{
	"id": "497332f9-b9c6-439a-9be8-6141d532e53a",
	"created_at": "2026-04-06T00:16:34.338078Z",
	"updated_at": "2026-04-10T03:20:22.016418Z",
	"deleted_at": null,
	"sha1_hash": "21215e4952b655c2c9777cf16b2c800c063ef356",
	"title": "Dissecting a RAT. Analysis of DroidJack v4.4 RAT network traffic. — Stratosphere Laboratory",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1180355,
	"plain_text": "Dissecting a RAT. Analysis of DroidJack v4.4 RAT network traffic.\r\n— Stratosphere Laboratory\r\nPublished: 2021-02-03 · Archived: 2026-04-05 12:56:23 UTC\r\nThis is the second blog of a series analyzing the network traffic of Android RATs from our Android Mischief Dataset [more information here], a dataset of network traffic from Android phones infected with Remote Access Trojans (RAT). In this blog post we provide the analysis of the network traffic of the RAT02-DroidJack v4.4 [download here].\r\nRAT Details and Execution Setup\r\nThe goal of each of our RAT experiments is to use the software ourselves and to execute every possible action while capturing all the traffic and storing all the logs. So these RAT captures are functional and were used in real attacks.\r\nThe DroidJack v4.4 RAT is a software package that contains the controller software and the builder software used to build an APK. It was executed on a Windows 7 virtual machine with Ubuntu 20.04 as the host. The Android Application Package (APK) built by the RAT builder was installed in the Android virtual emulator Genymotion with Android version 8.\r\nWhile performing different actions on the RAT controller (e.g. upload a file, get GPS location, monitor files, etc.), we captured the network traffic on the Android virtual emulator.\r\nThe details about the network traffic capture are:\r\nThe controller IP address: 147.32.83.253\r\nThe phone IP address: 10.8.0.57\r\nUTC time of the infection in the capture: 2020-08-01 14:10:43 UTC\r\nInitial Communication and Infection\r\nOnce the APK was installed on the phone, it directly tries to establish a TCP connection with the command and control (C\u0026C) server. To connect, the phone uses the IP address and the port of the controller specified in the APK. In our case, the IP address of the controller is 147.32.83.253 and the port is 1337/TCP. 
Also, DroidJack uses the port 1334/TCP as a default port and the phone connects to it later too. The controller IP 147.32.83.253 is the IP address of the Windows 7 virtual machine in our lab computer, meaning that the IP address is not connected to any indicator of compromise (IoC).\r\nhttps://www.stratosphereips.org/blog/2021/1/22/analysis-of-droidjack-v44-rat-network-traffic\r\nPage 1 of 6\n\nFigure 1. A 3-way handshake started by the phone to establish a TCP connection with the C\u0026C controller.\r\nIn Figure 1 we can see that the connection was established, but the C\u0026C server was resetting it several times. After a while a successful 3-way handshake was performed and the connection was established; the C\u0026C then sends the next packet with the following data:\r\nFigure 2. Data sent by the C\u0026C after establishing the first TCP connection with the phone.\r\nFigure 3. Data sent by the phone with initialization parameters.\r\nFigure 4. Bytes sent from the phone to the C\u0026C controller in one packet, including how we found the format.\r\nIn Figure 4, the actual length of the packet is 64. The byte 0x3C is 60 in decimal, which is exactly the length of the packet without the packet-length byte 0x3C itself (1 byte) and the sequence of NULL characters (3 bytes).\r\nIn the small packets of length 1 or 2, like in Figure 2 or in the heartbeat in Figure 6, there are no delimiters. Thus only packets with data of more than 2 bytes sent between the C\u0026C and the phone over 1337/TCP have the following format:\r\n{00 00 00}{data length}{delimiter}{data in plain text}\r\nFigure 5. The format of packets sent from the C\u0026C and the phone as part of the custom protocol used by the RAT.\r\nAfter sending the phone parameters, the phone waits for a command from the controller. 
