From 2792988626e9bd2c51ef57fc012689d82535b019 Mon Sep 17 00:00:00 2001
From: Janik Besendorf <janik@besendorf.org>
Date: Wed, 25 Mar 2026 09:02:09 +0100
Subject: [PATCH] Support SHA1 and MD5 hash matching in AQF files module

---
 src/mvt/android/modules/androidqf/aqf_files.py | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/src/mvt/android/modules/androidqf/aqf_files.py b/src/mvt/android/modules/androidqf/aqf_files.py
index f924516..e82d1fd 100644
--- a/src/mvt/android/modules/androidqf/aqf_files.py
+++ b/src/mvt/android/modules/androidqf/aqf_files.py
@@ -105,15 +105,15 @@ class AQFFiles(AndroidQFModule):
                     )
                     self.detected.append(result)
 
-            if result.get("sha256", "") == "":
-                continue
-
-            ioc = self.indicators.check_file_hash(result["sha256"])
-            if ioc:
-                result["matched_indicator"] = ioc
-                self.detected.append(result)
-
-            # TODO: adds SHA1 and MD5 when available in MVT
+            for hash_key in ("sha256", "sha1", "md5"):
+                file_hash = result.get(hash_key, "")
+                if not file_hash:
+                    continue
+                ioc = self.indicators.check_file_hash(file_hash)
+                if ioc:
+                    result["matched_indicator"] = ioc
+                    self.detected.append(result)
+                    break
 
     def run(self) -> None:
         if timezone := self._get_device_timezone():