antidot | f511bd33d3242911d05b0939f910a3133ef2ba0e0ff1e098128f9f3cd0c16610

Analysis

max time kernel
24s
max time network
209s
platform
android_x64
resource
android-33-x64-arm64-20240624-en
resource tags

androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
submitted
10-07-2024 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Magisk-v27.0.apk
Size

11.9MB
MD5

4475064c5f6a5474e31f2f3dfafc22ed
SHA1

872199f3781706f51b84d8a89c1d148d26bcdbad
SHA256

f511bd33d3242911d05b0939f910a3133ef2ba0e0ff1e098128f9f3cd0c16610
SHA512

cf6095f2d93e078f42d26265699deed377af12f304dd83179140d32a69a034639d4e07b83b8bb999d503f6d8dc6ced46b6b88741ed39771eed6a12411648e4bc
SSDEEP

196608:tHkjVWApVgQBoMrdr+TnhpPsOz0VbMtiquy/WP0SxqdHgCg2RNB2KNcjktbs1:tHYGQBpdqpibWDe0SuH6WNBrba

Score

10^/10

antidot banker evasion execution infostealer persistence trojan

Malware Config

Signatures

Antidot
Antidot is an Android banking trojan first seen in May 2024.
banker trojan infostealer antidot

Antidot payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/files/fstream-16.dat	family_antidot

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

com.topjohnwu.magisk

ioc	pid	Process
/system_ext/framework/androidx.window.extensions.jar	4335	com.topjohnwu.magisk
/system_ext/framework/androidx.window.extensions.jar	4335	com.topjohnwu.magisk
/system_ext/framework/androidx.window.sidecar.jar	4335	com.topjohnwu.magisk
/system_ext/framework/androidx.window.sidecar.jar	4335	com.topjohnwu.magisk

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
135	raw.githubusercontent.com
136	raw.githubusercontent.com

Requests dangerous framework permissions 4 IoCs

Processes:

description	ioc
Allows an application to request installing packages.	android.permission.REQUEST_INSTALL_PACKAGES
Allows an app to post notifications.	android.permission.POST_NOTIFICATIONS
Allows an application to read from external storage.	android.permission.READ_EXTERNAL_STORAGE
Allows an application to write to external storage.	android.permission.WRITE_EXTERNAL_STORAGE

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

Processes:

com.topjohnwu.magisk

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.topjohnwu.magisk

com.topjohnwu.magisk
1⤵
- Loads dropped Dex/Jar
- Schedules tasks to execute at a specified time
PID:4335

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.topjohnwu.magisk/cache/27000.md

Filesize
444B

MD5
5f079604cc5bb6962b33c36d8e0b2ef4

SHA1
04999bdb0f990b7c39d0f72c3deae92d635a0f66

SHA256
960b98b8b26fb64586d6c7ce6c916591b1d3087bf58d412664327945403d31d6

SHA512
135a39579b705f678cbde71e8b8e09e944f5ce62d76205860e0d65d98879c2063a9478a6ccc07fc646cf9cb00d074805c42ab85fe132d6dcba9daae88938e050

Download Submit
/data/data/com.topjohnwu.magisk/cache/okhttp/b5e19eca1e184690a6d76eba4376f625.0.tmp

Filesize
6KB

MD5
05f20befdd81a20aceea708ebae2cb82

SHA1
70f66c41b293baad666b1fb28b085b1548fe3b75

SHA256
e1e21612e4a237847138fec3b1941513a3276ee7312e954d07f1d91fd74f7cdc

SHA512
a1dc22a776095f4d7b9d480bfd9cb36944aadb50c4c09b8f604f7282030ab0578606cada95a054317f77d49d81ca4d095195c789b9d3d8f587d33db9227a713b

Download Submit
/data/data/com.topjohnwu.magisk/cache/okhttp/b5e19eca1e184690a6d76eba4376f625.1.tmp

Filesize
190B

MD5
ca8578487ba4126d8d2f212098555cd6

SHA1
ec3489766afe24d0c23caeb3fb48e8b3ff932ae6

SHA256
5af2d631442481623f80eabeb040ca955ce15b2c4f61c7e44e2a8b3c69a40df0

SHA512
7a2f45620cf315790c0aecbe8fcf43c9d45f830426246e0af8d7b79edddbf1337fa6663e2df65a95e4415c05450f695e1ac8f7d9dea390a2ba8110d4e6bb0afc

Download Submit
/data/data/com.topjohnwu.magisk/cache/okhttp/f1b16c4fe89f35c71888b140b5437e07.0.tmp

Filesize
6KB

MD5
1f8a9a757f8351fc2196879fd67efb09

SHA1
670d01db80758de3c3db41a4cd8d3963757e8653

SHA256
49904be846d336c601e110f77bb9f93937d7b1854ea37fdab3f75d41e586fdd7

SHA512
27343f7e67f7c398420dd3307ca4207897e2872e2379b8c4dc5471b37847dbba4a10554c71459d04fc6bde772ac26e867a1eb719ca2ba533a90ebbbc95b14e27

