Whats in the torrent:The qateam/ folder is a copy of what appeared to be a Q

1. Whats in the torrent:
2.  
3. The qateam/ folder is a copy of what appeared to be a QA server with copies of
4. all their Finspy Mobile malware.
5.  
6. The www/FinFisher folder is a dump of https://www.gamma-international.de/FinFisher/
7. That's where their customers went to download whatever they had purchased.
8. Unfortunately, the downloads are all either encrypted zip or gpg files. But, on
9. the chance that the encryption can be cracked (throw enough GPU at the zip
10. files), it'll have everything. The only unencrypted thing in that part is
11. FinFisher/Sales, which does have some semi-interesting stuff like a price list.
12.  
13. The www/GGI folder is a copy of http://finsupport.finfisher.com/
14. A dump of it's database is in Database.sql
15. That's where all their customers went for support questions. Often the
16. finfisher staff would reply over e-mail, and unfortunately I wasn't able to
17. get the mail servers. The most interesting things there are the support_request
18. and feedback tables in the database combined with the Support/Attachments
19. folder. There's also some decent stuff in Product/Documents and Product/Updates.
20.  
21. The www/conf folder has the webalizer stats on their visitors
22.  
23. The www/ffw folder has their FinFly-Web demo site.
24.  
25.  
26. Customers I've identified:
27.  
28. 29 - the Bahraini group, in support requests they ask for help setting up a
29. website targetting activists in 14 Feb, and in another support request they
30. attach their C&C server logs. The names of people with admin access to the
31. FinSpy server are in the server logs, grep for "user name:"
32. Abdulla Husain, Ahmad, Abdulla Al Eid, Yousif Al Sadiq, Rizwan Saleem, Sayed
33. Ansar Husain, Humayun, and Mohammed Al Majed
34.  
35. From metadata in attached word documents.
36. 69 - PCS Security Pte Ltd
37. 49 - Cliff Harris
38.  
39. From text in support_request or feedback table:
40. 21 - Nasser Alnuaimi Qatar state security bureau
41. 82 - Sanjin Custovic, Intelligence-Security Agency of Bosnia and Herzegovina
42. 73 - Peter Balogh, SSNS - NBSZ hungary secret service
43. 61 - Wim Bordeyne, gives work e-mail of h.isrd@skynet.be although skynet.be is
44. an ISP?
45. 48 - Vietnam
46. 65 - Nigeria
47. 18 - Mongolia, and their email odmagnai@gmail.com appears in this whois record:
48. http://wq.apnic.net/apnic-bin/whois.pl?searchtext=MAINT-MN-NITSYSTEM&form_type=advanced
49.  
50. From their username in customer table:
51. 34 - Dyplex
52. 9 - Trovicor
53. 10 - Elaman
54. 23 - Cobham
55.  
56. From gpg key used for their product download:
57. 68 - Jochen van der Wal, technical engineer for KLPD (dutch police)
58.  
59. other customer gpg keys that are on keyservers but it doesn't identify them:
60. 43 - USB on Fire <usbonfire@gmail.com>
61. 14 - campo@campinator.com
62.  
63. Employees identified from gpg keys:
64. (1) Alfons Rauscher <alfons.rauscher@vervis.de>
65. 1024 bit DSA key 66878388, created: 2013-04-17
66. (1) Hari Purnama (pgp) <hp@gammagroup.com>
67. 2048 bit RSA key A7A4AC21, created: 2013-03-05
68. (1) Melvin Teoh (Gamma Group) <mt@gammmagroup.com>
69. 2048 bit RSA key D81082F4, created: 2012-03-08
70. (1) Alexander Hagenah <ah@primepage.de>
71. 2048 bit RSA key 3F895273, created: 2013-03-05