From 1aea0a8e1577f260c3cdbc6e609fa39a73fe3ca5 Mon Sep 17 00:00:00 2001 From: zinwang Date: Tue, 21 Oct 2025 23:16:51 +0800 Subject: [PATCH 1/3] Add docs for DawDropper --- docs/source/quark_rules.rst | 69 +++++++++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) diff --git a/docs/source/quark_rules.rst b/docs/source/quark_rules.rst index 4652643c..a8f67680 100644 --- a/docs/source/quark_rules.rst +++ b/docs/source/quark_rules.rst 
@@ -851,3 +851,72 @@ The table below lists the APKs we tested. - f46b863952599b91a4d2d682a80f345dfa03fad473d1938f2c53a3139c87a019 * - 10 - eec5096dfca6824317863f9225c29f6c4b3442c48fefa62dc382e3569bca5a60 + + +New Quark Rules For DawDropper +=============================== + +New Quark rules (#243 - #245) are now available. These rules target `DawDropper `_\ , a malware family that installs additional apps. Check `here `_ for the rule details. + +With these rules, Quark is now able to identify the DawDropper malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check :ref:`here ` for the APKs we tested. + +Below is a summary report of a DawDropper sample (\ ``a1298cc00605c79679f72b22d5c9c8e5c8557218458d6a6bd152b2c2514810eb``\ ). The report shows that Quark identified the sample as high-risk, with a list of behaviors as evidence. + + +.. image:: https://i.postimg.cc/44T6JT3v/Screenshot-2025-10-21-22-38-20.png + :target: https://i.postimg.cc/44T6JT3v/Screenshot-2025-10-21-22-38-20.png + :alt: + + +Identified Well-Known Threats +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +With Quark's `rule classification `_ feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify one well-known threat from DawDropper, as shown below. + +**1. Install additional apps** + + +.. image:: https://i.postimg.cc/nc663z2H/installapk.png + :target: https://i.postimg.cc/nc663z2H/installapk.png + :alt: + + +The behavior map shows that the ``Lcom/techmediapro/photoediting/core/MainActivity;S0`` function installs additional APKs. + +Behaviors detected by Quark: + + +* Install other APKs from file (#00245) + +.. _list-of-tested-apks-dawdropper: + +List of Tested APKs +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The table below lists the APKs we tested. + +.. 
list-table:: + :header-rows: 1 + + * - index + - sha256 + * - 1 + - 022a01566d6033f6d90ab182c4e69f80a3851565aaaa386c8fa1a9435cb55c91 + * - 2 + - 02499a198a8be5e203b7929287115cc84d286fc6afdb1bc84f902e433a7961e4 + * - 3 + - 05b3e4071f62763b3925fca9db383aeaad6183c690eecbbf532b080dfa6a5a08 + * - 4 + - 71c44a78cd77a8f5767096f268c3193108ac06ff3779c65e78bc879d3b0ff11d + * - 5 + - 77f226769eb1a886606823d5b7832d92f678f0c2e1133f3bbee939b256c398aa + * - 6 + - 8fef8831cbc864ffe16e281b0e4af8e3999518c15677866ac80ffb9495959637 + * - 7 + - 9b2064f8808d3aaa2d3dc9f5c7ee0775b29e29df3a958466a8953f148b702461 + * - 8 + - a1298cc00605c79679f72b22d5c9c8e5c8557218458d6a6bd152b2c2514810eb + * - 9 + - b4bd13770c3514596dd36854850a9507e5734374083a0e4299c697b6c9b9ec58 + * - 10 + - d5ac8e081298e3b14b41f2134dae68535bcf740841e75f91754d3d0c0814ed42 From 91981e0a3c62fb53d7ff2d5aae791c4d2bbdd579 Mon Sep 17 00:00:00 2001 From: zinwang Date: Thu, 23 Oct 2025 21:12:40 +0800 Subject: [PATCH 2/3] Add famous threat behavior --- docs/source/quark_rules.rst | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/docs/source/quark_rules.rst b/docs/source/quark_rules.rst index a8f67680..932dfb83 100644 --- a/docs/source/quark_rules.rst +++ b/docs/source/quark_rules.rst @@ -856,7 +856,7 @@ The table below lists the APKs we tested. New Quark Rules For DawDropper =============================== -New Quark rules (#243 - #245) are now available. These rules target `DawDropper `_\ , a malware family that installs additional apps. Check `here `_ for the rule details. +New Quark rules (#243 - #245) are now available. These rules target `DawDropper `_\ , a malware family that downloads and installs additional APKs. Check `here `_ for the rule details. With these rules, Quark is now able to identify the DawDropper malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check :ref:`here ` for the APKs we tested. 
@@ -871,9 +871,25 @@ Below is a summary report of a DawDropper sample (\ ``a1298cc00605c79679f72b22d5 Identified Well-Known Threats ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -With Quark's `rule classification `_ feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify one well-known threat from DawDropper, as shown below. +With Quark's `rule classification `_ feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify two well-known threats from DawDropper, as shown below. -**1. Install additional apps** +**1. Download APKs from remote servers** + + +.. image:: https://i.postimg.cc/VLW5TKMP/downloadapk.png + :target: https://i.postimg.cc/VLW5TKMP/downloadapk.png + :alt: + + +The behavior map shows that the ``Lcom/techmediapro/photoediting/core/MainActivity;N0`` function downloads APKs from remote servers. + +Behaviors detected by Quark: + + +* Connect to a URL and read data from it (#00243) +* Write data to a file (#00244) + +**2. Install additional APKs** .. image:: https://i.postimg.cc/nc663z2H/installapk.png From 0883cee1e64139a77b5ce09f5f538e67aba57806 Mon Sep 17 00:00:00 2001 From: zinwang Date: Fri, 24 Oct 2025 08:31:55 +0800 Subject: [PATCH 3/3] Update threat description --- docs/source/quark_rules.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/quark_rules.rst b/docs/source/quark_rules.rst index 932dfb83..219c93c3 100644 --- a/docs/source/quark_rules.rst +++ b/docs/source/quark_rules.rst @@ -881,7 +881,7 @@ With Quark's `rule classification
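Review bot: in the only hunk of PATCH 1/3 (``@@ -851,3 +851,72 @@``, the new "New Quark Rules For DawDropper" section), every hyperlink and cross-reference arrives with an empty target as shown here: `` `DawDropper `_ ``, `` `here `_ `` (twice) and ``:ref:`here ` `` carry no ``<url>`` and no label, so Sphinx would render them as unresolved references; please confirm that the URLs and, for the ``:ref:``, the ``list-of-tested-apks-dawdropper`` label defined further down in the same hunk are present in the committed file. Three smaller points on the same hunk: the ``.. image::`` directives have an empty ``:alt:`` and point at ``i.postimg.cc``, a host outside the repository, so the screenshots disappear from the docs the day the host drops them and screen-reader users get nothing now; commit the PNGs under ``docs/source`` and give each a one-line description (e.g. ``:alt: Quark summary report for DawDropper sample a1298cc0...``). The rule ids are written two ways (``#243 - #245`` in the intro, ``#00245`` in the behavior bullet); pick one form. And the tested-APK table lists ten DawDropper samples and no benign APKs, so "100% accuracy and 100% precision" is indistinguishable from 100% recall on a positives-only set; either say the evaluation set contains only malware or add the benign set that was used.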
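Review bot: in the second hunk of PATCH 2/3 (``@@ -871,9 +871,25 @@``), the new threat 1 lists ``Write data to a file (#00244)`` as evidence without saying why it matters; on its own that behavior is benign, and the sentence above the list only speaks of downloading. Spell out the chain the behavior map is meant to show: the data read from the URL (#00243) is what gets written to the file (#00244), and that file is what threat 2 installs (#00245); without that sentence a reader cannot see why three separate rules add up to a dropper. Two smaller points: the method names ``MainActivity;N0`` here and ``MainActivity;S0`` under threat 2 are minifier-style one-letter names that will differ between samples, so state that both maps were generated from the sample named above the screenshot (``a1298cc0...``) rather than from the family in general; and the new ``.. image::`` again has an empty ``:alt:`` and an external ``i.postimg.cc`` URL, so please add a description and host the file in the repository.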