Hunting Potential C2 Commands in Android Malware via Smali String Comparison and Control Flow Analysis

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for krnick from gravatar.com krnick

Unverified details

These details have not been verified by PyPI
Meta
Report project as malware

Project description

c2hunt

  ____ ____  _                 _   
 / ___|___ \| |__  _   _ _ __ | |_ 
| |     __) | '_ \| | | | '_ \| __|
| |___ / __/| | | | |_| | | | | |_ 
 \____|_____|_| |_|\__,_|_| |_|\__|
Hunting potential C2 commands in Android malware via Smali string comparison and control flow analysis

C2Hunt is a command-line tool for analyzing Android APK or DEX files to detect Command and Control (C2) commands within given target file. The tool supports scanning for C2 commands based on custom opcode definitions and can also extract strings or smali methods from APK/DEX files for further analysis.

Features

  • Analyze Android APK/DEX files for C2 commands handling structures
  • Print all smali methods from the target APK/DEX
  • Support for custom opcode/API definition in JSON format

Installation

You can use either pip or pipenv to install dependencies.

Using pip

pip install -r requirements.txt

Using pipenv

pipenv install

Usage

After installation, you can run the tool directly with the c2hunt command:

c2hunt --file <APK_OR_DEX_PATH> [--opcode <OPCODE_JSON>] [--print-smali]

or with short options:

c2hunt -f <APK_OR_DEX_PATH> [-o <OPCODE_JSON>] [-p]

Options

  • -f, --file PATH (required):
    Path to the target APK or DEX file

  • -o, --opcode PATH (optional, default: custom-opcode/switch-equals.json):
    Path to the custom opcode JSON file

  • -p, --print-smali (flag, optional):
    Print all smali methods from the target APK/DEX instead of scanning for C2 commands

Examples

Analyze an APK with the default opcode file

c2hunt -f target.apk

Analyze a DEX file with a custom opcode file

c2hunt -f classes.dex -o my-opcodes.json

Print all smali methods (no analysis)

c2hunt -f target.apk -p

How It Works

  • By default, C2Hunt scans the specified APK or DEX file for C2 commands using the given opcode definition file.
  • If the --print-smali flag is provided, it will only print all smali methods without analysis.

Example Output

(c2hunt) bash-3.2$ c2hunt -f malware_family/tgtoxic.dex -o custom-opcode/switch-equals.json

  ____ ____  _                 _   
 / ___|___ \| |__  _   _ _ __ | |_ 
| |     __) | '_ \| | | | '_ \| __|
| |___ / __/| | | | |_| | | | | |_ 
 \____|_____|_| |_|\__,_|_| |_|\__|
Hunting potential C2 commands in Android malware via Smali string comparison and control flow analysis

[INFO] Analyzing: malware_family/tgtoxic.dex
[INFO] Using OPcode & Android API Pattern Rule: custom-opcode/switch-equals.json
[INFO] Opcode & APIs threshold: {'sparse-switch': 1, 'const-string': 10, 'invoke-virtual': 10, 'move-result': 10, 'if-eqz': 10, 'Ljava/lang/String;->equals(Ljava/lang/Object;)Z': 10}

[+] The following functions potentially contain C2 commands:

Function: Lcom/example/mysoul/KszahaVmkrjij$UoO1i1liii0; call ([Ljava/lang/Object;)V
Opcode & APIs count: {'sparse-switch': 2, 'const-string': 219, 'invoke-virtual': 467, 'move-result': 446, 'if-eqz': 148, 'Ljava/lang/String;->equals(Ljava/lang/Object;)Z': 100}
=====[ C2HUNT RESULT ]================================================================================
flag
homepage
action
screen_relay
walletList
installPermission
gestureB
requestfloaty
admLockRule
swipePwdScreenOff
inputSend
realtimeSet
showShortcuts
reqPerList
wallpaper
autoRequestPerm
readSmsList
autoBoot
backstage
setDebugMode
startCam
startApk
catAllViewSwitch
permissionB
closeEnv
installApk
lockScreen
setWakeup
doNotDisturb
capture
callAcc
touchMove
touchDown
logMode
gestureCapture
gestureUnlock
setDebugOn
setHideMode
swipePwdScreenOn
power
light
black
Awake
openIntent
home
back
adm
sendAlert
callAppSetting
init_data
screenshot
readContactList
permission
capturePic
clickPoint
wakeup
clickInput
update
setCam
recent
reConn
lightT
takeScreen
touchUp
admLock
setAppStyle
realtimeOnOff
antiDeleteOff
fetchIcon
openUrl
uninstallApk
readAlbumThumbnail
clickB
reOpenMe
blackB
rightClick
admSet
admPwd
reqScreenPermission
googleAuth
cancelAwake
releaseScreenCapture
closeProtect
readAlbumList
readAlbumLast
ask_relay
antiDeleteOn
cancelWakeup
transparent
setDebugOff
restartApp
hideShortcuts
stopHereTest
restartSc
restartMe
stopCam
updateApk

flowchart TD
    A[Input APK/DEX file] --> B[Extract all functions and exclude system libraries, Android APIs, and third-party libraries]
    B --> C[Extract Smali instructions for each function]
    C --> D[Match each function against opcode and Android API pattern rules]
    D --> E{Matches any pattern rule?}
    E -- No --> F[Continue to next function]
    E -- Yes --> G{≥ threshold?}
    G -- No --> F
    G -- Yes --> H[Flag as potential C2-command-containing function and extract all string constants within the function]
    H --> I[Output flagged functions and extracted strings]

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for krnick from gravatar.com krnick

Unverified details

These details have not been verified by PyPI
Meta

Release history Release notifications | RSS feed

0.0.8

This version

0.0.7

0.0.6

0.0.5

0.0.4

0.0.1

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

c2hunt-0.0.7.tar.gz (10.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

c2hunt-0.0.7-py3-none-any.whl (11.0 kB view details)

Uploaded Python 3

File details

Details for the file c2hunt-0.0.7.tar.gz.

File metadata

  • Download URL: c2hunt-0.0.7.tar.gz
  • Upload date:
  • Size: 10.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for c2hunt-0.0.7.tar.gz
Algorithm Hash digest
SHA256 a06a6597f53c193e065b85dee12d9c96e08f47abde7e7192c30dbf218a7c0901
MD5 84e85cd9d05dcddf269e187ac7487909
BLAKE2b-256 5ccbdfdd767d404b8ab8c4c4aee149a7248260495f2f967e7ccfaa55cdaf7767

See more details on using hashes here.

Provenance

The following attestation bundles were made for c2hunt-0.0.7.tar.gz:

Publisher: python-publish.yml on krnick/c2hunt

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file c2hunt-0.0.7-py3-none-any.whl.

File metadata

  • Download URL: c2hunt-0.0.7-py3-none-any.whl
  • Upload date:
  • Size: 11.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for c2hunt-0.0.7-py3-none-any.whl
Algorithm Hash digest
SHA256 76e14f24ddc7b0882a1c81db0730dc4ed45af8f42b218591bbae05987c21f940
MD5 9d7adbbe1cb2cff1de3e608146b73170
BLAKE2b-256 983f2e0210e98a2e4e29b1a87cc526f0c6a9068eaf158a5f6b454bacd76d456e

See more details on using hashes here.

Provenance

The following attestation bundles were made for c2hunt-0.0.7-py3-none-any.whl:

Publisher: python-publish.yml on krnick/c2hunt

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page