Analysis
max time kernel: 16s
max time network: 154s
platform: android-9_x86
resource: android-x86-arm-20240910-en
resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
submitted: 05/02/2025, 22:03
Static task: static1
Behavioral task: behavioral1
  Sample: 69ae5079f26908ff840960dc5bea1d055d3b1bd78318102a4e64b605ee7e4ff9.apk
  Resource: android-x86-arm-20240910-en
Behavioral task: behavioral2
  Sample: 69ae5079f26908ff840960dc5bea1d055d3b1bd78318102a4e64b605ee7e4ff9.apk
  Resource: android-x64-20240910-en
General
Target: 69ae5079f26908ff840960dc5bea1d055d3b1bd78318102a4e64b605ee7e4ff9.apk
Size: 4.1MB
MD5: 45b5377f3a42484d5391af34ad47785c
SHA1: 8fb49e59b8e025a70be935ad0a720a677ca1031d
SHA256: 69ae5079f26908ff840960dc5bea1d055d3b1bd78318102a4e64b605ee7e4ff9
SHA512: e22e285dc0b4739d191f3be9e339e7076af02e0f907cbebb0d7fb7c7584f7c741e7b8ff3c7993bd4672d0308a7f82ff41137fbbf4e4c6fc5fb5cf7611c01f034
SSDEEP: 49152:ygmPDdoPGRo5X3meyRZJyYVza3qc65Kt6u7wpymvMfVVW9BX5pgtflZMekqeDj0V:WD6hbYZkLjtB7fTg7gdlVkXjvYCZAz9F
Malware Config
Extracted (androrat): 3.6.98.232:18443
Signatures

AndroRAT
AndroRAT is an open source Android remote administration tool.

Androrat family

Removes its main activity from the application launcher
pid | Process
4270 | com.tencent.mm
Loads dropped Dex/Jar (1 TTPs, 6 IoCs)
Runs executable file dropped to the device during analysis.
ioc | pid | Process
/data/user/0/com.tencent.mm/app_mph_dex/apk.manager-v1.rizal.xml | 4270 | com.tencent.mm
/data/user/0/com.tencent.mm/app_mph_dex/apk.manager-v1.rizal.xml | 4331 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_mph_dex/apk.manager-v1.rizal.xml --output-vdex-fd=42 --oat-fd=44 --oat-location=/data/user/0/com.tencent.mm/app_mph_dex/oat/x86/apk.manager-v1.rizal.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.tencent.mm/app_mph_dex/apk.manager-v1.rizal.xml | 4270 | com.tencent.mm
/data/user/0/com.tencent.mm/app_mph_dex/apk.manager-v1.rizal.xml | 4270 | com.tencent.mm
/data/user/0/com.tencent.mm/app_mph_dex/apk.manager-v1.rizal.xml | 4392 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_mph_dex/apk.manager-v1.rizal.xml --output-vdex-fd=42 --oat-fd=44 --oat-location=/data/user/0/com.tencent.mm/app_mph_dex/oat/x86/apk.manager-v1.rizal.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.tencent.mm/app_mph_dex/apk.manager-v1.rizal.xml | 4270 | com.tencent.mm
Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description | ioc | Process
Framework service call | android.app.job.IJobScheduler.schedule | com.tencent.mm

Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 1 IoCs)
description | ioc | Process
Framework API call | javax.crypto.Cipher.doFinal | com.tencent.mm
Processes

com.tencent.mm (PID 4270)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Schedules tasks to execute at a specified time
  - Uses Crypto APIs (Might try to encrypt user data)
  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_mph_dex/apk.manager-v1.rizal.xml --output-vdex-fd=42 --oat-fd=44 --oat-location=/data/user/0/com.tencent.mm/app_mph_dex/oat/x86/apk.manager-v1.rizal.odex --compiler-filter=quicken --class-loader-context=& (PID 4331)
    - Loads dropped Dex/Jar
  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_mph_dex/apk.manager-v1.rizal.xml --output-vdex-fd=42 --oat-fd=44 --oat-location=/data/user/0/com.tencent.mm/app_mph_dex/oat/x86/apk.manager-v1.rizal.odex --compiler-filter=quicken --class-loader-context=& (PID 4392)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Downloads

Filesize: 5.9MB
MD5: c8f6ba71cea84260cb55fd11ad2d0c4a
SHA1: d1f1e7e20a168047729d1c959de13401707a5691
SHA256: fb799b0b47b3404aa43a4fd4a6b43d7d8367a58dae8d25ec2d331d9005f8d867
SHA512: 66485f9c9adc1f8514773d14103b62488e3b9ab05a4dac322f17d51641924589b2eee3c46cb67673b0053bc3f3e3de3c013ddc3d2603e0445349867a51e8d774

Filesize: 3.0MB
MD5: 816ff97c55fa609561bd900657ad5431
SHA1: c11f5860337170602824e4c4dc11aac011eb5082
SHA256: cedb29b3dff81aa6652eebd774a501452b16547b627939405f5fb74da849bd09
SHA512: 841bfc69e1cf7508b120d3b17f63590ad8c7ff656615c182b53258783a266893f38239916b3f4d2b4f977aede3f6ce7cfc34881fc2fb37f43ed1bfde838c7b16

Filesize: 8B
MD5: 5bef64cc7650cce5b95c17f2f7de0d41
SHA1: cf282932713ecb4bc4975f3a43185a598338a2c2
SHA256: 5f9da690e712f4cc30ec9888f166676b677beb32a3c67b614b3c5f33d083022a
SHA512: 42a2305c9af3281c190b8305333f5da30d82efaf10389319ffe35f154a1e258b065df4114eef1d47da0eaa50ec874538747aae5b778c679a094ab1dc157c0586

Filesize: 5.9MB
MD5: 68ea026269d9e8aac8298aa5c8f9cd00
SHA1: f1a3fc8227cc91104a1d22c7ce7cbd62a259bbce
SHA256: 4ff7f160d6e57b3d8e24f46e87a7f2cdbf63911c68719ce3dc778d582559c035
SHA512: f92b8a83db2fda067b8561c1ab915627282f98a5c614ae1dd201ca01afa1a84a67bb6ae9a5f9ff43e9113f32130a36813125d37aa8fbfc505a9a4abe4743c082