mvt-project / mvt-indicators Goto Github PK

Please any IOC of FirstMile?

Could the new Kaspersky detection methods be implemented in mvt? Thank you for your wonderful work. 🙏

Ive detected some strange activity on my phone lately and been trying to figure it out, for a long time. I just think that maybe posting here u guys could help me out. My phone is receiving a tp-link-smarthome request and sending it to port 9999. It keeps on changing the source port but the destination remains the same just like a backdoor.

Frame 5992: 189 bytes on wire (1512 bits), 189 bytes captured (1512 bits) on interface wlan0, id 0
Section number: 1
Interface id: 0 (wlan0)
Interface name: wlan0
Encapsulation type: Ethernet (1)
Arrival Time: Mar 8, 2024 22:39:14.482624444 -03
UTC Arrival Time: Mar 9, 2024 01:39:14.482624444 UTC
Epoch Arrival Time: 1709948354.482624444
[Time shift for this packet: 0.000000000 seconds]
[Time delta from previous captured frame: 0.002034568 seconds]
[Time delta from previous displayed frame: 120.006425176 seconds]
[Time since reference or first frame: 723.581862141 seconds]
Frame Number: 5992
Frame Length: 189 bytes (1512 bits)
Capture Length: 189 bytes (1512 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:udp:tplink-smarthome:json]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: MYPHONEMAC Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Destination: Broadcast (ff:ff:ff:ff:ff:ff)
Address: Broadcast (ff:ff:ff:ff:ff:ff)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
Source: MYPHONEMAC
Address: MYPHONEMAC
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src:MYPHONEIP Dst: 255.255.255.255
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 175
Identification: 0xb391 (45969)
010. .... = Flags: 0x2, Don't fragment
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
...0 0000 0000 0000 = Fragment Offset: 0
Time to Live: 64
Protocol: UDP (17)
Header Checksum: 0xc5d3 [validation disabled]
[Header checksum status: Unverified]
Source Address:MYPHONEIP
Destination Address: 255.255.255.255
User Datagram Protocol, Src Port: 38624, Dst Port: 9999
Source Port: 38624
Destination Port: 9999
Length: 155
Checksum: 0x244e [unverified]
[Checksum Status: Unverified]
[Stream index: 249]
[Timestamps]
[Time since first frame: 120.006425176 seconds]
[Time since previous frame: 120.006425176 seconds]
UDP payload (147 bytes)
TP-Link Smart Home Protocol
Cmd: {"system":{"get_sysinfo":{}},"cnCloud":{"get_info":{}},"smartlife.iot.common.cloud":{"get_info":{}},"smartlife.cam.ipcamera.cloud":{"get_info":{}}}
JavaScript Object Notation
Object
Member: system
Object
Member: get_sysinfo
Object
Key: get_sysinfo
[Path: /system/get_sysinfo]
Key: system
[Path: /system]
Member: cnCloud
Object
Member: get_info
Object
Key: get_info
[Path: /cnCloud/get_info]
Key: cnCloud
[Path: /cnCloud]
Member: smartlife.iot.common.cloud
Object
Member: get_info
Object
Key: get_info
[Path: /smartlife.iot.common.cloud/get_info]
Key: smartlife.iot.common.cloud
[Path: /smartlife.iot.common.cloud]
Member: smartlife.cam.ipcamera.cloud
Object
Member: get_info
Object
Key: get_info
[Path: /smartlife.cam.ipcamera.cloud/get_info]
Key: smartlife.cam.ipcamera.cloud
[Path: /smartlife.cam.ipcamera.cloud]

After this I went on a quest to figure it out the destination port and found a "nobody" service listed as port 9999, no matter what I do, try to block udp traffic,tried to block this service, no matter what, it keeps coming back with different source door.

Any hints on this?

MVT - Mobile Verification Toolkit
https://mvt.re
Version: 2.1.3
Indicators updates checked recently, next automatic check in 12 hours

00:51:28 INFO [mvt.ios.cmd_check_backup] Parsing STIX2 indicators file at path
/home/jaiminho/.local/share/mvt/indicators/raw.githubusercontent.com_AmnestyTech_investigations_master_2021-07-18_nso_pegasus.stix2
INFO [mvt.ios.cmd_check_backup] Extracted 1547 indicators for collection with name "Pegasus"
INFO [mvt.ios.cmd_check_backup] Parsing STIX2 indicators file at path
/home/jaiminho/.local/share/mvt/indicators/raw.githubusercontent.com_AmnestyTech_investigations_master_2021-12-16_cytrox_cytrox.stix2
INFO [mvt.ios.cmd_check_backup] Extracted 333 indicators for collection with name "Predator"
INFO [mvt.ios.cmd_check_backup] Parsing STIX2 indicators file at path
/home/jaiminho/.local/share/mvt/indicators/raw.githubusercontent.com_mvt-project_mvt-indicators_main_2022-06-23_rcs_lab_rcs.stix2
INFO [mvt.ios.cmd_check_backup] Extracted 40 indicators for collection with name "RCSLab"
INFO [mvt.ios.cmd_check_backup] Loaded a total of 1920 unique indicator

update - thx for reply

Hello frinds, is there a like a deadline or any news regarding an update on celebritte ufed indicators? Brazilian army bought this software and when asked why, they did not specify its reasons.