Download Submit
/data/data/com.topjohnwu.magisk/cache/okhttp/f1b16c4fe89f35c71888b140b5437e07.1.tmp

Filesize
318B

MD5
211a2dc3b495b9ff1cd83266720ef315

SHA1
34cdf653badd5ae2a56d80d329683ecfcef44ee8

SHA256
7b76430e0f8fd383b7cc50f5acc2bd1956f173141480bc822ee03bcd895acf26

SHA512
0a864432f9fa2b529a9dea6bbe50bbca48e03409c366844f69fbf90665d5f3ea84c03aa1aae4dc1b9b4989f37eadfedd1a4c63194991ae7e003f6c0a02e13b9f

Download Submit
/data/data/com.topjohnwu.magisk/cache/okhttp/journal

Filesize
210B

MD5
27279c7eed6ceb8dd74db05e82447754

SHA1
b0e6fc64a3bc7a945aa5f4bb5f4ea77f5937a91e

SHA256
5d253c28f2b42fd951ee48363cee4b12cfe608c6db7c15247680e0cc02127396

SHA512
19bdbb4a65a2b9dc6268bbfaa96af4d33596f243b79c7af431573b7d476f36ba6454e2ab18a536023c8cd1da07dd18a98ede288f239f4b2d4fd4488b5d356840

Download Submit
/data/data/com.topjohnwu.magisk/cache/okhttp/journal.tmp

Filesize
36B

MD5
37e8e716e0e2f4a0b05cd9571d95b84d

SHA1
f8d068f6931707bddb8cd69f706f2224ad1fea3c

SHA256
7080cb592d5149c858b206d3fd0d5e3e7d601f120af00b2616bee928ee1291ca

SHA512
e62b850901835fdb73fa6224618422f721dd765861d42f6bc2dd013413e96bd910ac5313afd9b4f63da74beb12a15fac81b5157456c9caa3031862dab84423f6

Download Submit
/data/data/com.topjohnwu.magisk/files/profileInstalled

Filesize
24B

MD5
5f80e35e81ad5e38fba471791118beb2

SHA1
45a54d35cb1695256712a94fdd17f3c162ddfef6

SHA256
01bb7e6a356f0f76b5f1467adfda2c33a8a2112248b1814a526b832ac965d9e6

SHA512
9cf6453f38ad2b987397cbb16f1ca952a3f295750bd8bb99abc3652e9e4f1387a34d346ab890a37f8f19dd9a9d00509ab8094d25354bf1f3731720d30a1e57f7

Download Submit
/data/data/com.topjohnwu.magisk/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

Filesize
8B

MD5
f67fb31a08a22fd9cb6aba042d50c0c2

SHA1
195cfeb0d06d4f83b1bc5baf6f78c3dc4fe93650

SHA256
21cdafdfecfbc6d96d51d18867bd16742d56ba3d51be496f475a24c0f88e1086

SHA512
4d17988a24aad9398f2e4f17c90a308377899516d202e8e5ae0efde6c81a4c64bed5c7e2fa761acf7e0183d9006a3fb93dc48edddec3041adafd3c54935e0554

Download Submit
/data/misc/profiles/cur/0/com.topjohnwu.magisk/primary.prof

Filesize
2KB

MD5
a77991b1f29a11ff32aceb05999d0035

SHA1
4f86483f11069e3c4d83079b940b64cba46d4df3

SHA256
97b76d1e067b092ecdd2072b1fdcd4296b177205110a4e7b2332c9caa842606c

SHA512
85d380676abd69e91c7badac920beb9579e62a0d7c6ceab164ae7c87d98fa404023bfe9c3fc6cf8d06f5e4d9c0c6aca32c3aa6b1a42958d4d4daeec25eb85795

Download Submit
/data/user_de/0/com.topjohnwu.magisk/cache/main.jar

Filesize
3KB

MD5
803d520477442e45318b1b0fc76c6c15

SHA1
68e0102a3a91f7a050cda807889b3ffa0e25ba18

SHA256
4efaf47682fe8bf49c1aaa9ee7b907ced7246277ca996086da2284324fc8a9ab

SHA512
2523395f82258842bce3edd4033af92c0b1e10d664ad8817f6622b9ea701851ca0ba03bb2c06b9bc956f5e8ee988eacd41e9042e5873045449dabe78d6dcd913

Download Submit
/data/user_de/0/com.topjohnwu.magisk/install/addon.d.sh

Filesize
3KB

MD5
471483db1f25c972b4e3205531139509

SHA1
6ea1ea1fcaf064bfffcb33c95a88aaf8eda4aab2

SHA256
9a61e919b71b73a4ffbb41c00e6a9631c09de289b589b77f421ef5f7a43a55d2

SHA512
bd37319747e398fcec2158b165e976b5b2efeb2c253f866383788f61397a781f878c2d5d03132a58d67a88f470369a9f70a0811c830c340b1a12219f14f07727

