ninoseki/roamingmantis

roamingmantis

A collection of scripts for surface analysis of Roaming Mantis-related malware families.

Requirements

  • Python 3.8+
  • Poetry

Install

git clone https://github.com/ninoseki/roamingmantis
cd roamingmantis
poetry install

FakeSpy

  • Features:
    • Extract a hidden dex.
    • Extract C2 destinations.
    • Send a command to C2.

$ fakespy --help
Usage: fakespy [OPTIONS] COMMAND [ARGS]...

Options:
  --install-completion  Install completion for the current shell.
  --show-completion     Show completion for the current shell, to copy it or
                        customize the installation.

  --help                Show this message and exit.

Commands:
  analyze-apk
  send-command

fakespy analyze-apk /path/to/apk

You can send the following commands.

fakespy send-command GetMessage2 foo.bar.com

MoqHao

  • Features:
    • Extract a hidden dex.
    • Extract C2 destinations.
    • Extract URLs of phishing websites.

$ moqhao --help
Usage: main.py [OPTIONS] PATH

Arguments:
  PATH  [required]

Options:
  --extract-dex / --no-extract-dex
                                  [default: True]
  --install-completion            Install completion for the current shell.
  --show-completion               Show completion for the current shell, to
                                  copy it or customize the installation.

  --help                          Show this message and exit.

moqhao /path/to/apk
