2ea0243299aa9caf03534c90f0d7868093db0097e6912076f00dd8a10aa5046d

ioc	Process
/system/bin/su	com.knightli.book.jokebookseries.m3
/system/xbin/su	com.knightli.book.jokebookseries.m3

Queries information about the current nearby Wi-Fi networks 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.

System Network Connections Discovery

collection discovery evasion

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getScanResults	com.knightli.book.jokebookseries.m3

Requests cell location 2 TTPs 1 IoCs

Uses Android APIs to to get current cell location.

Location Tracking

T1430

Geofencing

T1627.001

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.knightli.book.jokebookseries.m3

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 1 IoCs

flow	ioc
4	alog.umeng.com

Queries information about active data network 1 TTPs 1 IoCs

System Network Connections Discovery

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.knightli.book.jokebookseries.m3

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

System Network Connections Discovery

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.knightli.book.jokebookseries.m3

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.knightli.book.jokebookseries.m3

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.knightli.book.jokebookseries.m3

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.knightli.book.jokebookseries.m3

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

description	ioc	Process
File opened for read	/proc/cpuinfo	com.knightli.book.jokebookseries.m3

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

description	ioc	Process
File opened for read	/proc/meminfo	com.knightli.book.jokebookseries.m3

com.knightli.book.jokebookseries.m3
1⤵
- Checks if the Android device is rooted.
- Queries information about the current nearby Wi-Fi networks
- Requests cell location
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4251

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Execution Guardrails

T1627

Geofencing

T1627.001

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Discovery

Location Tracking

T1430

System Information Discovery

3

System Network Configuration Discovery

2

T1422

System Network Connections Discovery

3

Lateral Movement

Collection

Location Tracking

T1430

Command and Control

Exfiltration

Impact

Data Encrypted for Impact