{"id":15442949,"url":"https://github.com/kn0wl3dge/mozitools","last_synced_at":"2025-04-19T20:13:52.845Z","repository":{"id":61995233,"uuid":"311100453","full_name":"kn0wl3dge/mozitools","owner":"kn0wl3dge","description":"Mozi Botnet related tools helping to unpack a sample, decode a configuration and track active Mozi nodes using DHT.","archived":false,"fork":false,"pushed_at":"2022-11-13T15:26:54.000Z","size":179,"stargazers_count":44,"open_issues_count":0,"forks_count":8,"subscribers_count":3,"default_branch":"main","last_synced_at":"2024-10-18T13:17:09.404Z","etag":null,"topics":["botnet","config","decoder","mozi","mozi-nodes","python-3","python3","tools","unpacker","upx"],"latest_commit_sha":null,"homepage":"https://kn0wledge.fr/projects/mozitools","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kn0wl3dge.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-11-08T16:04:38.000Z","updated_at":"2024-10-08T09:04:33.000Z","dependencies_parsed_at":"2023-01-21T16:16:43.557Z","dependency_job_id":null,"html_url":"https://github.com/kn0wl3dge/mozitools","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kn0wl3dge%2Fmozitools","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kn0wl3dge%2Fmozitools/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kn0wl3dge%2Fmozitools/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kn0wl3dge%2Fmozitools/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/Gi
tHub/owners/kn0wl3dge","download_url":"https://codeload.github.com/kn0wl3dge/mozitools/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249789006,"owners_count":21325777,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["botnet","config","decoder","mozi","mozi-nodes","python-3","python3","tools","unpacker","upx"],"created_at":"2024-10-01T19:32:06.058Z","updated_at":"2025-04-19T20:13:52.804Z","avatar_url":"https://github.com/kn0wl3dge.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Mozitools\n\n## Features\n* Repair the UPX p_info structure (p_filesize and p_blocksize are set to null\n  to avoid unpacking)\n* Unpack the sample using UPX\n* Recover and decrypt the configuration of the sample\n* Track the botnet using the DHT protocol to simulate a Mozi node and query other node configurations\n* Import Mozi configurations extracted by the tracker in ElasticSearch\n\n## Requirements\n* UPX must be installed and available in the user PATH\n\n## Usage\n```bash\n$ ./mozitools -h\n\n  __  __          _ _              _     \n |  \\/  | ___ ___(_) |_ ___   ___ | |___ \n | |\\/| |/ _ \\_  / | __/ _ \\ / _ \\| / __|\n | |  | | (_) / /| | || (_) | (_) | \\__ \\\n |_|  |_|\\___/___|_|\\__\\___/ \\___/|_|___/\n                                         \n\nmozitools facilites RE of Mozi malwares. 
\nIt can:\n        * Repair the UPX p_info structure (p_filesize and p_blocksize are set to null to avoid unpacking)\n        * Unpack the sample using UPX\n        * Recover and decrypt the configuration of the sample\n        * Fake a Mozi node and request config files\n        * Find others Mozi nodes and import results in ElasticSearch\n\nUsage:\n  mozitools [flags]\n  mozitools [command]\n\nAvailable Commands:\n  completion  Generate the autocompletion script for the specified shell\n  decode      Decode a Mozi configuration\n  help        Help about any command\n  track       Track Mozi compromised nodes\n  unpack      Unpack a Mozi sample\n\nFlags:\n  -h, --help   help for mozitools\n\nUse \"mozitools [command] --help\" for more information about a command.\n\n\n\n$ ./mozitools unp -i Mozi.m -o Mozi\n2022/10/24 22:28:33 Running Mozi unpacker on Mozi.m\n2022/10/24 22:28:33 Found UPX at /usr/local/bin/upx\n2022/10/24 22:28:33 Unpacked file SHA256: 8f3a5bc6088b999d50bce0eef02c41860bc8ac5e63a2379508c20a1c188eb38d\nUnpacked Mozi sample in /Users/baptistin/Documents/Projects/dev/mozitools/Mozi\n\n\n$ ./mozitools dec -i Mozi\n2022/10/24 22:28:49 Running Mozi decoder on /Users/baptistin/Documents/Projects/dev/mozitools/Mozi\n2022/10/24 22:28:49 Mozi raw configuration:\n    
