{
	"id": "aff995dc-531e-4015-bb68-e2d3452e067b",
	"created_at": "2026-04-06T00:14:14.592472Z",
	"updated_at": "2026-04-10T03:20:55.829511Z",
	"deleted_at": null,
	"sha1_hash": "cb4be04f86580170ab1c12a536cadaf1d544abde",
	"title": "Dissecting a RAT. Analysis of the HawkShaw. — Stratosphere Laboratory",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 78223,
	"plain_text": "Dissecting a RAT. Analysis of the HawkShaw. — Stratosphere\r\nLaboratory\r\nPublished: 2021-05-10 · Archived: 2026-04-05 22:52:31 UTC\r\nThis blog post was authored by Kamila Babayeva (@_kamifai_) and Sebastian Garcia (@eldracote).\r\nThe RAT analysis research is part of the Civilsphere Project (https://www.civilsphereproject.org/), which aims to\r\nprotect civil society at risk by understanding how the attacks work and how we can stop them. Check the\r\nwebpage for more information.\r\nThis is the sixth blog of a series analyzing the network traffic of Android RATs from our Android Mischief\r\nDataset [more information here], a dataset of network traffic from Android phones infected with Remote Access\r\nTrojans (RAT). In this blog post we provide the analysis of the network traffic of the RAT03-HawkShaw\r\n[download here]. The previous blogs analyzed Android Tester RAT, DroidJack RAT, SpyMax RAT, AndroRAT\r\nRAT and AhMyth RAT. \r\nRAT Details and Execution Setup\r\nThe goal of each of our RAT experiments is to configure and execute the RAT software and to perform every possible\r\naction while capturing all traffic and storing all logs. These RAT captures are functional and used as in real\r\nattacks.\r\nThe HawkShaw RAT is the only RAT in our Android Mischief dataset that has the controller and the builder\r\nhosted in the cloud. The controller is the main program that allows an attacker to control the targeted device.\r\nUsually, this main program comes with a graphical user interface to make the RAT main program more\r\ninteractive. The builder is a program that builds the APK for a targeted device. The HawkShaw RAT service in\r\nthe cloud is based on the Firebase platform. Firebase is a platform developed by Google for creating mobile and\r\nweb applications. We executed the online service of the HawkShaw RAT on an Ubuntu 20.04 VirtualBox virtual\r\nmachine with Ubuntu 20.04 as the host. 
The Android Application Package (APK) built by the online RAT builder\r\nwas installed on a real Nokia phone with Android version 10. \r\nWhile performing different actions on the RAT controller (e.g. upload a file, get GPS location, monitor files), we\r\ncaptured the network traffic of the RAT controller on the Android virtual emulator. The network traffic of the\r\nphone was captured using Emergency VPN.\r\nThe details about the network traffic capture are:\r\nThe controller IP address: 35.201.97.85 (provided by the creator of the RAT)\r\nThe phone IP address: 10.8.0.249\r\nUTC time of the start of the infection in the capture: 2020-07-24 07:20:03 UTC\r\nhttps://www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-hawkshaw\r\nPage 1 of 4\n\nAnalysis Problem\r\nThe HawkShaw RAT online service was created using the Firebase platform. This means that the malicious APK\r\ncommunicates with the RAT service using various Firebase suite products such as Firebase Authentication, Cloud\r\nMessaging, Cloud Storage, Realtime Database, Analytics, Installations, etc. The Firebase platform provides secure\r\ncommunication, so all the connections going from the victim’s phone to the HawkShaw online service are\r\nencrypted. Considering that, our analysis is performed at the flow level, i.e. we analyze only the connections as\r\nflows going from the victim to the C\u0026C (not packet by packet).\r\nInfection and Initial Communication\r\nOnce the APK was installed on the phone, it tried to connect to the IP address 216.58.201.106 using the server\r\nname firebaseinstallations.googleapis.com (Figure 1). This server name indicates the Firebase installation service\r\n(FIS), which provides a unique Firebase installation identifier and an auth token for this malicious APK instance.\r\nFigure 1.  
The victim phone starts by connecting to the IP 216.58.201.106 with the server name\r\nfirebaseinstallations.googleapis.com, which indicates the Firebase installation service (FIS).\r\nWith the retrieved auth token and the unique identifier, the phone established a connection to the online\r\nHawkShaw RAT service. The victim successfully connected to the Firebase platform (35.201.97.85) with the\r\nserver name hawkshaw-cae48.firebaseio.com (Figure 2). Throughout the whole communication, the server name\r\nhawkshaw-cae48.firebaseio.com is changed to s-usc1c-nss-283.firebaseio.com due to the Firebase policy of\r\nreducing the load.\r\nFigure 2. The victim connects to the Firebase platform (35.201.97.89) hosting the HawkShaw RAT\r\nservice, using the server name hawkshaw-cae48.firebaseio.com. \r\nAfter the successful infection and connection to the C\u0026C online service, the infected phone connects to two\r\nservices, api.ipify.org and api6.ipify.org, to retrieve the IPv4 and IPv6 addresses of the device. The connections to\r\napi.ipify.org and api6.ipify.org are invoked by the APK code shown in Figure 3. This part of the code belongs to a\r\nfunction called after receiving the C\u0026C command ‘Device Information’. It might mean that the controller\r\nautomatically calls the command ‘Device Information’, which aims to retrieve details about the targeted device\r\nhardware, software, settings, etc. Figure 4 shows a screenshot of the C\u0026C interface with all the data retrieved\r\nfrom the phone by the command ‘Device Information’.\r\nFigure 3. Code from the RAT in the infected device that takes care of connecting to the services\r\napi.ipify.org and api6.ipify.org to retrieve the IPv4 and IPv6 addresses. This function gets\r\nexecuted after the C\u0026C sends the command ‘Device Information’.\r\nFigure 4. 
