Full malware analysis write-up at www.xanhacks.xyz/p/moqhao-malware-analysis/.
Password-protected ZIP archive samples.zip (password: infected). It contains live malware samples — extract and run the scripts below only inside an isolated analysis environment.
$ bash extract_imgur_biography.sh | sort | uniq
7UurGk6tyAChWZNECbg8FmDcpcasRFy3
AdRBwBroGenjq92vbyStxbdqcStQ9iK9
agyY5IGBFFqaXkBXoIvMR6g6_L0j37eE
FaRPCdEp9o05vGWA-r0_i_IHXXynJgDl
I-fVjf3rKx2LtMcK11fdyic1nTe3PBQp
I-fVjf3rKx3h7eWNDRlSHq9ZmgY-K6CT
$ python3 decrypt_c2.py
[!] Usage : decrypt_c2.py <ciphertext>
$ python3 decrypt_c2.py 'ffgtrrtagyY5IGBFFqaXkBXoIvMR6g6_L0j37eEffgtrrt'
b'[*] Cleartext : 134.119.218.100:28843\x03\x03\x03'
$ bash extract_imgur_biography.sh | while IFS= read -r bio; do python3 decrypt_c2.py "$bio"; done | sort | uniq
b'[*] Cleartext : 107.148.160.222:28867\x03\x03\x03'
b'[*] Cleartext : 134.119.218.100:28843\x03\x03\x03'
b'[*] Cleartext : 151.106.31.51:29870\x05\x05\x05\x05\x05'
b'[*] Cleartext : 27.255.75.200:28856\x05\x05\x05\x05\x05'
b'[*] Cleartext : 27.255.75.201:38866\x05\x05\x05\x05\x05'
b'[*] Cleartext : 61.97.243.111:28999\x05\x05\x05\x05\x05'
$ python3 unpack.py
[!] Usage : unpack.py <resource>
$ python3 unpack.py rosolhvtig/assets/xmdop/1eqlsfh
[*] Unpacked at 'rosolhvtig/assets/xmdop/1eqlsfh.dex'.
$ file rosolhvtig/assets/xmdop/1eqlsfh.dex
rosolhvtig/assets/xmdop/1eqlsfh.dex: Dalvik dex file version 035