{
	"id": "04d87916-778a-472a-841a-edff8657da64",
	"created_at": "2026-04-06T01:31:58.734181Z",
	"updated_at": "2026-04-10T13:11:35.615973Z",
	"deleted_at": null,
	"sha1_hash": "604c3090ae09f82219eacf2e5a1c29c4fd4315e0",
	"title": "Dissecting a RAT. Analysis of the Command-line AndroRAT. — Stratosphere Laboratory",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 91794,
	"plain_text": "Dissecting a RAT. Analysis of the Command-line AndroRAT. —\r\nStratosphere Laboratory\r\nPublished: 2021-06-01 · Archived: 2026-04-06 01:17:29 UTC\r\nThis blog post was authored by Kamila Babayeva (@_kamifai_) and Sebastian Garcia (@eldracote).\r\nThe RAT analysis research is part of the Civilsphere Project (https://www.civilsphereproject.org/), which aims to\r\nprotect the civil society at risk by understanding how the attacks work and how we can stop them. Check the\r\nwebpage for more information.\r\nThis is the seventh blog of a series analyzing the network traffic of Android RATs from our Android Mischief\r\nDataset [more information here], a dataset of network traffic from Android phones infected with Remote Access\r\nTrojans (RAT). In this blog post we provide the analysis of the network traffic of the RAT08-command-line-AndroRAT [download here]. The previous blogs analyzed Android Tester RAT, DroidJak RAT, AndroRAT RAT,\r\nSpyMax RAT, AhMyth RAT and HawkShaw RAT. \r\nExecution Setup\r\nThe goal of each of our RAT experiments is to use the software ourselves and to execute every possible action\r\nwhile capturing all the traffic and storing all the logs. So these RAT captures are functional and were used in real\r\nattacks.\r\nDespite its name “Command line AndroRAT”, this RAT has no clear relationship with the RAT called\r\n“AndroRAT”. The Command line AndroRAT is a software package that contains the controller software and\r\nbuilder software to build an APK. It was executed on a Windows 7 guest virtual machine with Ubuntu 20.04 as a\r\nhost. The Android Application Package (APK) built by the RAT builder was installed in the Android virtual\r\nemulator called Genymotion using Android version 8. \r\nWhile performing different actions on the RAT controller (e.g. upload a file, get GPS location, monitor files, etc.),\r\nwe captured the network traffic on the Android virtual emulator. 
\r\nThe details about the network traffic capture are:\r\nThe controller IP address: 147.32.83.157\r\nThe phone IP address: 147.32.83.245\r\nUTC time of the infection in the capture: 2020-12-05 11:46:43 UTC\r\nRAT Details\r\nThis Command-line AndroRAT software was the first one in our dataset that did not have a graphical user\r\ninterface. Instead, it uses a command line interface to control the target’s device. Figure 1 shows the welcome\r\nmessage in the command line while waiting for the infected device to connect.\r\nhttps://www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-command-line-androrat\r\nPage 1 of 6\n\nFigure 1. Welcome message in the Command-line AndroRAT interface. The message is shown until\r\nthe infected phone is connected.\r\nFigure 2. The controller IP and port specified during compilation can be seen in the code inside the\r\nAPK installed in the victim’s device. The phone uses the controller IP 147.32.83.157 and the port\r\n1337 to establish a TCP connection.\r\nThe phone initiates a 3-way TCP handshake to establish the connection between the phone and the C\u0026C. Figure\r\n3 shows these initial packets. The connection was successfully established without any reconnections, but with one\r\nretransmission packet. The lack of reconnections may be because both controller and victim were in the same\r\nnetwork.\r\nFigure 3. A 3-way TCP handshake between the controller (147.32.83.157) and the phone\r\n(147.32.83.245). The connection was initiated by the phone and there is one retransmission\r\npacket. 