The C\u0026C interface after the controller sends the command ‘Device Information’ to the\r\nvictim, which aims to retrieve the details of the victim’s device.\r\nSimultaneously with the connections to api.ipify.org and api6.ipify.org, the phone connects to the IP address\r\n216.58.201.74 with the server name firebasestorage.googleapis.com (Figure 5). This server name indicates\r\nFirebase Storage, used to store the data. The phone sends all the data retrieved by the C\u0026C command ‘Device\r\nInformation’ to be stored in Firebase Storage. \r\nFigure 5. The victim connects to the IP 216.58.201.74 with the server name\r\nfirebasestorage.googleapis.com, which indicates Firebase Storage.\r\nExample of C\u0026C Commands\r\nCompared to other RATs in the Android Mischief Dataset, HawkShaw RAT is the most sophisticated in its\r\nfunctionality. Like other RATs, HawkShaw was able to control the victim’s calls, SMS, camera, location, system files,\r\nand device settings, but it was also able to interfere with social media conversations (Figure 6), and its keylogger\r\nworked perfectly (Figure 7).\r\nFigure 6. The HawkShaw controller interferes with an Instagram conversation on the victim’s device. The C\u0026C\r\ncan send and receive messages in the chat.\r\nFigure 7. Keylogger C\u0026C command. The C\u0026C captures all the keys pressed on a compromised\r\ndevice.\r\nComplete communication between the C\u0026C and victim phone\r\nThroughout the whole infection, 17 malicious connections to the Firebase platform were performed: 10 connections\r\nto Firebase App, 3 connections to Firebase Cloud Storage, 2 connections to the Firebase installation service, and 2\r\nconnections to api.ipify.org and api6.ipify.org. Due to the poor code quality, the connections between the\r\nvictim’s phone and the C\u0026C were interrupted often and were of very short duration (Figure 8). 
The\r\nphone connected to Firebase Storage in order to send large files such as video, photos, documents, and\r\naudio. The connections to the Firebase installation service might be explained by the initialization or update of the\r\ninstance ID and auth token.\r\nFigure 8. The duration of the connections between the victim and the HawkShaw online service is\r\nshort, no more than approx. 13 minutes (785 seconds).\r\nAfter a careful analysis of each malicious connection, we found no heartbeat performed in any of them. Even\r\nthough there were 10 connections established between the HawkShaw C\u0026C service and the victim, there were no\r\nsimultaneous connections between the C\u0026C and the victim.\r\nConclusion\r\nIn this blog we have analyzed the network traffic from a phone infected with the HawkShaw RAT, which uses the\r\nFirebase platform to operate and control devices. All the data retrieved from the devices is stored in the Firebase\r\ndatabase, to which the creator of the HawkShaw RAT probably has access. We were not able to decode its\r\nconnections because Firebase encrypts them. 
The HawkShaw RAT seems to be complex in its communication\r\nprotocol, and it is sophisticated in its operation.\r\nTo summarize, the details found in the network traffic of this RAT are:\r\nThe RAT is hosted in the cloud using the Firebase platform.\r\nFirebase provides an encrypted connection between the HawkShaw online service and the victim.\r\nThe targeted device connects to api.ipify.org and api6.ipify.org to retrieve and send its IPv4 and IPv6\r\naddresses.\r\nThere is no heartbeat in the communication between the C\u0026C and the phone.\r\nThere are no simultaneous connections established to the C\u0026C.\r\nThere are a lot of connections to the Firebase platform, but of a very small size.\r\nSource: https://www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-hawkshaw",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-hawkshaw"
	],
	"report_names": [
		"dissecting-a-rat-analysis-of-the-hawkshaw"
	],
	"threat_actors": [],
	"ts_created_at": 1775434454,
	"ts_updated_at": 1775791255,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cb4be04f86580170ab1c12a536cadaf1d544abde.pdf",
		"text": "https://archive.orkl.eu/cb4be04f86580170ab1c12a536cadaf1d544abde.txt",
		"img": "https://archive.orkl.eu/cb4be04f86580170ab1c12a536cadaf1d544abde.jpg"
	}
}