While waiting for the command, the phone and the C\u0026C maintain a heartbeat, which in this case is a couple of packets in both directions inside the same connection. They exchange packets every 8 seconds.\r\nFigure 6. The heartbeat between the C\u0026C and the phone.\r\nAfter some time, when it is requested by the botmaster, the C\u0026C server sends a packet with the command to the phone. The command is ‘File Voyager’, which aims to search through the file system of the phone. In the C\u0026C software, the command ‘File Voyager’ looks like this:\r\nFigure 7. The command ‘File Voyager’ in the DroidJack v4.4 C\u0026C software.\r\nFigure 8. Command ‘File Voyager’ sent from the C\u0026C after the heartbeat.\r\nThe commands from the C\u0026C server to the phone seem to be predefined with a specific number. From Figure 8, number 20 might define the command ‘File Voyager’ and it is followed by some extra parameters (false#/~#0194074 5667#.). The character ‘#’ might be a separator between parameters. As a reply to the C\u0026C command, the phone sends back:\r\nFigure 9. The phone’s reply to the command ‘File Voyager’ sent by the C\u0026C.\r\nFigure 10. The phone replies to the command sent by the C\u0026C on port 1337/TCP (shown in Figure 8) with data over another connection on port 1334/TCP.\r\nFigure 11. Packet sent from the phone to the controller over 1334/TCP.\r\nFigure 12. UDP packets from the phone to the C\u0026C server sent every 20 seconds over port 1337/UDP.\r\nFigure 13. Example data inside the UDP packets on port 1337/UDP sent from the phone to the controller.\r\nFigure 14. Top connections between the phone and the controller from Wireshark -\u003e Statistics -\u003e Conversations -\u003e TCP. 
Note the long duration of the main connections.\r\nFigure 15. Behavioral model of the connection between the phone and the C\u0026C over 1334/TCP.\r\nFigure 16. Alert from Slips that it detects a C\u0026C channel over port 1334/TCP using a machine learning LSTM neural network. The LSTM uses the letters shown in Figure 15.\r\nFigure 17. Behavioral model created by Slips for the connection between the phone and the C\u0026C over 1337/UDP.\r\nConclusion\r\nIn this blog, we have analyzed the network traffic from a phone infected with the DroidJack v4.4 RAT. We were able to decode its connection and found distinctive features such as long duration and heartbeat. The DroidJack v4.4 RAT does not seem to be complex in its communication protocol and it is not sophisticated in its work.\r\nTo summarize, the details found in the network traffic of this RAT are:\r\nThe phone connects directly to the IP address and ports specified in the APK (default port and custom port).\r\nSome connections over port 1337/TCP between the phone and the controller are long, i.e. more than 30 minutes.\r\nThere is a heartbeat between the controller and the phone over 1337/TCP.\r\nPackets sent from the phone and the C\u0026C over port 1337/TCP have the form {00 00 00}{data length}{delimiter}{data in plain text}.\r\nA new connection over 1334/TCP is established when a new command is received from the C\u0026C.\r\nThe phone sends UDP packets to the C\u0026C every 20 seconds.\r\nPackets sent from the phone to the C\u0026C over 1334/TCP and 1337/UDP are in plain text.\r\nSource: https://www.stratosphereips.org/blog/2021/1/22/analysis-of-droidjack-v44-rat-network-traffic",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.stratosphereips.org/blog/2021/1/22/analysis-of-droidjack-v44-rat-network-traffic"
	],
	"report_names": [
		"analysis-of-droidjack-v44-rat-network-traffic"
	],
	"threat_actors": [],
	"ts_created_at": 1775434594,
	"ts_updated_at": 1775791222,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/21215e4952b655c2c9777cf16b2c800c063ef356.pdf",
		"text": "https://archive.orkl.eu/21215e4952b655c2c9777cf16b2c800c063ef356.txt",
		"img": "https://archive.orkl.eu/21215e4952b655c2c9777cf16b2c800c063ef356.jpg"
	}
}