888rat | c7e0f6bec293dc451cfd65030dcf6b847c83ec252cf62c2722ad96cb7aaeb069

Analysis

max time kernel
12s
max time network
134s
platform
android_x64
resource
android-33-x64-arm64-20240624-en
resource tags

androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
submitted
13-09-2024 18:46

Target

Live Tiktok.apk
Size

3.3MB
MD5

4106bc5d5551761b8dfeacc47217563b
SHA1

03f9de2ddd7dd96d20d1f06ac3db900b890c73c9
SHA256

c7e0f6bec293dc451cfd65030dcf6b847c83ec252cf62c2722ad96cb7aaeb069
SHA512

89e267ab76e38625955e10c8fc629fa02701ea6ed95c46c07ea8adea579e5d3a6be186862f320c632aa54a00cb526a307d40257bd75d630b5d62125e9baa3821
SSDEEP

49152:P3BzBInlSy8vOFOJ+B2dvBSWDmH/tyEY+jWL9xuKU2L7wuzP/M+4IJj8YarJig9M:p1IlSy86OJ+BKBf0/9CRvUWDM+vJoltC

Score

10^/10

888RAT
888RAT is an Android remote administration tool.
trojan infostealer rat 888rat
Acquires the wake lock 1 IoCs

Processes:

com.example.dat.a8andoserverx

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.example.dat.a8andoserverx

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.example.dat.a8andoserverx

Declares services with permission to bind to the system 1 IoCs

Processes:

description	ioc
Required by accessibility services to bind with the system. Allows apps to access accessibility features.	android.permission.BIND_ACCESSIBILITY_SERVICE

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

Foreground Persistence
T1541

Processes:

com.example.dat.a8andoserverx

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground com.example.dat.a8andoserverx

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	com.example.dat.a8andoserverx

Requests dangerous framework permissions 4 IoCs

Processes:

description	ioc
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.	android.permission.READ_PHONE_STATE
Allows an application to read SMS messages.	android.permission.READ_SMS
Allows an application to send SMS messages.	android.permission.SEND_SMS
Allows an application to receive SMS messages.	android.permission.RECEIVE_SMS

com.example.dat.a8andoserverx
1⤵
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
PID:4349

Initial Access

Execution

Persistence

Foreground Persistence

Privilege Escalation

Defense Evasion

Foreground Persistence

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

/storage/emulated/0/.app.apk

Filesize
1.4MB

MD5
13073de69286b27058682b1f997e8a43

SHA1
0454fc81ab3f0b9fecf2b724ea9f6068f32c3945

SHA256
b666b3d6f59062959281f8eb28da96c3b42db92e5b65846c41b1c60afe193993

SHA512
858cf7cd1b048d260c50ac4113ea23c6859fec53b987d5a9e7aa40d5ffe02f5a4118882db422af01bb697ca39aa1af5fb3028b12f5c7f7d163debc51709decec

Download Submit