MobileOrder

Description

(Palo Alto) The malware uses the AMAP SDK to obtain an accurate location of infected devices from GPS, the mobile network (such as base stations), WiFi and other information. MobileOrder acts on instructions provided by its C2 server, with which it communicates over TCP port 3728. All C2 communications are encrypted with the AES algorithm using a key generated by computing five MD5 hashes starting with the key “1qazxcvbnm” and adding a salt value of “.)1/” in each iteration.

The C2 server responds to requests from MobileOrder with commands that the Trojan refers to as “orders”. MobileOrder contains a command handler that provides a fairly robust set of commands, as seen in Table 6. The first byte of data provided by the C2 server is the order number, followed by the encrypted data needed to carry out that specific order.

Names

Name
MobileOrder

Category

Malware

Type

  • Backdoor
  • Info stealer
  • Exfiltration
  • Downloader

Information

Mitre Attack

Malpedia

Alienvault Otx

Other Information

Uuid

e1aa1dd5-eaa8-4bb6-91be-ba0d350827bc

Last Card Change

2023-06-22