Quark Android Malware Analysis Report
New Quark Rules For DroidKungFu
New Quark rules (#00212 - #00233) are now available. These rules target DroidKungFu, a malware family that gains unlimited access to a device, installs and uninstalls apps, and forwards confidential data. Check here for the rule details.
With these rules, Quark is now able to identify the DroidKungFu malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Check here for the APKs we tested.
Below is a summary report of a DroidKungFu sample (D277C97B1A8A78F859672B4A20E74B3313E9F964E68A6E857C1E9D33763434A5). The report shows that Quark identified the sample as high-risk and provided a list of the sample’s behaviors.
Identified Well-Known Threats
With Quark’s rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 3 well-known threats from DroidKungFu, as shown below.
1. Gain unlimited access to a device
The diagram shows that the Lcom/google/update/UpdateService;getPermission2 function runs shell scripts and Linux commands directly, and also calls the Lcom/google/update/Utils;oldrun function to execute additional commands.
Behaviors detected by Quark:
Run shell script (#00069)
Execute Linux commands (#00068, #00155)
2. Install/Uninstall additional apps
The diagram shows that the Lcom/waps/k;a function installs APKs from a file, and calls the Lcom/waps/l;a function to install more APKs and the Lcom/waps/k;b function to connect to a URL.
Behaviors detected by Quark:
Install other APKs from file (#00054)
Connect to a URL and set request method (#00096)
3. Forward confidential data
The diagram shows that the Lcom/madhouse/android/ads/_;_ function queries confidential data such as SMS and call logs and also calls the Lcom/madhouse/android/ads/_;__ function to check for network connectivity.
Behaviors detected by Quark:
Query confidential data (#00077, #00219, #00221)
Check for network connectivity (#00224, #00226)
List of Tested APKs
The table below lists the APKs we tested.
| index | sha256 |
|---|---|
| 1 | 27A63D6412B3459E821D88A8EF133727B8DDA99262CEC71C9989EC28E394F173 |
| 2 | C3B0FF9C168FCDB02573AF741FC1E9B9E3EEA993A5407CFCF0BB29E0800760BE |
| 3 | E10A9E9A5758F04975FFE930AF08A339B897FF72DF85BE1707184C697C0E954F |
| 4 | 2C6B542B30C644BE1840E38EB8ED4592B671E4734C08FE57B315B92299B23A4A |
| 5 | 1EC91FF1EA8ACCBC4181F3DF94C6A285013EC7A7D60467DEB9250E7681F4B73C |
| 6 | 20639CFB1369F3D490ED532FE30E294ED4058B7D67C426484D7028B7B2B165E5 |
| 7 | 5F7A40015A1F3F42802424EC776799F5E0960F19E9BF8C86298AA5CFAC116BF6 |
| 8 | E2BC4E09BA57740C17F033F6B116EC0316771EF8C1DCB99145EEAC17F15FF2FA |
| 9 | 7F027D19AD8FCD2F4C6A6C74742DED6D1D7758FCD72BDD8B5590053BE65A1D2D |
| 10 | 21D4EB1ADA6CA0925AB8E21D30BFF8A40E88BC60773700B003C048BF8619E75E |
| 11 | 73A27FCF9FDE6D7EBC39F4995BD7DAA4F433C37314C0016D75C50CC39AE7A785 |
| 12 | 4EA68DEB209A29ED0B1FA7F7555006DEC050D8F77CF5820B550E32E5A6F6F88C |
| 13 | E6440A1AB96884C44250F2DB53618FC6762DD13EEBC59D1095F1E188D40C68E4 |
| 14 | C17D0979882468CCC26FDE81F5C6F0DDFB602F9AB9D3C92AC355C8D87A585380 |
| 15 | 477C68553FF88F831026E8842FE99FE14B2DDF08821A0CA3072B7EDBC872A292 |
| 16 | B4098AE6205E3808A6B79495B2027452A7B8191200402F8BA32DBA0EAB21EA99 |
| 17 | 393456E6368079F36DC0CEA861361F976A5CD6A3191B69E49CFD6BF4692DC57E |
| 18 | 16A0C217F26C948D683B515CBB9E06CC0AAC422A951CE9E9E532D7A571152D2F |
| 19 | D277C97B1A8A78F859672B4A20E74B3313E9F964E68A6E857C1E9D33763434A5 |
| 20 | 51BFB82709E927D65770E5C59AB6EB96B73B19525E127F60A25831CD2B8AEE82 |
| 21 | C08539123E1F40439E0DB7DDEEDD6BF6B079AB5E62B2208E22884B28306C1CCA |
| 22 | 15D1FDC4B27509DF6D31F851675D03A21939A165B2011BFE0DB5EEA69BBB6B3D |
| 23 | 94BC85F5458E313AA138C9F4E4B8ED3AB8642694A07427B80441B8A538EC462C |
| 24 | 41DD548C530516448CB6A28DA67407725163F9620D92A35F8735FA4135ECC0A2 |
| 25 | A87C8FE4D821CB2B15FB4E1ADDF63E88DE7D09D37178A910C9221EA979C16F81 |
| 26 | 3B736A91DCA7AE8608C2174AD589400D3FD5FAE55A395920841A49EB10657A37 |
| 27 | 800A8CFF0C559C9478E6941B5E0B30E3848E8A0F9246C8E0C1A34A1459288D68 |
| 28 | BEDF51A5732D94C173BCD8ED918333954F5A78307C2A2F064B97B43278330F54 |
| 29 | E20D4994C8A13854CD835919F5620A9B6217AC444016F9E97C3E9C3464E2F5CB |
| 30 | AB0A824F00E4AEE68A17DAD86182B6FFE83D6D7D07D572D31183CF4A8C1723DA |
| 31 | AEBB5050F17588F0D3936B1B13BF7DCD856A7ACD8DB107C4853E7A9058D2A0CA |
| 32 | AF33315DFBF3ED5A0D28E8ED03A79D20C3B77B16129CCA9439BB4CBDDCA076E2 |
| 33 | 0AE6CECB96E4515F4536EFC711D583A447FFFDF2BCD4E04D2F4A0347F63E40EA |
| 34 | 3C81C9DF7CE0F94918CD0B833B070DFBBCEACF8688824AFBC6344E975EDFEB24 |
| 35 | C5C508FD88D058F5E2B3ABC2A066C52C1FAFB148F27000C47DA859945F771512 |
| 36 | FE98A9B6D1ACF4E2B52CAF0015E90B9FAB856B0C0AA581D526F3D2951B2F7904 |
| 37 | BA949E090EAB02005F9B1823B59AA4329017EA2441E81734F4827B3822C9704E |
| 38 | B6BF9FACFA89990ADF7F01D561875AC54D7577CA351D0C23D69B5E83E376963E |
| 39 | 2A93EB58C737572DD375A36F8A5397140C815DCAE05DC80DAFAAD4B3981A91B6 |
| 40 | D2E2396D8F6052E551E84CC69A97DB7D3D08DF9B3AA40C0070A7CE96B33622C8 |
| 41 | 25BE589140F73949124F08759AB5BB57B126396F1401E3BFBFDC5E5C056E0D03 |
| 42 | 41BD9843692B7421B2FBCEAC3C2F6AF3CE9C92339C10D43898E7E072B8E28BE3 |
| 43 | 3AC65392A5E371D1FF5C7A2CBF580A4F3C2A5B36E11C01601D6B38D715C2A74B |
| 44 | 5D3A915B34D0925B9EA4A7E33E8E70A428B22CE57CD17CFB20DF37F463502B82 |
| 45 | 94A96E66ABC0ACEF751AF0C2140AE7CAD05E434609EB56FE6A6E6602FFE3E4B9 |
| 46 | 67E794151DD32338E0B1935A77ACA5B9A8D87C12C7A088326C2E9F2FFF048279 |
| 47 | 40BA6610360FFFE5BAFEE8504751C78B5AF3B913DA1C2D4AE97AEEA156E5510B |
| 48 | 197041741B0DD2FACE3C01A2FE82AC697A6B6B801B7DC2D3579DA7BBF56ACD73 |
| 49 | 8C5130774E5F1E8F6A0A16281A5AF22C5AC1FCD46DE907667714760ECB76F7EC |
| 50 | 86FDE6F59EF9A8F762AF7BB62DFC4467CA9BD3ACC63E50E5AB78A7B4487ED70D |
| 51 | 0B33469936791DB785E8546BB752AA75DE4C3227293A4237249DBD05FC12D039 |
| 52 | 25061C50965D05E98E409E3A07FE4CE4825A9DACFF46A79FE57EDA7BFD184DEA |
| 53 | D2187491BAD25E07B6817CDD3F044466B8FE2BE63D255DA2FE7CA58E8C8C6321 |
| 54 | 446A635890947E7956D5E8DD10C758A733144D573528153D6F5AFD0DD038BFC4 |
| 55 | DB104CAC9471650E5E5AF54E14C80F6247E16923E78E41DFAEED42F28CF5C523 |
| 56 | 4269E9F03F43D82DF992B417E961554CAECB80D06CA3B0C1B847A09FD257901F |
| 57 | C31BC398066441E6FDB5F98EE6A4529D6F51925F4951EA679C028E50D0CAD950 |
| 58 | EC6212709ED75DEFC848626D2888B685AEAFC4FFD655AD830557F9994E8995F3 |
| 59 | 66BB9310F7063CC3B12F803D2C809C1DB46AB29F229599BE81728C432C208C9F |
| 60 | BAA24D27A78F0641ACF806BD03722AA47F1DCBC42F1CCA04B14B0118E398F94A |
| 61 | AC5E59080E8E951AA5C62038D606E2BD3F8A20C0552F8E1B326B407D4BDCAA15 |
| 62 | 823EE1A0F81C0067F804B3F2497E8268A677C76D90DDD261A910CFE8D116897D |
| 63 | F3F52121296119FF32C334075EA80B74495FDE648A7204BED66268B285FBF199 |
| 64 | 0D9CB8010681D5F35969FB84F96FFCC53DD0B37AEE62F522C2972BEBF2759F02 |
| 65 | 03259A1228E3AD616F10C2370B8C142A8D20132505FBC5CDB5137322A8A03FC6 |
| 66 | 8CB684F1C8FDA8D16E9399F9B75AE1972888BA4398EEE1A7BAAB311DAEAD5F0E |
| 67 | 27B02028221B1AE647BD749EF916AC4D0AD39BA3C961ECD1AE37DF7988488225 |
| 68 | 56628C603FDB1F33FDB8E53D796919F5385A9BAC31E3217A20F2E7531543CBD2 |
| 69 | 00621E015191863041E78726B863B7E1374B17FDA690367878D1272B0E44B232 |
| 70 | 4D62CFEE89DFC4451BDA6FC9E6C09189B6BAD089E2E97E36084FD0E910363D76 |
| 71 | 049D5D5E6DDA98F512E0A9FD2D8E3299BB16ADFB63D95033ED6A839588D14425 |
| 72 | 64AB7A8E612D8D60C1C4CC8CE1B4ACE4AAFCEC7E1F5239894F2B214B094FA1B1 |
| 73 | 3E38E7FF5776548DA0FA1AFF91B364B338D5D7D51E6CB4E3ABFE2FF4B9BF985A |
| 74 | 3EBB4C2BC959080EB9BA2328D10610B59E77892667F8CC5794479F0625E283EC |
| 75 | 4DC7570244C38A690BCA52A8DA1B9108C7A0EE214FBC0A972725D43C8C78FA9A |
| 76 | EB2F047FE3AEA452F1867EC57FAE2E4E853652FE9CBABDD995A11C6FEC0D6500 |
| 77 | 1B7F0C198CB2278218B177F79F16D8C8CE9D7E46E2E65D2B6ACD61A3BA8C455A |
| 78 | 8E6DFA5676DAD428FD3BB767D33B74920D4B3E5D51821A1501D0ADC35B834A50 |
| 79 | 24CCB1BF995EEE442CC4BB86828795BEB0043CA5BF694B3765FBBDA7F69F4E40 |
| 80 | E70FB0052314184463A9F7D194DEE438FA381C6584B8009F178785E0E8CC5D66 |
| 81 | BAF7340F3F1FD943A0A0E79FF59CAD5362D1BA45F05EB172A6730455F8CD55FA |
| 82 | CD3AF68A6C2D93D0261962F50F8DBBB9D72BF952A88414B33DDA49C613DBD8B5 |
| 83 | BA14BC0202CF321F4368E0DEE08E67CC7B55AC3A03AAF1726E03C4CC0AB44F02 |
| 84 | 05C68734C04460DFF87618C0065457788EDCAD84C23F32113B156A963290D917 |
| 85 | 09B952BB0E499EA71E042F6984E6E7632FE1B2F646E212E16468B54A7D0E4253 |
| 86 | 703B9C40116A1AF70522933D25B72E85863EF177F937B28CE82C048928C83379 |
| 87 | 97CE153A87917E46907CE3C43328FA398BADA713ADF9DF7A756174EE8C7F50E5 |
| 88 | A5706AD49019EF9671242437834A492170F6DDBBD11DF2BE8D0C7F0477530CBE |
| 89 | 4FFF4F4F98197ACD4A943ACEDE362D4C64F9D20EE5E64F7D0F4E66F3DD08FBBC |
| 90 | 54F84DBB2A95A53AF72E7346CBE139BDEA1759C92C50AD202B66E8F6D548D876 |
| 91 | 93BC7CAE3DC7ECAFB01A9D136A7D24E280673F7DDE1B30F545E1FE2646E8A66C |
| 92 | 66ACC04320B125B0974DF859850C1A5B2B9C2B58768CBAB83A93BA955FA9287F |
| 93 | C5EA7E9101DCE70C56A0F48B622FCFF619D615F5034B15D21BDB7F40B74602CF |
| 94 | 14F44E244274BF9A698960DAA82D98D3FD66AC7E8FE6F7F9916F164E468C30A7 |
| 95 | 0F2931043C240C14DE48C7A6630752474C3FE5A87A5113F13851CFE8D14754DC |
| 96 | 1C5A89EB4638229DD8DC6D4F55BCAC8D565D2FEF20F6BEFE52270D50973B6151 |
| 97 | A1F98073B0D39B6E3A981D7DB2C528CC9B88A4CC207350F4467916F265D0244F |
| 98 | A128DE003C61B08C439F181253A5C8882DE1C48F517B0B0BF6B18614D11E2674 |
| 99 | D695B7310BED20E3AE00C0C4754039C3BB095062F4D746897BDF417444F454C9 |
| 100 | F52BD07D3457B69720C9A54BE5730545BFCC80269BE749FACA723906A303AD33 |
| 101 | B4524506739CBF40D3C823D716FA2DEB9ACE38C199CF0F7661FE8DDF688953E6 |
| 102 | 43567A80FB8122F77E1CF72CFD898A6B9BFDC18F27EBE716C444143E03630200 |
| 103 | 2220A2EBB3068D1C912189CA6F8E89D0E63836E40A75F5E5C2B7B99A498E7CBA |
| 104 | E58BF56343D6A44B0D863534426109B348673C76EC433BF310E638F34EB786B7 |
| 105 | 30866091584856AC8A7F353172C3D9B0643602F351BE56BA92B4AB2DFD68230D |
| 106 | 1E1D93EDC231E7F2FAE9ABB825640E803137A1A672B9D5E93BDFA6D7E8F57DCE |
| 107 | 3D210599B3EE6C84D9D8FCB236C02394D24974EE3E0FE2D03B013D538E611CE1 |
| 108 | 5107DEDE507180C8458C4E5F87E27F580521F365A54D9E71286ACF0E54DB9E1E |
| 109 | 5D5624B266E294C0DC7673D2FB8E126EC559D37CEC74C5508D8E6674377EF107 |
| 110 | DA2EE0B84AC470986543ACCA1F4C51DEF534D23F04E39F0DD85CCCBA45232738 |
| 111 | 72865ADB5BAFDA646F6F60834E0462E1626C88F075E4161F3CE0EBF217D6C4CB |
| 112 | 8EA992D99898B26E014F82C475F605D90BF0828CFE244922197020B62147B55C |
| 113 | 4536BF0914B3D76047AEB6EA92F21D0CB7561F68DAE870DB3F6DE9FD7420B785 |
| 114 | CA8EB1155C2F5B33822B906F2255CDEAC0EEAD86A58F151C11BD5003458CFCA1 |
| 115 | 001E0F67B5BB9DDAB14FACBEF94791EAED0EB939BCB651D19DAFD0E2A05D8178 |
| 116 | 37C1F16781B2399019AAF2525834ADFE00592F1C62D07D1B0C91A40E11D1B80C |
| 117 | F157946D3868FBE013EC23B14F1097BB727654B4F3926322F035E86E3F5F637E |
| 118 | E9484114F77952ECE8234927BCC865886938C41F4F4657741F01B22A214E10FA |
| 119 | B0CCDE6A945212ED23F3E85CD861D73A42A98C53D63237CD3C0EB67DDA57BDBC |
| 120 | C907757169BBE2A5FA05080B75E5E273F0EF02B06552BF4DF3C386096FEFDD20 |
| 121 | 0FA18A95361BBF4413A9B734B540F52C6BD2411090DEC4D7E3DB6708FEDC68AE |
| 122 | 6ED52331A788EF18727C8E34746B59DB81ACDB261659934BE63B0266FB7C19E7 |
| 123 | BCE128DBE9A75CCADE50ECAD2E52499F67E58479ECD69861B3D117984DF47136 |
| 124 | AB4B4D65A4C7CB3AAFBB7E6630830393D43E619881DA76EE06760466FB79E894 |
| 125 | 877BBED1EC7BA716D70754F6F015C950217FA16F6EA70833B0196C7C560B8239 |
| 126 | 0015AE7C27688D45F79170DCEA16131CE557912A1A0C5F3B6B0465EE0774A452 |
| 127 | B24B268C7C9574BB5FFA48C239F77089BD14BA3EA8B6DDE3DA42958569477D01 |
| 128 | 38070B4D027E0256E6B8538384E374E14D7F8006920A60E9BB9238CD45855CC6 |
| 129 | 7B5338E1E7BF8B4816B821DB9ED042ED13CE4F8EBD1748BA9788B070E45BF03D |
| 130 | 4F1CBB091DCDE0CD0E8FE0D4BD27134750BAC6711029E0A37179832AD3698EA9 |
| 131 | E26656A75FB347F317ACC7A670F8D16DD4C4433691443A77B46C84B9E3A0FB66 |
| 132 | B90564F3809FC8B0B0CE1CBC53DBFF6C6A293BCFCC5EF7821E28BF87262FB9FD |
| 133 | EE21782BF346B26411CB00CA83F91AA18C01CF67086D500E66672A0DE046FFAD |
| 134 | 242A0048497BCBDEB4D1A5A43DF08E492BFD42B0B85FF63B2C2A49AD5EA50829 |
| 135 | 53702B51E102AC3AD7C859019B8640B88D65B3D6008825ACA2D1FCB80B2FA845 |
| 136 | FAE5B82A8DDD7C6EA2B417711E7D0FF8EE02244B7FF9980BCDADFB940EC85096 |
| 137 | 0FCE8643A036D954E75ECA205B2EBA45629C999AA13ABF8896B4BBC07B0BCFA7 |
| 138 | D34E040FD052963C9348B8AF50B415419216BE1A00DBF25C7F7B86545EF84C7C |
| 139 | 9C6724919CAF4DC134AACF828A62663084DDCD6459FD1249DF36BCFFC7EF2EBB |
| 140 | 9184D161D1931A58CFA091569CDE481FCC87AA3A4D32C24622A29EAEA5FC3EEE |
| 141 | C92E7ABD460FF39CB41709416959366739B08006DC2EEA05E367981F9578E6B0 |
| 142 | B327C0BBB16C9ADCD566877AC29DC0B0EDCFF9E654DAD66C514B19877A45B6C8 |
| 143 | 62923018BFCFB2AD1F05EDE135024EDBBADB20DFF9F816EC3F846B2900636ACF |
| 144 | 2BAF6E70672789096752383F0DFDA9774A3FEF55CD64C5AD7FE5CE02F4BEB8FB |
| 145 | 72E6AE9CD081F8D38488CF4077F66DB0F97CEF486A60EB38C593BA82DB77ECD8 |
| 146 | F6EB0EB6FDBB4A1615050F59EB6FAE8F999824E5D65CE1A437761FE7BE4B8215 |
| 147 | F7B038B441E051B3BCC6F40964C215F61A3A226EF3A1B8D58A36E135115DBCFE |
| 148 | 735F5724975302D23C7CCB6F69C0AB4C64F3E63AF38E828E302DCE79FB08593A |
| 149 | 80612FE193401626268553C54A865E67B76311E782005EDE2BA7A87A5D637420 |
| 150 | 938EFB5BDC96D353B28AF57DA2021B6A3C5A64452067059BF50D7FB7C7A66426 |
| 151 | 84C7A452E72ABC4EAA51AD8F3569A6E10365804A963FA61C034FD1F3DC846957 |
| 152 | 07FEAA0E04E56CB3CCD06FD7902A9D9CEC48DFD901BD6D5E07ADE81448DCC5D6 |
| 153 | 6447ED2ABE5AB3827C519BC1EB732159FFE284BE73B8780F294F562996DC9C47 |
| 154 | 5137EDD9FA6E73BE3B5C14C50FAF0B6602C7A155E30A931D2A98B31AC1E021C9 |
| 155 | 53B1523A8F52D3C924043B93AC44FB96F2D496D1C054D873E62B5BC9644B1B52 |
| 156 | D7D47ABC80CDBC7D0AEDF9B8E863E28F0B79CA47D71155A3D364EF096DF98D7E |
| 157 | AC48E0526730A611D363AE5DBFD2F3AA4296BD71C66E13B9DB3D272B754EDCD9 |
| 158 | 422B2A9F8547E4239E1BB508359872C6365B42ECC460C82A0FABAC04F2E44808 |
| 159 | 7D4FD317B9E19AF2BBC5B707C3CCCA5D504B11371D10E3CBAF0AB4E56D0ACAB0 |
| 160 | D5C60074995C0AA0842AEF02269C8567F8B59902E4AADB865C69CB3738D9051F |
| 161 | C8B6CC0BA9DDD2206FD35AA3AD379B169DEBFE223A0EE0E5AA28DA1AA683343C |
| 162 | 921F76D6153E86E480A1FE309A19DA4F75B85BC3F85F3826694977CD2046F0A3 |
| 163 | C7C46F7E5F58B1E6912BC0638475840741CAED5685AF0AB6B563A637B92D41A3 |
| 164 | 37D382FAAFCAAD6F8BF5DA383CB8703B7094A045AEAC5E13B5F4225C6272A615 |
| 165 | 65CEFD92274FB4AF9F33728F8759A6BE835C7550B96EDAB798787CBB8EC95FB3 |
| 166 | 287E705784FE12335E9355C20F8BC8072A7A6A87DEA751CE471CCE37D426E9F0 |
| 167 | AEF39A6FAEB83695C7D97B93E6BC550D0AED93EFE886E651A1610DD8B2ED013A |
| 168 | CBD9BA3E8D82F9D475C81BC3C057C19869810B2CD47E6EDBF392B4A7612F8239 |
| 169 | 51F16E4D41EC420E8520220D44B0088C81619014896BE524F411B718E730A33F |
| 170 | CF997FE5C0AB00EA447EE13F7DEEC8E97EFE412F65355448F04565A1F7AC0E72 |
| 171 | E4EB02B2D64D33E4C0536406BFC9A6D8FCC6B5237642D92333EE3E089BD82723 |
| 172 | 5B8D52ABE9FA8E849A89CF87F90CB07E77BB429E0FE5F518873C8B26EE231A87 |
| 173 | C96029C4F9777C9D521249EE1AC27F75C2350614C361469D0C7B3F8124DA3E14 |
| 174 | A0E3891E0790A9EC38EA05BCC0EA7067E98CED68DBCAFEE10A5F73D560A97B17 |
| 175 | FDED1EC2D17F957B230FEB5FFF518EC98322A1617E4E28953FF38270CB16098A |
| 176 | EBE06DFB790CCEC41432637C593139E6C813AF0BA0F1366FF9FF12F8DD89AD40 |
| 177 | 2D2C183A82B5F13E458946DEFA3D2DC361B6FBB1321FE0535DAB40FCA4B7C272 |
| 178 | A6291A63E3B4E8E3B58E96DB2A98BA918E674B21B3483EC0A69DA5C5594390D8 |
| 179 | C7BE73CAC9A130F487490E98B811F707492F92EEB989D75681F113FC7B184F95 |
| 180 | 35CEFBC2F7DB302E881DAEBB572093D721E3E94CDDEC465B6F08877095B572BD |
| 181 | 6E417844E162251228B6305C70ACC481F423036C6F14DA753F8C591F115EA8E0 |
| 182 | 5896A3D47B5CEEAAD8C69D9811C79438233EF78E042EBEEFF807C69B6EE63FB2 |
| 183 | 3A867B8D991A3125CA3ED27E2F0D6568277AEC1CD15A0D8F9201981F4A5EEC6D |
| 184 | D0F06064FD7C105AFB139A30010104E1FE4A41A0967E450F9509ED7AA793AA1A |
| 185 | F19B3B007B54813C8395F826D76ABB6C7573286D9866ECF1F71CBBB75C12BF04 |
| 186 | EF2B268D4FF17708D1D01E363CB486E7AA83616AB595434535CFB33BE0F716C4 |
| 187 | E116D6C8F922AE101D2AF721AF3D183DD12D47A167312266E54C02F8B5AE53E3 |
| 188 | C7EE00F75D464EFE63FBF3998517B171AA296DBD3254E95DF25BC579F8517AA2 |
| 189 | 4D920F5202A33EBD9BBAFD73E11D5D222D4B8E0D50C11BC9B8B5F4E291F7C8E1 |
| 190 | 02E112947AA19A577FD9D825531BD74797BBF5825A74E9918D4027BBD24BB49B |
| 191 | 9AC9E6123537F163E7730768B1B39BDA34A7831B5A3F8752D2A0CA4C394F5752 |
| 192 | 2D1EEE053F84BFFF1C9F4F82CAD96DD60D04596236DF9B929A921E32BF4EFB0A |
| 193 | 314BA33232F07D0EAE2648A6DF5B3009484CFDBDA6E57D8A0B221D215EC5300F |
New Quark Rules For GoldDream
New Quark rules (#00234 - #00237) are now available. These rules target GoldDream, a malware family that monitors SMS messages and phone calls and uploads them to remote servers. Check here for the rule details.
With these rules, Quark is now able to identify the GoldDream malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check here for the APKs we tested.
Below is a summary report of a GoldDream sample (ECA3A3666B0FD72028431431E7FAE6774A8CA692E35AE3CB44FD8F2AA418F746). The report shows that Quark identified the sample as high-risk, with a list of behaviors as evidence.
Identified Well-Known Threats
With Quark’s rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 2 well-known threats from GoldDream, as shown below.
1. Monitor SMS messages and phone calls
The behavior map shows that the Lcom/sjhi/client/zjReceiver;onReceive function monitors SMS messages and phone call activity. It also calls the Lcom/sjhi/client/zjReceiver;a function to collect the data into files.
Behaviors detected by Quark:
Monitor incoming call status (#00064)
Monitor incoming SMS message (#00234)
Monitor outgoing phone call (#00235)
Write data to file (#00236)
2. Upload SMS messages and phone calls to remote servers
The behavior map shows that the Lcom/sjhi/client/e;a function connects to a URL and writes a file to an output stream. If the output stream is from the URL, this indicates the function uploads a file to a remote server.
Behaviors detected by Quark:
Connect to a URL and set request method (#00096)
Write file content to an output stream (#00237)
List of Tested APKs
The table below lists the APKs we tested.
| index | sha256 |
|---|---|
| 1 | DAAFD978B9C3D6CE45DF705F9C5DE432609546673441A7F1ECAE7C4F42069FE1 |
| 2 | D710998CC0C38046D8C3713463B992B925A647780D61030462DBEE41094D2E21 |
| 3 | C2236E4159E14623214C9F22EB8B373AE47C20CEF126398B7EC2D11DDF7133CB |
| 4 | 30838B9223D7C9A029D25903030C0EE5784E2556F3FB4994A9A66D0E52452915 |
| 5 | F44FF1D306731B7EA378569545963A71254145252C2D26CA6F679CAA8FD39468 |
| 6 | 26C12F1A899DBA752B29B20B599CEAC2A814BE1AB3CD50BEB96A26B6033F2F1E |
| 7 | 38A90E9AB4FAA62EA71F1FC726BA4B747FA363D9F4D15E7478239E771FC36BC9 |
| 8 | 72A3B68C5EBD84E1F9FF9AF529A2102A1DE08E7F1CA5B874CF1FFB4B380AF7C9 |
| 9 | 594EBCC14A163B86222BD09ADFE95498DA81CEAEB772B706339D0A24858B1267 |
| 10 | 4DB9936E2BD190CC35710264179D5FEB28735C0661991593F28D5FEA6B2A3998 |
| 11 | 021B664D927EE81E90B936E6B880844B040753BC048DEBFF0358B39FA15C39E7 |
| 12 | 6F3FF062C0A4CA13A12C68FB3FC17A12F75BD18BA6CB76CC82660F026A966990 |
| 13 | ECA3A3666B0FD72028431431E7FAE6774A8CA692E35AE3CB44FD8F2AA418F746 |
| 14 | 05A64C76B56919F4C6063CE376B59AC84C707425D6A442936B5AD659F7293C1E |
| 15 | 36D7471FA1E7C3AF4BE233F4F4971B41CF0A1EF1067D4C3B1D3BD4C3CD3D2E38 |
| 16 | 70F447054FD798F6EC3D6E67104F0910C73BAD80A94FD83AAC4F119786A0F253 |
| 17 | 545E1A911DA1071D79D9C40E945480FD9D5BA051472991819F8EB2644C5A6F3D |
| 18 | 3E72CC3C0DB3513A29FF53E27726FB9277C7D2F13661CF0DFCA8EB34DC690074 |
| 19 | FF2BEF8912CCD5CEE93DC8C6FB4BE2B142E790A30689AFEDB32ECB665AD1F040 |
| 20 | BA84EB2885F01C15DFDA3FE394486BE9E7E0FAECE28EABA70B007BE5864C233D |
| 21 | 42979D0E32550419DFA7F7BB1C5CCA245056E0EC50B489CA73C259E45C76C66D |
| 22 | 969BCDB8DC4043483AB645AFFF4616A1845F2276EF4165475F6357D71508047C |
New Quark Rules For SpyNote
New Quark rules (#00238 - #00242) are now available. These rules target SpyNote, a malware family that takes screenshots, simulates user gestures, logs user input, and communicates with C2 servers. Check here for the rule details.
With these rules, Quark is now able to identify the SpyNote malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check here for the APKs we tested.
Below is a summary report of a SpyNote sample (0713a683567125ea6fdff233cfa850b36a0d2c7d7c964510405cbdf669fe2a8b). The report shows that Quark identified the sample as high-risk, with a list of behaviors as evidence.
Identified Well-Known Threats
With Quark’s rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 4 well-known threats from SpyNote, as shown below.
1. Take screenshots
The behavior map shows that the Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/keydkuycdcczonreivsieapzgrzkejxcowwsziydpvouihgqnu3/AccessService function obtains screenshot data and converts it into bitmap format.
Behaviors detected by Quark:
Extract screenshot data to bitmap format (#00238)
2. Simulate user gestures
The behavior map shows that the Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/Perfct;clickByGesture function simulates user finger gestures on a mobile phone.
Behaviors detected by Quark:
Simulate user gestures (#00240)
3. Log user input
The behavior map shows that the Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/keydkuycdcczonreivsieapzgrzkejxcowwsziydpvouihgqnu3/AccessService;checkPassword function obtains the description of a UI element. It also calls the Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/FileUtils;writeText function to log the data to a file. If the UI element is a keypad button on the lock screen, the user’s password can be logged.
Behaviors detected by Quark:
Get the description of a UI element (#00241)
Write data to a file (#00242)
4. Communicate with C2 servers
The behavior map shows that the Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/hlshzietuthuztzpsjgswpikkmwdxkiqxbzdseqdoywzyerfhi4/CameraHandler$1;run function establishes a connection to an IP address, which could be a malicious C2 server.
Behaviors detected by Quark:
Establish a connection to an IP address (#00239)
List of Tested APKs
The table below lists the APKs we tested.
| index | sha256 |
|---|---|
| 1 | 059b5f74e053c2966775157cd521580fcfaa3b1a7613560b8f499dbd9c11d4b4 |
| 2 | 0713a683567125ea6fdff233cfa850b36a0d2c7d7c964510405cbdf669fe2a8b |
| 3 | 4b2b411e03aafaa19ea93286fadd39a5134f4a039db2d5019b1054547c0d5601 |
| 4 | 5c01f7727c78dea9c89dccf92b01b4c45e69406e6462340779401497bf4d4589 |
| 5 | 8c365bd58edeb2ca371ead5e28350ee6c480a79f558d967ecbef525e9f1d7b3e |
| 6 | da4f59bdc91eaeaba238a8ba9602f7d5cc75f0892a92f5422e23b55accbbb2f0 |
| 7 | dd7650a9cd3f853e109d2d0138ede785e1559d6c2d8c52eec2f2d9808a924f1c |
| 8 | dee1eaaa8879a7d321ef4e698203be7b23eeda80a6dea3c70cbf3138597b1800 |
| 9 | f46b863952599b91a4d2d682a80f345dfa03fad473d1938f2c53a3139c87a019 |
| 10 | eec5096dfca6824317863f9225c29f6c4b3442c48fefa62dc382e3569bca5a60 |
New Quark Rules For DawDropper
New Quark rules (#00243 - #00245) are now available. These rules target DawDropper, a malware family that downloads and installs additional APKs. Check here for the rule details.
With these rules, Quark is now able to identify the DawDropper malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check here for the APKs we tested.
Below is a summary report of a DawDropper sample (a1298cc00605c79679f72b22d5c9c8e5c8557218458d6a6bd152b2c2514810eb). The report shows that Quark identified the sample as high-risk, with a list of behaviors as evidence.
Identified Well-Known Threats
With Quark’s rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify two well-known threats from DawDropper, as shown below.
1. Download APKs from remote servers
The behavior map shows that the Lcom/techmediapro/photoediting/core/MainActivity;N0 function downloads a file from a URL. If the URL points to an APK, it indicates that the function downloads an additional APK from a remote server.
Behaviors detected by Quark:
Connect to a URL and read data from it (#00243)
Write data to a file (#00244)
2. Install additional APKs
The behavior map shows that the Lcom/techmediapro/photoediting/core/MainActivity;S0 function installs additional APKs.
Behaviors detected by Quark:
Install other APKs from file (#00245)
List of Tested APKs
The table below lists the APKs we tested.
| index | sha256 |
|---|---|
| 1 | 022a01566d6033f6d90ab182c4e69f80a3851565aaaa386c8fa1a9435cb55c91 |
| 2 | 02499a198a8be5e203b7929287115cc84d286fc6afdb1bc84f902e433a7961e4 |
| 3 | 05b3e4071f62763b3925fca9db383aeaad6183c690eecbbf532b080dfa6a5a08 |
| 4 | 71c44a78cd77a8f5767096f268c3193108ac06ff3779c65e78bc879d3b0ff11d |
| 5 | 77f226769eb1a886606823d5b7832d92f678f0c2e1133f3bbee939b256c398aa |
| 6 | 8fef8831cbc864ffe16e281b0e4af8e3999518c15677866ac80ffb9495959637 |
| 7 | 9b2064f8808d3aaa2d3dc9f5c7ee0775b29e29df3a958466a8953f148b702461 |
| 8 | a1298cc00605c79679f72b22d5c9c8e5c8557218458d6a6bd152b2c2514810eb |
| 9 | b4bd13770c3514596dd36854850a9507e5734374083a0e4299c697b6c9b9ec58 |
| 10 | d5ac8e081298e3b14b41f2134dae68535bcf740841e75f91754d3d0c0814ed42 |
New Quark Rules For SLocker
A new Quark rule (#00246) is now available. This rule targets SLocker, a malware family that locks the device with an overlay screen. Check here for the rule details.
With this rule, Quark is now able to identify the SLocker malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check here for the APKs we tested.
Below is a summary report of a SLocker sample (570e2811e8c87f714eb3485c271ec03b9de699c6b7f67e858a24396ce5f7b69e). The report shows that Quark identified the sample as high-risk, with a list of behaviors as evidence.
Identified Well-Known Threats
With Quark’s rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 1 well-known threat from SLocker, as shown below.
1. Lock the device with an overlay screen
The behavior map reveals that the Lcom/lololo/LockService;onCreate function creates an overlay window on top of other applications. By configuring the window to occupy the entire screen, the APK can block all user interactions and lock the device.
The behavior detected by Quark:
Create an overlay window on top of other applications (#00246)
List of Tested APKs
The table below lists the APKs we tested.
| index | sha256 |
|---|---|
| 1 | 35c39da84abfc8d8b89389524d6e203d91e5af8004720c60f13b492e14ddde56 |
| 2 | 570e2811e8c87f714eb3485c271ec03b9de699c6b7f67e858a24396ce5f7b69e |
| 3 | 88b86662dd1653845985544299fd8cc732f49c72d63c86ea3ffb7bb3b3249138 |
| 4 | 8ec195cd1f5c9f66c75000f26120832d7e1a9044fe3699d18d676bd5739b8518 |
| 5 | 9cc9fba099c35d65638f521e5a1d748ea432b64d82fe9732cfc52f8b57d3dffd |
| 6 | 9e875f82515cc6b27367ae20ef52b9e0d7476bf8bda91e2ba0d888cf0857311f |
| 7 | a60082e481d6873103537e136b7b14a7892cd1205593d64567a448453eff4a6a |
| 8 | b5ab87692109c072cc277246e957ab32cfce6973f9f06c609ba51b53114cce51 |
| 9 | df091031ed5073de09158b3afcf1fb956d1f337a66e552e9d3458ed5f5f6edb1 |
| 10 | e504ff4501da2412758babadabb05a761ae6edacd043d68334e384d94fe4f4ac |
| 11 | f3fcd84b4e92a52ae5b30df003b911f21b2ea4325f788d5a5decc08582d3fd40 |
New Quark Rules For PhantomCard
New Quark rules (#00247 - #00251) are now available. These rules target PhantomCard, a malware family that communicates with C2 servers, reads the payment data of NFC cards, and captures PINs of NFC cards through deceptive screens. Check here for the rule details.
With these rules, Quark is now able to identify the PhantomCard malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check here for the APKs we tested.
Below is a summary report of a PhantomCard sample (5769ae3cc93943dda4d1743f2febf6cec1282a0a6289da68cb55bb4724ec9332). The report shows that Quark identified the sample as high-risk, with a list of behaviors as evidence.
Identified Well-Known Threats
With Quark’s rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 3 well-known threats from PhantomCard, as shown below.
1. Communicate with C2 servers
The behavior map reveals that the Ls1/j;doInBackground function establishes a connection to an IP address, which could be a malicious C2 server.
Behaviors detected by Quark:
Establish a connection to an IP address (#00247)
2. Read the payment data of NFC cards
The behavior map reveals that the Lt1/c;b function establishes a connection to an NFC card and reads the payment data stored in it.
Behaviors detected by Quark:
Establish a connection to an NFC card (#00248)
Read the payment data stored in an NFC card (#00249)
3. Capture PINs of NFC cards through deceptive screens
The behavior map reveals that the Le/r;onReceive function creates a UI layout and listens for user clicks on a UI element. If the UI layout is deceptive, users could be deceived into entering their NFC card PINs. Subsequently, the app could harvest the PINs by listening for user clicks on UI elements such as keypad buttons.
Behaviors detected by Quark:
Create a UI layout from XML (#00250)
Listen for user clicks on a UI element (#00251)
List of Tested APKs
The table below lists the APKs we tested.
| index | sha256 |
|---|---|
| 1 | 0d5fd1997ecb76a167df753d5cce7688dfd0d813c028c9644025da352af77b7d |
| 2 | 21c66fe505f2bcd7b29d413189920b3a85df48da0ecf4eb6962d6a504a7fdcd8 |
| 3 | 2922fcf373e2caf3588266cfafeaafbc74304c81d024315d279f0ea537adc1b6 |
| 4 | 360966ad8752d040e9aaae5cb4a5913e6f85edcf56ecfeb8246729b45d0e6c78 |
| 5 | 5769ae3cc93943dda4d1743f2febf6cec1282a0a6289da68cb55bb4724ec9332 |
| 6 | a78ab0c38fc97406727e48f0eb5a803b1edb9da4a39e613f013b3c5b4736262f |
| 7 | ab2906d88e4f64ec0784ef8fdf132bb7ca9a914c037c3b731803f3adfd7a8f66 |
| 8 | cb10953f39723427d697d06550fae2a330d7fff8fc42e034821e4a4c55f5a667 |
| 9 | d3f863757e946d117ee7c7b50e480264a2ff1a08e7925bd2de3e6c43182868ed |
| 10 | e27579b92fcad2f4fe96db7b5e7a7cdc41754a7cd126fcaf598d3f8d8c21c0f5 |
New Quark Rules For ToxicPanda
New Quark rules (#00252 - #00262) are now available. These rules target ToxicPanda, a malware family that steals financial data via deceptive overlays, remotely controls devices, intercepts one-time passwords, and stays active in the background. Check here for the rule details.
With these rules, Quark is now able to identify the ToxicPanda malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check here for the APKs we tested.
Below is a summary report of a ToxicPanda sample (12d94320a25c1496ae3c7d326e07d4d92d34381d7b821f58ef9f4e135612c6d8). The report shows that Quark identified the sample as high-risk, with a list of behaviors as evidence.
Identified Well-Known Threats
With Quark’s rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 4 well-known threats from ToxicPanda, as shown below.
1. Steal financial data via deceptive overlays
The behavior map shows that the Lnp/;run function creates an overlay on top of other applications by gathering screen information and calling Lnp/ࢯ;̐. To make the overlay deceptive, it displays a website within the overlay and allows the website to access internal methods, enabling the theft of financial data.
Behaviors detected by Quark:
Get the status bar height (#00256)
Get the navigation bar height (#00257)
Create an overlay window on top of other applications (#00252)
Allow website to access internal methods (#00258)
Display URL content on a WebView (#00259)
2. Remotely control device
The behavior map shows that the Lnp/Ī;call function retrieves data from a URL and calls multiple functions (Lnp/;̓, Lnp/;̐, Lnp/;̒, Lnp/;̎, Lnp/ࣼ;̔, and Lnp/;̍) to simulate user gestures. If the URL points to a remote server, threat actors can use this mechanism to remotely control the device.
Behaviors detected by Quark:
Query a URI and append the result into a string (#00190)
Simulate a touch gesture on the device screen (#00205)
Simulate user gestures (#00240)
Save gestures into a list (#00253)
Dispatch gesture from a list (#00260)
3. Intercept one-time passwords
The behavior map shows that Lnp/ࣿ;onReceive reads incoming SMS messages. This enables the malware to intercept SMS-based one-time passwords (OTPs) and bypass two-factor authentication on financial accounts.
Behaviors detected by Quark:
Read SMS message from Intents (#00254)
Read SMS message from PDU (#00261)
4. Stay active in the background
The behavior map shows that Lnp/ࣿ;onReceive monitors device boot events and calls Lnp/ࣿ;̍ to schedule a periodic job. If the job starts the malware, this mechanism allows the malware to stay active in the background after the device boots.
Behaviors detected by Quark:
Monitor device boot completion (#00262)
Schedule a periodic job (#00255)
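How Quark decides that a two-API behavior such as "Read SMS message from PDU" is present, as an added Python illustration (not Quark's own code, and not the contents of rule #00261): the rule, the permission set and the two method listings are constructed assumptions, written to look like what a receiver handling the `pdus` extra compiles to. Quark's five stages are cumulative, namely permission requested, both native APIs present in the APK, both in one method, called in the rule's order, and the first API's return value flowing into the second's arguments, and each stage passed adds 20% to the reported confidence. The stage-5 check is a forward taint over registers in program order, which is what separates the real receiver from the decoy method that merely mentions both APIs.

```python
"""Five-stage matching of one Quark-style rule against one method listing.
Added illustration, not Quark's code. RULE is an assumption modelled on the
public two-API rule format (not the text of rule #00261); RECEIVER and DECOY
are constructed listings of a hypothetical SMS receiver, not disassembly of
any ToxicPanda APK."""
from collections import namedtuple
from typing import List, Optional, Set, Tuple

Api = namedtuple("Api", "cls method descriptor")
# A call site: the API, the argument registers, the return register (None = void).
Invoke = namedtuple("Invoke", "api args result", defaults=[None])
Method = namedtuple("Method", "name insns")
Rule = namedtuple("Rule", "crime permission api")   # api = (first, second)
# Pseudo-API for a register move (move-object / aget-object): taint passes
# from its argument to its result exactly like any other call.
MOVE = Api("<insn>", "move-object", "")

def calls(method: Method) -> List[Api]:
    return [i.api for i in method.insns]

def stage1_permissions(rule: Rule, permissions: Set[str]) -> bool:
    return all(p in permissions for p in rule.permission)

def stage2_native_apis(rule: Rule, methods: List[Method]) -> bool:
    seen = {a for m in methods for a in calls(m)}
    return all(a in seen for a in rule.api)

def stage3_combination(rule: Rule, methods: List[Method]) -> List[Method]:
    """Methods whose body invokes both APIs."""
    return [m for m in methods if set(rule.api) <= set(calls(m))]

def stage4_sequence(rule: Rule, method: Method) -> bool:
    """Some call of the first API precedes some call of the second."""
    first, second = rule.api
    seq = calls(method)
    return seq.index(first) < len(seq) - 1 - seq[::-1].index(second)

def stage5_register(rule: Rule, method: Method) -> bool:
    """Does a value returned by the first API reach an argument of the
    second? Forward taint over registers, walked in program order."""
    first, second = rule.api
    tainted: Set[str] = set()
    for insn in method.insns:
        if insn.api == second and any(a in tainted for a in insn.args):
            return True
        if insn.result is None:
            continue
        # the first API's return is the taint source; every other call (and
        # MOVE) carries taint from its arguments into its return register
        if insn.api == first or any(a in tainted for a in insn.args):
            tainted.add(insn.result)
        else:
            tainted.discard(insn.result)
    return False

def analyze(rule: Rule, permissions: Set[str], methods: List[Method]) -> Tuple[int, Optional[str]]:
    """Highest stage reached (0-5) and the method that reached it; Quark
    reports the stage as confidence in 20% steps."""
    if not stage1_permissions(rule, permissions):
        return 0, None
    if not stage2_native_apis(rule, methods):
        return 1, None
    best: Tuple[int, Optional[str]] = (2, None)
    for m in stage3_combination(rule, methods):
        stage = 3
        if stage4_sequence(rule, m):
            stage = 5 if stage5_register(rule, m) else 4
        if stage > best[0]:
            best = (stage, m.name)
    return best

CREATE_FROM_PDU = Api("Landroid/telephony/SmsMessage;", "createFromPdu", "([B)Landroid/telephony/SmsMessage;")
GET_BODY = Api("Landroid/telephony/SmsMessage;", "getMessageBody", "()Ljava/lang/String;")
GET_EXTRAS = Api("Landroid/content/Intent;", "getExtras", "()Landroid/os/Bundle;")
BUNDLE_GET = Api("Landroid/os/Bundle;", "get", "(Ljava/lang/String;)Ljava/lang/Object;")

# Hypothetical rule in the spirit of "Read SMS message from PDU" (assumed).
RULE = Rule("Read SMS message from PDU", ["android.permission.RECEIVE_SMS"], (CREATE_FROM_PDU, GET_BODY))
PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.INTERNET"}

# Constructed receiver: Intent -> Bundle -> pdus[] -> SmsMessage -> body text.
RECEIVER = Method("Lexample/SmsReceiver;onReceive", [
    Invoke(GET_EXTRAS, ("p2",), "v0"),        # p2 = the broadcast Intent
    Invoke(BUNDLE_GET, ("v0", "v1"), "v2"),   # v1 holds the string "pdus"
    Invoke(MOVE, ("v2",), "v3"),              # aget-object: one PDU byte[]
    Invoke(CREATE_FROM_PDU, ("v3",), "v4"),
    Invoke(GET_BODY, ("v4",), "v5"),
])
# Constructed decoy: both APIs present, but in the wrong order and unrelated.
DECOY = Method("Lexample/Util;log", [Invoke(GET_BODY, ("p1",), "v0"), Invoke(CREATE_FROM_PDU, ("p2",), "v1")])
METHODS = [DECOY, RECEIVER]

if __name__ == "__main__":
    stage, where = analyze(RULE, PERMISSIONS, METHODS)
    print(f"{RULE.crime}: stage {stage} ({20 * stage}% confidence) in {where}")
```

The decoy stops at stage 3 (both APIs in one method, wrong order), so on its own it would be reported at 60% confidence; the receiver reaches stage 5 and is what a 100% hit on this kind of rule looks like. When a real report shows a rule stuck at 60% or 80%, this is the distinction to check by hand before calling the behavior confirmed.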
List of Tested APKs
The table below lists the APKs we tested.
| index | sha256 |
|---|---|
| 1 | 12d94320a25c1496ae3c7d326e07d4d92d34381d7b821f58ef9f4e135612c6d8 |
| 2 | 2bf76945694c257d9bb1533c70075fbabce2d8671b476b7478421389ed258980 |
| 3 | 377f07b92d33e0ea9d7cfe3c288e19df2be8555154bdb1141b82a87d068a0cf7 |
| 4 | 86fdfff09f03b0cde4cd0cde3ce0f75e37859925ef6fd89b372bbfada1ace572 |
| 5 | 9d00052eb9a97a53a49c8e1a26138de835e2d354adef44a51ce8fb599d769fc1 |
| 6 | d40e45359546cb801887a38d4adb397327ce4bf0a166192f5f72165471fff10d |
| 7 | fde931224d2e558e67ac8c9c0c1d0aac4f7562622a67870d6c3024bdeb851676 |
New Quark Rules For Hydra
A new Quark rule (#00263) is now available. This rule targets Hydra, a banking trojan family that intercepts SMS messages to capture OTPs, performs overlay attacks to steal banking credentials, communicates with C2 servers for remote control, and collects device fingerprints for tracking. Check here for the rule details.
With this rule, Quark is now able to identify the Hydra malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check here for the APKs we tested.
Below is a summary report of a Hydra sample (3154684c4192a1ae7a00f9f61d3024e2d25a85508c512094a771f878c3130848). The report shows that Quark identified the sample as high-risk, with a list of behaviors as evidence.
Identified Well-Known Threats
With Quark’s rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 6 well-known threats from Hydra, as shown below.
1. Intercept SMS messages to capture OTPs and banking codes
The behavior map shows that the Lcom/payu/custombrowser/PayUCBLifecycle$7;onReceive function reads SMS messages from PDU format, queries the phone number from the SMS sender, and retrieves data from the broadcast. This behavior is commonly used by banking trojans to intercept one-time passwords (OTPs) sent via SMS.
Behaviors detected by Quark:
Read SMS message from PDU
Query the phone number from SMS sender
Retrieve data from broadcast
2. Overlay attacks to deceive users into revealing sensitive information
The behavior map shows that the Lcom/mopub/mobileads/BaseWebView;clearWebViewDeadlock function retrieves the application context and adds a view to the window manager. By adding a view through the WindowManager, the APK can display an overlay window on top of other applications, potentially mimicking a legitimate banking app to steal user credentials.
Behaviors detected by Quark:
Retrieve the application context and add a view to the window manager
3. Communicate with C2 servers for remote control
The behavior map shows that the Lcom/ufotosoft/ad/utils/CachedBitmapFactory;decodeBitmapHTTP function calls Lcom/ufotosoft/ad/utils/HttpUtil;decodeBitmapHttp, which connects to a remote server through a given URL and reads the input stream. This behavior is commonly used for C2 communication, allowing attackers to send commands and receive stolen data.
Behaviors detected by Quark:
Connect to the remote server through the given URL
Read the input stream from given URL
Connect to a URL and get the response code
Connect to a URL and receive input stream from the server
Connect to a URL and read data from it
4. Collect device fingerprints for tracking
The behavior map shows two functions collecting device identifiers. The Lcom/douban/amonsul/device/DeviceInfo;initPhoneInfo function queries the IMEI number, IMSI number, and the network operator name. The Lcom/alipay/sdk/util/a;<init> function queries the IMEI number, IMSI number, and WiFi information including the MAC address. These identifiers can be used to uniquely identify and track infected devices.
Behaviors detected by Quark:
Query the IMEI number
Query the IMSI number
Get the network operator name and IMSI
Get the network operator name
Get the current WIFI information
Query WiFi information and WiFi Mac Address
Get the current WiFi MAC address
5. Detect foreground applications to trigger overlay attacks
The behavior map shows a transitive call chain: Lcom/igexin/push/extension/distribution/basic/a/a;a and Lcom/igexin/push/extension/distribution/basic/a/a;b both call an intermediate function that uses reflection and dynamic class loading, which in turn calls Lcom/igexin/push/extension/distribution/basic/j/c;b to check the list of currently running applications. This is a prerequisite for overlay attacks: when a targeted banking app is detected in the foreground, the malware triggers the overlay to display a phishing screen.
Behaviors detected by Quark:
Check the list of currently running applications
Instantiate new object using reflection, possibly used for dexClassLoader
Initialize class object dynamically
Start a background service
Send notification
Method reflection
6. Inject JavaScript into WebView for credential harvesting
The behavior map shows that the Lcom/payu/sdk/ProcessPaymentActivity;onCreate function allows a website to access internal methods and retrieves data from a broadcast. By injecting a JavaScript interface into a WebView, the malware can interact with web content displayed in the WebView, potentially modifying banking pages or extracting form data entered by users.
Behaviors detected by Quark:
Allow website to access internal methods
Retrieve data from broadcast
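The transitive chain in threat 5 is what Quark's rule classification turns into a behavior map: it walks the call graph so that behaviors found in callees are attributed to the caller that ties them together. Below is an added Python illustration of that grouping, not Quark's own code. The call graph, the per-method findings and the two "threat" definitions are constructed to mirror the shape described above (two entry functions, a reflective intermediate, a running-app check), and the Lcom/push/... method names are placeholders rather than the sample's real names.

```python
"""Behavior map over a call graph: where do a threat's behaviors meet?
Added illustration, not Quark's rule-classification code. CALL_GRAPH and
BEHAVIORS are constructed to mirror the shape described for the Hydra
sample (two entry functions -> a reflective intermediate -> a running-app
check); the method names are placeholders, not the sample's real names."""
from collections import deque
from typing import Dict, List, Optional, Set

# Constructed call graph: method -> methods it invokes directly.
CALL_GRAPH: Dict[str, List[str]] = {
    "Lcom/push/a;a": ["Lcom/push/a;c"],
    "Lcom/push/a;b": ["Lcom/push/a;c", "Lcom/push/a;notify"],
    "Lcom/push/a;c": ["Lcom/push/j/c;b"],          # reflective intermediate
    "Lcom/push/j/c;b": [],
    "Lcom/push/a;notify": [],
}
# Constructed per-method findings, using rule labels as Quark prints them.
REFLECTION = "Method reflection"
RUNNING_APPS = "Check the list of currently running applications"
NOTIFY = "Send notification"
BEHAVIORS: Dict[str, Set[str]] = {
    "Lcom/push/a;c": {REFLECTION, "Initialize class object dynamically"},
    "Lcom/push/j/c;b": {RUNNING_APPS},
    "Lcom/push/a;notify": {NOTIFY},
}
# A well-known threat is a set of behaviors that must co-occur under one caller.
THREATS: Dict[str, Set[str]] = {
    "Detect foreground applications": {REFLECTION, RUNNING_APPS},
    "Notify on target app": {RUNNING_APPS, NOTIFY},
}

def reachable(start: str, graph: Dict[str, List[str]]) -> Set[str]:
    """start plus every method transitively called from it."""
    seen, todo = {start}, deque([start])
    while todo:
        for callee in graph.get(todo.popleft(), []):
            if callee not in seen:
                seen.add(callee)
                todo.append(callee)
    return seen

def behaviors_under(method: str, graph, behaviors) -> Set[str]:
    """Behaviors found in the method itself or in any transitive callee."""
    return set().union(*(behaviors.get(m, set()) for m in reachable(method, graph)))

def covering(threat: Set[str], graph, behaviors) -> List[str]:
    """Methods whose subtree exhibits every behavior of the threat."""
    return sorted(m for m in graph if threat <= behaviors_under(m, graph, behaviors))

def entry_points(threat: Set[str], graph, behaviors) -> List[str]:
    """Covering methods not reached from another covering method: the
    'parent functions' a behavior map shows at the top."""
    cov = covering(threat, graph, behaviors)
    return [m for m in cov if not any(m in reachable(o, graph) for o in cov if o != m)]

def merge_points(threat: Set[str], graph, behaviors) -> List[str]:
    """Deepest covering methods: none of their callees covers the threat alone,
    so this is where the behaviors are actually tied together."""
    cov = set(covering(threat, graph, behaviors))
    return sorted(m for m in cov if not (reachable(m, graph) - {m}) & cov)

def call_path(src: str, dst: str, graph) -> Optional[List[str]]:
    """Shortest call chain from src to dst, or None if dst is unreachable."""
    parent: Dict[str, Optional[str]] = {src: None}
    todo = deque([src])
    while todo:
        cur = todo.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for callee in graph.get(cur, []):
            if callee not in parent:
                parent[callee] = cur
                todo.append(callee)
    return None

if __name__ == "__main__":
    for name, needed in THREATS.items():
        print(f"{name}: entries={entry_points(needed, CALL_GRAPH, BEHAVIORS)} "
              f"merge={merge_points(needed, CALL_GRAPH, BEHAVIORS)}")
        for entry in entry_points(needed, CALL_GRAPH, BEHAVIORS):
            for callee, found in BEHAVIORS.items():
                if found & needed:
                    print("   ", " -> ".join(call_path(entry, callee, CALL_GRAPH) or []))
```

entry_points gives the parents a behavior map lists at the top (both Lcom/push/a;a and Lcom/push/a;b, matching the two callers in the Hydra chain), while merge_points gives the deepest method that still covers the threat. That merge point is where the reflection-hidden call is actually made, and therefore the better place to set a Frida hook or breakpoint when confirming the finding dynamically.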
List of Tested APKs
The table below lists the APKs we tested.
| index | sha256 |
|---|---|
| 1 | 2d0b157e27359bc36c31e3c3ef891964bc98b2cb66c4f95c2ffc4af7d3477e30 |
| 2 | 3154684c4192a1ae7a00f9f61d3024e2d25a85508c512094a771f878c3130848 |
| 3 | 49bca7195e05926210f7dffe4289f6b30372db9de7af72bc6a4802cb477e5729 |
| 4 | 5c128cfee50059349b9b155c417e3950aaf292f4a9098e1b6748524e5fdfa6de |
| 5 | 6005f5569a6240c36f07de53438df1615ea6f000000fa5452d5a8870afe6336b |
| 6 | 74f3a191e941c68bbc7bf87515a12ae547e79eba4d9ffd5c2799a9c44b77dc2d |
| 7 | 91126eea4f088df8a38667eff9f0fd8b6d49a58b919e8cfd242612a44d702b40 |
| 8 | a2c91743a0834cd1fb63c6965c581e1f5a57f1d2fcb226985423894ac814c93a |
| 9 | c08903e2be8737c3fbea2293c6a1a5242afe58e6e90a3da45724a1dae7c88a25 |
| 10 | c2ef244e7a1980880aeb212672705e877851b9cc054e023015dd748c8e69ab38 |
| 11 | d5a63c4ace387cff8d641ad9aeedf9e406684b0f3bdcfc79e97de80eef177bee |
| 12 | e51f32dbe18d52eafe2ac65f77f84450fd279fecd0278b0df95ce654017dddd2 |
| 13 | e80cb43578f6a8b2ded95c8a2e86076f3661d60e2f18ebd1f094308e1d593c87 |
| 14 | ea6058517e957895fbd3c26cac63013df3442ceea289123c7afd4bd0b24bea82 |
| 15 | f6da0d9f1d74f2f80cd4d69183a78ccc1b3679689419262c9704787cea754726 |
| 16 | faaf963fd84d0e7c86f8750115f5291f0692d0aca0f97e151cf4cc870a65d88e |
| 17 | fb34414b386d0d12c24d11bce56f087730afc3fbab1ee397182f5dd64183b53b |
| 18 | fe9cfc5046c583a7b28fa506cd33e636d27310b14240247625c693444a27336f |
New Quark Rules For SharkBot
New Quark rules (#00264 - #00265) are now available. These rules target SharkBot, a sophisticated Android malware family built primarily for financial fraud. SharkBot uses overlay attacks and credential theft to compromise user accounts, has been observed targeting banking applications, and employs various evasion techniques to avoid detection. Check here for the rule details.
With these rules, Quark is now able to identify the SharkBot malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check here for the APKs we tested.
Below is a summary report of a SharkBot sample (20E8688726E843E9119B33BE88EF642CB646F1163DCE4109B8B8A2C792B5F9FC). The report shows that Quark identified the sample as high-risk, with a list of behaviors as evidence.
Identified Well-Known Threats
With Quark’s rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 3 well-known threats from SharkBot, as shown below.
1. Stealing User Credentials
The behavior map shows that the Lcom/guksydvbflaqtwqg2cfuvjwxai7b/ggxfimuhpqlyzg8d2evysfqo/MyServiceA;l function simulates user gestures and queries device data to steal user credentials, calling the Lcom/guksydvbflaqtwqg2cfuvjwxai7b/ggxfimuhpqlyzg8d2evysfqo/MyServiceA;k function to read and compile sensitive data into a JSON object.
Behaviors detected by Quark:
Read sensitive data(SMS, CALLLOG) and put it into JSON object (#00010)
Read sensitive data(SMS, CALLLOG, etc) (#00077)
Query a URI and check the result (#00187)
Simulate a touch gesture on the device screen (#00205)
Query device data with ContentResolver (#00212)
Query device data with ContentResolver and a URI parsed from a string (#00222)
Simulate user gestures (#00240)
2. Intercepting SMS Messages
The diagram indicates that the function Lcom/guksydvbflaqtwqg2cfuvjwxai7b/ggxfimuhpqlyzg8d2evysfqo/MyServiceA;k processes SMS-related data and stores it in a JSON object.
Behaviors detected by Quark:
Read sensitive data(SMS, CALLLOG) and put it into JSON object (#00010)
Read sensitive data(SMS, CALLLOG, etc) (#00077)
3. Downloading Additional Payloads
The behavior map shows that the Landroidx/lifecycle/ViewModelProvider$AndroidViewModelFactory;create function uses reflection to instantiate new objects, which may indicate preparation for dynamic code loading via DexClassLoader.
Although no direct download evidence was identified, this pattern can be regarded as one possible indicator of additional payload delivery or loading.
Behaviors detected by Quark:
Instantiate new object using reflection, possibly used for dexClassLoader (#00157)
List of Tested APKs
The table below lists the APKs we tested.
| index | sha256 |
|---|---|
| 1 | 20E8688726E843E9119B33BE88EF642CB646F1163DCE4109B8B8A2C792B5F9FC |
| 2 | 4F1822817690D89943E7E57468AB4366E360772C0ADCE67BF74A7224B3732DEE |
| 3 | 57F8A57320EEED2F5B5A316D67319191CE717CC51384318966B61F95722E275F |
| 4 | 6AEFC2C4727CE80F03867F356DF462F1A1CE21C72801B877FDB95E67CD00D6A4 |
| 5 | 7F55DDDCFAD05403F71580EC2E5ACAFDC8C9555E72F724EB1F9E37BF09B8CC0C |
| 6 | 8F45831B1DF8FE44111E35B05271F6EC1796B03C104A67CD6481BF93F2AFFE86 |
| 7 | DD0641F261D75864B164A7F963B45DC43C6C815AD01E5F51C29504C668E6D5EC |
| 8 | E5B96E80935CA83BBE895F6239EABCA1337DC575A066BB6AE2B56FAACD29DDAA |
New Quark Rules For Antidot
New Quark rules (#00266–#00270) are now available. These rules target Antidot, an Android malware family known for stealing sensitive information and executing a wide range of malicious activities on infected devices. Antidot primarily targets banking applications and leverages multiple evasion and persistence techniques to avoid detection. Check here for the rule details.
With these rules, Quark is now able to identify the Antidot malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check here for the APKs we tested.
Below is a summary report of an Antidot sample (07DA124F1F4BA891E7917082BDFA74C580E78543164DF2FEC86E8B0C3AB0211E). The report shows that Quark identified the sample as high-risk, with a list of behaviors as evidence.
Identified Well-Known Threats
With Quark’s rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 4 well-known threats from Antidot, as shown below.
1. Data Theft
The behavior map shows that the Lcom/luck/picture/lib/loader/LocalMediaPageLoader$1;doInBackground function queries device data using ContentResolver to read sensitive information such as SMS and call logs, and appends the results into a string for potential exfiltration.
Behaviors detected by Quark:
Query device data with ContentResolver (#00218)
Read sensitive data(SMS, CALLLOG, etc) (#00077)
Query a URI and check the result (#00187)
Query device data with ContentResolver and obtain the number of results (#00215)
Query a URI and append the result into a string (#00190)
2. SMS Interception
The diagram indicates that the Lcom/arsryg/auto/login/activity/ActivityShow2;uploadSms function retrieves the content and address of SMS messages by querying a URI, facilitating the interception and potential unauthorized access to SMS data.
Behaviors detected by Quark:
Get the content of a SMS message (#00189)
Get the address of a SMS message (#00188)
Query a URI and check the result (#00187)
Query data from URI (SMS, CALLLOGS) (#00011)
3. Clipboard Capture
The behavior map shows that the Lcom/blankj/utilcode/util/ClipboardUtils;getText function reads the primary clipboard content. This is not keystroke logging in the strict sense, but it lets the malware passively capture credentials, OTPs, and other sensitive text the user copies.
Behaviors detected by Quark:
Read clipboard (#00266)
4. Remote Control
The diagram shows that the Lcom/arsryg/auto/AccUtils;longClickScreen function builds and dispatches accessibility gestures to simulate user input, enabling the attacker to remotely drive the device as if they were sitting in front of it.
Behaviors detected by Quark:
Simulate user gestures (#00240)
Simulate a touch gesture on the device screen (#00205)
Dispatch gesture (#00267)
List of Tested APKs
The table below lists the APKs we tested.
| index | sha256 |
|---|---|
| 1 | 07DA124F1F4BA891E7917082BDFA74C580E78543164DF2FEC86E8B0C3AB0211E |
| 2 | 08A646C04974EACA9F50CE5D77FF6216AF5BFF400EC1B48782A4DAE22FEFBEF0 |
| 3 | 0AF689DA84A03383863583DCAD6C640BA4AB9762AFFDE3D56C199A9EB08E9F41 |
| 4 | 0B7F4C3BE1D0B0F0B53495FF33E8C4B22ADF122E01F8C72D705C489A975FE498 |
| 5 | 12D1FC37FBFA5E0EEC3954F5FC31CDBD55AC61EBD84E41C59FF00567D03B107A |
| 6 | 160940892DC1983ED1B46D8756F1A529D9EC9CE5E3C4481F75C57C568748A38C |
| 7 | 1AE0C4FFE18E7934C019AD1279219D1E8E8491BF62E8B34102E1497010C58247 |
| 8 | 2EDC7CBC0DCE61739A4D977ACD8B6E6940A817D4E698CBCCAA8CE1DDBE0A7BBC |
| 9 | 335FB32EE34E2374D28C9C5A95549FC2965D254B22A9550B505AC7F7304BAE80 |
| 10 | 4338AB77D05AEACD7EAC5ACBE9EED5568778C8E3E9499562816805B54B4D1A6A |
| 11 | 476DDA92941E2F211ABC209EA411D97E3007E9434632C0A721AE48F4FE427259 |
| 12 | 506033F7A6EA5C9E4D89F9EDCC998ED1F33FB74E4A2A4F32AF8CEC2EC009A906 |
| 13 | 518F74277C26B9CA91A2FE4AEABB26AE9B675A5E2E1BC6BDBE53067183477071 |
| 14 | 578D3B5DBB35738F47165EE053138021F88C4BEBFE5EBB2B79DBB998600EAA16 |
| 15 | 6499730A01703CAD20711803829862F3D19EE7A3FEDBE72FEA2F319394B29627 |
| 16 | 6A99E6D4ABC66F09A490443786432D90C675CB6282C791FAE996136CBB69B7E9 |
| 17 | 7748CA5B385DB3FDA3E07000B1552CA05405333083B33C4F470DD3AE4F0E3A5F |
| 18 | 7A373702F30FB4A293574DFF762AB4B89D101DA117F5152BD3BA2369B9DE1661 |
| 19 | 89CACC44F42639F27EFE324F4937B923E2711B88B67B1FDAE8BBAE1210F573E7 |
| 20 | 8EA78D335B8B931B49945E3CE36D12B1576647E7FB797840D3D1FA61B2F42200 |
| 21 | 9DA55AD04E480FA1FD3B45A5F245E6511DFC45D44123000E1CC2D1E10C65E8B8 |
| 22 | A2A9FB573C9F39E3654467EFD78C9B5424DE3033303FACAD972DF1A5F8B2FA04 |
| 23 | B482C7A2734B90EEA3E35E61962DE17336ED81F26BC9432175A03D4E7DA03D65 |
| 24 | BC02322AAF96FA1841101636DC4C8011DA3BCC5571A6F0278813884CE54B5B3F |
| 25 | C6E52BD7D8A1DE54E5A6551A7A737C989D93537C1BB440FDF37914C799E77F16 |
| 26 | DA7B254CB8877278EC38C674B922D54C2AF67405694823C2A35F12EBF920891B |
| 27 | DD4BCE9274CABCBCB2F3EA2B00867932399AD0DE9B923896A70AC03076231EFA |
| 28 | E11DBB99B9083326FC1F148C161A5ED9F4B3C59F44C976248C43600334308E21 |
| 29 | F3DFED0600935C66C5CB48CA9C4D0CAA65E01545A63CF9256964AF06AA4665AD |
| 30 | FE4B2B288565CC1A85B7DD23398CC8AB850B0B0C73D46EC9E7C308AF86A96D60 |
New Quark Rules For Arsink
A new Quark rule (#00271) is now available. This rule targets Arsink, an Android malware family that accesses sensitive device information, initiates phone calls, and abuses the Accessibility Service extensively for UI automation. It is often disguised as a legitimate application to evade detection and gain unauthorized access to user data. See the quark-rules repository for the rule details.
With this rule, Quark is now able to identify the Arsink malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check here for the APKs we tested.
Below is a summary report of an Arsink sample (48f19eef9d420137dee9974e3cc6af3ded9532bd631ace36f7d15eebec6a2dce). The report shows that Quark identified the sample as high-risk, with a list of behaviors as evidence.
Identified Well-Known Threats
With Quark’s rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 3 well-known threats associated with Arsink, as shown below.
1. Accessing Sensitive Information
The diagram indicates that the LSay/hello/To/Arthur/FileUtil;convertUriToFilePath function works together with LSay/hello/To/Arthur/FileUtil;getDataColumn to resolve content URIs through the content resolver, giving the app access to sensitive data such as image, video, audio, and download file paths.
Behaviors detected by Quark:
Query data from URI (SMS, CALLLOGS) (#00011)
Read sensitive data (SMS, CALLLOG, etc) (#00077)
Query device data with ContentResolver (#00212)
Query device data with ContentResolver and a URI parsed from a string (#00222)
Accessing sensitive data from content provider (#00271)
Check if the device is in data roaming mode (#00086)
2. Initiate Phone Calls
The diagram shows that the Lnet/cloud/analyzer/screen/b;c function uses implicit intents via setData to initiate actions such as making phone calls. This capability enables the malware to trigger phone call operations on the infected device.
Behaviors detected by Quark:
Implicit intent(view a web page, make a phone call, etc.) via setData (#00051)
3. Accessibility-Based UI Control
The behavior map shows that the Ld/g;i function orchestrates UI automation by calling multiple helper functions (Ld/g;x, Ld/g;p, Ld/g;y) that leverage accessibility services to interact with UI elements. These functions perform actions such as getting root windows, finding nodes by View ID and text, retrieving screen bounds, and executing actions on accessibility nodes to enable comprehensive UI automation.
Behaviors detected by Quark:
Use accessibility service to perform action getting node info by text (#00159)
Use accessibility service to perform action getting node info by View Id (#00160)
Perform accessibility service action on accessibility node info (#00161)
Use accessibility service to perform action getting root in active window (#00167)
Use accessibility service to perform global action getting node info by View Id (#00169)
Get bounds in screen of an AccessibilityNodeInfo and perform action (#00173)
List of Tested APKs
The table below lists the APKs we tested.
| index | sha256 |
|---|---|
| 1 | 06F7DFDFBFF03719082750FB11CA1F1FE720DAA57F11C7D30D3B3277BFECEB13 |
| 2 | 0BCDF887E6BD21EA4073385A8B2E59025768BE3131A92E9940886E05C748E1CC |
| 3 | 16CB7952AB3CE88EC30B57E1C5F16A8871457E9985D43675AAE47D8DDB5044C8 |
| 4 | 1FC3BA39F0CE8109BCB4F42441250DF5E9C601744B738A2E7C40D612CD29FEC3 |
| 5 | 2063030918DF932A61673559F99E51CC47F3436337F94AFB2E8ACAAFA84289FF |
| 6 | 2C0BCE17BC9BBFBEA95E5B75E6294FD1D5205B915B24729D1F2377E2A6F2B578 |
| 7 | 35F06F91902FAF5A4BC27C8B73F74B74AEA6A6BE2215AE1E990EE504CEB29E4F |
| 8 | 3AE188387DD8B01CD5595B9AD937DAE48D90C4D17FA8BA7F85D3A1F34D1EF3C8 |
| 9 | 3E6EDEBC2DA9A4A80507EEB7ABF529C9C3A70201927F1AE864F9F257CA64BC2E |
| 10 | 4070678717CF011417C9E4307C9ECB4D481563DB4758FFAADA5FA6870E06A4AC |
| 11 | 48F19EEF9D420137DEE9974E3CC6AF3DED9532BD631ACE36F7D15EEBEC6A2DCE |
| 12 | 4CF809B14083143E921BD8FDB7E7725E20E303653D9A3E6C848D9596A33F6C8E |
| 13 | 501E35F1600CE0548226C9957EED76F5F04CB2E1DBFD4F3FB8652009B38E8C9F |
| 14 | 5948A349B534156F5734B3A99E761EC6D84E527AB729B1F28242049B3AFAB2E6 |
| 15 | 595355DAAA6AAD284090210CD55C4A2E276C5263C83D2B202E1486D347AF3701 |
| 16 | 5E48BBE1C62DA18D4C0F2CCA0F8855219C5A05F81C5FB64C1B4A0A6871FA8736 |
| 17 | 603D89C5A2883AB2ED68E12517212BD0B74760F1EF755A61D059440AEBA045FD |
| 18 | 68F800FBED83116AC9EFB2524326FA5D710A911B506762D580A34C19932A21E8 |
| 19 | 6D06806CCEE64D3BAA5B9DA63019C3AC7A23DFE210747FBDBC048A84196325C5 |
| 20 | 744346BD46F139837BF2825206FA95D48DDF6DC078E341492B34B35743A0B297 |
| 21 | 76B8569EFF05CE94BA580E10FB1161AF6537D931F8C9D07EDBA20E93A4A34BB6 |
| 22 | 7DDD3C4808372C91C916C4B77A07A09F61753BC26A592FF7DA3BD71D12802A0C |
| 23 | 8159C79C8A9B54AD363516F9B53C7CADA3EA4AFA0B2D0F6E7DC66FE147D03A93 |
| 24 | 8314ECE95207FF28466D4FC8BF6CEF22CC6E28FEF47E9BEDE381B502F038B552 |
| 25 | 89D492B7539B5552445764907A96B517D08D448F8FF0E3E7A93958DF82D3DF58 |
| 26 | 8E9C6AA5EA90DDD2C3199128E41DE82C4D406B3D2D32BA34CF9D6B1F9C5A8F26 |
| 27 | 917CDE4F5DFDE864C07A412E586E218F65826B71810083BFFB086C3518DEC645 |
| 28 | 9A778FBB730EE653F45B36700A369C81792509F855C2529ACA73DE1443C62DE8 |
| 29 | 9FB8A940492EE6095A24B4A34ECFA252A515FB681F16636A8F00B1E0E7D47FE2 |
| 30 | A3F487BBE5AC9A9EB3556E9612C7A16177EA2767783E9401A6643765B1EE39B3 |
| 31 | BA71C7E507E1B0D8202447F9F86F585286B4AB01B58C7E32BB4F495381EF5004 |
| 32 | BBB41EC382738C0EE5B94D023F023209928CA98893F146A8CFDAA608AFE7B4E6 |
| 33 | C002E68F52DE1B2B62013A82828245D8A956A075B87E220C3F6E1B2BFB220D19 |
| 34 | C1183C6868BF4E006BA412A538A3A07DADBAEDED2BE6F148765DECF69DC284EC |
| 35 | C4F51CCDE0525887B61FB919EEFC5830B24EC35FDCB2AF2AA3893E5F56957C40 |
| 36 | CB93D5C96AE3E0B358AC2A0C57008A5655A049AC3BC5543F814AF5157E2F27DE |
| 37 | D41329E084AD90A62C37E906F18E1089002F4D5E7C5CE123F7753DA90E410372 |
| 38 | D41A27EE5D4B12F6C94E73CC453C69B20FF92CE29823B0FF5BCC50C0D61F826E |
| 39 | D5B6C048A278C06E2625C47A3A57F5CE2E4D6D73D830051A84DE1768E0445882 |
| 40 | D7362FF697A5CAE24B4B084D0436CCDE7060524A24C34F37F185F64597930514 |
| 41 | DB5B22F8D3400BAFA449B6DB01F44896DD8040733B03D11DBC187146E58DFBCD |
| 42 | EB76F62F4BA0718AFD9B1BCCCD6389A6043A4394A6769730F75F8E1F8B3752AF |
| 43 | F9B00165598A0600D53064B2871477FEC3BD62549A69328C4BDD39467AF2D48D |
| 44 | FD263056ADFE6CB5596A11612440FA5D851B3B9BED34A481139C2206A6C570B1 |
New Quark Rules For TrickMo
A new Quark rule (#00272) is now available. This rule targets TrickMo. See the quark-rules repository for the rule details.
TrickMo is an Android banking trojan that evolved from the TrickBot ecosystem. It primarily intercepts SMS messages to bypass 2FA and abuses the accessibility service for screen recording and credential theft. The malware uses sophisticated evasion techniques and has been tracked since 2019.
With this rule, Quark is now able to identify the TrickMo malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision across the 29 tested APKs. See here for the list.
Below is a summary report of a TrickMo sample (4284e6bbc2fc274d8b0a1f37f91408efc0404e4cae0ba28abc4d583bc59af6bd). The report shows that Quark identified the sample as high-risk, with a list of behaviors as evidence.
Identified Well-Known Threats
With Quark’s rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 5 well-known threats from TrickMo, as shown below.
1. SMS Interception for 2FA Bypass
The Lcom/cmaster/cloner/oO0o0ooo;OooO0o0 function queries sensitive data such as SMS and call logs through content providers. In a banking-trojan context, this behavior is consistent with silently reading incoming SMS messages to intercept one-time passwords (OTPs), defeating SMS-based 2FA.
Behaviors detected by Quark:
Read sensitive data (SMS, CALLLOG, etc.) (#00077)
2. Screen Recording and Screenshot Capture
The Lcom/cmaster/cloner/oOO00ooO;OooOO0O function allocates a canvas around a bitmap and renders a target view’s contents into that off-screen bitmap. Drawing a view into a canvas only reaches views that live in the malware’s own process, so what this captures is the UI the malware itself hosts, such as a phishing overlay or an embedded WebView showing a bank’s login page, and it does so without the MediaProjection consent dialog that a real screen recording would trigger. Capturing another app’s window requires MediaProjection or accessibility-service abuse instead.
Behaviors detected by Quark:
Allocate canvas (#00268)
Capture view (#00270)
3. Persistent Background Service
The Lcom/amazon/device/iap/internal/c/e;a function starts a background service. A persistent background service keeps the malware active beyond the app’s foreground lifetime, enabling the continuous device surveillance commonly associated with TrickMo’s accessibility-service abuse.
Behaviors detected by Quark:
Start a background service (#00225)
4. Device Information Exfiltration
The Lcom/inmobi/media/tk;a function, together with 4 callee functions, collects GPS coordinates, network operator identity, ISO country code, network connectivity state, and calendar data. This breadth of collection produces a comprehensive device snapshot consistent with the reconnaissance stage of a banking trojan attack.
Behaviors detected by Quark:
Get location of the device and append this info to a string (#00017)
Query the network operator name (#00060)
Get the ISO country code and put it into JSON (#00085)
Check the current network type (#00087)
Check the network capabilities (#00100)
Get location and put it into JSON (#00113)
Get last known location of the device (#00115)
Check the current active network type (#00124)
Query the ISO country code (#00132)
Get calendar information (#00142)
Get the time of current location (#00147)
Compare network operator with a string (#00171)
5. Reflection-Based API Obfuscation
The Lnet/dress/absorb/Tdomaintuna;onCreate function dynamically resolves method calls and field accesses at runtime via Java reflection. Together, these behaviors hide the complete set of Android APIs and data fields the malware accesses from static analysis — a known evasion technique in TrickMo.
Behaviors detected by Quark:
Method reflection (#00026)
Resolve field via reflection (#00272)
List of Tested APKs
The table below lists the APKs we tested.
| index | sha256 |
|---|---|
| 1 | 04CB1225B4A5A0C256234A9B027408994C45911041766FE0B7E691C44A29389D |
| 2 | 0E69F3D10BA88974C47A9CE83A095A29E9AC3DE66B0441DB60624FBE0772F6C3 |
| 3 | 11AF0DA9A7C5F65BB098ED52973E814B12EBA492FB3615A5FADA5D4CC390928D |
| 4 | 17FC5D1C8BD8B10471131282E42EC289BB1E1EE107CA676F369BB42FC3643AF3 |
| 5 | 1E386AFECBBF96D119876DC5FD54382FEB0FAE878A416321E4ED3A897E763F4F |
| 6 | 2CDFB07D6CAD4B2DCBBDB2713A99AE70DCDD2C049D2E3B356DE4609A905E500A |
| 7 | 2E6C7354F7B4DCE59752054929731C5055DF15301ED094820BDBBCD5C0CFA12E |
| 8 | 3FB75B18F25919C3FC2E2D60905214C432CAF182D3A600F2CA68E3B1BBCF3575 |
| 9 | 4284E6BBC2FC274D8B0A1F37F91408EFC0404E4CAE0BA28ABC4D583BC59AF6BD |
| 10 | 4FCCE7C445D89D7DE943EC0E0C2FC285D4B25A67950AD7D6BCB50DBCBC4AC29B |
| 11 | 5489C3F1F561E1F7FA68F7A6041FBA8AED8F682095E1F50B07B4B91AC284E9BD |
| 12 | 57940C5EEE8641E02F49D1122528665A0DDFBF5B6B0D4B910B5287E15542591D |
| 13 | 5885804AC3FBD9A06595B9314B77898747B2F9B8A7624F72D402F5D5C5BAAC68 |
| 14 | 6EB525100F54B9A830CD2D0F1169B053EDB55332B2BE73DD29A8B165B9CCDBF5 |
| 15 | 6F58B07B5DDABC29C9C7E7165349EDBD2BEE923446514044D67040DE2F36664A |
| 16 | 7593B0F4BC4C52CB359196F35868636B319641B01C8DB9F662076285739A0505 |
| 17 | 7B1FA1AC136469CA0CF8E0B80830876185E9858A168098A093AAF43319FC60A7 |
| 18 | 963A61A8ECA4378566CE39113DDBCB08EE961EF54C274068E62EFC9201FAD1CC |
| 19 | 9A5182C4F9B3061D30652264096D225CE16CB5C962E1C67ED153E3986D9E05C8 |
| 20 | A7FD4A7AD1B5F67F588CFCDC7BB092D1C8AED71FFC9402F618F4562C3DADF8E1 |
| 21 | ABA8466F8162846C8ADC7BE242BB78A346775804DE2C14A978D69649B0639C6D |
| 22 | AC21DDC972B50C66A9876F1A470F0A29F4DF58C1557B8FA0BA649FC0B255DD37 |
| 23 | B1A8A189A95DFE33683141BA24F022357B2E60E5A811F5559B3119FE67C17BDC |
| 24 | B80C00BC987EA9ACACEC57EEAF299421DA8E083F611084816BF0C015C7088DED |
| 25 | B9F0D4A2EA3FD0B0E2A7F3EF024E056AB58F51DD21960DD671DD42ABF81A7B21 |
| 26 | C00419B21D10A236B47B43BB1EED3DBC5298E471CF9616848A84DA5BAAE8E611 |
| 27 | CEEA4208D55B4DE89279633183DAE164E57AA03D729ADE7D39A75C7D1E583078 |
| 28 | CFA37C111D5D86AA348A8411C39FE1C54034C437A5C15777A42638C6A9D03EB0 |
| 29 | D0D4EF735A8BF076D81A6F3651D6BCFD8C69285049ADD2E6B6BEE1276A99C37C |
New Quark Rules For Anubis
A new Quark rule (#00273) is now available. This rule targets Anubis, a sophisticated Android banking trojan that emerged around 2017 and targets financial institutions worldwide. It features overlay attacks to steal banking credentials, keylogging, screen recording, SMS interception, and ransomware capabilities. The malware is distributed through malicious apps on Google Play and phishing campaigns.
In the representative sample, Quark observed the following behaviors at the API level: use of the accessibility service to query UI elements, reading SMS messages, audio recording via the microphone, programmatic outbound phone calls, reading and decoding file contents, and HTTP communication with a remote server. Check here for the rule details.
With this rule, Quark is now able to identify the Anubis malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check here for the APKs we tested.
Below is a summary report of an Anubis sample (3f00206aaed4612ce4655152b972aeb2787ca4133aeacc8c9acd8c4d38ea3f79). The report shows that Quark identified the sample as high-risk, with a list of behaviors as evidence.
Identified Well-Known Threats
With Quark’s rule classification feature, analysts can generate behavior maps and see how behaviors are related. The 6 behaviors below were observed in the representative sample at the API level.
1. Use Accessibility Service to Query UI Elements
onAccessibilityEvent uses the accessibility service to retrieve node information by matching text content, which lets the malware programmatically inspect UI elements displayed by other applications.
Behaviors detected by Quark:
Use accessibility service to perform action getting node info by text (#00159)
2. Read SMS Messages
DelIndox queries SMS data from the content provider URI and reads message contents. Combined, these APIs allow the service to access and extract stored SMS messages from the device.
Behaviors detected by Quark:
Query data from URI (SMS, CALLLOGS) (#00011)
Read sensitive data(SMS, CALLLOG, etc) (#00077)
3. Audio Recording via Microphone
recordAudio configures the audio source, encoder, file format, and output path, then initializes and starts the recorder. Together, these calls capture live audio from the device microphone and save it to a file.
Behaviors detected by Quark:
Set the audio source (MIC) and recorded file format (#00194)
Set the recorded file format and output path (#00196)
Set the audio encoder and initialize the recorder (#00197)
Initialize the recorder and start recording (#00198)
4. Make Outbound Phone Calls Programmatically
onCreate constructs an implicit intent with a phone number and initiates a call action. Combined, these APIs trigger an outbound phone call without user interaction.
Behaviors detected by Quark:
Implicit intent(view a web page, make a phone call, etc.) via setData (#00051)
Make a phone call (#00202)
Put a phone number into an intent (#00203)
5. Read and Decode File Contents
readCommand calls getIDwindowsBot to open and read a file from its absolute path, then decodes the Base64-encoded content and writes it. Together, these calls retrieve encoded file data and persist the decoded output.
Behaviors detected by Quark:
Get absolute path of the file and store in string (#00020)
Open a file from given absolute path of the file (#00022)
Write file after Base64 decoding (#00024)
6. HTTP Communication with Remote Server
doInBackground establishes URL connections, sends POST requests, and reads response streams and status codes. Combined, these APIs enable bidirectional HTTP communication with a remote server.
Behaviors detected by Quark:
Connect to the remote server through the given URL (#00030)
Connect to a URL and receive input stream from the server (#00089)
Connect to a URL and read data from it (#00094)
Connect to a URL and set request method (#00096)
Read the input stream from given URL (#00108)
Connect to a URL and get the response code (#00109)
Send HTTP POST request and receive response (#00273)
List of Tested APKs
The table below lists the APKs we tested.
| index | sha256 |
|---|---|
| 1 | 30B0B3B0D4733F3B94517AB4E407214E82ABF6AAD3ADF918717FF842E28D672F |
| 2 | 3F00206AAED4612CE4655152B972AEB2787CA4133AEACC8C9ACD8C4D38EA3F79 |
| 3 | 63263048A73FD8B6E37431688A331A2A88E8FC86848BFB4BA09751F2E7AB8F5C |
| 4 | 7138689203DC5A2FE9CFCB84C39885E4B53EEC9A72F37E36DDEE61490F8217CA |
| 5 | 7CE3D3AA76710A4D70D7DBA0379FDE70724F923E582381AF4AE32365A9B9B516 |
| 6 | 9B2AF95F9F69CE03DB5C03B13F4F9F69051BB490C968A1C7CA6A9B80D20FDF94 |
| 7 | 9FC2E5D32B4A4E2886CD835A9DDDD6A2C94C85BF175700A0655A70D422E2DEB8 |
| 8 | AD2053BC0CF1CC54C5A0F7E6DE4653B8012BA349219AC56B27E26E6CF2B96077 |
| 9 | C7411C0DAFF520468C3ACCFF4318076A66034B2D14CBAE08A5D3ECEC2C6CE9ED |
| 10 | D0E684DEDD320A8B1838DAB6C94E97384058FB18B831CEB3F479AEA849D83811 |
| 11 | D7511298F5F6C7205EB753ECD7A4E0070E9F4E353F8E6C94EF3339B4A1886B73 |
| 12 | E0D3EE34E12845AD99E8E23FD0CFBED54C7640EABEA957337DEC0176D152F837 |
| 13 | F57308A3D0A09D0DA95D9055EC76E3DCED8292B47FCD41FEF237EBF7C1AD5F03 |
New Quark Rules For GodFather
New Quark rule (#00274) is now available. This rule targets GodFather. Check here for the rule details.
With this rule, Quark is now able to identify the GodFather malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check here for the APKs we tested.
Identified Well-Known Threats
This section uses MITRE ATT&CK Mobile as its reference taxonomy. The table below lists every technique documented for GodFather (per software entry S1231 GodFather) alongside how each manifests in real-world campaigns — all of which the current Quark rule set can detect statically from APK bytecode.
| MITRE Technique | Real-world manifestation |
|---|---|
| T1418 Software Discovery | Enumerating installed banking and cryptocurrency apps to select overlay targets |
| T1417 Input Capture | Harvesting credentials and payment card data via accessibility service keylogging |
| T1516 Input Injection | Automating fraudulent transactions by simulating taps and gestures through accessibility APIs |
| T1582 SMS Control | Intercepting SMS-based two-factor authentication codes to bypass account protections |
| T1616 Call Control | Blocking or redirecting incoming calls from banks to evade fraud alerts |
| T1624 Event Triggered Execution | Launching overlay attacks when targeted banking applications are opened by the user |
| T1629 Impair Defenses | Disabling Google Play Protect and preventing uninstallation via device administrator privileges |
All behavior maps below were rendered from sample 0b72c22517fdefd4cf0466d8d4c634ca73b7667d378be688efe131af4ac3aed8.apk — chosen as the representative sample whose detected behaviors most fully cover the documented profile of GodFather. The other 11 family samples were used to compute the accuracy and precision figures above.
Each section below corresponds to one technique from the table above. Within each section we first quote the MITRE definition, then show the Quark behavior map extracted from the representative sample’s bytecode, then walk through the call sequence and list the underlying rules.
1. T1418 Software Discovery
T1418 Software Discovery — attack.mitre.org
MITRE definition (T1418): Adversaries may attempt to get a listing of applications that are installed on a device.
number_task calls getApps to enumerate installed applications and store the list in shared preferences. Together, these calls enable the malware to discover and persist a complete inventory of software present on the device.
Behaviors detected by Quark:
Get installed applications and put the list in shared preferences (#00170)
Enumerate installed applications (#00264)
2. T1417 Input Capture
T1417 Input Capture — attack.mitre.org
MITRE definition (T1417): Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal device usage, users often provide credentials to various locations, such as login pages/portals or system dialog boxes.
onAccessibilityEvent calls two helpers to query UI nodes by ID and text, check view content, and perform actions on accessibility node info. Together, these calls enable automated inspection and interaction with UI elements in the active window.
Behaviors detected by Quark:
Use accessibility service to perform action getting node info by text (#00159)
Use accessibility service to perform action getting node info by View Id (#00160)
Perform accessibility service action on accessibility node info (#00161)
Use accessibility service to perform action getting root in active window (#00167)
Check if the text of the view contains the given string (#00206)
Check if the resource name of the view contains the given string (#00207)
3. T1582 SMS Control
T1582 SMS Control — attack.mitre.org
MITRE definition (T1582): Adversaries may delete, alter, or send SMS messages without user authorization. This could be used to hide C2 SMS messages, spread malware, or various external effects. This can be accomplished by requesting the RECEIVE_SMS or SEND_SMS permissions depending on what the malware is attempting to do.
onReceive calls SMRC to monitor incoming SMS messages and extract sender phone numbers and message content. Together, these calls enable the receiver to intercept and inspect SMS data as it arrives on the device.
Behaviors detected by Quark:
Monitor the general action to be performed (#00025)
Query the phone number from SMS sender (#00049)
Check if the content of SMS contains given string (#00118)
Monitor incoming SMS message (#00234)
4. T1616 Call Control
T1616 Call Control — attack.mitre.org
MITRE definition (T1616): Adversaries may make, forward, or block phone calls without user authorization. This could be used for adversary goals such as audio surveillance, blocking or forwarding calls from the device owner, or C2 communication.
onCreate constructs an implicit intent with a phone number and initiates a phone call via setData. Combined, these APIs enable the activity to programmatically place outbound calls without user interaction.
Behaviors detected by Quark:
Implicit intent(view a web page, make a phone call, etc.) via setData (#00051)
Make a phone call (#00202)
Put a phone number into an intent (#00203)
5. T1624 Event Triggered Execution
T1624 Event Triggered Execution — attack.mitre.org
MITRE definition (T1624): Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities.
The behavior map above shows GodFather subscribing to the incoming-SMS broadcast — Android’s SMS_RECEIVED is one of the canonical “specific events” called out in the MITRE definition, and the malware uses it as a trigger for persistent execution. onReceive monitors the general action performed and incoming SMS messages, enabling the receiver to detect and respond to SMS arrival events in real time.
Behaviors detected by Quark:
Monitor the general action to be performed (#00025)
Monitor incoming SMS message (#00234)
6. T1629 Impair Defenses
T1629 Impair Defenses — attack.mitre.org
MITRE definition (T1629): Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior.
The behavior map above shows GodFather deleting SMS and call-log entries via content URIs — a concrete instance of impairing the user’s ability to audit communication activity (matching the MITRE definition’s phrase “detection capabilities defenders can use to audit activity”). DelSent deletes media specified by content URIs, including SMS and call logs, erasing traces of communication activity.
Behaviors detected by Quark:
Deletes media specified by a content URI(SMS, CALL_LOG, File, etc.) (#00052)
List of Tested APKs
The table below lists the APKs we tested.
| index | sha256 |
|---|---|
| 1 | 0B72C22517FDEFD4CF0466D8D4C634CA73B7667D378BE688EFE131AF4AC3AED8 |
| 2 | 138551CD967622832F8A816EA1697A5D08EE66C379D32D8A6BD7FCA9FDEAECC4 |
| 3 | 20116083565A50F6B2DB59011E9994E9A9F5DB5994703D53233B8B202A5AD2F3 |
| 4 | 3BBEF6F36E2E673DF2620A01463F9B598D0F70C76F450601EC29873D8EBA5B7A |
| 5 | 3D4F63FC88EC8A4DFC9A5C3FEE1A59DED40BBB2F4F04ED937C135B144E8A166D |
| 6 | 58D335B2FD86126AB18CFBECD117C7700D154A2473CC1BDD507C0F57FA7052E3 |
| 7 | 6E0D01C4C547D235C247A6D0719F2ACA2D4996AE78DF4B671275914A9E3FD2D3 |
| 8 | 75CC07A1AF57D9D2A9A06840A25D1B9B368B1DDD57D98BAC9A5A5F2F4D0D931D |
| 9 | 9DFB5B4AD9AAC36C2D7FBB93F8668FAA819CB0DF16F4A55D00F1CDDA89C9A6D2 |
| 10 | A14AAD1265EB307FBE71A3A5F6E688408CE153FF19838B3C5229F26EE3ECE5DD |
| 11 | A6ED100AE42E4FDABFD1B4C992762152BC4A11CC8E521B647B444C75BB7A9782 |
| 12 | C2BCCFC8B3BDF2DA5FB5C22055A9C4859256BE7904933E9E0B92FA31FD0420D3 |
New Quark Rules For TangleBot
New Quark rule (#00275) is now available. This rule targets TangleBot. Check here for the rule details.
With this rule, Quark is now able to identify the TangleBot malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check here for the APKs we tested.
Identified Well-Known Threats
This section uses MITRE ATT&CK Mobile as its reference taxonomy. The table below lists every technique documented for TangleBot (per software entry S1069 TangleBot) alongside how each manifests in real-world campaigns — all of which the current Quark rule set can detect statically from APK bytecode.
| MITRE Technique | Real-world manifestation |
|---|---|
| T1430 Location Tracking | Real-time GPS coordinate harvesting to monitor victim physical movements and location |
| T1418 Software Discovery | Enumerating installed applications to profile device usage and identify high-value targets |
| T1513 Screen Capture | Capturing screenshots to exfiltrate sensitive on-screen data including credentials and messages |
| T1582 SMS Control | Intercepting and exfiltrating SMS messages including authentication codes and private communications |
| T1616 Call Control | Initiating, redirecting, or blocking phone calls to facilitate fraud or eavesdropping |
All behavior maps below were rendered from sample 7badeb43e25c4bc7772b4e62d97a7bffc84a02b8f50ea83e8ab8acb598a20bad.apk — chosen as the representative sample whose detected behaviors most fully cover the documented profile of TangleBot. The other 8 family samples were used to compute the accuracy and precision figures above.
Each section below corresponds to one technique from the table above. Within each section we first quote the MITRE definition, then show the Quark behavior map extracted from the representative sample’s bytecode, then walk through the call sequence and list the underlying rules.
1. T1430 Location Tracking
T1430 Location Tracking — attack.mitre.org
MITRE definition (T1430): Adversaries may track a device’s physical location through use of standard operating system APIs via malicious or exploited applications on the compromised device. On Android, applications holding the ACCESS_COARSE_LOCATION or ACCESS_FINE_LOCATION permissions provide access to the device’s physical location.
Ld/g$g;c retrieves device time, longitude, current location, and last known location through location services. Together, these calls enable precise geographic tracking of the device over time.
Behaviors detected by Quark:
Get location of the device (#00075)
Get last known location of the device (#00115)
Get device time and longitude (#00214)
2. T1418 Software Discovery
T1418 Software Discovery — attack.mitre.org
MITRE definition (T1418): Adversaries may attempt to get a listing of applications that are installed on a device.
Lc0/d;a queries package information for a specific application installed on the device. This call enables the malware to enumerate installed app details including version and permissions.
Behaviors detected by Quark:
Get the package info of a particular app (#00231)
3. T1513 Screen Capture
T1513 Screen Capture — attack.mitre.org
MITRE definition (T1513): Adversaries may use screen capture to collect additional information about a target device, such as applications running in the foreground, user data, credentials, or other sensitive information.
Ll3/c$a;onSuccess extracts screenshot data into bitmap format and compresses the resulting image. Together, these calls capture the device screen and reduce the image’s file size so it can be exfiltrated efficiently.
Behaviors detected by Quark:
Extract screenshot data to bitmap format (#00238)
Compress bitmap (#00269)
4. T1582 SMS Control
T1582 SMS Control — attack.mitre.org
MITRE definition (T1582): Adversaries may delete, alter, or send SMS messages without user authorization. This could be used to hide C2 SMS messages, spread malware, or various external effects. This can be accomplished by requesting the RECEIVE_SMS or SEND_SMS permissions depending on what the malware is attempting to do.
Ll3/a;t calls two helpers to query and read SMS and call log data from URIs, then sends SMS messages. Together, these calls enable both exfiltration of existing messages and transmission of new SMS content.
Behaviors detected by Quark:
Read sensitive data(SMS, CALLLOG) and put it into JSON object (#00010)
Query data from URI (SMS, CALLLOGS) (#00011)
Send SMS (#00040)
Read sensitive data(SMS, CALLLOG, etc) (#00077)
Query a URI and append the result into a string (#00190)
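The T1430 and T1582 definitions quoted above name the permissions (ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION, RECEIVE_SMS, SEND_SMS) that grant these capabilities, and the GodFather T1624 walkthrough earlier names the SMS_RECEIVED broadcast as the trigger. The script below is an added triage example, not quark-engine code and not part of this report: it reads a decoded AndroidManifest.xml, flags the declared permissions that those definitions mention, and lists receivers subscribed to SMS_RECEIVED. The manifest it runs on is constructed; the permission table uses only the permissions quoted on this page, and running it on apktool-decoded XML (a real APK carries a binary manifest) is an assumed workflow step.

```python
"""Triage an AndroidManifest.xml for the permissions and the SMS trigger named above.

Added example, not quark-engine code or this report's own. The permission table
lists only the permissions the quoted T1430 and T1582 definitions name, and the
receiver check looks for the SMS_RECEIVED action the T1624 walkthrough describes.
SAMPLE_MANIFEST is constructed; feeding this the decoded XML (e.g. apktool output)
rather than the binary manifest inside the APK is an assumed workflow step.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Permission -> technique whose MITRE definition (quoted above) mentions it.
PERMISSION_TECHNIQUES = {
    "android.permission.ACCESS_COARSE_LOCATION": "T1430",
    "android.permission.ACCESS_FINE_LOCATION": "T1430",
    "android.permission.RECEIVE_SMS": "T1582",
    "android.permission.SEND_SMS": "T1582",
}

# Constructed manifest: one benign permission, three the table above flags,
# one receiver on SMS_RECEIVED and one on a different boot-time broadcast.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission-sdk-23 android:name="android.permission.SEND_SMS"/>
    <application android:label="constructed">
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def _android_name(elem):
    """Value of the namespaced android:name attribute, or None."""
    return elem.get(f"{{{ANDROID_NS}}}name")


def declared_permissions(manifest_xml):
    """All permissions the manifest requests (including the sdk-23 form), sorted."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = _android_name(elem)
            if name:
                names.add(name)
    return sorted(names)


def flagged_techniques(manifest_xml):
    """technique -> sorted declared permissions that its MITRE definition names."""
    flagged = {}
    for perm in declared_permissions(manifest_xml):
        technique = PERMISSION_TECHNIQUES.get(perm)
        if technique:
            flagged.setdefault(technique, []).append(perm)
    return flagged


def sms_received_receivers(manifest_xml):
    """Receiver class names whose intent-filter subscribes to SMS_RECEIVED."""
    root = ET.fromstring(manifest_xml)
    receivers = []
    for receiver in root.iter("receiver"):
        actions = {_android_name(a) for a in receiver.iter("action")}
        if SMS_RECEIVED in actions:
            receivers.append(_android_name(receiver))
    return sorted(receivers)


if __name__ == "__main__":
    print("permissions:", declared_permissions(SAMPLE_MANIFEST))
    print("flagged:", flagged_techniques(SAMPLE_MANIFEST))
    print("SMS_RECEIVED receivers:", sms_received_receivers(SAMPLE_MANIFEST))
```

A manifest hit is only a lead: the permissions are also requested by legitimate messaging and navigation apps, which is why the Quark rules above pair permissions with the actual API call sequences in bytecode before scoring a sample.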
5. T1616 Call Control
T1616 Call Control — attack.mitre.org
MITRE definition (T1616): Adversaries may make, forward, or block phone calls without user authorization. This could be used for adversary goals such as audio surveillance, blocking or forwarding calls from the device owner, or C2 communication.
Ll3/a;C constructs an implicit intent with a phone number and initiates a phone call via setData. Combined, these APIs enable programmatic dialing to arbitrary numbers without user interaction.
Behaviors detected by Quark:
Implicit intent(view a web page, make a phone call, etc.) via setData (#00051)
Make a phone call (#00202)
Put a phone number into an intent (#00203)
List of Tested APKs
The table below lists the APKs we tested.
| index | sha256 |
|---|---|
| 1 | 1F8AA27D59C8B9C5D1F28610C1F195C7C6EFA2C80F98842FD3FB18B4241472C3 |
| 2 | 6098A436094F1E3E8721FB87FF36781A1A283711CC0388F608723A18132607C4 |
| 3 | 669C3BE3CB02D6A20F74EB13104E145747C8E3D4E7A51103F95F3F97EBA958CE |
| 4 | 752AC24697F9581E90655BC03FDE742EA70ABA5EE831AC8BBEE113DF3B1CAB6E |
| 5 | 7BADEB43E25C4BC7772B4E62D97A7BFFC84A02B8F50EA83E8AB8ACB598A20BAD |
| 6 | A72E0D19CB6DB3D96D27F97874C4462589AE0242EAE024D924D08B0663EB5019 |
| 7 | BE512E871FC1871314794EA0E83F70EBE6CD9E537883ACA6CA41440B3032DBFC |
| 8 | BF781F7D66A8CED4929674EA81A87C814F617EF677301B5EE4B4D32C04287B68 |
| 9 | D5D9B9FD3A6C5A9F44CE9EE46A32822F3E9261F4DF68466FAE809D58FA58A1D7 |
BRATA Malware Family Analysis Report
Quark’s existing rule set already detects the BRATA malware family, so no new rule was required. Check here for the rule set.
With these rules, Quark is able to identify the BRATA malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check here for the APKs we tested.
Identified Well-Known Threats
This section uses MITRE ATT&CK Mobile as its reference taxonomy. The table below lists every technique documented for BRATA (per software entry S1094 BRATA) alongside how each manifests in real-world campaigns — all of which the current Quark rule set can detect statically from APK bytecode.
| MITRE Technique | Real-world manifestation |
|---|---|
| T1418.001 Security Software Discovery | Detecting antivirus or security products to evade analysis and detection |
| T1513 Screen Capture | Recording device screen content to harvest credentials and sensitive user data |
| T1533 Data from Local System | Exfiltrating contacts, messages, photos, and other locally stored personal information |
All behavior maps below were rendered from sample 2d15bc6c736c5422f3673d94c8f9d3d28ac1512eae6f459cd768842103266937.apk — chosen as the representative sample whose detected behaviors most fully cover the documented profile of BRATA. The other 21 family samples were used to compute the accuracy and precision figures above.
Each section below corresponds to one technique from the table above. Within each section we first quote the MITRE definition, then show the Quark behavior map extracted from the representative sample’s bytecode, then walk through the call sequence and list the underlying rules.
1. T1418.001 Security Software Discovery
T1418.001 Security Software Discovery — attack.mitre.org
MITRE definition (T1418.001): Adversaries may attempt to get a listing of security applications and configurations that are installed on a device. This may include things such as mobile security products.
The behavior map above shows BRATA querying the package manager for a single application’s information and display label (GetApplicationLabel). Malware uses this same lookup to check for security software: by querying the package names of known antivirus or mobile-security apps, it can tell whether any are installed. This is the Security Software Discovery (T1418.001) behavior documented for BRATA — it lets the malware decide whether to keep operating or stay dormant to avoid detection.
Behaviors detected by Quark:
Get application info and label (#00265)
2. T1513 Screen Capture
T1513 Screen Capture — attack.mitre.org
MITRE definition (T1513): Adversaries may use screen capture to collect additional information about a target device, such as applications running in the foreground, user data, credentials, or other sensitive information.
onImageAvailable copies pixels from the latest rendered image into a Bitmap object. This call enables the malware to capture screenshots of the device screen in real time.
Behaviors detected by Quark:
Copy pixels from the latest rendered image into a Bitmap (#00210)
3. T1533 Data from Local System
T1533 Data from Local System — attack.mitre.org
MITRE definition (T1533): Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to exfiltration. Access to local system data, which includes information stored by the operating system, often requires escalated privileges.
FindByMail calls getAllContacts to read records from a content provider via ContentResolver, iterating the returned cursor. Both are methods of the app’s B4A ContactsWrapper, indicating the queries target the device’s contact database. The behavior map evidences these generic content-provider reads; it does not pin down a specific field such as email address.
Behaviors detected by Quark:
Query a URI and check the result (#00187)
Query device data with ContentResolver (#00212)
Query device data with ContentResolver and obtain the number of results (#00215)
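The GodFather, TangleBot and BRATA sections above each pair Quark rule numbers with a MITRE ATT&CK Mobile technique. The script below is an added example, not quark-engine's own code or part of this report: it takes a Quark JSON report, keeps the rule hits at or above a confidence threshold, and maps them onto those published technique tables, so an analyst can see which documented techniques a new sample evidences and which it does not. The technique-to-rule tables are transcribed from this page; the report layout assumed (a `crimes` list whose entries carry `rule` and `confidence`) follows quark-engine's JSON report as I recall it and should be treated as an assumption; the sample report itself is constructed. Note that rules #00025 and #00234 evidence both T1582 and T1624 for GodFather, so a rule may map to more than one technique.

```python
"""Map rule hits in a Quark JSON report to the MITRE ATT&CK Mobile techniques above.

Added example, not quark-engine's own code. PROFILES is transcribed from the
GodFather, TangleBot and BRATA sections of this page. The report fields used
("crimes" entries with "rule" and "confidence") follow quark-engine's JSON
report as I recall it and are an assumption; SAMPLE_REPORT is constructed.
"""
import json
import re
from collections import defaultdict

# Technique -> Quark rule ids, per family, as documented on this page.
PROFILES = {
    "GodFather (S1231)": {
        "T1418": {"00170", "00264"},
        "T1417": {"00159", "00160", "00161", "00167", "00206", "00207"},
        "T1582": {"00025", "00049", "00118", "00234"},
        "T1616": {"00051", "00202", "00203"},
        "T1624": {"00025", "00234"},  # the same two rules also evidence T1582
        "T1629": {"00052"},
    },
    "TangleBot (S1069)": {
        "T1430": {"00075", "00115", "00214"},
        "T1418": {"00231"},
        "T1513": {"00238", "00269"},
        "T1582": {"00010", "00011", "00040", "00077", "00190"},
        "T1616": {"00051", "00202", "00203"},
    },
    "BRATA (S1094)": {
        "T1418.001": {"00265"},
        "T1513": {"00210"},
        "T1533": {"00187", "00212", "00215"},
    },
}

# Constructed report; field names assumed to follow quark-engine's JSON output.
SAMPLE_REPORT = json.dumps({
    "apk_filename": "constructed-sample.apk",
    "threat_level": "High Risk",
    "crimes": [
        {"rule": "00025.json", "crime": "Monitor the general action", "confidence": "100%"},
        {"rule": "00234.json", "crime": "Monitor incoming SMS message", "confidence": "100%"},
        {"rule": "00170.json", "crime": "Get installed applications", "confidence": "100%"},
        {"rule": "00052.json", "crime": "Deletes media by content URI", "confidence": "80%"},
        {"rule": "00999.json", "crime": "Rule in no profile above", "confidence": "100%"},
    ],
})


def normalize_rule_id(rule_field):
    """'rules/00052.json' or '52' -> '00052' (Quark names rules by zero-padded number)."""
    match = re.search(r"(\d+)(?:\.json)?$", rule_field)
    if not match:
        raise ValueError(f"unrecognised rule reference: {rule_field!r}")
    return match.group(1).zfill(5)


def invert_profile(profile):
    """technique -> rules becomes rule -> techniques (a rule may serve several)."""
    by_rule = defaultdict(set)
    for technique, rules in profile.items():
        for rule in rules:
            by_rule[rule].add(technique)
    return by_rule


def confident_rule_ids(report_json, min_confidence=100):
    """Rule ids whose confidence (Quark reports it as e.g. '80%') meets the threshold."""
    report = json.loads(report_json)
    hits = set()
    for crime in report.get("crimes", []):
        confidence = int(str(crime.get("confidence", "0%")).rstrip("%"))
        if confidence >= min_confidence:
            hits.add(normalize_rule_id(crime["rule"]))
    return hits


def map_techniques(report_json, profile, min_confidence=100):
    """Return {technique: sorted rule ids} for each technique the report evidences."""
    by_rule = invert_profile(profile)
    matched = defaultdict(set)
    for rule in confident_rule_ids(report_json, min_confidence):
        for technique in by_rule.get(rule, ()):
            matched[technique].add(rule)
    return {t: sorted(r) for t, r in sorted(matched.items())}


def uncovered_techniques(report_json, profile, min_confidence=100):
    """Profile techniques the report does not evidence at the given confidence."""
    return sorted(set(profile) - set(map_techniques(report_json, profile, min_confidence)))


if __name__ == "__main__":
    profile = PROFILES["GodFather (S1231)"]
    for technique, rules in map_techniques(SAMPLE_REPORT, profile).items():
        print(f"{technique}: {', '.join('#' + r for r in rules)}")
    print("not evidenced:", uncovered_techniques(SAMPLE_REPORT, profile))
```

The confidence threshold matters: at 100% the constructed report evidences T1418, T1582 and T1624 but not T1629, because the #00052 hit is only at 80%; lowering the threshold to 80 adds T1629. Rules outside every profile (like the constructed #00999) are ignored rather than forced onto a technique.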
List of Tested APKs
The table below lists the APKs we tested.
| index | sha256 |
|---|---|
| 1 | 27E0EC79DBB7C7F99B43C8C01A94188D1071D1245B1745D0E066AE774C78A8F8 |
| 2 | 2846C9DDA06A052049D89B1586CFF21F44D1D28F153A2FF4726051AC27CA3BA7 |
| 3 | 2D15BC6C736C5422F3673D94C8F9D3D28AC1512EAE6F459CD768842103266937 |
| 4 | 32552C098CD0E8075583162B1E895F1089A3E97FA9AC6281C0D0272D9AF132E2 |
| 5 | 37A0F317B897F23F5A6BA4A6B1C5E03A80333FF81BC8C1FADC09EB4C1914797D |
| 6 | 4392358E24121C8C9C1BD36341286CEAD074ECE01B5E615EC56C572F5583E0B0 |
| 7 | 46F4F981BE30D60795164F97B45219C523DBF8F59608901EB29DA42BCF941CFE |
| 8 | 4C57C5EAE5A1BAE1A50BEED28AFFDFF722C89416886E5EDA8088A06771CC29C8 |
| 9 | 5395936963DF4D72B365FD30AB52A00A88F8A5F75336BA84AC8A9FC369E0F811 |
| 10 | 6327B82AAAB714DC17322E1F215BCA9219F937A1DF6F71C8892BF75FCFA53830 |
| 11 | 80443FF27C7D665E1D9DB78CE70E67478C2A2F47DB4F84AF7BA4DB85C0EAD677 |
| 12 | 98B778F619E1C0F822B9514C81B9869F0302A2FEF53754739BB92C67D02609E0 |
| 13 | 9BF89B33609973D48C7D09D5774C39BFCEFD3922202DB0D872F12B3FFDB28529 |
| 14 | B2EC5CBCA08D8AEF4F638FFB479FDF613EEAA31FF9C30C73DBEDA7FF8EB4A25B |
| 15 | B5A64791728AA641838D2A478375F5D46F91C91B8DF0CDE34B21DDA2D4D7D8A1 |
| 16 | B64123E4FF92CD7BE104B21CA0DEAEFD89E8270572746C61EFC3E7CD05999B5D |
| 17 | D774779A1E53D5C1012EC855CD6567D6E9F779299DDF0D07E96DDE6C0679F4DF |
| 18 | D7AF3C8E53B2B1B5B84E5542353FC80C28B2297238469E189F7C83ACB666943B |
| 19 | DCDCACAFACB1F8A9474FF714DD418E0104E854B87AD07220CE5E4564568CE997 |
| 20 | ED1C4B8B6F7ED4F93A9B06F4FBE4BB28782994BC121CD0540F9DE62FF22FA78F |
| 21 | F690E30B6EE25C153EFFC5620FD7EC61481A449A127B54A67C7AFC4C13D7917F |
| 22 | FA816C631249922539EEEB3E8F73D3EF4EA997AB729751ADEBCEA3D0DE32A63B |