyone|SHA1
2919FF38F04D757BA6FE344F1729275739F43E89|AndroidPolice|SHA1
29FFFE437675D2B55512953759C40776E547592D|MobileTrackerFree|SHA1
2A1C74FFFE33C7D867C7B284FFDBBA4DDD024450|AndroidPolice|SHA1
2A84B79A7E17E1F49642E8D5EA9828CFEA763E8C|MobileTrackerFree|SHA1
2B02F9708FAD9017D9F709AB2C5C8B5BD0D29394|AndroidPolice|SHA1
2C08279BCC8EB16B2B31ACFBD7E1D4BB28E49A87|Reptilicus|SHA1
2CF347EA59967F7799AA2C1FDB5D711B2B93D586|AndroidPolice|SHA1
2E104C33C8DA4DB32E59A45701D8E0C4CAD16BD3|VIPTrack|SHA1
2F033070A8CD93CEAC60F9E203BA33C9A9A3D226|MobileTrackerFree|SHA1
2FD8BEF4081F126D4DA655B40E9FC63F116DD857|Reptilicus|SHA1
317A9577A5B2D0930D06E0D8D7427E2F8FCAD29D|Spyone|SHA1
31A6ECECD97CF39BC4126B8745CD94A7C30BF81C|TheTruthSpy|SHA1
32570AD62B2DF951A67251ACB49E39E96B8A43BA|BosSpy|SHA1
32F6E28DD3E2E61ED94446591E31F89AEE3A9BD2|Spyone|SHA1
3397C095EAD93B13CC5B9979D1F3B4FAEF1D194C|AndroidPolice|SHA1
339B5C1746A1CDEA945D51BBE967C1320AE73CC4|AndroidPolice|SHA1
340E571CB1A64E6EE384D3F8A544681459CF3F5F|LetMeSpy|SHA1
340FE1F4AA4A401AD8E326907E35FB9E0C2486BD|FlashKeylogger|SHA1
34B791B5D35A874D189202EEA1FA99188F58A4C1|RealtimeSpy|SHA1
35B05ACC96D02849E20D9ED3BA9CEA41C2B83FFA|MeuSpy|SHA1
35CD797D1736484786152A231920575FABC5C12A|MobileTrackerFree|SHA1
35D1DB3904A84793394FE5DF7B678E263B1B33A0|AndroidPolice|SHA1
35D7CF057BFA5023CE739A725ADA0DA1FD34D1FF|EasyLogger|SHA1
35E90A29262F1E6CC25B6E483DEC67161513DE30|AndroidPolice|SHA1
36E6671BC4397F475A350905D9A649A5ADE97BB2|TheTruthSpy|SHA1
377223C40330F7925BB238E3A2AC6E1BE1A05749|MobileTrackerFree|SHA1
37ACE0321E8833F25BDDB363AB395C81354E88A0|TrackMyPhones|SHA1
38819265668EEAE6AC3C6C80D1A6530EAE99AD0E|SpyApp|SHA1
3930B621F30D13D24692CBBBBC67C59F92F1C9BD|mSpy|SHA1
3935E474CD6EDACB19F24192809B337D376656F6|MobileTrackerFree|SHA1
39DDEFD8261C1946E4F3160F6A9E200F59F06C11|AndroidPolice|SHA1
3A041A8B1CF12E01AD4AA14779C1FCCA0701FE5C|AndroidPolice|SHA1
3BA583488F36C708025C078D9EB4BEDC3918B098|AndroidPolice|SHA1
3D4D65F3584201E74B186A90C3333C468D3C6A09|Observer|SHA1
3E1A6646C93A7423A25104A88DA5BECE2F35EFF0|mSpy|SHA1
3E4E5813CA5B9D9BB50B70FAD3C201FAA54B4FD5|AndroidPolice|SHA1
3E929DB5941C185EA4FAC2B0D7BA7589D40A379E|MeuSpy|SHA1
3E9B3E5190F64BA9A952B7F57942AA21FFDA50BA|MobileTool|SHA1
3EA68714AE224B0C0EEED64A14B11D3983C3D6F8|iMonitorSpy|SHA1
40159690AF08A01670E3FA07A021F7B1C1437042|AbsoluTrack|SHA1
409B589FDEAE073A94D609E2B41A6C0EA952B35A|Cerberus|SHA1
4140120093B5655CF559B2A786269CF3F82E3AE9|AndroidPolice|SHA1
41862C48D4BBC2A83DB3CE6EBA0D0C53E3D882B6|Unisafe|SHA1
437940A417B58B1C2CDB85EDE4D37C3DE6EFDC95|VIPTrack|SHA1
43D45CE7BEE36E449434C14973B7D285209414C7|AllTracker|SHA1
4474D3395029E6C6744A470EE5F2107DBAEF16A0|AndroidPolice|SHA1
4569A62308FA134A33A5DDCC065D6FDAE5653435|AndroidPolice|SHA1
4579E9E02465DAC399B7A47682813F5104E5D914|AndroidPolice|SHA1
457D2470CA3E635178D224C14C0D743B7C7F9F80|MobileTrackerFree|SHA1
4591BD0E4CBE86FD7510F1427BA6538BB269AE4D|AndroidPolice|SHA1
45DECBF059864164A4BC644D3EAB8127FC98238A|FlexiSpy|SHA1
473F919A69BBAD3457AF2F0E3AFC34E513F103F1|bark|SHA1
483716998F0C092FE82B0B12B1A4BA399D941318|TheTruthSpy|SHA1
48A2190050B80F31E1E3CCFAF9909FAD238D9849|HighsterMobile|SHA1
492FF617A79F6C8D80B453815CFE6586E21C5F72|AppSpy|SHA1
493812991A9A1CC7BEEFD45F2180CD2FC0AF8913|MeuSpy|SHA1
4A3742E0C96AFB91954D613AAA637076750E5A0B|EasyPhoneTrack|SHA1
4AF16661FC885F7CC84358CCB8F272308436D5E3|RealtimeSpy|SHA1
4CACA12EB37B7A7F07AE380C7E1741D2C36531DF|BlurSpy|SHA1
4DAD108F915E237CA2834FAC70C077AD8105E804|iKeyMonitor|SHA1
4E6B680EF3B588EF53097BC7CEFB778833B8A475|AndroidPolice|SHA1
4F6AD2383DADACCF93EA5BE4300571C315DBDF5B|Hoverwatch|SHA1
4FF0174BEDC1D16BE55AC53B98599398AC461F82|TheTruthSpy|SHA1
5037E917539B4F31E0B92EBB7A9089C5DC567518|CatWatchful|SHA1
5051413BB7C4931F5CD25260FFF173739CBE0F3A|AndroidPolice|SHA1
50CADBA5487E7C00D67C8FF0D3A952D7B62BEE9A|MeuSpy|SHA1
523C42BF2F6CBAFC78BE41043E8E3E3BB311CBA2|CatWatchful|SHA1
5284272445CE993DE601BB23CAE6BA9E43E4589C|Hoverwatch|SHA1
52B12772C6558D6A44A2DAF9E18FFAE48C577CA7|Cerberus|SHA1
53486B8F8790D1848E0842F37B5C6DFA15CD3EBB|MeuSpy|SHA1
53FADDAF873B7BD00E5AD9F5F05E7888A398CE70|EasyLogger|SHA1
5407E1CC26F28D6024E0384693045AEA2B24C5DA|AndroidPolice|SHA1
54E4D1ACDA9E3071D27AA7B6470E23F75BF1380B|AndroidPolice|SHA1
554137DEE63BE07CE9687C5886244954277227F5|TrackMyPhones|SHA1
558765849658A3821FE4054ED2C1FF6E28B4B8A0|AndroidMonitor|SHA1
56BD8EB8A20904E4766D99F6D38D87466C44B114|RealtimeSpy|SHA1
56C8FA19250EDBA1A91A37F500DA91FBC0657B1F|SpyMug|SHA1
56EF5244378FB6B4EF82D2B9E99BF41F7B97D93A|TheTruthSpy|SHA1
57178BA7BE0677C3143C24362FD35A9CF0E311A8|MobileTrackerFree|SHA1
575A730BC2411897A318DEB23B3C3CC4F63422F5|MobileTrackerFree|SHA1
575F8E8A04A5967E78BC5B5A3E31FDACF42F4FB1|uMobix|SHA1
597C0169D8C27DE7C6B62C2C252F9ECAC0E562C4|SpyHuman|SHA1
5A73C8FE7CBA5C9E70B0DF69B3A111C42A10B215|VIPTrack|SHA1
5AD2ACB089F8BE5112FF5125D94036983DE3E8D5|MobiStealth|SHA1
5C5EF3DFE98B02251A6EC82609F22A092562AFEE|iMonitorSpy|SHA1
5C77395F77E17F293CC8C4E3E1FDD48296EE4B28|AndroidPolice|SHA1
5C9031E2340478521630198F3F90E5C8D38D3B64|AndroidPolice|SHA1
5D655F30DE8B8BDABCCDF660582C6369145E7A5A|AbsoluTrack|SHA1
5D7B59F3AFB74D86CCD56440F99CA2FC83A23F22|TheTruthSpy|SHA1
5E16BA998632C1C3E4D4AE707D6EE2454ED2AEB5|Snoopza|SHA1
5E3C376B52C672C81439358DE6348F25F96EAAA4|TheTruthSpy|SHA1
5EC970BC602D0EBB2F3C7A5135E24C330B71DE59|PhoneSpy|SHA1
5EEC898F0DBBD70A9B33DD16EE5FF06B6DE26EA6|mSpy|SHA1
5EF38D0143F601FD01AA39BFE9079E9927920208|AndroidPolice|SHA1
5F2DCC133AF3E19D3935A85A3E2871856602A21D|Fenced|SHA1
5F43A60BFC663FB37F419A40015495431649310B|MobileTrackerFree|SHA1
5F61BEB9591ADBDF9DA5B141A1EF35CDC0944C8C|SpyphoneMobileTracker|SHA1
6000C3F6A35C81C0AE6ACA73DBF7B7D19DCDB7BC|MobileTrackerFree|SHA1
60277E8CE202D8023F2ECC86F1726A50D9990576|AndroidPolice|SHA1
603881E46350999FF7A5CBD68FE6A5897C50CEDE|TrackingSmartphone|SHA1
6041F01561EC43309CCC8452719C4F515C32F3C2|BrunoEspiao|SHA1
60DA6A5B04C0100DFCE1213C850EFBDEB0D1E8D7|EspiaoAndroid|SHA1
6144ED2E25B6F3A5FAFCF914965CA071A685674B|Hoverwatch|SHA1

4668
vigil/ioc/domains.txt Normal file

File diff suppressed because it is too large

298
vigil/ioc/hashes.txt Normal file

@@ -0,0 +1,298 @@
# Vigil IOC: Malicious file hashes
# Format: hash|threat_name|hash_type
df0045bd4168893922480f7ccb29860a|201803_BadTraffic|MD5
df196bd42e1da1d34c23c8d947561618|2021_11_action_against_hackers_in_pakistan_and_syria|MD5
e0338b1f010fdc4751de5f58e4acf2ad|201707_InsiderInfo|MD5
e03be1849ad7cecba1e20923074cd22f|201512_PackRAT|MD5
e0eb981ad6be0bd16246d5d442028687|201604_UP007_SLServer|MD5
e1b03f5837533ecc9a05e19650d68e1d|201808_FamiliarFeeling|MD5
e20473bea7fe5968f0a032303838b601|2022_08_metas_adversarial_threat_report_q2|MD5
e36df1e426a2da7f98bc2ed336472068335b0201a05e24ed86bac3a6ae60ef31|2023_05_malware_iocs|SHA256
e436e849d9496ef3f651c1904786c78f|201803_BadTraffic|MD5
e510c361c8101384277dd95cc2c8e76715dd241f58553f592245b620422beaf3|201909_MissingLink|SHA256
e567efd5c800c5b0c6eb5aa0bccc10e9|2021_04_taking_action_against_hackers_in_palestine|MD5
e80d8a0c35133f7485d8e87ade903919|201803_BadTraffic|MD5
e841ecaa44b3589120b72e60b53f39c6|201707_InsiderInfo|MD5
e8a528491b28e4d62a472da7396c7047|2021_11_action_against_hackers_in_pakistan_and_syria|MD5
e8effd3ad2069ff8ff6344b85fc12dd6|2021_04_taking_action_against_hackers_in_palestine|MD5
ea45265fe98b25e719d5a9cc3b412d66|201603_Shifting_Tactics|MD5
ea50bf8abcf9c0c40c4490dc15fb0a2a|201512_PackRAT|MD5
ea7bcf58a4ccdecb0c64e56b9998a4ac|201512_PackRAT|MD5
ed8d7ed45b64890b8901b735018318f3|201512_PackRAT|MD5
efc0009d76a2057f86c5f00030378c72|201512_PackRAT|MD5
f1f84ea3229dca0ccacb7381a2f49f99|201608_Group5|MD5
f25466e4820404c817eaf75818b7177891735886|201605_Stealth_Falcon|SHA1
f282fd20d7eaebe848b5111ecdae82a6|201707_InsiderInfo|MD5
f344da38958dbc730ddebc10660cd451|201803_BadTraffic|MD5
f36e67109ae368c9db109d0a41b5817c|201803_BadTraffic|MD5
f70b295c6a5121b918682310ce0c2165|201604_UP007_SLServer|MD5
f7ea82e4c329bf8e29e9da37fcaf35201dd79c2fc55cc0feb88aedf0b2d26ec2|2021_04_taking_action_against_hackers_in_palestine|SHA256
f80edbb0fcfe7cec17592f61a06e4df2|201604_UP007_SLServer|MD5
fa90508007b94a4dbfeb8b48d5443ec8|201803_BadTraffic|MD5
fbb887dbcbac146adde68ae15bf0fadab144f2ed60e2db62a6acf5f13e31b80e|2023_05_malware_iocs|SHA256
fcf357556c3af14bab820810f5e94436|2021_11_action_against_hackers_in_pakistan_and_syria|MD5
fd7b5a118ce118698694c081de863e2e9bcc79acc44411cf24956648a94ddef7|2023_05_malware_iocs|SHA256
fd8da30dd9e45bd31af79a9652d50ece|2021_03_taking_action_against_hackers_in_china|MD5
fe77e052dc1a8ebea389bc0d017191e0f41d8e47d034c30df95e3d0dc33cfe10|2021_04_taking_action_against_hackers_in_palestine|SHA256
fef27f432e0ae8218143bc410fda340e|201603_Shifting_Tactics|MD5
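Review bot: this list mixes MD5, SHA1 and SHA256 rows in one file (for example `f25466e4820404c817eaf75818b7177891735886|201605_Stealth_Falcon|SHA1` sits between SHA256 rows from 2023_05_malware_iocs), but the only hash lookup visible in this commit, check_staging_dirs in forensic_shield.sh, computes a single sha256sum per file and greps for it. If this file is consumed the same way, every MD5 and SHA1 row is dead weight. Either compute the digest named in the third column for each row, or document that the package scanner (not visible here) handles all three. Putting the algorithm in the first column, or splitting into one file per algorithm, would also let a consumer pick the digest before reading the whole row.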

4494
vigil/ioc/hosts.txt Normal file

File diff suppressed because it is too large

2333
vigil/ioc/hosts_block.txt Normal file

File diff suppressed because it is too large

141
vigil/ioc/ips.txt Normal file

@@ -0,0 +1,141 @@
# Vigil IOC: Malicious IPs
# Format: ip|threat_name|category
103.147.225.210|PhoneSpy|c2
103.242.134.243|201611_KeyBoy|c2
103.40.102.233|201611_KeyBoy|c2
103.55.24.196|201808_FamiliarFeeling|c2
104.18.54.129|iKeyMonitor|c2
104.18.55.129|iKeyMonitor|c2
104.207.132.165|201801_SpyingOnABudget|c2
104.236.73.120|Hoverwatch|c2
104.238.191.204|201702_NilePhish|c2
104.25.169.109|iKeyMonitor|c2
104.25.170.109|iKeyMonitor|c2
104.25.28.15|EasyLogger|c2
104.25.29.15|EasyLogger|c2
104.26.14.56|iKeyMonitor|c2
104.26.15.56|iKeyMonitor|c2
108.178.9.124|SentryPC|c2
108.61.176.96|201702_NilePhish|c2
109.169.40.172|201603_Shifting_Tactics|c2
109.169.77.230|201603_Shifting_Tactics|c2
112.10.117.47|201611_KeyBoy|c2
115.126.39.107|201801_SpyingOnABudget|c2
115.126.86.151|201808_FamiliarFeeling|c2
116.193.154.69|201611_KeyBoy|c2
119.8.35.235|FlexiSpy|c2
138.201.32.118|Spy24|c2
139.59.125.208|AndroidPolice|c2
140.82.17.222|201909_MissingLink|c2
144.202.59.23|201909_MissingLink|c2
149.28.93.11|201909_MissingLink|c2
149.56.26.44|Hoverwatch|c2
157.7.84.81|201611_KeyBoy|c2
158.69.24.236|Hoverwatch|c2
162.144.212.52|Xnore|c2
162.144.75.253|CatWatchful|c2
162.209.103.68|201608_NSO_Group|c2
167.114.114.207|AppSpy|c2
167.71.189.163|TheWiSpy|c2
172.67.194.85|iKeyMonitor|c2
172.67.73.2|iKeyMonitor|c2
172.67.81.216|EasyLogger|c2
172.67.82.183|iKeyMonitor|c2
175.126.146.147|PhoneSpy|c2
176.123.26.42|201702_NilePhish|c2
176.9.42.16|Reptilicus|c2
178.33.203.110|AndroidMonitor|c2
178.62.59.165|Snoopza|c2
179.208.187.216|201512_PackRAT|c2
184.154.69.210|RealtimeSpy|c2
185.2.103.130|MonitorUltra|c2
185.87.51.116|AndroidPolice|c2
186.220.1.84|201512_PackRAT|c2
186.220.11.67|201512_PackRAT|c2
188.130.241.205|Hoverwatch|c2
189.100.148.188|201512_PackRAT|c2
190.20.180.181|201512_PackRAT|c2
190.210.180.181|201512_PackRAT|c2
192.169.243.65|201512_PackRAT|c2
192.241.149.43|201611_KeyBoy|c2
192.253.251.118|201603_Shifting_Tactics|c2
193.105.134.27|201512_PackRAT|c2
198.100.150.203|Hoverwatch|c2
198.12.150.249|201512_PackRAT|c2
198.44.190.85|201510_NGO_Burma|c2
199.38.181.70|FreeAndroidSpy|c2
201.33.21.62|eagleSPY|c2
201.52.24.126|201512_PackRAT|c2
203.189.232.207|201808_FamiliarFeeling|c2
206.189.65.198|201909_MissingLink|c2
210.61.12.153|201604_UP007_SLServer|c2
212.7.195.171|201608_Group5|c2
213.239.228.196|SpyHuman|c2
217.182.176.52|FreeAndroidSpy|c2
217.182.250.165|Snoopza|c2
217.182.54.223|201905_EndlessMayfly|c2
23.239.106.119|201707_InsiderInfo|c2
27.126.176.169|201808_FamiliarFeeling|c2
27.126.186.222|201808_FamiliarFeeling|c2
37.120.162.163|AndroidPolice|c2
43.240.14.37|201707_InsiderInfo|c2
43.251.16.87|201909_MissingLink|c2
45.114.224.147|CatWatchful|c2
45.124.24.39|201707_InsiderInfo|c2
45.125.12.147|201611_KeyBoy|c2
45.127.97.222|201808_FamiliarFeeling|c2
45.32.47.148|201611_KeyBoy|c2
45.32.75.217|201909_MissingLink|c2
45.32.91.137|201909_MissingLink|c2
45.40.135.228|CallSMSTracker|c2
45.63.0.49|201801_SpyingOnABudget|c2
45.76.149.154|201909_MissingLink|c2
45.76.53.26|201909_MissingLink|c2
45.78.79.100|201909_MissingLink|c2
45.79.149.154|ShadySpy|c2
46.105.57.148|Snoopza|c2
46.127.56.109|201603_Shifting_Tactics|c2
46.246.89.246|201512_PackRAT|c2
46.40.125.240|FreeAndroidSpy|c2
47.252.23.40|AndroidPolice|c2
47.88.63.70|ClevGuard|c2
5.54.19.17|201603_Shifting_Tactics|c2
50.28.38.175|EasyPhoneTrack|c2
50.62.133.49|201512_PackRAT|c2
50.63.202.57|201512_PackRAT|c2
51.15.183.209|MobileTrackerFree|c2
51.255.101.144|201905_EndlessMayfly|c2
52.22.130.9|AndroidPolice|c2
52.8.153.44|201608_NSO_Group|c2
52.8.52.166|201608_NSO_Group|c2
52.90.126.68|AndroidPolice|c2
54.251.49.214|201608_NSO_Group|c2
59.188.12.123|201604_UP007_SLServer|c2
66.42.58.59|201909_MissingLink|c2
67.227.193.142|pcTattletale|c2
69.64.74.239|TheTruthSpy|c2
69.64.81.166|TheTruthSpy|c2
69.64.81.49|TheTruthSpy|c2
69.64.81.98|TheTruthSpy|c2
69.64.91.29|TheTruthSpy|c2
78.129.252.159|201603_Shifting_Tactics|c2
78.46.34.14|TalkLog|c2
78.47.16.3|HelloSpy|c2
80.241.216.14|MonitorUltra|c2
80.255.12.237|201705_TaintedLeaks|c2
82.80.202.200|201608_NSO_Group|c2
82.80.202.204|201608_NSO_Group|c2
85.13.206.195|TheOneSpy|c2
85.13.218.229|TheOneSpy|c2
87.117.229.109|201603_Shifting_Tactics|c2
88.198.222.163|201608_Group5|c2
89.32.40.238|201705_TaintedLeaks|c2
89.33.190.8|VIPTrack|c2
89.40.181.119|201705_TaintedLeaks|c2
91.121.70.22|SpyMasterPro|c2
91.196.212.201|LetMeSpy|c2
91.196.212.202|LetMeSpy|c2
95.154.195.159|201603_Shifting_Tactics|c2
95.154.195.171|201603_Shifting_Tactics|c2
95.169.2.57|201909_MissingLink|c2
95.215.44.37|201605_Stealth_Falcon|c2
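Review bot: several of these rows are shared CDN edge addresses rather than attacker-controlled hosts: 104.18.54.129, 104.18.55.129, the 104.25.x and 104.26.x iKeyMonitor/EasyLogger entries and the 172.67.x entries all fall inside Cloudflare anycast ranges. A `-d <ip> -j DROP` rule on them, which is exactly what cmd_install_iptables turns this file into, silently breaks every unrelated site that resolves to the same edge and gives no signal that it did. Suggest a category other than `c2` (or an extra confidence column) for such rows so the iptables installer can skip them and leave them to the hosts blocklist, and a source/date column, since most of these come from 2015-2019 reports and IP indicators are re-assigned quickly.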

1197
vigil/ioc/packages.txt Normal file

File diff suppressed because it is too large

236
vigil/lib/forensic_shield.sh Executable file

@@ -0,0 +1,236 @@
#!/system/bin/sh
# Vigil — Forensic Shield (Anti-Cellebrite/UFED)
# Monitors USB, detects forensic extraction tools, triggers defensive response
# (c) Setec Labs
#
# Based on research from: levlesec/lockup, bakad3v/Android-AntiForensic-Tools
#
# Detection vectors:
# 1. USB device connection monitoring
# 2. Cellebrite binary hash detection in staging directories
# 3. Cellebrite signing certificate detection
# 4. Forensic tool process detection
# 5. ADB state monitoring
VIGIL_DATA="/data/adb/vigil"
VIGIL_LOG="$VIGIL_DATA/vigil.log"
IOC_DIR="$VIGIL_DATA"
ALERT_DIR="$VIGIL_DATA/alerts"
[ -f "$VIGIL_DATA/vigil.conf" ] && . "$VIGIL_DATA/vigil.conf"
log() {
echo "[$(date '+%Y-%m-%d %H:%M:%S')] [forensic] $1" >> "$VIGIL_LOG"
}
alert() {
local severity="$1"
local message="$2"
local timestamp=$(date +%s)
echo "${severity}|${timestamp}|forensic_shield|${message}" >> "$ALERT_DIR/pending"
log "ALERT [$severity]: $message"
}
# Known forensic tool staging directories
STAGING_DIRS="/data/local/tmp /data/local/tmp/cb /cblr /dev/shm /data/local/tmp/frida"
# Known forensic tool process names
FORENSIC_PROCESSES="cellebrite\|ufed\|graykey\|grayshift\|magnet.forensic\|oxygen.forensic\|msab\|xry\|elcomsoft\|passware\|hashcat\|john\|volatility\|autopsy\|ftk\|encase\|axiom\|nuix\|paraben\|susteen\|mobiledit\|belkasoft"
# Known exploit binary names used by forensic tools
EXPLOIT_NAMES="nandread\|dirtycow\|dirty_cow\|pingroot\|zergRush\|psneuter\|salmatak\|gingerbreak\|rageagainstthecage\|exploid\|zimperlich\|levitator\|mempodroid\|motochopper\|put_user\|towelroot\|framaroot\|kingroot"
# ── STAGING DIRECTORY MONITOR ──
check_staging_dirs() {
local hits=0
for dir in $STAGING_DIRS; do
if [ -d "$dir" ]; then
# Check for any files
local files=$(find "$dir" -type f 2>/dev/null)
if [ -n "$files" ]; then
echo "$files" | while read -r filepath; do
local filename=$(basename "$filepath")
local filesize=$(stat -c '%s' "$filepath" 2>/dev/null || echo "0")
# Check filename against exploit patterns
if echo "$filename" | grep -qiE "$EXPLOIT_NAMES"; then
alert "CRITICAL" "FORENSIC EXPLOIT BINARY: $filepath ($filename)"
hits=$((hits + 1))
fi
# Check file hash against Cellebrite hashes
if [ -f "$IOC_DIR/cellebrite_hashes.txt" ] && [ "$filesize" -gt 0 ]; then
local file_hash=$(sha256sum "$filepath" 2>/dev/null | cut -d' ' -f1)
if grep -qi "^${file_hash}" "$IOC_DIR/cellebrite_hashes.txt" 2>/dev/null; then
alert "CRITICAL" "CELLEBRITE BINARY DETECTED: $filepath (hash: ${file_hash:0:16}...)"
hits=$((hits + 1))
fi
fi
# Check for Frida-related files
if echo "$filename" | grep -qiE "frida|gadget|agent.*\.so|re\.frida"; then
alert "HIGH" "FRIDA INJECTION TOOL: $filepath"
hits=$((hits + 1))
fi
done
fi
fi
done
return $hits
}
# ── PROCESS MONITOR ──
check_forensic_processes() {
local hits=0
ps -A -o PID,NAME 2>/dev/null | while read -r pid name; do
if echo "$name" | grep -qi "$FORENSIC_PROCESSES"; then
alert "CRITICAL" "FORENSIC TOOL PROCESS: $name (PID: $pid)"
hits=$((hits + 1))
# If auto-lockdown is enabled, trigger it immediately
if [ "${FORENSIC_AUTO_LOCKDOWN:-0}" = "1" ]; then
log "AUTO-LOCKDOWN triggered by forensic process: $name"
"$VIGIL_DATA/../modules/vigil/vigil/lib/key_wiper.sh" lockdown
fi
fi
done
return $hits
}
# ── USB STATE MONITOR ──
check_usb_state() {
local usb_state=$(cat /sys/class/android_usb/android0/state 2>/dev/null || getprop sys.usb.state 2>/dev/null)
local usb_config=$(getprop sys.usb.config 2>/dev/null)
# If we're in lockdown and USB is connected, alert
if [ -f "$VIGIL_DATA/.lockdown" ]; then
if [ "$usb_state" = "CONFIGURED" ] || [ "$usb_state" = "CONNECTED" ]; then
alert "HIGH" "USB CONNECTED DURING LOCKDOWN (config: $usb_config)"
# Force charging-only mode
setprop sys.usb.config "charging" 2>/dev/null
fi
fi
# Check if ADB got re-enabled unexpectedly
if [ "${FORENSIC_ADB_GUARD:-1}" = "1" ]; then
local adb_state=$(settings get global adb_enabled 2>/dev/null)
if [ -f "$VIGIL_DATA/.lockdown" ] && [ "$adb_state" = "1" ]; then
alert "HIGH" "ADB RE-ENABLED DURING LOCKDOWN — disabling"
settings put global adb_enabled 0 2>/dev/null
stop adbd 2>/dev/null
fi
fi
}
# ── PACKAGE INSTALL MONITOR ──
# Check recently installed packages for forensic tool signatures
check_recent_installs() {
local hits=0
local threshold=$(($(date +%s) - 300)) # Last 5 minutes
# Check for recently installed packages with suspicious signing certs
pm list packages -i 2>/dev/null | while read -r line; do
local pkg=$(echo "$line" | sed 's/package:\([^ ]*\).*/\1/')
local installer=$(echo "$line" | grep -oP 'installer=\K[^ ]+')
# Non-store installs are suspicious during forensic scenarios
if [ "$installer" != "com.android.vending" ] && [ "$installer" != "com.google.android.packageinstaller" ]; then
# Check if this is a known forensic tool package
if echo "$pkg" | grep -qiE "cellebrite\|ufed\|forensic\|graykey\|grayshift\|msab\|oxygen"; then
alert "CRITICAL" "FORENSIC TOOL PACKAGE INSTALLED: $pkg (installer: $installer)"
hits=$((hits + 1))
fi
fi
done
return $hits
}
# ── CONTINUOUS MONITOR (run as daemon) ──
cmd_monitor() {
log "Forensic shield monitor starting..."
echo "Forensic Shield active — monitoring USB, processes, staging dirs"
while true; do
check_usb_state
check_forensic_processes
check_staging_dirs
# Quick process check every second if in lockdown, otherwise every 5
if [ -f "$VIGIL_DATA/.lockdown" ]; then
sleep 1
else
sleep 5
fi
done
}
# ── ONE-TIME SCAN ──
cmd_scan() {
log "Forensic shield scan..."
echo "Forensic Shield Scan"
echo "━━━━━━━━━━━━━━━━━━━━"
local total=0
echo -n " Staging directories: "
check_staging_dirs
local s=$?
total=$((total + s))
echo "$s findings"
echo -n " Forensic processes: "
check_forensic_processes
local p=$?
total=$((total + p))
echo "$p findings"
echo -n " USB state: "
check_usb_state
echo "checked"
echo -n " Recent installs: "
check_recent_installs
local i=$?
total=$((total + i))
echo "$i findings"
echo "━━━━━━━━━━━━━━━━━━━━"
if [ $total -gt 0 ]; then
echo "⚠ FORENSIC ACTIVITY DETECTED: $total findings"
else
echo "✓ No forensic tool activity detected"
fi
return $total
}
# ── STATUS ──
cmd_status() {
echo "Forensic Shield Status:"
echo " Enabled: ${FORENSIC_SHIELD_ENABLED:-1}"
echo " USB Guard: ${FORENSIC_USB_MONITOR:-1}"
echo " ADB Guard: ${FORENSIC_ADB_GUARD:-1}"
echo " Auto-Lock: ${FORENSIC_AUTO_LOCKDOWN:-0}"
echo " Lockdown: $([ -f "$VIGIL_DATA/.lockdown" ] && echo "ACTIVE" || echo "inactive")"
local usb_state=$(getprop sys.usb.config 2>/dev/null)
local adb_state=$(settings get global adb_enabled 2>/dev/null)
echo " USB Config: $usb_state"
echo " ADB: $([ "$adb_state" = "1" ] && echo "ENABLED" || echo "disabled")"
}
# ── DISPATCH ──
case "$1" in
monitor) cmd_monitor ;;
scan) cmd_scan ;;
status) cmd_status ;;
*)
echo "Forensic Shield — Anti-Extraction Defense"
echo "Usage: forensic_shield.sh {monitor|scan|status}"
;;
esac
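Review bot: the `hits` counters in check_staging_dirs, check_forensic_processes and check_recent_installs are incremented inside `... | while read` pipelines, so they live in a subshell and every one of these functions returns 0; cmd_scan therefore prints "No forensic tool activity detected" even when it has just appended CRITICAL alerts to alerts/pending. Drive the loops from a temp file or here-document (`while read ...; do ...; done < "$tmp"`), or have the function count the alert lines it wrote. Two regex problems follow: EXPLOIT_NAMES is joined with `\|` but tested with `grep -qiE`, and the package check `grep -qiE "cellebrite\|ufed\|forensic..."` does the same; in ERE `\|` is an escaped literal pipe, so both tests look for the string "nandread|dirtycow|..." and never match. Use plain `|` with -E, as the Frida check already does. `grep -oP 'installer=\K[^ ]+'` relies on PCRE, which toybox grep on Android does not provide; `sed -n 's/.*installer=\([^ ]*\).*/\1/p'` works everywhere. Finally, `threshold` in check_recent_installs is computed but never applied, so "Recent installs" is really "all non-store installs", and cmd_monitor re-hashes every file under the staging directories every 5 seconds, which gets expensive the moment /data/local/tmp has anything in it.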

228
vigil/lib/integrity.sh Executable file

@@ -0,0 +1,228 @@
#!/system/bin/sh
# Vigil — FrostGuard File Integrity Monitor
# Provides pseudo-locked-bootloader protection via file integrity + heuristics
# (c) Setec Labs
VIGIL_DATA="/data/adb/vigil"
BASELINE_DIR="$VIGIL_DATA/baseline"
ALERT_DIR="$VIGIL_DATA/alerts"
VIGIL_LOG="$VIGIL_DATA/vigil.log"
# Load config
[ -f "$VIGIL_DATA/vigil.conf" ] && . "$VIGIL_DATA/vigil.conf"
CRITICAL_PATHS="${FROSTGUARD_CRITICAL_PATHS:-/system/bin /system/xbin /system/lib64 /system/framework /system/app /system/priv-app /vendor/bin}"
log() {
echo "[$(date '+%Y-%m-%d %H:%M:%S')] [frostguard] $1" >> "$VIGIL_LOG"
}
alert() {
local severity="$1"
local message="$2"
local timestamp=$(date +%s)
echo "${severity}|${timestamp}|frostguard|${message}" >> "$ALERT_DIR/pending"
log "ALERT [$severity]: $message"
}
# Generate SHA256 hash of a file
hash_file() {
sha256sum "$1" 2>/dev/null | cut -d' ' -f1
}
# ── BASELINE: Create integrity baseline of critical system files ──
cmd_baseline() {
log "Creating file integrity baseline..."
mkdir -p "$BASELINE_DIR"
local count=0
for path in $CRITICAL_PATHS; do
if [ -d "$path" ]; then
find "$path" -type f 2>/dev/null | while read -r file; do
local hash=$(hash_file "$file")
local perms=$(stat -c '%a:%u:%g' "$file" 2>/dev/null || ls -ln "$file" | awk '{print $1":"$3":"$4}')
local size=$(stat -c '%s' "$file" 2>/dev/null || ls -ln "$file" | awk '{print $5}')
echo "${hash}|${perms}|${size}|${file}"
done
elif [ -f "$path" ]; then
local hash=$(hash_file "$path")
local perms=$(stat -c '%a:%u:%g' "$path" 2>/dev/null || ls -ln "$path" | awk '{print $1":"$3":"$4}')
local size=$(stat -c '%s' "$path" 2>/dev/null || ls -ln "$path" | awk '{print $5}')
echo "${hash}|${perms}|${size}|${path}"
fi
done > "$BASELINE_DIR/system.baseline"
# Also baseline boot image hashes if accessible
for part in boot init_boot vendor_boot dtbo vbmeta; do
local block=$(find /dev/block -name "$part" 2>/dev/null | head -1)
if [ -n "$block" ] && [ -r "$block" ]; then
local bhash=$(sha256sum "$block" 2>/dev/null | cut -d' ' -f1)
echo "${bhash}|${part}" >> "$BASELINE_DIR/partitions.baseline"
fi
done
count=$(wc -l < "$BASELINE_DIR/system.baseline" 2>/dev/null || echo 0)
log "Baseline created: $count files indexed"
echo "Baseline created: $count files indexed"
}
# ── VERIFY: Check current state against baseline ──
cmd_verify() {
if [ ! -f "$BASELINE_DIR/system.baseline" ]; then
log "No baseline found — run 'vigil integrity baseline' first"
echo "ERROR: No baseline found"
return 1
fi
log "Verifying file integrity..."
local violations=0
local checked=0
local missing=0
local modified=0
local perm_changed=0
local new_files=0
# Check each baselined file
while IFS='|' read -r expected_hash expected_perms expected_size filepath; do
checked=$((checked + 1))
if [ ! -f "$filepath" ]; then
alert "HIGH" "File MISSING: $filepath"
missing=$((missing + 1))
violations=$((violations + 1))
continue
fi
local current_hash=$(hash_file "$filepath")
local current_perms=$(stat -c '%a:%u:%g' "$filepath" 2>/dev/null || ls -ln "$filepath" | awk '{print $1":"$3":"$4}')
local current_size=$(stat -c '%s' "$filepath" 2>/dev/null || ls -ln "$filepath" | awk '{print $5}')
if [ "$current_hash" != "$expected_hash" ]; then
alert "CRITICAL" "File MODIFIED: $filepath (expected: ${expected_hash:0:16}... got: ${current_hash:0:16}...)"
modified=$((modified + 1))
violations=$((violations + 1))
fi
if [ "$current_perms" != "$expected_perms" ]; then
alert "MEDIUM" "Permissions CHANGED: $filepath ($expected_perms -> $current_perms)"
perm_changed=$((perm_changed + 1))
violations=$((violations + 1))
fi
done < "$BASELINE_DIR/system.baseline"
# Heuristic: check for NEW files in critical paths (could indicate implants)
for path in $CRITICAL_PATHS; do
if [ -d "$path" ]; then
find "$path" -type f -newer "$BASELINE_DIR/system.baseline" 2>/dev/null | while read -r newfile; do
if ! grep -q "|${newfile}$" "$BASELINE_DIR/system.baseline" 2>/dev/null; then
alert "HIGH" "NEW file detected: $newfile"
new_files=$((new_files + 1))
violations=$((violations + 1))
fi
done
fi
done
# Check boot partitions
if [ -f "$BASELINE_DIR/partitions.baseline" ]; then
while IFS='|' read -r expected_hash part_name; do
local block=$(find /dev/block -name "$part_name" 2>/dev/null | head -1)
if [ -n "$block" ] && [ -r "$block" ]; then
local current_hash=$(sha256sum "$block" 2>/dev/null | cut -d' ' -f1)
if [ "$current_hash" != "$expected_hash" ]; then
alert "CRITICAL" "PARTITION MODIFIED: $part_name"
violations=$((violations + 1))
fi
fi
done < "$BASELINE_DIR/partitions.baseline"
fi
log "Integrity check complete: $checked files checked, $violations violations"
echo "FrostGuard Report:"
echo " Files checked: $checked"
echo " Modified: $modified"
echo " Missing: $missing"
echo " Permission changes: $perm_changed"
echo " New files: $new_files"
echo " Total violations: $violations"
return $violations
}
# ── VERIFY-CRITICAL: Fast check of most important files only ──
cmd_verify_critical() {
if [ ! -f "$BASELINE_DIR/system.baseline" ]; then
return 0 # No baseline yet, skip
fi
# Only check key binaries and framework files
local violations=0
for pattern in "/system/bin/app_process" "/system/bin/linker" "/system/framework/framework.jar" "/system/framework/services.jar" "/init"; do
local line=$(grep "|${pattern}$" "$BASELINE_DIR/system.baseline" 2>/dev/null)
if [ -n "$line" ]; then
local expected_hash=$(echo "$line" | cut -d'|' -f1)
local current_hash=$(hash_file "$pattern")
if [ -n "$current_hash" ] && [ "$current_hash" != "$expected_hash" ]; then
alert "CRITICAL" "Critical file MODIFIED: $pattern"
violations=$((violations + 1))
fi
fi
done
return $violations
}
# ── HEURISTIC: Detect suspicious system modifications ──
cmd_heuristic() {
log "Running heuristic analysis..."
local suspicious=0
# Check for common implant locations
for dir in /data/local/tmp /data/local/tmp/cb /cblr /dev/shm; do
if [ -d "$dir" ] && [ "$(ls -A "$dir" 2>/dev/null)" ]; then
local fcount=$(find "$dir" -type f 2>/dev/null | wc -l)
if [ "$fcount" -gt 0 ]; then
alert "HIGH" "Suspicious files in staging directory: $dir ($fcount files)"
suspicious=$((suspicious + 1))
fi
fi
done
# Check for unexpected SUID binaries
find /system /vendor -perm -4000 -type f 2>/dev/null | while read -r suid; do
if ! grep -q "|${suid}$" "$BASELINE_DIR/system.baseline" 2>/dev/null; then
alert "HIGH" "Unexpected SUID binary: $suid"
suspicious=$((suspicious + 1))
fi
done
# Check for Frida, Xposed, or other injection frameworks
for proc_name in frida-server frida-agent xposed zygisk; do
if ps -A 2>/dev/null | grep -qi "$proc_name"; then
alert "MEDIUM" "Injection framework detected: $proc_name"
suspicious=$((suspicious + 1))
fi
done
# Check SELinux status
local selinux=$(getenforce 2>/dev/null)
if [ "$selinux" = "Permissive" ] || [ "$selinux" = "Disabled" ]; then
alert "HIGH" "SELinux is $selinux — system may be compromised"
suspicious=$((suspicious + 1))
fi
echo "Heuristic analysis: $suspicious suspicious findings"
return $suspicious
}
# ── DISPATCH ──
case "$1" in
baseline) cmd_baseline ;;
verify) cmd_verify ;;
verify-critical) cmd_verify_critical ;;
heuristic) cmd_heuristic ;;
*)
echo "FrostGuard — File Integrity Monitor"
echo "Usage: integrity.sh {baseline|verify|verify-critical|heuristic}"
;;
esac
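Review bot: the NEW-file and SUID counters never reach the report: `new_files` in cmd_verify and `suspicious` in cmd_heuristic are incremented inside `find ... | while read` subshells, so the summary always prints "New files: 0" and the heuristic total omits every SUID finding even though the alerts were written. Same fix as in forensic_shield.sh: feed the loop from a file or here-doc. The partition baseline uses `find /dev/block -name "$part"`, which on A/B devices (partitions named `boot_a`/`boot_b`, `vbmeta_a`, ...) finds nothing, so partitions.baseline is never created and the "PARTITION MODIFIED" check silently never runs; `/dev/block/by-name/${part}$(getprop ro.boot.slot_suffix)` resolves the active slot. The "zygisk" entry in the injection-framework list will fire on setups running Zygisk Next, whose daemons are named zygiskd, which is part of the platform this module targets, so it needs to be gated on the root solution in use. Two things worth stating in the header rather than implying otherwise: `-newer system.baseline` trusts mtime, which a root-level implant can reset with `touch -r`, and the baseline itself lives in /data/adb/vigil where the same implant can regenerate it. A FIM with a writable baseline detects changes, it does not enforce anything, so "pseudo-locked-bootloader protection" oversells it.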

192
vigil/lib/key_wiper.sh Executable file

@@ -0,0 +1,192 @@
#!/system/bin/sh
# Vigil — Encryption Key Wiper / BFU Mode
# Wipes encryption keys from memory, forces device into BFU-equivalent state
# (c) Setec Labs
#
# THEORY OF OPERATION:
# Android devices in "After First Unlock" (AFU) state keep FBE/FDE keys in memory.
# Forensic tools exploit this to extract data without the user's PIN.
# This module wipes those keys, runs TRIM to prevent NAND recovery, kills logging,
# and effectively moves the phone to "Before First Unlock" (BFU) state — the same
# protection as a freshly powered-on phone.
VIGIL_DATA="/data/adb/vigil"
VIGIL_LOG="$VIGIL_DATA/vigil.log"
[ -f "$VIGIL_DATA/vigil.conf" ] && . "$VIGIL_DATA/vigil.conf"
log() {
# Only log if we haven't killed logd yet
echo "[$(date '+%Y-%m-%d %H:%M:%S')] [keywiper] $1" >> "$VIGIL_LOG" 2>/dev/null
}
# ── LOCKDOWN: Full BFU-mode transition ──
cmd_lockdown() {
log "=== LOCKDOWN INITIATED ==="
# Step 1: Disable ADB immediately
if [ "${KEYWIPER_DISABLE_ADB:-1}" = "1" ]; then
log "Disabling ADB..."
settings put global adb_enabled 0 2>/dev/null
setprop persist.sys.usb.config "charging" 2>/dev/null
setprop sys.usb.config "charging" 2>/dev/null
stop adbd 2>/dev/null
fi
# Step 2: Clear clipboard and recent apps
if [ "${KEYWIPER_CLEAR_CLIPBOARD:-1}" = "1" ]; then
log "Clearing clipboard..."
am broadcast -a clipclear 2>/dev/null
service call clipboard 2 2>/dev/null
fi
# Step 3: Lock device
log "Locking device..."
input keyevent 26 2>/dev/null # Power button press
# Step 4: Evict FBE keys — this is the core operation
# Force credential-encrypted storage to lock
log "Evicting encryption keys..."
# Evict CE (Credential Encrypted) keys for all users
for user_dir in /data/user/*; do
if [ -d "$user_dir" ]; then
local uid=$(basename "$user_dir")
# Use vold to evict CE keys
vdc cryptfs lockUserKey "$uid" 2>/dev/null
fi
done
# Alternative: use keymaster/keystore to flush
# This forces the keystore daemon to drop cached keys
setprop vold.decrypt trigger_post_fs_data 2>/dev/null
# Try to flush kernel key retention
# keyctl clear @s 2>/dev/null # Flush session keyring
# keyctl clear @u 2>/dev/null # Flush user keyring
# Step 5: Drop filesystem caches (contains decrypted data)
log "Dropping filesystem caches..."
echo 3 > /proc/sys/vm/drop_caches 2>/dev/null
# Step 6: Run TRIM to mark deleted blocks as free (prevents NAND recovery)
if [ "${KEYWIPER_TRIM_ON_LOCKDOWN:-1}" = "1" ]; then
log "Running TRIM on storage..."
sm fstrim 2>/dev/null &
fstrim /data 2>/dev/null &
fstrim /cache 2>/dev/null &
fi
# Step 7: Disable logging
if [ "${KEYWIPER_KILL_LOGD:-1}" = "1" ]; then
log "Disabling system logging..."
setprop persist.logd.logpersistd "" 2>/dev/null
setprop persist.log.tag "S" 2>/dev/null # Suppress all logs
setprop logd.logpersistd.size 65536 2>/dev/null # Minimize buffer
# Don't fully stop logd — it causes instability. Just minimize it.
fi
# Step 8: Disable developer settings
settings put global development_settings_enabled 0 2>/dev/null
# Step 9: Block safe mode boot
settings put global safe_boot_disallowed 1 2>/dev/null
# Step 10: Write lockdown marker
echo "$(date +%s)" > "$VIGIL_DATA/.lockdown"
log "=== LOCKDOWN COMPLETE ==="
echo "LOCKDOWN ACTIVE — Device is in BFU-equivalent state"
echo "Encryption keys evicted, ADB disabled, logging minimized"
echo "Reboot required to restore normal operation"
}
# ── QUICK LOCK: Fast key eviction without full lockdown ──
cmd_quick() {
log "Quick key eviction..."
# Just evict keys and drop caches
for user_dir in /data/user/*; do
if [ -d "$user_dir" ]; then
local uid=$(basename "$user_dir")
vdc cryptfs lockUserKey "$uid" 2>/dev/null
fi
done
echo 3 > /proc/sys/vm/drop_caches 2>/dev/null
input keyevent 26 2>/dev/null
echo "Quick lock complete — keys evicted, device locked"
}
# ── WIPE SESSION: Clear sensitive data from memory ──
cmd_wipe_session() {
log "Wiping session data..."
# Clear app recents
am broadcast -a com.android.systemui.CLEAR_RECENT 2>/dev/null
# Drop caches
echo 3 > /proc/sys/vm/drop_caches 2>/dev/null
# Clear clipboard
service call clipboard 2 2>/dev/null
# Clear notifications
service call notification 1 2>/dev/null
# Run TRIM
fstrim /data 2>/dev/null &
echo "Session data wiped"
}
# ── STATUS ──
cmd_status() {
echo "Key Wiper Status:"
if [ -f "$VIGIL_DATA/.lockdown" ]; then
local lockdown_time=$(cat "$VIGIL_DATA/.lockdown")
echo " State: LOCKDOWN (since $(date -d @"$lockdown_time" 2>/dev/null || echo "$lockdown_time"))"
else
echo " State: Normal"
fi
local adb_state=$(settings get global adb_enabled 2>/dev/null)
echo " ADB: $([ "$adb_state" = "1" ] && echo "ENABLED" || echo "disabled")"
local dev_settings=$(settings get global development_settings_enabled 2>/dev/null)
echo " DevOpts: $([ "$dev_settings" = "1" ] && echo "ENABLED" || echo "disabled")"
local selinux=$(getenforce 2>/dev/null || echo "unknown")
echo " SELinux: $selinux"
}
# ── UNLOCK: Remove lockdown state (after reboot) ──
cmd_unlock() {
if [ -f "$VIGIL_DATA/.lockdown" ]; then
rm -f "$VIGIL_DATA/.lockdown"
log "Lockdown state cleared"
echo "Lockdown state cleared"
else
echo "Not in lockdown"
fi
}
# ── DISPATCH ──
case "$1" in
lockdown) cmd_lockdown ;;
quick) cmd_quick ;;
wipe-session) cmd_wipe_session ;;
status) cmd_status ;;
unlock) cmd_unlock ;;
*)
echo "Key Wiper — BFU Mode Controller"
echo "Usage: key_wiper.sh {lockdown|quick|wipe-session|status|unlock}"
echo ""
echo " lockdown Full BFU lockdown (evict keys, disable ADB, TRIM, kill logs)"
echo " quick Fast key eviction + lock screen"
echo " wipe-session Clear session data (clipboard, caches, recents)"
echo " status Show current security state"
echo " unlock Remove lockdown marker (after reboot)"
;;
esac
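Review bot: cmd_lockdown never checks that key eviction succeeded. `vdc cryptfs lockUserKey "$uid"` has its stderr discarded and its exit status ignored, yet the function unconditionally prints "Device is in BFU-equivalent state"; if vold refuses, or the keys are still pinned by open files, the user is told they are protected when nothing changed. Capture the status and, if any eviction fails, fall back to `reboot` (persist.sys.usb.config is already set to charging at that point), since a fresh boot before first unlock is the only state that is actually BFU; the header's "same protection as a freshly powered-on phone" should be softened for the same reason. Several supporting steps do not do what their comments claim: `setprop vold.decrypt trigger_post_fs_data` is the legacy FDE init trigger, not a keystore flush, and is inert on FBE devices; `echo 3 > /proc/sys/vm/drop_caches` drops clean page cache and leaves decrypted data in process heaps; `am broadcast -a clipclear` is not an Android action, and `service call clipboard 2` / `service call notification 1` are transaction numbers that change between releases; and I do not see a Settings.Global key named `safe_boot_disallowed`, that restriction is UserManager.DISALLOW_SAFE_BOOT applied through device policy, so that `settings put` writes an unused row. `input keyevent 26` toggles the screen, so if the display is already off this turns it on; KEYCODE_SLEEP (223) is the non-toggling variant. Lastly, fstrim does not "prevent NAND recovery" of data that is still present; it only discards blocks the filesystem has already freed.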

255
vigil/lib/network_monitor.sh Executable file

@@ -0,0 +1,255 @@
#!/system/bin/sh
# Vigil — Network Monitor / C2 Domain Blocker
# Blocks known C2, tracking, and surveillance domains via hosts + iptables
# (c) Setec Labs
VIGIL_DATA="/data/adb/vigil"
VIGIL_LOG="$VIGIL_DATA/vigil.log"
IOC_DIR="$VIGIL_DATA"
ALERT_DIR="$VIGIL_DATA/alerts"
NET_LOG="$VIGIL_DATA/network.log"
[ -f "$VIGIL_DATA/vigil.conf" ] && . "$VIGIL_DATA/vigil.conf"
HOSTS_MARKER="# vigil-managed"
IPTABLES_CHAIN="VIGIL_BLOCK"
log() {
echo "[$(date '+%Y-%m-%d %H:%M:%S')] [network] $1" >> "$VIGIL_LOG"
}
alert() {
local severity="$1"
local message="$2"
local timestamp=$(date +%s)
echo "${severity}|${timestamp}|network|${message}" >> "$ALERT_DIR/pending"
log "ALERT [$severity]: $message"
}
# ── HOSTS FILE: Install domain blocklist ──
cmd_install_hosts() {
log "Installing domain blocklist into hosts file..."
local hosts_file="/system/etc/hosts"
local vigil_hosts="$IOC_DIR/hosts.txt"
if [ ! -f "$vigil_hosts" ]; then
log "WARNING: hosts.txt not found"
echo "ERROR: No hosts blocklist found at $vigil_hosts"
return 1
fi
# Count domains to block
local domain_count=$(grep -c "^0.0.0.0" "$vigil_hosts" 2>/dev/null || echo 0)
# Backup original hosts if not already backed up
if [ ! -f "$VIGIL_DATA/hosts.backup" ]; then
cp "$hosts_file" "$VIGIL_DATA/hosts.backup" 2>/dev/null
fi
# Make /system writable (KernelSU overlay should handle this)
mount -o rw,remount /system 2>/dev/null
# Remove old vigil entries
if grep -q "$HOSTS_MARKER" "$hosts_file" 2>/dev/null; then
sed -i "/$HOSTS_MARKER/d" "$hosts_file"
fi
# Append new entries
echo "" >> "$hosts_file"
while read -r line; do
echo "$line $HOSTS_MARKER" >> "$hosts_file"
done < "$vigil_hosts"
mount -o ro,remount /system 2>/dev/null
log "Hosts blocklist installed: $domain_count domains"
echo "Domain blocklist active: $domain_count domains blocked"
}
# ── HOSTS FILE: Remove blocklist ──
cmd_remove_hosts() {
log "Removing domain blocklist from hosts file..."
local hosts_file="/system/etc/hosts"
mount -o rw,remount /system 2>/dev/null
if grep -q "$HOSTS_MARKER" "$hosts_file" 2>/dev/null; then
sed -i "/$HOSTS_MARKER/d" "$hosts_file"
log "Hosts blocklist removed"
echo "Domain blocklist removed"
else
echo "No vigil entries in hosts file"
fi
mount -o ro,remount /system 2>/dev/null
}
# ── IPTABLES: Block known malicious IPs ──
cmd_install_iptables() {
if [ "${NETWORK_IPTABLES_ENABLED:-1}" != "1" ]; then
echo "iptables blocking disabled in config"
return 0
fi
log "Installing iptables IP blocklist..."
local ip_file="$IOC_DIR/ips.txt"
if [ ! -f "$ip_file" ]; then
log "WARNING: ips.txt not found"
echo "ERROR: No IP blocklist found"
return 1
fi
# Create chain if it doesn't exist
iptables -N "$IPTABLES_CHAIN" 2>/dev/null
ip6tables -N "$IPTABLES_CHAIN" 2>/dev/null
# Flush existing rules in our chain
iptables -F "$IPTABLES_CHAIN" 2>/dev/null
ip6tables -F "$IPTABLES_CHAIN" 2>/dev/null
# Add our chain to OUTPUT if not already there
iptables -C OUTPUT -j "$IPTABLES_CHAIN" 2>/dev/null || \
iptables -I OUTPUT -j "$IPTABLES_CHAIN" 2>/dev/null
ip6tables -C OUTPUT -j "$IPTABLES_CHAIN" 2>/dev/null || \
ip6tables -I OUTPUT -j "$IPTABLES_CHAIN" 2>/dev/null
# Block each IP with logging
local count=0
while IFS='|' read -r ip threat_name category; do
[ -z "$ip" ] && continue
[ "${ip:0:1}" = "#" ] && continue
# Determine if IPv4 or IPv6
if echo "$ip" | grep -q ":"; then
ip6tables -A "$IPTABLES_CHAIN" -d "$ip" -j DROP 2>/dev/null && count=$((count + 1))
else
iptables -A "$IPTABLES_CHAIN" -d "$ip" -j DROP 2>/dev/null && count=$((count + 1))
fi
done < "$ip_file"
log "iptables blocklist installed: $count IPs"
echo "IP blocklist active: $count IPs blocked"
}
# ── IPTABLES: Remove blocklist ──
cmd_remove_iptables() {
log "Removing iptables blocklist..."
iptables -D OUTPUT -j "$IPTABLES_CHAIN" 2>/dev/null
ip6tables -D OUTPUT -j "$IPTABLES_CHAIN" 2>/dev/null
iptables -F "$IPTABLES_CHAIN" 2>/dev/null
ip6tables -F "$IPTABLES_CHAIN" 2>/dev/null
iptables -X "$IPTABLES_CHAIN" 2>/dev/null
ip6tables -X "$IPTABLES_CHAIN" 2>/dev/null
echo "IP blocklist removed"
}
# ── CONNECTION MONITOR: Watch for suspicious network activity ──
cmd_monitor() {
log "Network monitor starting..."
echo "Network monitor active — watching for C2 connections"
local domain_file="$IOC_DIR/domains.txt"
while true; do
# Check active connections against known C2 IPs
if [ -f "$IOC_DIR/ips.txt" ]; then
# Get current connections
cat /proc/net/tcp /proc/net/tcp6 2>/dev/null | awk '{print $3}' | while read -r hex_addr; do
# Convert hex IP to dotted notation
local hex_ip=$(echo "$hex_addr" | cut -d: -f1)
if [ ${#hex_ip} -eq 8 ]; then
# IPv4
local ip=$(printf "%d.%d.%d.%d" \
"0x${hex_ip:6:2}" "0x${hex_ip:4:2}" \
"0x${hex_ip:2:2}" "0x${hex_ip:0:2}" 2>/dev/null)
if grep -q "^${ip}|" "$IOC_DIR/ips.txt" 2>/dev/null; then
local match=$(grep "^${ip}|" "$IOC_DIR/ips.txt" | head -1)
local threat=$(echo "$match" | cut -d'|' -f2)
alert "CRITICAL" "ACTIVE C2 CONNECTION: $ip ($threat)"
echo "$(date +%s)|C2_CONNECTION|$ip|$threat" >> "$NET_LOG"
fi
fi
done
fi
# Check DNS cache / resolved domains if possible
# dumpsys connectivity can reveal recent DNS lookups on some ROMs
if [ -f "$domain_file" ]; then
dumpsys connectivity 2>/dev/null | grep -oE '[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}' | sort -u | while read -r domain; do
if grep -q "^${domain}|" "$domain_file" 2>/dev/null; then
local match=$(grep "^${domain}|" "$domain_file" | head -1)
local threat=$(echo "$match" | cut -d'|' -f2)
local category=$(echo "$match" | cut -d'|' -f3)
alert "HIGH" "SUSPICIOUS DOMAIN RESOLVED: $domain ($threat) [$category]"
echo "$(date +%s)|DNS_RESOLVE|$domain|$threat" >> "$NET_LOG"
fi
done
fi
sleep 30
done
}
# ── STATUS ──
cmd_status() {
echo "Network Monitor Status:"
echo " Enabled: ${NETWORK_MONITOR_ENABLED:-1}"
echo " C2 Block: ${NETWORK_BLOCK_C2:-1}"
echo " Tracker Block: ${NETWORK_BLOCK_TRACKERS:-1}"
echo " iptables: ${NETWORK_IPTABLES_ENABLED:-1}"
# Check if our hosts entries are active
local hosts_count=$(grep -c "$HOSTS_MARKER" /system/etc/hosts 2>/dev/null || echo 0)
echo " Hosts rules: $hosts_count domains"
# Check iptables chain
local ipt_count=$(iptables -L "$IPTABLES_CHAIN" 2>/dev/null | grep -c "DROP" || echo 0)
echo " IP rules: $ipt_count IPs"
if [ -f "$NET_LOG" ]; then
local detections=$(wc -l < "$NET_LOG")
echo " Detections: $detections logged"
fi
}
# ── FULL INSTALL ──
cmd_install() {
cmd_install_hosts
cmd_install_iptables
}
# ── FULL REMOVE ──
cmd_remove() {
cmd_remove_hosts
cmd_remove_iptables
}
# ── DISPATCH ──
case "$1" in
install) cmd_install ;;
remove) cmd_remove ;;
install-hosts) cmd_install_hosts ;;
remove-hosts) cmd_remove_hosts ;;
install-iptables) cmd_install_iptables ;;
remove-iptables) cmd_remove_iptables ;;
monitor) cmd_monitor ;;
status) cmd_status ;;
*)
echo "Network Monitor — C2 & Tracker Blocker"
echo "Usage: network_monitor.sh {install|remove|monitor|status}"
echo ""
echo " install Install hosts + iptables blocklists"
echo " remove Remove all blocklists"
echo " install-hosts Install hosts-based domain blocking only"
echo " install-iptables Install iptables IP blocking only"
echo " monitor Live network connection monitoring"
echo " status Show network monitor status"
;;
esac
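Review bot: `cmd_install_hosts` reports "Domain blocklist active" regardless of whether anything was written: the `mount -o rw,remount /system` at the top of the function and every `>> "$hosts_file"` append discard their errors (`2>/dev/null`, no status check), so on a device where /system cannot be remounted (the comment in the function itself notes the KernelSU overlay is expected to handle it) the function logs success while the hosts file is untouched. Suggest checking the remount result, e.g. `mount -o rw,remount /system 2>/dev/null || { echo "ERROR: /system not writable"; return 1; }`, or writing the list into the module's own overlay copy of `system/etc/hosts` instead of the live partition, which is how Magisk/KernelSU modules normally replace system files. A smaller point in the same hunk: `cmd_monitor` only converts 8-character (IPv4) remote addresses from `/proc/net/tcp` and `/proc/net/tcp6`, so IPv6 entries in `ips.txt`, which `cmd_install_iptables` does handle via `ip6tables`, are never matched by the live monitor.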

vigil/lib/scanner.sh Executable file

@@ -0,0 +1,362 @@
#!/system/bin/sh
# Vigil — Threat Scanner Engine
# Scans installed packages, processes, certificates, accessibility services
# against the IOC database
# (c) Setec Labs
VIGIL_DATA="/data/adb/vigil"
VIGIL_LOG="$VIGIL_DATA/vigil.log"
IOC_DIR="$VIGIL_DATA"
ALERT_DIR="$VIGIL_DATA/alerts"
[ -f "$VIGIL_DATA/vigil.conf" ] && . "$VIGIL_DATA/vigil.conf"
log() {
echo "[$(date '+%Y-%m-%d %H:%M:%S')] [scanner] $1" >> "$VIGIL_LOG"
}
alert() {
local severity="$1"
local message="$2"
local timestamp=$(date +%s)
echo "${severity}|${timestamp}|scanner|${message}" >> "$ALERT_DIR/pending"
log "ALERT [$severity]: $message"
}
load_exclusions() {
EXCLUDED_PACKAGES=""
if [ -f "$VIGIL_DATA/exclusions.conf" ]; then
EXCLUDED_PACKAGES=$(grep -v '^#' "$VIGIL_DATA/exclusions.conf" | grep -v '^$')
fi
}
is_excluded() {
local pkg="$1"
echo "$EXCLUDED_PACKAGES" | grep -qx "$pkg" 2>/dev/null
}
# ── PACKAGE SCAN: Check installed apps against IOC package list ──
scan_packages() {
log "Scanning installed packages..."
local hits=0
local checked=0
local ioc_file="$IOC_DIR/packages.txt"
if [ ! -f "$ioc_file" ]; then
log "WARNING: packages.txt IOC file not found"
return 0
fi
# Get installed packages
local installed=$(pm list packages 2>/dev/null | sed 's/^package://')
for pkg in $installed; do
checked=$((checked + 1))
# Skip exclusions
is_excluded "$pkg" && continue
# Check against IOC database
local match=$(grep "^${pkg}|" "$ioc_file" 2>/dev/null | head -1)
if [ -n "$match" ]; then
local threat_name=$(echo "$match" | cut -d'|' -f2)
local category=$(echo "$match" | cut -d'|' -f3)
hits=$((hits + 1))
case "$category" in
pegasus|government)
alert "CRITICAL" "STATE-LEVEL SPYWARE: $pkg ($threat_name) [$category]"
;;
spyware|stalkerware)
alert "HIGH" "STALKERWARE DETECTED: $pkg ($threat_name) [$category]"
;;
trojan)
alert "HIGH" "TROJAN DETECTED: $pkg ($threat_name) [$category]"
;;
tracker)
alert "MEDIUM" "TRACKER APP: $pkg ($threat_name) [$category]"
;;
*)
alert "HIGH" "THREAT DETECTED: $pkg ($threat_name) [$category]"
;;
esac
fi
done
log "Package scan complete: $checked checked, $hits threats found"
echo " Packages: $checked scanned, $hits threats"
return $hits
}
# ── CERTIFICATE SCAN: Check app signing certs against IOC cert list ──
scan_certificates() {
log "Scanning app certificates..."
local hits=0
local checked=0
local ioc_file="$IOC_DIR/certificates.txt"
if [ ! -f "$ioc_file" ]; then
log "WARNING: certificates.txt IOC file not found"
return 0
fi
# Get certificate info for each package
pm list packages 2>/dev/null | sed 's/^package://' | while read -r pkg; do
# Extract signing certificate hash from package info
local cert_info=$(dumpsys package "$pkg" 2>/dev/null | grep -A1 "signatures=" | grep -oE '[0-9a-fA-F]{40}')
for cert_hash in $cert_info; do
checked=$((checked + 1))
local cert_upper=$(echo "$cert_hash" | tr 'a-f' 'A-F')
local cert_lower=$(echo "$cert_hash" | tr 'A-F' 'a-f')
local match=$(grep -i "^${cert_lower}\|^${cert_upper}" "$ioc_file" 2>/dev/null | head -1)
if [ -n "$match" ]; then
local threat_name=$(echo "$match" | cut -d'|' -f2)
hits=$((hits + 1))
alert "HIGH" "MALICIOUS CERTIFICATE on $pkg: $cert_hash ($threat_name)"
fi
done
done
log "Certificate scan complete: $checked checked, $hits threats found"
echo " Certificates: $checked checked, $hits threats"
return $hits
}
# ── PROCESS SCAN: Check running processes for suspicious activity ──
scan_processes() {
log "Scanning running processes..."
local hits=0
# Known suspicious process patterns
local suspicious_patterns="pegasus\|predator\|chrysaor\|hermit\|candiru\|sourgum\|quadream\|cytrox\|cellebrite\|ufed\|graykey\|magnet.forensic\|oxygen.forensic\|frida-server\|objection"
# Check running processes
ps -A -o PID,NAME 2>/dev/null | while read -r pid name; do
if echo "$name" | grep -qi "$suspicious_patterns"; then
hits=$((hits + 1))
alert "CRITICAL" "SUSPICIOUS PROCESS: $name (PID: $pid)"
fi
done
# Check for hidden processes (processes that don't show in normal ps)
# Compare /proc entries with ps output
local ps_pids=$(ps -A -o PID 2>/dev/null | tail -n +2 | sort -n)
for pid_dir in /proc/[0-9]*; do
local pid=$(basename "$pid_dir")
if ! echo "$ps_pids" | grep -qx "$pid" 2>/dev/null; then
local cmdline=$(cat "/proc/$pid/cmdline" 2>/dev/null | tr '\0' ' ')
if [ -n "$cmdline" ]; then
alert "HIGH" "HIDDEN PROCESS: PID $pid ($cmdline)"
hits=$((hits + 1))
fi
fi
done
log "Process scan complete: $hits suspicious processes"
echo " Processes: $hits suspicious"
return $hits
}
# ── ACCESSIBILITY SCAN: Check for stalkerware abusing accessibility ──
scan_accessibility() {
log "Scanning accessibility services..."
local hits=0
local ioc_file="$IOC_DIR/packages.txt"
# Get enabled accessibility services
local enabled=$(settings get secure enabled_accessibility_services 2>/dev/null)
if [ -n "$enabled" ] && [ "$enabled" != "null" ]; then
# Split by colon
echo "$enabled" | tr ':' '\n' | while read -r service; do
local pkg=$(echo "$service" | cut -d'/' -f1)
# Check if this package is in our IOC database
if [ -f "$ioc_file" ]; then
local match=$(grep "^${pkg}|" "$ioc_file" 2>/dev/null | head -1)
if [ -n "$match" ]; then
local threat_name=$(echo "$match" | cut -d'|' -f2)
hits=$((hits + 1))
alert "CRITICAL" "STALKERWARE ACCESSIBILITY SERVICE: $service ($threat_name)"
fi
fi
# Heuristic: check if accessibility service belongs to a non-system app
local is_system=$(pm dump "$pkg" 2>/dev/null | grep -c "SYSTEM")
if [ "$is_system" = "0" ]; then
# Non-system app with accessibility — suspicious
local app_name=$(pm dump "$pkg" 2>/dev/null | grep "applicationInfo" | head -1)
alert "MEDIUM" "Non-system accessibility service: $service"
hits=$((hits + 1))
fi
done
fi
log "Accessibility scan complete: $hits suspicious services"
echo " Accessibility: $hits suspicious"
return $hits
}
# ── DEVICE ADMIN SCAN: Check for malicious device admins ──
scan_device_admin() {
log "Scanning device administrators..."
local hits=0
local ioc_file="$IOC_DIR/packages.txt"
# Get active device admins
dumpsys device_policy 2>/dev/null | grep "Active Admins" -A 100 | grep "ComponentInfo" | while read -r line; do
local component=$(echo "$line" | grep -oE '\{[^}]+\}' | tr -d '{}')
local pkg=$(echo "$component" | cut -d'/' -f1)
if [ -f "$ioc_file" ]; then
local match=$(grep "^${pkg}|" "$ioc_file" 2>/dev/null | head -1)
if [ -n "$match" ]; then
local threat_name=$(echo "$match" | cut -d'|' -f2)
hits=$((hits + 1))
alert "CRITICAL" "MALICIOUS DEVICE ADMIN: $component ($threat_name)"
fi
fi
done
log "Device admin scan complete: $hits suspicious"
echo " Device admins: $hits suspicious"
return $hits
}
# ── APK HASH SCAN: Check APK file hashes (slow, thorough) ──
scan_hashes() {
log "Scanning APK hashes (this may take a while)..."
local hits=0
local checked=0
local ioc_file="$IOC_DIR/hashes.txt"
if [ ! -f "$ioc_file" ]; then
log "WARNING: hashes.txt IOC file not found"
return 0
fi
# Scan non-system APKs
pm list packages -f 2>/dev/null | sed 's/^package://' | while IFS='=' read -r apk_path pkg; do
# Skip system apps for speed (focus on user-installed)
case "$apk_path" in
/system/*|/vendor/*|/product/*) continue ;;
esac
checked=$((checked + 1))
local apk_hash=$(sha256sum "$apk_path" 2>/dev/null | cut -d' ' -f1)
if [ -n "$apk_hash" ]; then
local match=$(grep "^${apk_hash}|" "$ioc_file" 2>/dev/null | head -1)
if [ -n "$match" ]; then
local threat_name=$(echo "$match" | cut -d'|' -f2)
hits=$((hits + 1))
alert "CRITICAL" "MALICIOUS APK HASH: $pkg ($apk_path) matches $threat_name"
fi
fi
done
log "Hash scan complete: $checked APKs checked, $hits threats found"
echo " APK hashes: $checked checked, $hits threats"
return $hits
}
# ── FULL SCAN ──
cmd_full_scan() {
log "=== FULL THREAT SCAN STARTED ==="
load_exclusions
local total_hits=0
echo ""
echo "Vigil Threat Scan Report"
echo "━━━━━━━━━━━━━━━━━━━━━━━━"
echo "Time: $(date)"
echo ""
[ "${SCANNER_CHECK_PACKAGES:-1}" = "1" ] && {
scan_packages
total_hits=$((total_hits + $?))
}
[ "${SCANNER_CHECK_CERTS:-1}" = "1" ] && {
scan_certificates
total_hits=$((total_hits + $?))
}
[ "${SCANNER_CHECK_PROCESSES:-1}" = "1" ] && {
scan_processes
total_hits=$((total_hits + $?))
}
[ "${SCANNER_CHECK_ACCESSIBILITY:-1}" = "1" ] && {
scan_accessibility
total_hits=$((total_hits + $?))
}
[ "${SCANNER_CHECK_DEVICE_ADMIN:-1}" = "1" ] && {
scan_device_admin
total_hits=$((total_hits + $?))
}
[ "${SCANNER_CHECK_HASHES:-1}" = "1" ] && {
scan_hashes
total_hits=$((total_hits + $?))
}
echo ""
echo "━━━━━━━━━━━━━━━━━━━━━━━━"
if [ $total_hits -gt 0 ]; then
echo "⚠ THREATS DETECTED: $total_hits"
echo "Run 'vigil alerts' for details"
else
echo "✓ No threats detected"
fi
echo ""
log "=== FULL SCAN COMPLETE: $total_hits threats ==="
return $total_hits
}
# ── QUICK SCAN (packages + processes only) ──
cmd_quick_scan() {
log "=== QUICK SCAN STARTED ==="
load_exclusions
local total_hits=0
echo "Vigil Quick Scan..."
scan_packages
total_hits=$((total_hits + $?))
scan_processes
total_hits=$((total_hits + $?))
scan_accessibility
total_hits=$((total_hits + $?))
if [ $total_hits -gt 0 ]; then
echo "$total_hits threats detected — run 'vigil scan' for full scan"
else
echo "✓ Quick scan clean"
fi
log "=== QUICK SCAN COMPLETE: $total_hits threats ==="
return $total_hits
}
# ── DISPATCH ──
case "$1" in
full) cmd_full_scan ;;
quick) cmd_quick_scan ;;
packages) load_exclusions; scan_packages ;;
certificates) scan_certificates ;;
processes) scan_processes ;;
accessibility) scan_accessibility ;;
device-admin) scan_device_admin ;;
hashes) scan_hashes ;;
*)
echo "Vigil Threat Scanner"
echo "Usage: scanner.sh {full|quick|packages|certificates|processes|accessibility|device-admin|hashes}"
;;
esac
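Review bot: every scanner except `scan_packages` increments `hits` inside a `... | while read` pipeline (`scan_certificates`, `scan_processes`, `scan_accessibility`, `scan_device_admin`, `scan_hashes`), and in sh the body of a piped `while` runs in a subshell, so those increments are lost and each of these functions returns 0; `cmd_full_scan` then sums zeros and prints "✓ No threats detected" even after CRITICAL alerts have been appended to `$ALERT_DIR/pending`. Suggest feeding the loops from a temp file (`pm list packages > "$tmp"; while read -r pkg; do ...; done < "$tmp"`), as `scan_packages` already sidesteps the problem with a `for` loop, or deriving the count from the alert file (`wc -l` before and after each scan). Two smaller points: `is_excluded` is consulted only in `scan_packages`, so a package listed in exclusions.conf still trips the non-system accessibility heuristic in `scan_accessibility` (which flags every third-party accessibility service, screen readers and password managers included, at MEDIUM), and `app_name` in that function is computed but never used; and `return $hits` is truncated to 8 bits, so a count of 256 would read as clean.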

vigil/lib/sms_shield.sh Executable file

@@ -0,0 +1,201 @@
#!/system/bin/sh
# Vigil — SMS Shield / Silent SMS Interceptor
# Detects and handles Class-0 (Flash) and Type-0 (silent) SMS pings
# used for device tracking by intelligence agencies and stalkers
# (c) Setec Labs
#
# THEORY:
# - Class-0 SMS: "Flash SMS" displayed immediately, may not be saved
# - Type-0 SMS: Completely invisible, generates delivery receipt revealing location
# - Silent SMS: Used by law enforcement/intelligence to confirm SIM is active
# and triangulate location via cell tower
#
# Android hides Type-0 SMS since May 2010 patch, but they can be detected
# via logcat at the RIL/telephony layer with root access.
VIGIL_DATA="/data/adb/vigil"
VIGIL_LOG="$VIGIL_DATA/vigil.log"
ALERT_DIR="$VIGIL_DATA/alerts"
SMS_LOG="$VIGIL_DATA/sms_shield.log"
[ -f "$VIGIL_DATA/vigil.conf" ] && . "$VIGIL_DATA/vigil.conf"
log() {
echo "[$(date '+%Y-%m-%d %H:%M:%S')] [sms] $1" >> "$VIGIL_LOG"
}
alert() {
local severity="$1"
local message="$2"
local timestamp=$(date +%s)
echo "${severity}|${timestamp}|sms_shield|${message}" >> "$ALERT_DIR/pending"
log "ALERT [$severity]: $message"
}
# ── SILENT SMS DETECTOR (via logcat) ──
# Monitors RIL/telephony logs for Type-0 and Class-0 SMS indicators
cmd_monitor() {
log "SMS Shield monitor starting..."
echo "SMS Shield active — monitoring for silent/stealth SMS"
# Clear logcat SMS buffer to start fresh
logcat -c 2>/dev/null
# Monitor logcat for SMS-related events
# Key patterns that indicate silent SMS:
# - "SMS type 0" or "type0" in RIL layer
# - "class 0" in SMS dispatch
# - "WAP PUSH" binary SMS
# - "GsmInboundSmsHandler" processing events
# - "SmsMessage" with TP-PID indicating silent
# - "BroadcastSmsActivity" for flash SMS
logcat -s \
GsmInboundSmsHandler:* \
SmsMessage:* \
ImsSMSDispatcher:* \
InboundSmsHandler:* \
CdmaInboundSmsHandler:* \
SmsDispatchersController:* \
RIL:* \
RILJ:* \
TelephonyManager:* \
2>/dev/null | while read -r line; do
# Detect Type-0 SMS (completely silent)
if echo "$line" | grep -qiE "type.?0.*sms|sms.*type.?0|TP-PID.*type.?0|pid=0.*dcs"; then
local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
alert "CRITICAL" "TYPE-0 SILENT SMS DETECTED — possible location tracking"
echo "$timestamp|TYPE0|$line" >> "$SMS_LOG"
if [ "${SMS_BLOCK_SILENT:-1}" = "1" ]; then
log "Attempting to suppress delivery receipt..."
# Try to block the delivery report by toggling airplane mode briefly
# This prevents the network from confirming the SIM is active
cmd svc wifi disable 2>/dev/null
settings put global airplane_mode_on 1 2>/dev/null
am broadcast -a android.intent.action.AIRPLANE_MODE --ez state true 2>/dev/null
sleep 2
settings put global airplane_mode_on 0 2>/dev/null
am broadcast -a android.intent.action.AIRPLANE_MODE --ez state false 2>/dev/null
cmd svc wifi enable 2>/dev/null
log "Delivery receipt suppression attempted"
fi
fi
# Detect Class-0 SMS (Flash SMS)
if echo "$line" | grep -qiE "class.?0|flash.*sms|sms.*flash|messageClass.*CLASS_0|displayMessageBody"; then
local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
alert "HIGH" "CLASS-0 FLASH SMS DETECTED — possible tracking ping"
echo "$timestamp|CLASS0|$line" >> "$SMS_LOG"
fi
# Detect WAP Push (can be used for silent configuration)
if echo "$line" | grep -qiE "wap.*push|wap_push|application/vnd.wap"; then
local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
alert "MEDIUM" "WAP PUSH SMS detected — possible OTA configuration attack"
echo "$timestamp|WAP_PUSH|$line" >> "$SMS_LOG"
fi
# Detect binary SMS (non-text, potentially data exfil or C2)
if echo "$line" | grep -qiE "binary.*sms|sms.*binary|data_sms_received|port.*sms"; then
local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
alert "MEDIUM" "BINARY SMS detected on data port"
echo "$timestamp|BINARY|$line" >> "$SMS_LOG"
fi
# Detect USSD commands (can be used for remote device control)
if echo "$line" | grep -qiE "ussd|MMI.*code|supplementary.*service"; then
local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
alert "LOW" "USSD/MMI activity detected"
echo "$timestamp|USSD|$line" >> "$SMS_LOG"
fi
done
}
# ── SMS HISTORY ANALYSIS ──
# Analyze existing SMS database for suspicious patterns
cmd_analyze() {
log "Analyzing SMS patterns..."
echo "SMS Pattern Analysis"
echo "━━━━━━━━━━━━━━━━━━━━"
# Check SMS database for suspicious entries
local sms_db="/data/data/com.android.providers.telephony/databases/mmssms.db"
local sms_db_alt="/data/user_de/0/com.android.providers.telephony/databases/mmssms.db"
local db=""
[ -f "$sms_db" ] && db="$sms_db"
[ -f "$sms_db_alt" ] && db="$sms_db_alt"
if [ -n "$db" ] && command -v sqlite3 >/dev/null 2>&1; then
# Count SMS by type
local total=$(sqlite3 "$db" "SELECT COUNT(*) FROM sms;" 2>/dev/null)
local empty_body=$(sqlite3 "$db" "SELECT COUNT(*) FROM sms WHERE body IS NULL OR body = '';" 2>/dev/null)
local short_codes=$(sqlite3 "$db" "SELECT COUNT(*) FROM sms WHERE LENGTH(address) <= 6;" 2>/dev/null)
echo " Total SMS: ${total:-unknown}"
echo " Empty body SMS: ${empty_body:-unknown} (potential silent SMS)"
echo " Short code SMS: ${short_codes:-unknown}"
# Look for suspicious patterns
if [ "${empty_body:-0}" -gt 0 ]; then
alert "MEDIUM" "Found $empty_body empty-body SMS messages — possible silent SMS history"
echo ""
echo " Empty SMS details:"
sqlite3 "$db" "SELECT address, date, type FROM sms WHERE body IS NULL OR body = '' ORDER BY date DESC LIMIT 10;" 2>/dev/null | while read -r row; do
echo " $row"
done
fi
else
echo " SMS database not accessible (sqlite3 may not be available)"
echo " Install sqlite3 or use 'vigil sms monitor' for real-time detection"
fi
# Check our own detection log
if [ -f "$SMS_LOG" ]; then
local log_entries=$(wc -l < "$SMS_LOG")
echo ""
echo " Detection log: $log_entries entries"
echo " Recent detections:"
tail -5 "$SMS_LOG" | while read -r entry; do
echo " $entry"
done
fi
echo "━━━━━━━━━━━━━━━━━━━━"
}
# ── STATUS ──
cmd_status() {
echo "SMS Shield Status:"
echo " Enabled: ${SMS_SHIELD_ENABLED:-1}"
echo " Silent Detect: ${SMS_SILENT_DETECT:-1}"
echo " Block Silent: ${SMS_BLOCK_SILENT:-1}"
echo " Fake Response: ${SMS_FAKE_RESPONSE:-0}"
if [ -f "$SMS_LOG" ]; then
local total=$(wc -l < "$SMS_LOG")
local type0=$(grep -c "TYPE0" "$SMS_LOG" 2>/dev/null || echo 0)
local class0=$(grep -c "CLASS0" "$SMS_LOG" 2>/dev/null || echo 0)
echo " Detections: $total total ($type0 Type-0, $class0 Class-0)"
else
echo " Detections: none yet"
fi
}
# ── DISPATCH ──
case "$1" in
monitor) cmd_monitor ;;
analyze) cmd_analyze ;;
status) cmd_status ;;
*)
echo "SMS Shield — Silent SMS Interceptor"
echo "Usage: sms_shield.sh {monitor|analyze|status}"
echo ""
echo " monitor Real-time silent SMS detection via logcat"
echo " analyze Analyze SMS database for suspicious patterns"
echo " status Show SMS Shield status and detection history"
;;
esac
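Review bot: the Type-0 pattern in `cmd_monitor`, `pid=0.*dcs`, matches ordinary messages: TP-PID 0 is the default protocol identifier of a normal text SMS, while a Type-0 short message is signalled by TP-PID 0x40 (3GPP TS 23.040), so any telephony log line that prints `pid=0` followed by the DCS raises a CRITICAL alert and triggers the airplane-mode toggle below it. The toggle cannot do what its comment says: the acknowledgement of the SMS-DELIVER that drives the SMSC's status report is sent in the same dispatch cycle that produces the log line, so by the time the line reaches the pipeline and `sleep 2` has elapsed the acknowledgement has almost certainly already gone out, and the toggle drops the user's calls and data without suppressing anything. Suggest removing the `SMS_BLOCK_SILENT` branch or documenting the feature as detection-only. Also: `displayMessageBody` is the name of an ordinary `SmsMessage` field, not a flash-SMS marker, and `supplementary.*service` covers any supplementary-service event (call waiting, call forwarding), not only USSD, so the CLASS0 and USSD matchers will fire on routine traffic, and each match writes the raw logcat line, which may include message text, to `$SMS_LOG` in plaintext. In `cmd_analyze`, the empty-body heuristic cannot recover Type-0 history, because the framework discards those messages rather than inserting them into `mmssms.db`; empty rows there are more likely MMS notifications or carrier messages.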


@@ -0,0 +1,136 @@
# Vigil Forensic Tool Signatures - Cellebrite UFED
# Format: sig_type|value|description
# Generated: 2026-03-30 | Entries: 127
# Source: lockup (KoreLogic Cellebrite UFED research)
# sig_type: sha256, filename, path, cert_sha256, cert_issuer
#
# Binary SHA256 hashes: Cellebrite UFED privilege escalation exploits
# These are deployed to /data/local/tmp during device extraction
#
sha256|df89c654afaad67ac7e85e5d34072b5463ea0849ef3e8462a13e299baa6aa6dc|Cellebrite UFED elevator/exploit binary
sha256|a944fd9e66d6b56bd031a3236b6ae8daee4b90e4689f167c22f7c0d02eaa3a98|Cellebrite UFED elevator/exploit binary
sha256|b5804223bdf91099de465a9cdc3d6bc8aec01f19a8856f6e9bdaec3a2a941035|Cellebrite UFED elevator/exploit binary
sha256|ab8130caac25334f2ae46781e4ef625020bd95b215a427785798c729d81fc410|Cellebrite UFED elevator/exploit binary
sha256|5e8dce4e63214099c35f342c6c5a548be30ed6341ec9f4655827f28473333b6b|Cellebrite UFED elevator/exploit binary
sha256|9da883c6999f2f333ab91631946984893fc51163e0c109e8683131b4775accdb|Cellebrite UFED elevator/exploit binary
sha256|49b7368bd28c936ac824bf6040101f57f2c42ce4e9e16877dab2f44922683213|Cellebrite UFED elevator/exploit binary
sha256|ca52579b3ded35fc8337ff9763634c4bf5407a97c85d0c03fb3de16b22d7638b|Cellebrite UFED elevator/exploit binary
sha256|37178f4d2711fc132b8ef19499c1517a70f73d29dc204116a85f5e6caa025034|Cellebrite UFED elevator/exploit binary
sha256|bbe87d1cd44869ee1ba8dbca4a671965765fcd5818f16efa434bbe972961de1c|Cellebrite UFED elevator/exploit binary
sha256|3541425a729454569dccdf713f84102a8b2efeeb77abd34a6c210dd4b9b61cf4|Cellebrite UFED elevator/exploit binary
sha256|6a14b252b01f7ddc21a20a4a9577cb76c82f459652845959040eae677c0df3ce|Cellebrite UFED elevator/exploit binary
sha256|47e7ddbadcb1ec5c228413e93baa029e06f24f44e77a83e817ba48770ffddd10|Cellebrite UFED elevator/exploit binary
sha256|08853c949bbc98b9e334ae52d6d344f219e225914abaf7e813c81307a8e3bcb5|Cellebrite UFED elevator/exploit binary
sha256|856ef82bb6f1e7d940be20a049a3566842a0c9b2c8635d646fdd487a00bd051a|Cellebrite UFED elevator/exploit binary
sha256|859192e3d697a8522a7f9c19088d125b723193ce27df348712701ee78aea286c|Cellebrite UFED elevator/exploit binary
sha256|c58a06ba1b0be01c564629f76f496fc3b7e2d971c807ab6fe06ade291fafb3cc|Cellebrite UFED elevator/exploit binary
sha256|872944fcf79fb92eb5f4134d87b6f6caabc5dec919070a1109ee820442942250|Cellebrite UFED elevator/exploit binary
sha256|ab9bc4c15b1589e45dcf9c604617eaa67034c388c8b8df3af7c71dc50b29bef5|Cellebrite UFED elevator/exploit binary
sha256|23d9ce4a7df20b28d0b5b24ac320a9643c1716987dd5f29110bff71f775dca8d|Cellebrite UFED elevator/exploit binary
sha256|d3aa3c7b75e986d2addf4364f90fb948addee91deade17765a383ec69f582806|Cellebrite UFED elevator/exploit binary
sha256|07e3923c52e1c73e6ba314e230605e2ddbb5033aab75495654c131ff8b1b32a6|Cellebrite UFED elevator/exploit binary
sha256|829dd6f9fc7b39d16b3f75428b3b8417e3b411a9dbb422030f4a2d0e93dbbe3f|Cellebrite UFED elevator/exploit binary
sha256|17afd50ea379a6669e59af03fa73af816f3947ab0bc979b41e8828916c63dc49|Cellebrite UFED elevator/exploit binary
sha256|39560ebb98e6973c88e4a92fb20e5b216616e4c7f607432329f26538aff77694|Cellebrite UFED elevator/exploit binary
sha256|96ea633fe332a30f65e80e1c48ca9a0158b6e02c33afcb4d05d9d96d62135aab|Cellebrite UFED elevator/exploit binary
sha256|962390deb44b84d5781c5f0868aaea7f55d374b2db161598bebe3dd90abc1564|Cellebrite UFED elevator/exploit binary
sha256|1226873d2fac892c3187b7a7da3a1c4b2a5c31d7ecdcd0c18f7ecba4197b05f0|Cellebrite UFED elevator/exploit binary
sha256|3c6dee8fcf4a47c70be5b2b1af6a84c7b54f4941b2a341f23547f1a1db64d034|Cellebrite UFED elevator/exploit binary
sha256|064af61a468a719291779c2aab1d8fd152e66d422b402ebf112c5d896f268a52|Cellebrite UFED elevator/exploit binary
sha256|6a4e49d86f471cd5be05af0737fcc8a7f58922c591c0d03c446bd0cf3bb0d8cb|Cellebrite UFED elevator/exploit binary
sha256|6bea0ed340e33aa457ca91a986ed266906e3639bccf7ee6cdf1597ba683d25cb|Cellebrite UFED elevator/exploit binary
sha256|e228cf22fa4934168fbde171e67729c8774df3813c1d31d9e5e206a19097ab87|Cellebrite UFED elevator/exploit binary
sha256|2a797d28f44e9865d0dc0a9b7393b62e468fde03a8e1982ddb32142f7570b23b|Cellebrite UFED elevator/exploit binary
sha256|f9ca7565b557f315a9a4fc0d77571206ba8471713160784b570bebc541a29fac|Cellebrite UFED elevator/exploit binary
sha256|cac5fdb8be75968291b42ab75dd654b3b21cf5dd1a5539490e6e8e015cb2a4ff|Cellebrite UFED elevator/exploit binary
sha256|5a14004e4c1a67acfd124ff21703b78ef3710c8e81677013234b4deb6af7da66|Cellebrite UFED elevator/exploit binary
sha256|97496d8bbfb71bff2ea121ae731da8e474d1cdd6aabdb2bf1d592afe3bd649de|Cellebrite UFED elevator/exploit binary
sha256|7b6343e560c51c0152af0479a8cd9e7c74b9464f16deaaf07a7263f3b876c6e2|Cellebrite UFED elevator/exploit binary
sha256|98e2efe999a859531af4940b4fcc63725f9b84f0c14645c32fd7def907e03030|Cellebrite UFED elevator/exploit binary
sha256|945a19f4a22daab9cdea1686971a0215f777d3b19f5ee45ffcf846b3a0638cd3|Cellebrite UFED elevator/exploit binary
sha256|7e898e7d0f04e798954f285d50feb44f9697b47a443bfac27a7bedee52942bf6|Cellebrite UFED elevator/exploit binary
sha256|5de2e8d08d246a7bb5c8ddd020853dbb5896cec4149527fa9256a786ebf3541d|Cellebrite UFED elevator/exploit binary
sha256|460ba81b6dc17efe179cf7d0617ff99dc66be3be4375348f1c97a88dfa4f39ea|Cellebrite UFED elevator/exploit binary
sha256|7546f3e3e6bfd3cc3b0d91f7883e39a1c9cd39be7a3a2c72cd76d9ca5378c540|Cellebrite UFED elevator/exploit binary
sha256|5c3d38ad5f26606ca19d277ee7392b039555449ac66cc96e9ad2c818857a3b31|Cellebrite UFED elevator/exploit binary
sha256|a4ea82cd91d99bf26ca19dfd4b1969c42b5551151f1d3bdb635ebb2567e5a741|Cellebrite UFED elevator/exploit binary
sha256|6c6909839af1076330fdfd64a82d2209030fcfd3f7819acbfccc7697d7d3b5ae|Cellebrite UFED elevator/exploit binary
sha256|46a202a88af8c7208d552904cd16d28580a24830011a536c431703848c5739fb|Cellebrite UFED elevator/exploit binary
sha256|a8212687308d7067af3d25664e84ace7f84fd939914a96a1c47e67c613c7b225|Cellebrite UFED elevator/exploit binary
sha256|a75788739e8f97fd9901496f2a69d5b6b24892992c106a1e8ee06faa25076c18|Cellebrite UFED elevator/exploit binary
sha256|7efdbc53f31c24bfe0046452e902be8fd7a500aae1a97d0d554ebe2bf8f2f9d8|Cellebrite UFED elevator/exploit binary
sha256|2db036febbbad09586eac6279a4de4852c353444c4cacb7f926605d174cc7e6e|Cellebrite UFED elevator/exploit binary
sha256|8e13aff69bc075116194f9d4e2dc7f2ef38ab502903649b4da8b9fc9ce2347e4|Cellebrite UFED elevator/exploit binary
sha256|6c66e32cc3c16dca941b9322e21463bb57c99cd7f3909e748fdfa671171cf66d|Cellebrite UFED elevator/exploit binary
sha256|3254e75112c3d219e1af7bbb7be73d2cea76e4786aa9678683bf8d77f1ffbde2|Cellebrite UFED elevator/exploit binary
sha256|0519d111df96968e376a0dc1fb4c37eef35829dd0f472953e71e19d05b15eb47|Cellebrite UFED elevator/exploit binary
sha256|ffc118fc66a09e5a421f2aa5a036c0b49fb178dc9a18d847592d68ddf21cbd1e|Cellebrite UFED elevator/exploit binary
sha256|93028ad412cfc3a792614596d5db155470840bb5614eb416d9e3265b959fc95c|Cellebrite UFED elevator/exploit binary
sha256|a2ea5e0d94abb55ade88a6ffe40a73f49329347c96d334c58426e1bc0c41e72b|Cellebrite UFED elevator/exploit binary
cert_sha256|df89c654afaad67ac7e85e5d34072b5463ea0849ef3e8462a13e299baa6aa6dc|Cellebrite UFED APK signing certificate
cert_sha256|a4ea82cd91d99bf26ca19dfd4b1969c42b5551151f1d3bdb635ebb2567e5a741|Cellebrite UFED APK signing certificate
cert_sha256|6a14b252b01f7ddc21a20a4a9577cb76c82f459652845959040eae677c0df3ce|Cellebrite UFED APK signing certificate
cert_sha256|f9ca7565b557f315a9a4fc0d77571206ba8471713160784b570bebc541a29fac|Cellebrite UFED APK signing certificate
cert_sha256|5a14004e4c1a67acfd124ff21703b78ef3710c8e81677013234b4deb6af7da66|Cellebrite UFED APK signing certificate
cert_sha256|49b7368bd28c936ac824bf6040101f57f2c42ce4e9e16877dab2f44922683213|Cellebrite UFED APK signing certificate
cert_sha256|97496d8bbfb71bff2ea121ae731da8e474d1cdd6aabdb2bf1d592afe3bd649de|Cellebrite UFED APK signing certificate
cert_sha256|93028ad412cfc3a792614596d5db155470840bb5614eb416d9e3265b959fc95c|Cellebrite UFED APK signing certificate
cert_sha256|856ef82bb6f1e7d940be20a049a3566842a0c9b2c8635d646fdd487a00bd051a|Cellebrite UFED APK signing certificate
cert_sha256|945a19f4a22daab9cdea1686971a0215f777d3b19f5ee45ffcf846b3a0638cd3|Cellebrite UFED APK signing certificate
cert_sha256|962390deb44b84d5781c5f0868aaea7f55d374b2db161598bebe3dd90abc1564|Cellebrite UFED APK signing certificate
filename|nandreadStatic_7180|Cellebrite UFED exploit/elevator binary
filename|pingroot_vultest|Cellebrite UFED exploit/elevator binary
filename|DisableHuaweiLogging_2.1.5767a|Cellebrite UFED exploit/elevator binary
filename|nandread64-pie-vold|Cellebrite UFED exploit/elevator binary
filename|autonomous_app.apk|Cellebrite UFED exploit/elevator binary
filename|exploits_2.1.5769.csv|Cellebrite UFED exploit/elevator binary
filename|forensics|Cellebrite UFED exploit/elevator binary
filename|nandreadStatic_1788|Cellebrite UFED exploit/elevator binary
filename|rootspot_verify_env|Cellebrite UFED exploit/elevator binary
filename|EnableHuaweiLogging_2.1.5767a|Cellebrite UFED exploit/elevator binary
filename|frida_script_obfuscated.js|Cellebrite UFED exploit/elevator binary
filename|manifest.webapp|Cellebrite UFED exploit/elevator binary
filename|c2a_disable_selinux_64.ko|Cellebrite UFED exploit/elevator binary
filename|EnableSharpRead_2.1.5767a|Cellebrite UFED exploit/elevator binary
filename|com.mr.meeseeks.apk|Cellebrite UFED exploit/elevator binary
filename|nandreadPie_7182|Cellebrite UFED exploit/elevator binary
filename|salamtak32|Cellebrite UFED exploit/elevator binary
filename|pingroot|Cellebrite UFED exploit/elevator binary
filename|zergRush_2.1.5767a|Cellebrite UFED exploit/elevator binary
filename|psneuter_2.1.5767a|Cellebrite UFED exploit/elevator binary
filename|shellcode_32_iptables.bin|Cellebrite UFED exploit/elevator binary
filename|dirtycow_32|Cellebrite UFED exploit/elevator binary
filename|nandreadPie_1788|Cellebrite UFED exploit/elevator binary
filename|shellcode_32_oatdump.bin|Cellebrite UFED exploit/elevator binary
filename|django_2.1.5767a|Cellebrite UFED exploit/elevator binary
filename|fourrunnerStatic_2.1.5767a|Cellebrite UFED exploit/elevator binary
filename|index.html|Cellebrite UFED exploit/elevator binary
filename|rosecure_2.1.5767a|Cellebrite UFED exploit/elevator binary
filename|patcher.exe|Cellebrite UFED exploit/elevator binary
filename|nandd|Cellebrite UFED exploit/elevator binary
filename|c2a_disable_selinux_32.ko|Cellebrite UFED exploit/elevator binary
filename|dirtycow|Cellebrite UFED exploit/elevator binary
filename|setuid_2.1.5767a|Cellebrite UFED exploit/elevator binary
filename|RecoveryImageMap.csv|Cellebrite UFED exploit/elevator binary
filename|salamtak64|Cellebrite UFED exploit/elevator binary
filename|gb_2.1.5767a|Cellebrite UFED exploit/elevator binary
filename|nandreadStatic_7182|Cellebrite UFED exploit/elevator binary
filename|nandread-pie_7182|Cellebrite UFED exploit/elevator binary
filename|shellcode.bin|Cellebrite UFED exploit/elevator binary
filename|nandread-pie-vold|Cellebrite UFED exploit/elevator binary
filename|daemonize|Cellebrite UFED exploit/elevator binary
filename|adbd.bin|Cellebrite UFED exploit/elevator binary
filename|nandreadPie_7181|Cellebrite UFED exploit/elevator binary
filename|rootspotter.apk|Cellebrite UFED exploit/elevator binary
path|/data/local/tmp|Cellebrite UFED staging directory
path|/data/local/tmp/cb|Cellebrite UFED staging directory
path|/data/app-asec/data/local/tmp|Cellebrite UFED staging directory
path|/cblr|Cellebrite UFED staging directory
cert_issuer|CN=Oleg Beloussov,OU=mobile secure,O=BeloussovOleg ltd.,L=Tel Aviv,ST=Israel,C=092|Cellebrite UFED APK certificate issuer DN
cert_issuer|C=IL|Cellebrite UFED APK certificate issuer DN
cert_issuer|CN=Cellebrite|Cellebrite UFED APK certificate issuer DN
cert_issuer|O=Cellebrite|Cellebrite UFED APK certificate issuer DN
cert_issuer|CN=mr meeseeks,OU=cell|Cellebrite UFED APK certificate issuer DN
cert_issuer|C=IL,L=Tel Aviv,O=Cellebrite,OU=Research,CN=Cellebrite Cellebrite|Cellebrite UFED APK certificate issuer DN
cert_issuer|CN=KYOCERA Corporation,OU=KYOCERA Corporation,O=KYOCERA Corporation,L=Fushimi,ST=Kyoto,C=JP|Cellebrite UFED APK certificate issuer DN
cert_issuer|CN=aaa,OU=aaa,O=aaa,L=aaaaa,ST=aaa,C=aaa|Cellebrite UFED APK certificate issuer DN
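Review bot: the `cert_sha256` block (the eleven entries starting with `df89c654...`) reuses values from the `sha256` binary-hash block above it verbatim (`df89c654...`, `a4ea82cd...`, `6a14b252...`, `f9ca7565...`, `5a14004e...`, `49b7368b...`, `97496d8b...`, `93028ad4...`, `856ef82b...`, `945a19f4...`, `962390de...` all appear in both lists); a file's SHA-256 and its signing certificate's SHA-256 cannot realistically coincide, so one of the two lists is mislabeled and the `cert_sha256` rows should be re-derived from the source rather than copied. The generic entries also need a confidence field or a path restriction before a scanner acts on them: `filename|index.html`, `filename|forensics`, `filename|daemonize`, `filename|manifest.webapp` and `path|/data/local/tmp` (the standard adb scratch directory used by every development tool) will match on almost any device, `cert_issuer|C=IL` matches any certificate from an Israeli issuer, and the `KYOCERA Corporation` DN is a legitimate OEM signer. Suggest extending the format to `sig_type|value|description|confidence` with `low` on those rows, or scoping the weak filenames to hits inside the listed staging paths.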