General

  • Target

    283bdca4759a7e79094d6c64f4408b23a00df6ab5c96fa131f1abdfbf13bbb7f.bin

  • Size

    4.0MB

  • Sample

    250213-1z52cswrex

  • MD5

    3ab3e18c9ef82e356c68455d08fbacd8

  • SHA1

    749c09dc2f0f4eea4b66095aea0d5262f8c65178

  • SHA256

    283bdca4759a7e79094d6c64f4408b23a00df6ab5c96fa131f1abdfbf13bbb7f

  • SHA512

    be5de0b9b428c02efe832102201dad25034ddc8a0c7545b7ac2e161d7c6b7ff0120737b206c149783f3a9e55d9d0d01a835ef12082bcb05911e6b2c46415b0bc

  • SSDEEP

    98304:vip5D/CYgV4R8yXJk/tUbjigQK2rVW9HWdTKkv1PNXI1:PZK8y5otMJ2rVW7kv19I1

Malware Config

Extracted

Family

androrat

C2

3.6.98.232:18443

Targets

    • Target

      283bdca4759a7e79094d6c64f4408b23a00df6ab5c96fa131f1abdfbf13bbb7f.bin

    • Size

      4.0MB

    • MD5

      3ab3e18c9ef82e356c68455d08fbacd8

    • SHA1

      749c09dc2f0f4eea4b66095aea0d5262f8c65178

    • SHA256

      283bdca4759a7e79094d6c64f4408b23a00df6ab5c96fa131f1abdfbf13bbb7f

    • SHA512

      be5de0b9b428c02efe832102201dad25034ddc8a0c7545b7ac2e161d7c6b7ff0120737b206c149783f3a9e55d9d0d01a835ef12082bcb05911e6b2c46415b0bc

    • SSDEEP

      98304:vip5D/CYgV4R8yXJk/tUbjigQK2rVW9HWdTKkv1PNXI1:PZK8y5otMJ2rVW7kv19I1

    • AndroRAT

      AndroRAT is an open source Android remote administration tool.

    • Androrat family

    • Removes its main activity from the application launcher

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Obtains sensitive information copied to the device clipboard

      Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Queries account information for other applications stored on the device

      Application may abuse the framework's APIs to collect account information stored on the device.

    • Reads the contacts stored on the device.

    • Reads the content of the calendar entry data.

    • Reads the content of the call log.

    • Requests cell location

      Uses Android APIs to to get current cell location.

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Queries information about the current Wi-Fi connection

      Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    • Reads information about phone network operator.

MITRE ATT&CK Mobile v15

Tasks