Analysis
  max time kernel: 149s
  max time network: 151s
  platform: android-10_x64
  resource: android-x64-20240910-en
  resource tags: arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
  submitted: 03/01/2025, 22:06

Static task: static1

Behavioral task: behavioral1
  Sample: a68b1b8bbf7c834a8136b9f9ca221f7dc53225951dcf92ffe629dae037f85532.apk
  Resource: android-x86-arm-20240624-en

Behavioral task: behavioral2
  Sample: a68b1b8bbf7c834a8136b9f9ca221f7dc53225951dcf92ffe629dae037f85532.apk
  Resource: android-x64-20240910-en

General
  Target: a68b1b8bbf7c834a8136b9f9ca221f7dc53225951dcf92ffe629dae037f85532.apk
  Size: 4.0MB
  MD5: 7041e027d96b50bdff7fd945f861a5f8
  SHA1: 263bf5df478abac3e3b66ff375dcb9cd82b3da8d
  SHA256: a68b1b8bbf7c834a8136b9f9ca221f7dc53225951dcf92ffe629dae037f85532
  SHA512: 37d3043f3f9a5261b92f518b12c8b083a2072ea175795b5e8746ddccadb93e24872ca73368cfd45b82c9d41acd2346e2fc900ed72a6ebb7b4ceb8a8e06447519
  SSDEEP: 49152:bgmBx0MkxPGRok3F3eyGAoWdXtAqPShdKOQFcbv7QG6elR0jqBxqN+zOnuyHXGAT:9CkKAoCRPSSOQcB66R0jqBxqvrXTjN
Malware Config
  Extracted family: androrat
  Extracted address: 3.6.98.232:18443
Signatures

AndroRAT
  AndroRAT is an open source Android remote administration tool.

Androrat family
  pid 5102, process com.tencent.mm

Loads dropped Dex/Jar (1 TTPs, 4 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/com.tencent.mm/app_mph_dex/apk.manager-v1.rizal.xml (pid 5102, process com.tencent.mm)

Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  Framework service call: android.content.IClipboard.addPrimaryClipChangedListener (process com.tencent.mm)

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)

Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect account information stored on the device.
  Framework service call: android.accounts.IAccountManager.getAccounts (process com.tencent.mm)

Reads the contacts stored on the device (1 TTPs, 1 IoCs)
  URI accessed for read: content://com.android.contacts/data/phones (process com.tencent.mm)

Reads the content of the call log (1 TTPs, 1 IoCs)
  URI accessed for read: content://call_log/calls (process com.tencent.mm)

Requests cell location (2 TTPs, 1 IoCs)
  Uses Android APIs to get the current cell location.
  Framework service call: com.android.internal.telephony.ITelephony.getCellLocation (process com.tencent.mm)

Acquires the wake lock (1 IoCs)
  Framework service call: android.os.IPowerManager.acquireWakeLock (process com.tencent.mm)

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Framework service call: android.app.IActivityManager.setServiceForeground (process com.tencent.mm)

Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Framework service call: android.net.wifi.IWifiManager.getConnectionInfo (process com.tencent.mm)

Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone (process com.tencent.mm)

Reads information about the phone network operator (1 TTPs)

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  Framework service call: android.app.IActivityManager.registerReceiver (process com.tencent.mm)

Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  Framework service call: android.app.job.IJobScheduler.schedule (process com.tencent.mm)

Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
  Framework API call: javax.crypto.Cipher.doFinal (process com.tencent.mm)

Checks CPU information (2 TTPs, 1 IoCs)
  File opened for read: /proc/cpuinfo (process com.tencent.mm)

Checks memory information (2 TTPs, 1 IoCs)
  File opened for read: /proc/meminfo (process com.tencent.mm)
Processes

com.tencent.mm (PID 5102)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Obtains sensitive information copied to the device clipboard
  - Queries account information for other applications stored on the device
  - Reads the contacts stored on the device
  - Reads the content of the call log
  - Requests cell location
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Queries information about the current Wi-Fi connection
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
  - Uses Crypto APIs (might try to encrypt user data)
  - Checks CPU information
  - Checks memory information
Network
MITRE ATT&CK Mobile v15

Persistence
  Event Triggered Execution: 1
  Broadcast Receivers: 1
  Foreground Persistence: 1
  Scheduled Task/Job: 1

Defense Evasion
  Download New Code at Runtime: 1
  Execution Guardrails: 1
  Geofencing: 1
  Foreground Persistence: 1
  Hide Artifacts: 1
  Suppress Application Icon: 1
  Virtualization/Sandbox Evasion: 2
  System Checks: 2

Discovery
  Location Tracking: 1
  Software Discovery: 1
  Security Software Discovery: 1
  System Information Discovery: 2
  System Network Configuration Discovery: 2
  System Network Connections Discovery: 1
Downloads