Download Submit
/data/user_de/0/com.topjohnwu.magisk/install/boot_patch.sh

Filesize
6KB

MD5
3b324a47607ae17ac0376c19043bb7b1

SHA1
ed9b8e74a2d1522d03bbf33355b1c0189ec3c303

SHA256
3f8f975fe20bdba9c506118032eebf230ad2214f09e70022c7308cfb0b0ebee5

SHA512
88ca6321301de4c8a0851634605306f039e9237fa6183720a0fe145bc6407049f80db6bf91084f373f3d4632e2686bbb5f1135bfd03006b1bc1b0394e4991b32

Download Submit
/data/user_de/0/com.topjohnwu.magisk/install/chromeos/futility

Filesize
535KB

MD5
03e93f99bbf7f29993b2ce6e533eea20

SHA1
12f779f878b4a7a3e4d4f57c292821b5a93d09d7

SHA256
2b18aabff02b5daf5b7efec3d33bfffb8721ba7bf24fde5882db7f61020e4e45

SHA512
43c4ca1929121770cbd08e83eef672aa2f54c84cd8801194624c9f1d4dad42b8fdcdfc4eb78c11f04efd0d91446cef9833a470b23071623782cc195c12eee4ce

Download Submit
/data/user_de/0/com.topjohnwu.magisk/install/chromeos/kernel.keyblock

Filesize
1KB

MD5
61c5ff73c136ed07a7aadbf58db3d96a

SHA1
cde89256dfff246fe0734456d39d3b6446985715

SHA256
4e708c9ec43ac4a5d718474c9431ba6b6da3e64a9dda6afd2853a9e9e3079ffb

SHA512
bb6718984a7357c9b00c37e4788480e5b8b75018c172ecc1441bc3fc5d2d42444eb5d8c7f9d2e3a7d6fed6d03acb565e3c0559486e494c40a7fe6bd0570c9ede

Download Submit
/data/user_de/0/com.topjohnwu.magisk/install/chromeos/kernel_data_key.vbprivk

Filesize
1KB

MD5
584777ae88bce2c5659960151b64c7d8

SHA1
a0b906e30ff91cb6fb7deb3e9174e49a69c8858e

SHA256
bc9e707a86e55a93f423e7bcdae4a25fd470b868e53829b91bbe2ccfbc6da27b

SHA512
143dea30c6da00e504c99984a98a0eb2411f558fcdd9dfa7f607d6c14e9e7dffff9cb00121d9317044b07e3e210808286598c785ee854084b993ec9cb14d8232

Download Submit
/data/user_de/0/com.topjohnwu.magisk/install/stub.apk

Filesize
32KB

MD5
2e705f24df00d854a7343bc3f7d692fb

SHA1
f352b6e27dd1daf86f3d541707c4cf75d26f81ef

SHA256
7b6388c2574a3b320a7d086ff3464ed816f0ab1b14ce07ecc9e96760ed08e22b

SHA512
f1a19c62aabb8ed08ee0dc7d77f143664f2e163cf895bdbeb27eed47af5cf6b7f66bacc3dbd2d01cf0483459917d6fdff456e4598bb9cd57f117ad2076b2f89f

Download Submit
/data/user_de/0/com.topjohnwu.magisk/install/util_functions.sh

Filesize
19KB

MD5
487ae2ecbd4bef647a2c428c970c2e6a

SHA1
cecdf531c4905b4d3f786ad68a6564266581be5e

SHA256
a4dce9fa5bf4e0f35e495fd43680b6c361914ae1255cdc84b6f82f7516a0431e

SHA512
75be2c1406a70c5e8b0a2e33ca96c840819eab3aaaf38a0703a00572bfb9bfab7cc7f3241ac0d50dbe640a97412c1e05564a9eea93a84fed81f84d569f59b459

Download Submit
/system_ext/framework/androidx.window.extensions.jar

Filesize
123KB

MD5
3056e1bdb7d4e19789d0319eff484bd0

SHA1
6791ae47aa9466fe0bca27ad6643f846853bbee4

SHA256
8e6331a07c9f2ac139214c527dcaff2c82d126bbe7bd3420cdc36d6a8c9204b0

SHA512
c790980fd68d9f89e32743bc28846807d5e5947c555f494de47714dec5cbd0c08d81c3260fa463759d1b17a953af3c44ec30b14fb08bf6b29db3837346c9f658

Download Submit
/system_ext/framework/androidx.window.sidecar.jar

Filesize
25KB

MD5
29469324e59dfcc052f24b5af4e7b2c4

SHA1
10c1e17ac6f598037bb51baa07945663645de4eb

SHA256
9195dc6a1c75a841384050240dfc972e48178964993fba6619788625f4b40d1a

SHA512
5e27c2b1431369a248298f2f749136a575005584f9999f2a4c204a0c47adce2e33c8df9f058bdafa1bde1c99e46d175560cedfcddcd8581718ed1d9973c37cc2

Download Submit