Analysis
- max time kernel: 30s
- max time network: 134s
- platform: android-9_x86
- resource: android-x86-arm-20240910-en
- resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
- submitted: 13/02/2025, 22:06
Static task
static1
Behavioral task
behavioral1
Sample
283bdca4759a7e79094d6c64f4408b23a00df6ab5c96fa131f1abdfbf13bbb7f.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
283bdca4759a7e79094d6c64f4408b23a00df6ab5c96fa131f1abdfbf13bbb7f.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
283bdca4759a7e79094d6c64f4408b23a00df6ab5c96fa131f1abdfbf13bbb7f.apk
-
Size
4.0MB
-
MD5
3ab3e18c9ef82e356c68455d08fbacd8
-
SHA1
749c09dc2f0f4eea4b66095aea0d5262f8c65178
-
SHA256
283bdca4759a7e79094d6c64f4408b23a00df6ab5c96fa131f1abdfbf13bbb7f
-
SHA512
be5de0b9b428c02efe832102201dad25034ddc8a0c7545b7ac2e161d7c6b7ff0120737b206c149783f3a9e55d9d0d01a835ef12082bcb05911e6b2c46415b0bc
-
SSDEEP
98304:vip5D/CYgV4R8yXJk/tUbjigQK2rVW9HWdTKkv1PNXI1:PZK8y5otMJ2rVW7kv19I1
Malware Config
Extracted
androrat
3.6.98.232:18443
Signatures
-
AndroRAT
AndroRAT is an open source Android remote administration tool.
-
Androrat family
-
Removes its main activity from the application launcher
pid | Process
4325 | com.tencent.mm
Loads dropped Dex/Jar 1 TTPs 4 IoCs
Runs executable file dropped to the device during analysis.
ioc | pid | Process
/data/user/0/com.tencent.mm/app_mph_dex/apk.manager-v1.rizal.xml | 4325 | com.tencent.mm
/data/user/0/com.tencent.mm/app_mph_dex/apk.manager-v1.rizal.xml | 4325 | com.tencent.mm
/data/user/0/com.tencent.mm/app_mph_dex/apk.manager-v1.rizal.xml | 4325 | com.tencent.mm
/data/user/0/com.tencent.mm/app_mph_dex/apk.manager-v1.rizal.xml | 4325 | com.tencent.mm
Makes use of the framework's Accessibility service 4 TTPs 1 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description | ioc | Process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.tencent.mm
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
description | ioc | Process
Framework service call | android.accounts.IAccountManager.getAccounts | com.tencent.mm
Reads the contacts stored on the device. 1 TTPs 1 IoCs
description | ioc | Process
URI accessed for read | content://com.android.contacts/data/phones | com.tencent.mm
Reads the content of the calendar entry data. 1 TTPs 1 IoCs
description | ioc | Process
URI accessed for read | content://com.android.calendar/events | com.tencent.mm
Reads the content of the call log. 1 TTPs 1 IoCs
description | ioc | Process
URI accessed for read | content://call_log/calls | com.tencent.mm
Requests cell location 2 TTPs 1 IoCs
Uses Android APIs to get the current cell location.
description | ioc | Process
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | com.tencent.mm
Acquires the wake lock 1 IoCs
description | ioc | Process
Framework service call | android.os.IPowerManager.acquireWakeLock | com.tencent.mm
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description | ioc | Process
Framework service call | android.app.IActivityManager.setServiceForeground | com.tencent.mm
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description | ioc | Process
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.tencent.mm
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description | ioc | Process
Framework service call | android.app.IActivityManager.registerReceiver | com.tencent.mm
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description | ioc | Process
Framework service call | android.app.job.IJobScheduler.schedule | com.tencent.mm
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description | ioc | Process
Framework API call | javax.crypto.Cipher.doFinal | com.tencent.mm
Processes
-
com.tencent.mm
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the calendar entry data.
- Reads the content of the call log.
