What's in the torrent:

The qateam/ folder is a copy of what appeared to be a QA server with copies of all their FinSpy Mobile malware.

The www/FinFisher folder is a dump of https://www.gamma-international.de/FinFisher/

That's where their customers went to download whatever they had purchased. Unfortunately, the downloads are all either encrypted zip or gpg files. But, on the chance that the encryption can be cracked (throw enough GPU at the zip files), it'll have everything. The only unencrypted thing in that part is FinFisher/Sales, which does have some semi-interesting stuff like a price list.

The www/GGI folder is a copy of http://finsupport.finfisher.com/

A dump of its database is in Database.sql

That's where all their customers went for support questions. Often the FinFisher staff would reply over e-mail, and unfortunately I wasn't able to get the mail servers. The most interesting things there are the support_request and feedback tables in the database combined with the Support/Attachments folder. There's also some decent stuff in Product/Documents and Product/Updates.

The www/conf folder has the webalizer stats on their visitors

The www/ffw folder has their FinFly-Web demo site.

Customers I've identified:

29 - the Bahraini group, in support requests they ask for help setting up a website targeting activists in 14 Feb, and in another support request they attach their C&C server logs. The names of people with admin access to the FinSpy server are in the server logs; grep for "user name:".

Abdulla Husain, Ahmad, Abdulla Al Eid, Yousif Al Sadiq, Rizwan Saleem, Sayed Ansar Husain, Humayun, and Mohammed Al Majed

From metadata in attached Word documents.

69 - PCS Security Pte Ltd

49 - Cliff Harris

From text in support_request or feedback table:

21 - Nasser Alnuaimi, Qatar State Security Bureau

82 - Sanjin Custovic, Intelligence-Security Agency of Bosnia and Herzegovina

73 - Peter Balogh, SSNS - NBSZ Hungary secret service

61 - Wim Bordeyne, gives work e-mail of h.isrd@skynet.be although skynet.be is an ISP?

48 - Vietnam

65 - Nigeria

18 - Mongolia, and their email odmagnai@gmail.com appears in this whois record:

http://wq.apnic.net/apnic-bin/whois.pl?searchtext=MAINT-MN-NITSYSTEM&form_type=advanced

From their username in customer table:

34 - Dyplex

9 - Trovicor

10 - Elaman

23 - Cobham

From gpg key used for their product download:

68 - Jochen van der Wal, technical engineer for KLPD (Dutch police)

Other customer gpg keys that are on keyservers but don't identify them:

43 - USB on Fire <usbonfire@gmail.com>

14 - campo@campinator.com

Employees identified from gpg keys:

(1) Alfons Rauscher <alfons.rauscher@vervis.de>

1024 bit DSA key 66878388, created: 2013-04-17

(1) Hari Purnama (pgp) <hp@gammagroup.com>

2048 bit RSA key A7A4AC21, created: 2013-03-05

(1) Melvin Teoh (Gamma Group) <mt@gammmagroup.com>

2048 bit RSA key D81082F4, created: 2012-03-08

(1) Alexander Hagenah <ah@primepage.de>