
  • Repair the UPX p_info structure (p_filesize and p_blocksize are set to null to avoid unpacking)
  • Unpack the sample using UPX
  • Recover and decrypt the configuration of the sample
  • Track the botnet using the DHT protocol to simulate a Mozi node and query other node configurations
  • Import Mozi configurations extracted by the tracker in ElasticSearch
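The first two features rest on one detail of the UPX ELF layout: the `p_info` header that follows `l_info` carries `p_filesize` and `p_blocksize`, and stock `upx -d` refuses a file where Mozi has zeroed them. The Go program below is an added example written for this page, not mozitools' own unpacker: it locates `l_info`/`p_info` from the ELF program header table, reads the uncompressed size UPX recorded in the little-endian PackHeader at the end of the file, and writes it back into both zeroed fields in the target's byte order (Mozi ships big-endian MIPS builds as well as little-endian ones). It assumes the sample was packed as a single block, so both fields equal `u_file_size`; `ConstructedSample` is a fake header skeleton built for offline testing, not a real sample.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"os"
)

// Layout facts from the UPX sources (p_lx_elf.cpp, packhead.cpp) for a packed ELF32:
//   ELF header (52) + program headers, then
//   l_info (12): l_checksum u32 | l_magic "UPX!" | l_lsize u16 | l_version u8 | l_format u8
//   p_info (12): p_progid u32 | p_filesize u32 | p_blocksize u32        (target byte order)
//   ... compressed blocks ...
//   trailer (36): 32-byte PackHeader ("UPX!" ..., u_file_size LE at +24) + u32 overlay offset
const (
	elfHdrSize  = 52
	lInfoSize   = 12
	pInfoSize   = 12
	trailerSize = 36
	upxMagic    = "UPX!"
)

// RepairPInfo restores zeroed p_filesize/p_blocksize fields (the Mozi trick) in a
// 32-bit UPX-packed ELF. It returns a patched copy, the uncompressed size taken from
// the PackHeader, and whether anything was changed. Assumption (not stated on the
// page): the sample was packed as one block, so both fields equal u_file_size.
func RepairPInfo(img []byte) ([]byte, uint32, bool, error) {
	if len(img) < elfHdrSize+lInfoSize+pInfoSize+trailerSize || string(img[:4]) != "\x7fELF" {
		return nil, 0, false, errors.New("not an ELF image")
	}
	if img[4] != 1 {
		return nil, 0, false, errors.New("only ELFCLASS32 is handled")
	}
	var bo binary.ByteOrder
	switch img[5] { // EI_DATA selects the byte order of the ELF fields and of p_info
	case 1:
		bo = binary.LittleEndian
	case 2:
		bo = binary.BigEndian
	default:
		return nil, 0, false, errors.New("unknown EI_DATA")
	}
	phoff := int(bo.Uint32(img[28:32]))
	phentsize := int(bo.Uint16(img[42:44]))
	phnum := int(bo.Uint16(img[44:46]))
	lInfo := phoff + phnum*phentsize // UPX writes l_info straight after the program headers
	pInfo := lInfo + lInfoSize
	if lInfo < elfHdrSize || pInfo+pInfoSize > len(img)-trailerSize {
		return nil, 0, false, errors.New("implausible program header table")
	}
	if string(img[lInfo+4:lInfo+8]) != upxMagic {
		return nil, 0, false, errors.New("l_info magic missing: not UPX, or the magic was stripped too")
	}
	trailer := img[len(img)-trailerSize:]
	if string(trailer[:4]) != upxMagic {
		return nil, 0, false, errors.New("PackHeader magic missing at end of file")
	}
	uFileSize := binary.LittleEndian.Uint32(trailer[24:28]) // PackHeader is always little-endian

	if bo.Uint32(img[pInfo+4:pInfo+8]) != 0 && bo.Uint32(img[pInfo+8:pInfo+12]) != 0 {
		return img, uFileSize, false, nil // nothing zeroed, leave the sample alone
	}
	out := append([]byte(nil), img...)
	bo.PutUint32(out[pInfo+4:], uFileSize) // p_filesize
	bo.PutUint32(out[pInfo+8:], uFileSize) // p_blocksize
	return out, uFileSize, true, nil
}

// ConstructedSample is a fake big-endian ELF32 skeleton with the UPX header layout and a
// zeroed p_info, built for offline testing. It is not a real Mozi sample and does not run.
func ConstructedSample() []byte {
	const phnum, phentsize = 2, 32
	lInfo := elfHdrSize + phnum*phentsize
	img := make([]byte, lInfo+lInfoSize+pInfoSize+16+trailerSize)
	copy(img, "\x7fELF")
	img[4], img[5] = 1, 2 // ELFCLASS32, ELFDATA2MSB
	binary.BigEndian.PutUint32(img[28:], elfHdrSize) // e_phoff
	binary.BigEndian.PutUint16(img[42:], phentsize)  // e_phentsize
	binary.BigEndian.PutUint16(img[44:], phnum)      // e_phnum
	copy(img[lInfo+4:], upxMagic)                    // l_magic; p_info after it stays all zero
	trailer := img[len(img)-trailerSize:]
	copy(trailer, upxMagic)
	binary.LittleEndian.PutUint32(trailer[24:], 0x1a2b3) // u_file_size
	return img
}

func main() {
	img := ConstructedSample()
	if len(os.Args) > 1 { // usage: go run . packed.elf [repaired.elf]
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		img = b
	}
	out, size, patched, err := RepairPInfo(img)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("uncompressed size from PackHeader: %d bytes, p_info patched: %v\n", size, patched)
	if patched && len(os.Args) > 2 {
		if err := os.WriteFile(os.Args[2], out, 0o644); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
	}
}
```

Run the repaired output through `upx -d` afterwards; if UPX still refuses it, check whether the sample also damaged the `UPX!` magics, which this example deliberately treats as an error rather than guessing at.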


  • UPX must be installed and available in the user PATH


$ ./mozitools -h

  __  __          _ _              _     
 |  \/  | ___ ___(_) |_ ___   ___ | |___ 
 | |\/| |/ _ \_  / | __/ _ \ / _ \| / __|
 | |  | | (_) / /| | || (_) | (_) | \__ \
 |_|  |_|\___/___|_|\__\___/ \___/|_|___/

mozitools facilites RE of Mozi malwares. 
It can:
        * Repair the UPX p_info structure (p_filesize and p_blocksize are set to null to avoid unpacking)
        * Unpack the sample using UPX
        * Recover and decrypt the configuration of the sample
        * Fake a Mozi node and request config files
        * Find others Mozi nodes and import results in ElasticSearch

  mozitools [flags]
  mozitools [command]

Available Commands:
  completion  Generate the autocompletion script for the specified shell
  decode      Decode a Mozi configuration
  help        Help about any command
  track       Track Mozi compromised nodes
  unpack      Unpack a Mozi sample

  -h, --help   help for mozitools

Use "mozitools [command] --help" for more information about a command.

$ ./mozitools unp -i Mozi.m -o Mozi
2022/10/24 22:28:33 Running Mozi unpacker on Mozi.m
2022/10/24 22:28:33 Found UPX at /usr/local/bin/upx
2022/10/24 22:28:33 Unpacked file SHA256: 8f3a5bc6088b999d50bce0eef02c41860bc8ac5e63a2379508c20a1c188eb38d
Unpacked Mozi sample in /Users/baptistin/Documents/Projects/dev/mozitools/Mozi

$ ./mozitools dec -i Mozi
2022/10/24 22:28:49 Running Mozi decoder on /Users/baptistin/Documents/Projects/dev/mozitools/Mozi
2022/10/24 22:28:49 Mozi raw configuration:

2022/10/24 22:28:49 Mozi configuration signature1:

2022/10/24 22:28:49 Mozi configuration signature2:

2022/10/24 22:28:49 Mozi configuration version: 2

2022/10/24 22:28:49 Parsed Mozi configuration:
2022/10/24 22:28:49     [ss   ] (Bot role                    ) -> botv2
2022/10/24 22:28:49     [hp   ] (DHT node hash prefix        ) -> 88888888
2022/10/24 22:28:49     [count] (URL that used to report bot ) ->
2022/10/24 22:28:49     [idp  ] (report bot                  ) -> true
2022/10/24 22:28:49     [dip  ] (ip:port to download Mozi bot) ->
2022/10/24 22:28:49 
2022/10/24 22:28:49 Successfully decoded Mozi configuration!
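The decoder output above lists the configuration as tag/value fields. Mozi stores that configuration XOR-encrypted with a fixed key as a run of `[tag]value[/tag]` pairs, where a tag such as `[idp]` is meaningful by its presence alone (the page reports it as `true` with an empty value). The Go program below is an added example for this page, not mozitools' decoder: it undoes a repeating-key XOR and then parses the pairs, rejecting unterminated or malformed tags. `DemoKey` and `ConstructedCiphertext` are constructed for the example; the page does not give the key used by real samples, and none is used here.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strings"
)

// DemoKey is a constructed key for this example, not the key from any Mozi sample.
var DemoKey = []byte("constructed-demo-key")

// XorWithKey applies a repeating-key XOR; the same call encrypts and decrypts.
func XorWithKey(data, key []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// ParseMoziConfig parses the "[tag]value[/tag]" sequence of a decrypted configuration.
// Flags such as [idp] are detected by presence: callers test `_, ok := cfg["idp"]`.
// Parsing stops at the first NUL (the buffer is padded) and fails on anything that is
// not a well-formed pair, which is also what a wrong key produces.
func ParseMoziConfig(plain []byte) (map[string]string, error) {
	if i := bytes.IndexByte(plain, 0); i >= 0 {
		plain = plain[:i]
	}
	s := string(plain)
	cfg := make(map[string]string)
	for s != "" {
		if s[0] != '[' {
			return cfg, fmt.Errorf("expected '[' near %.16q", s)
		}
		end := strings.IndexByte(s, ']')
		if end < 0 {
			return cfg, errors.New("unterminated opening tag")
		}
		tag := s[1:end]
		if tag == "" || strings.HasPrefix(tag, "/") {
			return cfg, fmt.Errorf("bad tag %q", tag)
		}
		closing := "[/" + tag + "]"
		rest := s[end+1:]
		ci := strings.Index(rest, closing)
		if ci < 0 {
			return cfg, fmt.Errorf("missing %s", closing)
		}
		cfg[tag] = rest[:ci]
		s = rest[ci+len(closing):]
	}
	return cfg, nil
}

// DecodeConfig decrypts with the given key and parses the result.
func DecodeConfig(cipher, key []byte) (map[string]string, error) {
	return ParseMoziConfig(XorWithKey(cipher, key))
}

// ConstructedCiphertext is a config in the layout shown by the decoder output, encrypted
// with DemoKey and NUL-padded like a fixed-size buffer. Constructed test data only.
func ConstructedCiphertext() []byte {
	plain := []byte("[ss]botv2[/ss][hp]88888888[/hp][count][/count][idp][/idp][dip][/dip]")
	buf := make([]byte, 96)
	copy(buf, plain)
	return XorWithKey(buf, DemoKey)
}

func main() {
	cfg, err := DecodeConfig(ConstructedCiphertext(), DemoKey)
	if err != nil {
		fmt.Println("decode failed:", err)
		return
	}
	for _, tag := range []string{"ss", "hp", "count", "idp", "dip"} {
		v, present := cfg[tag]
		fmt.Printf("[%-5s] present=%-5v value=%q\n", tag, present, v)
	}
}
```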

$ ./mozitools track --index mozi-test --url --user elastic --pass elastic
2022/10/24 22:45:14 Running Mozi tracker...
2022/10/24 22:45:14 Running the elasticsearch client...
2022/10/24 22:45:14 Running the Mozi DHT scanner...
2022/10/24 22:45:14 Running the Mozi DHT responses parser...

Try it

If you have UPX installed on your machine, you can download and try the latest release on the release page. The binaries are self-sufficient.

However, if you want to run this tool in a more isolated way, you can use the provided Containerfile.

Execute the following command to create the image:

podman build -t mozitools -f Containerfile

You are now able to run Mozitools from the previously built image:

podman run -v $PWD:/app/data mozitools unp -i data/Mozi.m -o data/Mozi

Elasticsearch and Kibana stack

A docker-compose file is available to deploy an Elasticsearch and Kibana stack if you want to try the Mozi tracker. Please be aware that it is not intended for production use and is clearly unsafe there: the tracker example above uses the stack's default elastic/elastic credentials, so keep it on a host or network segment nobody else can reach.

docker-compose up -d

How does it work?

You can check out this Blog Article for more information.

Submit an issue

Feel free to submit any issue you encounter; I'll be happy to provide a fix.
Please remember to include the details needed to reproduce it (command line, output, sample...).
