Skip to content

S0489 WolfRAT

WolfRAT is malware based on a leaked version of Dendroid that has primarily targeted Thai users. WolfRAT has most likely been operated by the now defunct organization Wolf Research.1

Item Value
ID S0489
Associated Names
Version 1.0
Created 20 July 2020
Last Modified 11 September 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
mobile T1517 Access Notifications WolfRAT can receive system notifications.1
mobile T1429 Audio Capture WolfRAT can record call audio.1
mobile T1533 Data from Local System WolfRAT can collect user account, photos, browser history, and arbitrary files.1
mobile T1407 Download New Code at Runtime WolfRAT can update the running malware.1
mobile T1630 Indicator Removal on Host -
mobile T1630.002 File Deletion WolfRAT can delete files from the device.1
mobile T1406 Obfuscated Files or Information WolfRAT’s code is obfuscated.1
mobile T1424 Process Discovery WolfRAT uses dumpsys to determine if certain applications are running.1
mobile T1636 Protected User Data -
mobile T1636.002 Call Log WolfRAT can collect the device’s call log.1
mobile T1636.003 Contact List WolfRAT can collect the device’s contact list.1
mobile T1636.004 SMS Messages WolfRAT can collect SMS messages.1
mobile T1513 Screen Capture WolfRAT can record the screen and take screenshots to capture messages from Line, Facebook Messenger, and WhatsApp.1
mobile T1582 SMS Control WolfRAT can delete and send SMS messages.1
mobile T1418 Software Discovery WolfRAT can obtain a list of installed applications.1
mobile T1422 System Network Configuration Discovery WolfRAT sends the device’s IMEI with each exfiltration request.1
mobile T1512 Video Capture WolfRAT can take photos and videos.1
mobile T1633 Virtualization/Sandbox Evasion -
mobile T1633.001 System Checks WolfRAT can perform primitive emulation checks.1