- Requests cell location
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
PID: 4325
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
- Broadcast Receivers (1)
- Foreground Persistence (1)
- Scheduled Task/Job (1)
Defense Evasion
- Download New Code at Runtime (1)
- Execution Guardrails (1)
- Geofencing (1)
- Foreground Persistence (1)
- Hide Artifacts (1)
- Suppress Application Icon (1)
- Input Injection (1)
Discovery
- Location Tracking (1)
- Software Discovery (1)
- Security Software Discovery (1)
- System Network Configuration Discovery (1)
- System Network Connections Discovery (1)
Downloads
-
Filesize: 5.9MB
MD5: 7caaf4427f6acc3950b1d3ebc80df00f
SHA1: 333d57b54d19568c9e42a7c7390980fb9042168e
SHA256: e0eb90ee2f34e485a846986d0373a240ac78aafd33302e68f42b88cf2a372472
SHA512: 7e78f7942297a1970b5507882438d3b679a31b81565d6938983951bb2e1842ea822ba6e7dd4737f1cd101855e21d7fe1b91f8ea141bf8f40e2382755102a68ce
-
Filesize: 4KB
MD5: f2b4b0190b9f384ca885f0c8c9b14700
SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize: 512B
MD5: 5fd6e168db6260b223b223f04b6cc48b
SHA1: 68cc7bea79fab61e541e84f8959745bf84a3a701
SHA256: 32762ff44aac4d17606b34482751218650afdb876577b24d371b107948286f3c
SHA512: 54afd0316924a5c123aea1ea861a57492f952371bbf6d2f8976c6736c405fdea9cd992be76444b65c67f98552cac1d34f3b5aa35954d776a16038f4a6e41b9ef
-
Filesize: 32KB
MD5: bb7df04e1b0a2570657527a7e108ae23
SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize: 60KB
MD5: cf5167b77c37c141fc111c3599d2b38c
SHA1: 995d6c266d999c1e917106e0a00a9b0036bc154a
SHA256: f7c633be47261f5692b5a8737982333c7f023ebb39bc54135a00245bd33cf691
SHA512: 8e214df041879897f1df5800a9345e9e52ac325c2b72c8c5108b7b16c4483948a10f58518e929e6b58cd053c4afbfeae111a4e61f63a444eebe6e78815f8bd76
-
Filesize: 512B
MD5: 8f285fb8e91fa1fdf005086f8df0e250
SHA1: 8b63e6b86c913b3704b0a1cfe5b853d19ca4cf47
SHA256: 20b7189032594d43d50d84be98b40b70d938cec607c0a0cb9315b613ccaa2de5
SHA512: a525f054c440498dd7e85868893899f22779efe96e32fc6c71fd2b21950f353efb6e841d5b4d350352c501e086e3c8c16cb4079477629c35baa877dba0f9db6d
-
Filesize: 28KB
MD5: 3262714c35048cd698b1b08dd9b82e8b
SHA1: 8d9394cc9254eef4bf7dc5cb99e93fcdcde3e3bc
SHA256: ac0059a2791198b06bf442036968ff169df95462f64b83f85a555a7fa3732ee4
SHA512: d46f9545d825a95e8ee533e24c7817ae557c19b64e9f3d9ccc4d4f7cf6c3a88be41bab8a4de4285643c74df4978a9e054ce00a18707c4734bb7063634acc2358
-
Filesize: 3B
MD5: 58e0494c51d30eb3494f7c9198986bb9
SHA1: cd0d4cc32346750408f7d4f5e78ec9a6e5b79a0d
SHA256: 37517e5f3dc66819f61f5a7bb8ace1921282415f10551d2defa5c3eb0985b570
SHA512: b7a9336ed3a424b5d4d59d9b20d0bbc33217207b584db6b758fddb9a70b99e7c8c9f8387ef318a6b2039e62f09a3a2592bf5c76d6947a6ea1d107b924d7461f4
-
Filesize: 116B
MD5: 9acd999fa1d8cda340f50cbfc8e8897e
SHA1: e321f5e4795026d00677d3024e04ca59d61afe9b
SHA256: 8e1c6779565c8c1e6668b881553ead84f491b4a637c9e1f55c4f8f311de3cee8
SHA512: 6c5e2fcb2a494f7ebb6426c3a41ea6725d73f764501ae8313888c245d84a4874d135d678802dd7c2572541adedaae15c83d07c2cc8414418a06a6d0e91c05163
-
Filesize: 126B
MD5: 1dea6256ffb156e494a0ed36e5347578
SHA1: ffde87703553d8c333cba61ec288de17587c0861
