{"description": "Mobile techniques used by RatMilad, ATT&CK software S1241 (v1.0)", "name": "RatMilad (S1241)", "domain": "mobile-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1437", "showSubtechniques": true}, {"techniqueID": "T1437.001", "comment": "[RatMilad](https://attack.mitre.org/software/S1241) has used HTTP POST requests for communicating with its C2 server.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1429", "comment": "[RatMilad](https://attack.mitre.org/software/S1241) has captured audio from the device.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1414", "comment": "[RatMilad](https://attack.mitre.org/software/S1241) has collected clipboard content.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1662", "comment": "[RatMilad](https://attack.mitre.org/software/S1241) has deleted files on the device.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1533", "comment": "[RatMilad](https://attack.mitre.org/software/S1241) has listed files and pictures on the device starting from `/mnt/sdcard/`.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1407", "comment": "[RatMilad](https://attack.mitre.org/software/S1241) has used a fake application to request permissions and to download itself.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1646", "comment": "[RatMilad](https://attack.mitre.org/software/S1241) has exfiltrated collected data to the C2.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", "score": 1, "color": "#66b1ff", 
"showSubtechniques": false}, {"techniqueID": "T1420", "comment": "[RatMilad](https://attack.mitre.org/software/S1241) has listed files and pictures on the device starting from `/mnt/sdcard/`.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1430", "comment": "[RatMilad](https://attack.mitre.org/software/S1241) has collected the device\u2019s last known location.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1660", "comment": "[RatMilad](https://attack.mitre.org/software/S1241) has concealed itself behind variants of a phone number spoofing application, which was distributed through links on social media and communication platforms.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1636", "showSubtechniques": true}, {"techniqueID": "T1636.002", "comment": "[RatMilad](https://attack.mitre.org/software/S1241) has accessed the device\u2019s call log.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1636.003", "comment": "[RatMilad](https://attack.mitre.org/software/S1241) has accessed the device\u2019s contact list.(Citation: ZimperiumGupta_RatMilad_Oct2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1636.004", "comment": "[RatMilad](https://attack.mitre.org/software/S1241) has accessed the device\u2019s SMS messages, including messages that were in the inbox, sent, draft, outbox, failed, and queued.(Citation: ZimperiumGupta_RatMilad_Oct2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1636.005", "comment": "[RatMilad](https://attack.mitre.org/software/S1241) has collected account names and their types from the compromised device.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", "score": 1, "color": 
"#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1418", "comment": "[RatMilad](https://attack.mitre.org/software/S1241) has collected package names.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1426", "comment": "[RatMilad](https://attack.mitre.org/software/S1241) has collected device information such as model, brand, buildId, Android version and manufacturer.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1422", "comment": "[RatMilad](https://attack.mitre.org/software/S1241) has collected device information such as MAC address, IMEI and phone number.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1512", "comment": "[RatMilad](https://attack.mitre.org/software/S1241) has taken photos and videos using the device\u2019s camera.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by RatMilad", "color": "#66b1ff"}]}