GroDDViewer: MobiDash

Sample name: com.cardgame.durak

Malware Family:

Aggressive adware which can wait several weeks before triggering

Sample description:

We can see the main process cardgame.durak reading the file ads_settings.json to configure itself. We also see that the process connects to a large number of IP addresses. Some of those IPs are contacted by the original game itself to retrieve legitimate ads, while most of them are contacted by the malware to download malicious ads. The IP addresses shared between cardgame.durak and android.browser correspond to connections opened when aggressive ads are displayed in fullscreen. We also notice that the malware saves its history in a local directory, producing a lot of log files.

File details:

  • MD5 : 9e81bf61c5cae2c2856e4103353594fb
  • SHA256 : b41d8296242c6395eee9e5aa7b2c626a208a7acce979bc37f6cb7ec5e777665a
  • Size : 8.5 MB