Skip to content

Latest commit

 

History

History
59 lines (43 loc) · 1.55 KB

README.md

File metadata and controls

59 lines (43 loc) · 1.55 KB

MoqHao Android malware analysis

Full malware analysis on www.xanhacks.xyz/p/moqhao-malware-analysis/.

Samples

ZIP password protected archive samples.zip (password: infected).

Extract imgur biography

Usage

$ bash extract_imgur_biography.sh | sort | uniq
7UurGk6tyAChWZNECbg8FmDcpcasRFy3
AdRBwBroGenjq92vbyStxbdqcStQ9iK9
agyY5IGBFFqaXkBXoIvMR6g6_L0j37eE
FaRPCdEp9o05vGWA-r0_i_IHXXynJgDl
I-fVjf3rKx2LtMcK11fdyic1nTe3PBQp
I-fVjf3rKx3h7eWNDRlSHq9ZmgY-K6CT

Decrypt C2 biography

Usage

$ python3 decrypt_c2.py
[!] Usage : decrypt_c2.py <ciphertext>

$ python3 decrypt_c2.py 'ffgtrrtagyY5IGBFFqaXkBXoIvMR6g6_L0j37eEffgtrrt'
b'[*] Cleartext : 134.119.218.100:28843\x03\x03\x03'

Pipe it through extractor

$ for bio in $(bash extract_imgur_biography.sh); do python3 decrypt_c2.py "$bio"; done | sort | uniq
b'[*] Cleartext : 107.148.160.222:28867\x03\x03\x03'
b'[*] Cleartext : 134.119.218.100:28843\x03\x03\x03'
b'[*] Cleartext : 151.106.31.51:29870\x05\x05\x05\x05\x05'
b'[*] Cleartext : 27.255.75.200:28856\x05\x05\x05\x05\x05'
b'[*] Cleartext : 27.255.75.201:38866\x05\x05\x05\x05\x05'
b'[*] Cleartext : 61.97.243.111:28999\x05\x05\x05\x05\x05'

Unpack DEX resource

Usage

$ python3 unpack.py
[!] Usage : unpack.py <resource>
$ python3 unpack.py rosolhvtig/assets/xmdop/1eqlsfh
[*] Unpacked at 'rosolhvtig/assets/xmdop/1eqlsfh.dex'.

$ file rosolhvtig/assets/xmdop/1eqlsfh.dex
rosolhvtig/assets/xmdop/1eqlsfh.dex: Dalvik dex file version 035