arifkyi/PegasusSpyWare_Check_Iphone
Pegasus Spyware Check for iPhone

A video walkthrough is available here:

https://www.youtube.com/watch?v=MYeN7wzSNiU

Background:

Although the title mentions Pegasus spyware, the same checks also cover other spyware families, such as Cytrox Predator, stalkerware and RCS Lab.

Back up the iPhone

Back up your iPhone with iTunes with encrypted backup turned on and a password set; this guide uses MyPassword123 as an example.

I just used this password during the backup: MyPassword123

Find the resulting backup in /Users/ahmadrifky/Library/Application Support/MobileSync

We then move it to ~/Desktop

Prepare the verification tools

Build the MVT image with Docker

https://docs.mvt.re/en/latest/docker/

git clone https://github.com/mvt-project/mvt.git

cd mvt

docker build -t mvt .

Run this command from the directory that contains the backup, so that it is mounted at /mnt/tmp inside the container: docker run --rm -it -v "$PWD:/mnt/tmp" mvt

Alternatively, if the Dockerfile above does not build

pull the prebuilt image from my Docker Hub repository https://hub.docker.com/r/arifkyi/mvt

or run it directly:

docker run --rm -it -v "$PWD:/mnt/tmp" arifkyi/mvt

The rest of the steps are the same.

Usage

Now decrypt the backup:

root@ceac05f52f3f:/mnt/tmp# MVT_IOS_BACKUP_PASSWORD="MyPassword123" mvt-ios decrypt-backup -d /home/cases /mnt/tmp/Backup

Create the output directory: mkdir /home/output

Run the basic check (without indicator files):

mvt-ios check-backup --output /home/output/ /home/cases/

Check whether anything was flagged in /home/output:

/home/output# ls -ltr | grep -i detect


Check for compromise

Download the STIX indicator files:

mvt-ios download-iocs

Just in case, if in the future

download-iocs does not work, I have already backed up the indicators in this repository as a zip file, IOS_IOCS_STIX2.zip

The command reports where it stores each indicator set:

indicators "NSO Group Pegasus Indicators of Compromise" to
/root/.local/share/mvt/indicators/raw.githubusercontent.com_AmnestyTech_investigations_master_2021-07-18_nso_pegasus.stix2

indicators "Cytrox Predator Spyware Indicators of Compromise" to
/root/.local/share/mvt/indicators/raw.githubusercontent.com_AmnestyTech_investigations_master_2021-12-16_cytrox_cytrox.stix2

indicators "RCS Lab Spyware Indicators of Compromise" to
/root/.local/share/mvt/indicators/raw.githubusercontent.com_mvt-project_mvt-indicators_main_2022-06-23_rcs_lab_rcs.stix2

indicators "Stalkerware Indicators of Compromise" to
/root/.local/share/mvt/indicators/raw.githubusercontent.com_AssoEchap_stalkerware-indicators_master_generated_stalkerware.stix2


Then run the check once per indicator file, replacing the placeholder with the full path of each STIX file:

mvt-ios check-backup --output /home/output/ /home/cases/ --iocs [full path name of the stix file]
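The steps above, chained into one script as an added example (not part of this repository or of MVT). It assumes mvt-ios is on PATH, as inside the container, and that MVT writes a module's matches to a file named *_detected.json, which is an assumption about MVT's output naming; the paths are the README's defaults and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not the repository's own script: decrypts the backup, runs
# check-backup once per downloaded STIX file into its own output directory,
# then lists every *_detected.json (assumed MVT naming for module matches).
set -eu
BACKUP="${BACKUP:-/mnt/tmp/Backup}"          # encrypted iTunes backup
CASES="${CASES:-/home/cases}"                # decrypted backup goes here
OUT_ROOT="${OUT_ROOT:-/home/output}"         # one sub-directory per IOC set
IOC_DIR="${IOC_DIR:-/root/.local/share/mvt/indicators}"

# Step 1: decrypt the backup. The password is read from the environment
# variable the README uses, so it is not typed on the command line.
decrypt_backup() {
    : "${MVT_IOS_BACKUP_PASSWORD:?set MVT_IOS_BACKUP_PASSWORD first}"
    mvt-ios decrypt-backup -d "$CASES" "$BACKUP"
}

# Step 2: run check-backup once per STIX file, each into its own output
# directory, so Pegasus, Cytrox, RCS Lab and stalkerware hits stay separate.
check_with_all_iocs() {
    for stix in "$IOC_DIR"/*.stix2; do
        [ -e "$stix" ] || { echo "no .stix2 files in $IOC_DIR" >&2; return 1; }
        name=$(basename "$stix" .stix2)
        mkdir -p "$OUT_ROOT/$name"
        mvt-ios check-backup --output "$OUT_ROOT/$name" --iocs "$stix" "$CASES"
    done
}

# Step 3: the README's "ls -ltr | grep -i detect", done recursively.
find_detections() {
    find "$1" -type f -name '*_detected.json' | sort
}

# Number of detection files under a directory (0 means nothing matched).
count_detections() {
    find_detections "$1" | wc -l | tr -d ' '
}

summarise() {
    for dir in "$OUT_ROOT"/*/; do
        printf '%s: %s detection file(s)\n' "$(basename "$dir")" "$(count_detections "$dir")"
        find_detections "$dir"
    done
}

# Only run the full pipeline when invoked as: sh check.sh run
if [ "${1:-}" = run ]; then
    decrypt_backup
    check_with_all_iocs
    summarise
fi
```

A non-empty detection list is a reason to review that module's *_detected.json by hand, not proof of infection on its own, since indicator lists age and may match benign entries.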