SHA256: 9bd4666f2f8d070c4ecb984f46d76b518a8fbe447dcca19851cdd4475d50d3a9
SHA512: fafb9e957721a4406bee34bc1a2f6fffe0230ae496258633e572dc4d43d5fe331a38b6511c87e8faf6cc17ae770ea5f81d6b2932cd17efbaf076323665122950
-
Filesize: 116B
MD5: 7adba86b8d45716cf60a0300096146d7
SHA1: c2e24675bf056210f104d2449c85bae9b481d01d
SHA256: e9136693d48a476a68780c05d112c1f663bbabe8f1940061f743dc1bb928db18
SHA512: 7a795337d93926ab12ce9bc9e53940df829c609ecb2d963e1ca332ebc2422d88b6d7df9d11464869a38ca62005750126305fe8762150228f6434e7e3bad979c2
-
Filesize: 126B
MD5: a2e74b93aad811f6624748e417d433e2
SHA1: 14523f00042eee40c6db9c7aea93ed13b8a75fe9
SHA256: 5e58d58c3025a264505e44c48b6f83151cf595effdfa9dc8d1b22b98777603af
SHA512: 341bb7f91bab9e6be772787ef5427803685b21117fa25c8d706791a3789a6b04a7e404725bdcc58e005950ef04b9147bdbc42e9550f44779e2f8131ad100ccca
-
Filesize: 341B
MD5: 2ccc9369eedaf096efcd9ee4f68cabb9
SHA1: 73ad96a6c1866f8bbf749c59daa184113bd50277
SHA256: 946b4e8c8265b3df9e098d5b07a7fa87fea87f2bf2a8fbffef5c9b2b0ce72bf8
SHA512: e425f59701eafe12fd46c3f0634c6b44842fa0aae6357c81d70771f067f3b052107311296ddacacc190adce7a8d2fd07c3425803ba0f92d08fea8748f9ea3dc8
-
Filesize: 430B
MD5: 4add4e19aed042b4277ec261510e1db7
SHA1: 370e00098008f83a432339098d1f63a8fc789172
SHA256: a21be71bd037feae630738575c70c4bb88dce3e5b4a1ebca370f7e94291eed9f
SHA512: 68805862e74d00fee76800582e1947206b14b32f26e37b3b88a28d27d539c301ab0910ea41292a795dd403f2f606e358372593f6260c212a8ab8b6568cefb5c8
-
Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize: 609B
MD5: 71235e52e8500b8afd06e58844faf79f
SHA1: 8a30da73a000032cb0316d2541e6dd84d8ef37c4
SHA256: d9cbd1e096a3c380ab2be90edf96f9b19ee162cb68e9c1be77bc8251cd7cc783
SHA512: 1b259abf71495eca46baa6d41c5f1e0435ff3baad85b69be113b3cfdfcd63127e283e3876c7b85e5ff0b1f3cc659f5a79301babaa41d2b91de8db6a35c66958a
-
Filesize: 5KB
MD5: b1356b307602e0458f966b6c3f65f6c2
SHA1: 35efa8ba45f7801fd01ae03033d8dfe2228d7093
SHA256: 13aa31a50a7e3d9dac43e1c95b9f1dd360fa1e74200b80ead086a1b546fe907e
SHA512: 9ac27473d618d6d8c1cf74363afedb67ed56a4289183914c0a27313e04bd79adad0c56ce8ccce47bb27e21476d1881aedf283040aaecf3f0cf7fe0cec1cdcaf2
-
Filesize: 2.9MB
MD5: 0cde52a22676973616207325e6d28e43
SHA1: 3f395a88b28c0bb248dbb2d9deefa2b69a6cd53a
SHA256: 2138f6e7b16413924b92c8292022cccdf738a239a8929f38717d7a86586ca934
SHA512: 2d4f88b0b9a49c04176678a66d366202836a03ad8424796fe73efc46e648195eba0d28681542a425c792fce8b32cf3e385e75a77475c3785add0c7d09d358519
-
Filesize: 8B
MD5: 1c81a241aa3134f5e4702e401032ce03
SHA1: 0be8c30c5d5303ea7f7ffec16fe8c6e8a1c93b92
SHA256: 14c29a5496904182d3dd0d35373f6532dafd626acfdff4c5ed33f508e2558412
SHA512: ccdabc4a1e6b3e1a856a474e325debb2f24a85c63dd4c82c7bdd0683c516eb46fcf19a8718e02298e81eff322db99f526c2c36db16d3d7243130630ea09168cd
-
Filesize: 174B
MD5: 572ce0c5c823ae6470ca2b05b2ed6ea7
SHA1: e903d32aa00b4a51df6b7726b9250b54fa10563d
SHA256: 068e0e95471c134b2cfb2417b9a28b1a08d39a997354bc3b9a6091d1afe6c252
SHA512: c17b7193fb8b22a2653e7cf36cde15ef74786805cc1c6425b78f2014546248b57739befb52d769ff6ec690dc4bdeeccc632e81f2e4cd686ae72efc025112239e