{
"type": "bundle",
"id": "bundle--2f851edf-41ad-48c8-afdf-40e8a83478f1",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--08f1a4b1-96c9-44c2-bc5b-5a779541213b",
"created": "2019-12-10T16:07:41.081Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "SecureList DVMap June 2017",
"description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019.",
"url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2023-04-05T20:47:53.438Z",
"description": "[Dvmap](https://attack.mitre.org/software/S0420) replaces `/system/bin/ip` with a malicious version. [Dvmap](https://attack.mitre.org/software/S0420) can inject code by patching `libdvm.so` or `libandroid_runtime.so`, depending on the Android OS version. Both libraries are related to the Dalvik and ART runtime environments. The patched functions can only call `/system/bin/ip`, which was replaced with the malicious version.(Citation: SecureList DVMap June 2017)",
"relationship_type": "uses",
"source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514",
"target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831",
"x_mitre_deprecated": false,
"x_mitre_version": "1.0",
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}
]
}