baltimorehasem.blogg.se

How to find droidjack on phone













In this blog, we have analyzed the network traffic from a phone infected with DroidJack v4.4 RAT. We were able to decode its connection and found distinctive features such as long duration or heartbeat.


To connect, the phone uses the IP address and the port of the controller specified in the APK. In our case, the IP address of the controller is 147.32.83.253 and the port is 1337/TCP. Also, DroidJack uses the port 1334/TCP as a default port and the phone connects to it later too. The controller IP 147.32.83.253 is the IP address of the Windows 7 virtual machine in our lab computer, meaning that the IP address is not connected to any indicator of compromise (IoC).
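A defender-side sketch of how the two traits named on this page, a long-lived session and a regular heartbeat, can be checked in captured packets. This is an added example, not code from the original analysis: the phone address 10.8.0.57, the packet timings and all thresholds are constructed assumptions; only the controller IP and the two ports come from the text above.

```python
from collections import defaultdict
from statistics import mean, pstdev

KNOWN_PORTS = {1334, 1337}  # 1334: default per the post; 1337: port used in this capture
MIN_DURATION = 300.0        # seconds; assumed threshold for "long duration"
MAX_JITTER = 0.2            # assumed max stdev/mean of packet gaps for a "heartbeat"
MIN_PACKETS = 5             # ignore flows too short to judge

def constructed_packets():
    """Constructed sample packets: (ts_seconds, src, dst, dst_port)."""
    pkts = []
    # Phone keeps one TCP session to the lab controller, one packet every ~30 s.
    for i in range(20):
        ts = i * 30.0 + (0.4 if i % 2 else 0.0)
        pkts.append((ts, "10.8.0.57", "147.32.83.253", 1337))
    # Ordinary browsing: a short, irregular burst of HTTPS packets.
    for ts in (1.0, 1.2, 1.3, 4.9, 5.0, 9.7):
        pkts.append((ts, "10.8.0.57", "203.0.113.10", 443))
    return pkts

def find_heartbeat_flows(packets):
    """Return flows that are both long-lived and evenly spaced in time."""
    flows = defaultdict(list)
    for ts, src, dst, dport in packets:
        flows[(src, dst, dport)].append(ts)
    hits = []
    for key, times in flows.items():
        times.sort()
        if len(times) < MIN_PACKETS:
            continue
        duration = times[-1] - times[0]
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else float("inf")
        if duration >= MIN_DURATION and jitter <= MAX_JITTER:
            hits.append({
                "flow": key,
                "duration": duration,
                "mean_gap": round(avg, 1),
                # Port match is context only: the port is set in the APK.
                "known_port": key[2] in KNOWN_PORTS,
            })
    return hits

if __name__ == "__main__":
    for hit in find_heartbeat_flows(constructed_packets()):
        print(hit)
```

Because the controller port is chosen when the APK is built, the timing test is the primary signal here and the port match is reported only as supporting context.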


The details about the network traffic capture are:

UTC time of the infection in the capture: 14:10:43 UTC

Once the APK was installed on the phone, it directly tried to establish a TCP connection with the command and control (C&C) server.


The RAT software was executed on a Windows 7 virtual machine with Ubuntu 20.04 as a host. The Android Application Package (APK) built by the RAT builder was installed in the Android virtual emulator called Genymotion with Android version 8. While performing different actions on the RAT controller (e.g. upload a file, get GPS location, monitor files, etc.), we captured the network traffic on the Android virtual emulator.


This is the second blog of a series analyzing the network traffic of Android RATs from our Android Mischief Dataset, a dataset of network traffic from Android phones infected with Remote Access Trojans (RAT). In this blog post we provide the analysis of the network traffic of the RAT02-DroidJack v4.4. The goal of each of our RAT experiments is to use the software ourselves and to execute every possible action while capturing all the traffic and storing all the logs. So these RAT captures are functional and were used in real attacks. The DroidJack v4.4 RAT is a software package that contains the controller software and builder software to build an APK.













