A Mozi botnet UPX unpacker and config extractor
This program operates on malware samples belonging to the Mozi botnet family. An analysis of the malware can be found here.
This program is designed to automate the preparation of the sample for analysis, such as circumventing the anti-unpacking measures taken to break UPX decompression, as well as to automate the extraction of the XOR-encrypted configuration string.
Unpacking
- Detection of UPX packing, and can fix broken headers to enable unpacking.
- Can make use of custom UPX magic numbers (which is sometimes used by malware authors to break standard UPX) to find and fix broken headers
Currently, this tool only supports unpacking for files that have a broken p_info
or l_info
header. Some Mozi samples utilize a custom form of UPX that cannot be fixed conventionally, and may require executing the sample to extract the executable from memory.
Config Extraction
- Can detect encrypted configuration within the sample and decrypt it
- Can parse the configuration with regular expressions to extract various fields
- Can dump the fields to a JSON file
usage: mozibgone.py [-h] [-u] [-e] [-a] [-m MAGIC] [-o OUTPUT] [-v] [-q] [-j JSON] file
Mozi botnet unpacker and config extractor
positional arguments:
file the file to operate on
options:
-h, --help show this help message and exit
-u, --unpack unpack the file only
-e, --extract extract the configuration only
-a, --all unpack and extract - equivalent to -ue
-m MAGIC, --magic MAGIC
a custom UPX magic number to use
-o OUTPUT, --output OUTPUT
separate file for UPX to output to
-v, --verbose enables debug output
-q, --quiet disable all output except for errors
-j JSON, --json JSON dump the configuration to a json file