\r\nAfter the phone got infected and the connection between the phone and the controller was established, the phone\r\nsent a welcome message together with the phone model “Samsung-2”, as shown in Figure 4. The code from the\r\nmalicious APK that sends the welcome message to the controller is shown in Figure 5. \r\n0000   48 65 6c 6c 6f 20 74 68 65 72 65 2c 20 77 65 6c   Hello there, wel\r\n0010   63 6f 6d 65 20 74 6f 20 72 65 76 65 72 73 65 20   come to reverse \r\n0020   73 68 65 6c 6c 20 6f 66 20 53 61 6d 73 75 6e 67   shell of Samsung\r\n0030   2d 32 0a                                          -2.\r\nFigure 4. The welcome message with the model of the phone sent from the infected phone to the controller after a\r\nsuccessful infection. Notice the English language.\r\nFigure 5. Code from the malicious APK that sends the welcome message to the C\u0026C.\r\nAfter sending the welcome message, the phone waits for a C\u0026C command. While waiting for the C\u0026C command,\r\nthere was no heartbeat between the phone and the controller. \r\nThe phone then received its first executed C\u0026C command ‘device info’, which aims to retrieve the details about the\r\nphone’s hardware, system, settings, etc. Figure 6 shows the data field of the packet with the command ‘device\r\ninfo’. The C\u0026C command is sent in plaintext, without any structure. \r\n0000   64 65 76 69 63 65 49 6e 66 6f 0a                  deviceInfo.\r\nFigure 6. The data field of the packet with the C\u0026C command ‘device info’ that aims to retrieve the details about\r\nthe infected device. The data is in plaintext without any structure.\r\nThe phone answers the command ‘device info’ with device details composed of Manufacturer, Version/Release,\r\nProduct, Model, Brand, Device and Host. The data field of this packet is displayed in Figure 7. 
It is important to\r\nnotice that the answer from the phone does not follow any structure; the data is sent in plaintext.\r\n--------------------------------------------\r\nManufacturer: unknown\r\nVersion/Release: 8.1.0\r\nProduct: vbox86p\r\nModel: Samsung-2\r\nBrand: Android\r\nDevice: vbox86p\r\nHost: 49cfa9ee5067\r\n--------------------------------------------\r\nFigure 7. The data field of the packet with the phone’s answer to the C\u0026C command ‘device info’. The data is\r\nsent in plaintext without any structure. It may seem that the controller is separating these values by searching for\r\nthe words “Manufacturer:”, “Version/Release”, etc.\r\nThe request and answer to the C\u0026C command ‘device info’ as shown in the command line interface of the C\u0026C\r\nare displayed in Figure 8. \r\nFigure 8. The command line interface of the C\u0026C with the executed command ‘Device Info’ and\r\nthe phone’s reply. The characters “[36m” and similar seem to be related to a bug in the assignment\r\nof colors to the interface.\r\nExample of C\u0026C Commands\r\nThrough the whole communication, the controller sends the C\u0026C commands in plaintext, and the phone answers these\r\ncommands in plaintext as well. When the controller or the victim sends a large amount of data, e.g. photo, video,\r\naudio or text files, it marks the end of the data by adding the string ‘END123\\n’ at the end. \r\nAs an example we can analyze the exchange of packets between the C\u0026C and the victim during the C\u0026C\r\ncommand ‘getSMS’. This command aims to retrieve the messages sent and received by the targeted device. The\r\ndata of the packet with the ’getSMS’ command is displayed in Figure 9. As before, the data is sent in plaintext and\r\ndoes not follow any structure. 
As a reply to this command, the phone sends two packets: the first packet confirms\r\nthe execution of the C\u0026C command (Figure 10), and the second packet sends the actual data (Figure 11).\r\n0000  67 65 74 53 4d 53 20 69 6e 62 6f 78 0a    getSMS inbox.\r\nFigure 9. The data field of the packet sent by the controller with the C\u0026C command ‘getSMS’ that aims to retrieve\r\nthe message inbox inside the targeted phone.\r\n0000  72 65 61 64 53 4d 53 20 69 6e 62 6f 78 0a   readSMS inbox.\r\nFigure 10. The data field of the packet sent by the victim phone with the text ‘readSMS’ as a confirmation answer\r\nto the command “getSMS”.\r\n#0\r\nNumber : 333333\r\nPerson : null\r\nDate : Sun Jun 13 13:18:52 EST 52877\r\nBody : Hey! i am thwoing a party at my house next week! wanna join?\r\n#1\r\nNumber : 928934\r\nPerson : null\r\nDate : Sun Jun 13 04:14:21 EST 52877\r\nBody : Hello! How are you and your child? Are you back from vacation already?\r\nEND123\r\nFigure 11. The data field of the phone reply to the command ‘getSMS’. The messages are sent in plaintext. In\r\norder to mark the end of the data, it puts the ‘END123\\n’ string at the end of the data. The fields seem to be\r\nseparated, again, by searching for keywords such as “Number”, “Person”, etc.\r\nThere are a total of 18 commands that the RAT software can perform on the targeted device. 