5b73735d626f7476325b2f73735d5b6469705d3139322e3136382e322e3130303a38305b2f6469705d5b68705d38383838383838385b2f68705d5b636f756e745d687474703a2f2f69612e35312e6c612f676f313f69643d31373637353132352670753d68747470253361253266253266762e62616964752e636f6d2f5b6964705d5b2f636f756e745d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\n\n2022/10/24 22:28:49 Mozi configuration signature1:\n    b0e74673720d660dd4a369e706576943f6be4f71966516acb1c842d5bf36cfc86717caf562b1fbc12b0a80fab170217ba2aa3e3bad1844af856320add9c1f8afe2eac3acf522c7737d7568551b902b926fd65c969a2c4f34aa4a380fe2ada249\n\n2022/10/24 22:28:49 Mozi configuration signature2:\n    c33f318d0bee9747640f78bbb90b9b4192c325d178e7e50575d67c3566917abee559b6cf1acb5d2bc4db08a420afea4d921a2e6dff86cc92e603ce6987f2f2a100e8408f2c184a53ccb29978bbd16261e964ee7e80aa86296d9880429a31e1cf\n\n2022/10/24 22:28:49 Mozi configuration version: 2\n\n2022/10/24 22:28:49 Parsed Mozi configuration:\n2022/10/24 22:28:49     [ss   ] (Bot role                    ) -\u003e botv2\n2022/10/24 22:28:49     [hp   ] (DHT node hash prefix        ) -\u003e 88888888\n2022/10/24 22:28:49     [count] (URL that used to report bot ) -\u003e http://ia.51.la/go1?id=17675125\u0026pu=http%3a%2f%2fv.baidu.com/\n2022/10/24 22:28:49     [idp  ] (report bot                  ) -\u003e true\n2022/10/24 22:28:49     [dip  ] (ip:port to download Mozi bot) -\u003e 192.168.2.100:80\n2022/10/24 22:28:49 \n2022/10/24 22:28:49 Successfully decoded Mozi 
configuration!\n\n\n$ ./mozitools track --index mozi-test --url https://127.0.0.1:9200 --user elastic --pass elastic\n2022/10/24 22:45:14 Running Mozi tracker...\n2022/10/24 22:45:14 Running the elasticsearch client...\n2022/10/24 22:45:14 Running the Mozi DHT scanner...\n2022/10/24 22:45:14 Running the Mozi DHT responses parser...\n^C\n```\n\n## Try it\n\nIf you have UPX installed on your machine, you can download and try the latest release on the [release page](https://github.com/kn0wl3dge/mozitools/releases).\nThe binaries are self-sufficient.\n\nHowever, if you want to run this tool in a more isolated way, you can use the provided Containerfile.\n\nExecute the following command to create the image:\n```\npodman build -t mozitools -f Containerfile\n```\n\nYou are now able to run Mozitools from the previously built image:\n\n```\npodman run -v $PWD:/app/data mozitools unp -i data/Mozi.m -o data/Mozi\n```\n\n### Elasticsearch and Kibana stack\nIf you want to try the Mozi tracker, a docker-compose file is available to deploy the stack. Please be aware that it is not intended for production usage and is clearly unsafe for it.\n\n```\ndocker-compose up -d\n```\n\n# How does it work?\nYou can check out this [Blog Article](https://kn0wledge.fr/projects/mozitools) for more\ninformation.\n\n# Submit an issue\n\nFeel free to submit any issue you may encounter. I'll be happy to provide a\nfix.
\nPlease do not forget to add details related to your issue (command line, output, sample...).\n\n# References\n* https://www.cyberdefensemagazine.com/mozi-botnet-is-responsible-for-most-of-the-iot-traffic/\n* https://securityintelligence.com/posts/botnet-attack-mozi-mozied-into-town/\n* https://blog.netlab.360.com/mozi-another-botnet-using-dht/\n* https://blag.nullteilerfrei.de/2019/12/26/upx-packed-elf-binaries-of-the-peer-to-peer-botnet-family-mozi/\n* https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/\n* https://blog.lumen.com/new-mozi-malware-family-quietly-amasses-iot-bots/\n* https://threatpost.com/mozi-botnet-majority-iot-traffic/159337/\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkn0wl3dge%2Fmozitools","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkn0wl3dge%2Fmozitools","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkn0wl3dge%2Fmozitools/lists"}