Home > List all groups > List all tools > List all groups using tool MobileOrder

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: MobileOrder

TypeBackdoor, Info stealer, Exfiltration, Downloader
Description(Palo Alto) The malware uses the AMAP SDK to get accurate location of infected devices by GPS, mobile network (such as base stations), WiFi and other information. MobileOrder acts on instructions provided by its C2 server, which it communicates with over TCP port 3728. All C2 communications are encrypted with the AES algorithm using a key generated by computing five MD5 hashes starting with the key “1qazxcvbnm”, and adding a salt value of “.)1/” in each iteration.

The C2 server will respond to requests from MobileOrder with commands that the Trojan refers to as “orders”. MobileOrder contains a command handler with functionality that provides a fairly robust set of commands, as seen in Table 6. The first byte of data provided by the C2 server is order number, which is followed by the encrypted data that needed to carry out the specific order.
AlienVault OTX<>

Last change to this tool card: 22 April 2020

Download this tool card in JSON format

Previous: MKL Pro Keylogger
Next: ModPipe

All groups using tool MobileOrder


APT groups

 Scarlet MimicChina2015 

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
PGP Download PGP key