Hunting Potential C2 Commands in Android Malware via Smali String Comparison and Control Flow Analysis

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for krnick from gravatar.com krnick

Unverified details

These details have not been verified by PyPI
Meta
Report project as malware

Project description

c2hunt

  ____ ____  _                 _   
 / ___|___ \| |__  _   _ _ __ | |_ 
| |     __) | '_ \| | | | '_ \| __|
| |___ / __/| | | | |_| | | | | |_ 
 \____|_____|_| |_|\__,_|_| |_|\__|
Hunting potential C2 commands in Android malware via Smali string comparison and control flow analysis

C2Hunt is a command-line tool for analyzing Android APK or DEX files to detect Command and Control (C2) commands within given target file. The tool supports scanning for C2 commands based on custom opcode definitions and can also extract strings or smali methods from APK/DEX files for further analysis.

Features

  • Analyze Android APK/DEX files for C2 commands handling structures
  • Print all smali methods from the target APK/DEX
  • Support for custom opcode/API definition in JSON format

Installation

You can use either pip or pipenv to install dependencies.

Using pip

pip install c2hunt

Using pipenv

pipenv install

pipenv shell

Usage

After installation, you can run the tool directly with the c2hunt command:

c2hunt --file <APK_OR_DEX_PATH> [--opcode <OPCODE_JSON>] [--print-smali]

or with short options:

c2hunt -f <APK_OR_DEX_PATH> [-o <OPCODE_JSON>] [-p]

Options

  • -f, --file PATH (required):
    Path to the target APK or DEX file

  • -o, --opcode PATH (optional, default: custom-opcode/switch-equals.json):
    Path to the custom opcode JSON file

  • -p, --print-smali (flag, optional):
    Print all smali methods from the target APK/DEX instead of scanning for C2 commands

Examples

Analyze an APK with the default opcode file

c2hunt -f malware_family/tgtoxic.dex

Analyze a DEX file with a custom opcode file

c2hunt -f malware_family/tgtoxic.dex -o custom-opcode/switch-equals.json

Print all smali methods (no analysis)

c2hunt -f malware_family/tgtoxic.dex -p

How It Works

  • By default, C2Hunt scans the specified APK or DEX file for C2 commands using the given opcode definition file.
  • If the --print-smali flag is provided, it will only print all smali methods without analysis.

Example Output

(c2hunt) bash-3.2$ c2hunt -f malware_family/tgtoxic.dex -o custom-opcode/switch-equals.json

  ____ ____  _                 _   
 / ___|___ \| |__  _   _ _ __ | |_ 
| |     __) | '_ \| | | | '_ \| __|
| |___ / __/| | | | |_| | | | | |_ 
 \____|_____|_| |_|\__,_|_| |_|\__|
Hunting potential C2 commands in Android malware via Smali string comparison and control flow analysis

[INFO] Analyzing: malware_family/tgtoxic.dex
[INFO] Using OPcode & Android API Pattern Rule: custom-opcode/switch-equals.json
[INFO] Opcode & APIs threshold: {'sparse-switch': 1, 'const-string': 10, 'invoke-virtual': 10, 'move-result': 10, 'if-eqz': 10, 'Ljava/lang/String;->equals(Ljava/lang/Object;)Z': 10}

[+] The following functions potentially contain C2 commands:

Function: Lcom/example/mysoul/KszahaVmkrjij$UoO1i1liii0; call ([Ljava/lang/Object;)V
Opcode & APIs count: {'sparse-switch': 2, 'const-string': 219, 'invoke-virtual': 467, 'move-result': 446, 'if-eqz': 148, 'Ljava/lang/String;->equals(Ljava/lang/Object;)Z': 100}
=====[ C2HUNT RESULT ]================================================================================
flag
homepage
action
screen_relay
walletList
installPermission
gestureB
requestfloaty
admLockRule
swipePwdScreenOff
inputSend
realtimeSet
showShortcuts
reqPerList
wallpaper
autoRequestPerm
readSmsList
autoBoot
backstage
setDebugMode
startCam
startApk
catAllViewSwitch
permissionB
closeEnv
installApk
lockScreen
setWakeup
doNotDisturb
capture
callAcc
touchMove
touchDown
logMode
gestureCapture
gestureUnlock
setDebugOn
setHideMode
swipePwdScreenOn
power
light
black
Awake
openIntent
home
back
adm
sendAlert
callAppSetting
init_data
screenshot
readContactList
permission
capturePic
clickPoint
wakeup
clickInput
update
setCam
recent
reConn
lightT
takeScreen
touchUp
admLock
setAppStyle
realtimeOnOff
antiDeleteOff
fetchIcon
openUrl
uninstallApk
readAlbumThumbnail
clickB
reOpenMe
blackB
rightClick
admSet
admPwd
reqScreenPermission
googleAuth
cancelAwake
releaseScreenCapture
closeProtect
readAlbumList
readAlbumLast
ask_relay
antiDeleteOn
cancelWakeup
transparent
setDebugOff
restartApp
hideShortcuts
stopHereTest
restartSc
restartMe
stopCam
updateApk

flowchart TD
    A[Input APK/DEX file] --> B[Extract all functions and exclude system libraries, Android APIs, and third-party libraries]
    B --> C[Extract Smali instructions for each function]
    C --> D[Match each function against opcode and Android API pattern rules]
    D --> E{Matches any pattern rule?}
    E -- No --> F[Continue to next function]
    E -- Yes --> G{≥ threshold?}
    G -- No --> F
    G -- Yes --> H[Flag as potential C2-command-containing function and extract all string constants within the function]
    H --> I[Output flagged functions and extracted strings]

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for krnick from gravatar.com krnick

Unverified details

These details have not been verified by PyPI
Meta

Release history Release notifications | RSS feed

This version

0.0.8

0.0.7

0.0.6

0.0.5

0.0.4

0.0.1

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

c2hunt-0.0.8.tar.gz (10.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

c2hunt-0.0.8-py3-none-any.whl (11.0 kB view details)

Uploaded Python 3

File details

Details for the file c2hunt-0.0.8.tar.gz.

File metadata

  • Download URL: c2hunt-0.0.8.tar.gz
  • Upload date:
  • Size: 10.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for c2hunt-0.0.8.tar.gz
Algorithm Hash digest
SHA256 9c33ae5c416b8bd5e7af9a6554fda6d83811e5610c458a7342832496a5e1a7ac
MD5 29441c7dc3bc96432512edafb8518805
BLAKE2b-256 97d08723188c87884cc51035e81c8c649f7323c6a1d2efbf755534a55cbf5cc9

See more details on using hashes here.

Provenance

The following attestation bundles were made for c2hunt-0.0.8.tar.gz:

Publisher: python-publish.yml on krnick/c2hunt

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file c2hunt-0.0.8-py3-none-any.whl.

File metadata

  • Download URL: c2hunt-0.0.8-py3-none-any.whl
  • Upload date:
  • Size: 11.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for c2hunt-0.0.8-py3-none-any.whl
Algorithm Hash digest
SHA256 00cc8d69abdde82b30624c839cadefc36703133e64f944889003552e0aa2060a
MD5 72a1f7cf8d61f3c13576d1ddd02063bf
BLAKE2b-256 1eaee0e2887bc3a12486a2ab1166b95bbeb1395b9a9fc2db8efdf09db268a63b

See more details on using hashes here.

Provenance

The following attestation bundles were made for c2hunt-0.0.8-py3-none-any.whl:

Publisher: python-publish.yml on krnick/c2hunt

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page