The complete list is\r\nshown in Figure 12.\r\ndeviceInfo --\u003e returns basic info of the device\r\ncamList --\u003e returns cameraID\r\ntakepic [cameraID] --\u003e Takes picture from camera\r\nstartVideo [cameraID] --\u003e starts recording the video\r\nstopVideo --\u003e stop recording the video and return the video file\r\nstartAudio --\u003e starts recording the audio\r\nstopAudio --\u003e stop recording the audio\r\ngetSMS [inbox|sent] --\u003e returns inbox sms or sent sms in a file\r\ngetCallLogs --\u003e returns call logs in a file\r\nshell --\u003e starts a interactive shell of the device\r\nvibrate [number_of_times] --\u003e vibrate the device number of time\r\ngetLocation --\u003e return the current location of the device\r\ngetIP --\u003e returns the ip of the device\r\ngetSimDetails --\u003e returns the details of all sim of the device\r\nclear --\u003e clears the screen\r\ngetClipData --\u003e return the current saved text from the clipboard\r\ngetMACAddress --\u003e returns the mac address of the device\r\nexit --\u003e exit the interpreter\r\nFigure 12. The complete list of 18 commands that can be used from the controller. It is a print of the help function\r\nin the C\u0026C interface.\r\nEnd of communication\r\nAfter the C\u0026C sends the command ‘exit’ (Figure 13), the connection between the phone and the controller should\r\nhave been closed. However, in our experiment, after the connection was closed (Figure 14), the phone attempts to\r\nreconnect to the C\u0026C several times with an interval of 3 seconds (Figure 15), showing a buggy implementation of\r\nthe exit function in the APK, or showing that the controller may no longer be active but giving the victims the\r\nopportunity to reconnect if necessary.\r\n0000  65 78 69 74 0a exit.\r\nFigure 13. 
The C\u0026C command ‘exit’ that aims to close the connection between the phone and the controller.\r\nFigure 14. Successful 4-way handshake TCP termination between the controller and the targeted\r\nphone after the C\u0026C command ‘exit’.\r\nFigure 15. After the phone received the ‘exit’ C\u0026C command, it still tries to reconnect with the\r\ncontroller. However, the controller already closed the socket after the ‘exit’ C\u0026C command.\r\nThe complete communication between the phone and the controller in the experiment happened in one flow.\r\nAccording to Wireshark-Statistics-Conversations (Figure 16), the connection between the phone and the controller\r\nis the longest (approximately 16 minutes) in the traffic. However, based on previous RAT\r\nanalyses in the Android Mischief dataset, connections to services such as Facebook, Instagram, etc. might be\r\nlonger than the 16 minutes of this malicious connection. Due to the victim reconnecting to the C\u0026C several times\r\nafter the connection was closed, Wireshark displays a number of flows to the C\u0026C with a really short duration\r\n(Figure 17). \r\nFigure 16. TOP connections from Wireshark-Statistics-Conversations sorted by the flow duration.\r\nThe connection between the victim and C\u0026C is the longest.\r\nFigure 17. Wireshark displays reconnections to the C\u0026C as flows of really short duration.\r\nConclusion\r\nIn this blog we have analyzed the network traffic from a phone infected with a unique command line AndroRAT.\r\nDue to the RAT’s simple communication protocol, we were able to decode its connection. The Command line\r\nAndroRAT does not seem to be complex in its communication; however, it is quite sophisticated in its work. 
It does\r\nnot interrupt the communication at any point, unlike other RATs in the dataset.\r\nTo summarize, the details found in the network traffic of this RAT are:\r\nThe C\u0026C sends the packets in plaintext without any structure.\r\nThe infected phone sends the packets in plaintext without any structure.\r\nThe communication between the C\u0026C and the phone is done in one flow of long duration (approximately\r\n16 minutes).\r\nEven though the connection between the controller and the phone was closed, the phone tries to reconnect\r\nevery 3 seconds.\r\nThere is no heartbeat in the traffic between the phone and the controller.\r\nSource: https://www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-command-line-androrat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-command-line-androrat"
	],
	"report_names": [
		"dissecting-a-rat-analysis-of-the-command-line-androrat"
	],
	"threat_actors": [],
	"ts_created_at": 1775439118,
	"ts_updated_at": 1775826695,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/604c3090ae09f82219eacf2e5a1c29c4fd4315e0.pdf",
		"text": "https://archive.orkl.eu/604c3090ae09f82219eacf2e5a1c29c4fd4315e0.txt",
		"img": "https://archive.orkl.eu/604c3090ae09f82219eacf2e5a1c29c4fd4315e0.jpg"
	}
}