antidot | 58911b7dbc485fb5e8bc3967de002ab5cb898023223d7a41e5dd7e1a074e40b1

Analysis

max time kernel
149s
max time network
133s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
26/09/2024, 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qcojes.apk
Size

8.5MB
MD5

df2e25512953821661b4ab8a5688a9c8
SHA1

7f60852fef126e5fd8e71266a65ed153b6094d40
SHA256

58911b7dbc485fb5e8bc3967de002ab5cb898023223d7a41e5dd7e1a074e40b1
SHA512

a9d57579442311c693af3c4c5fecb4ef8cd4d68c2ddbb4a6734eb892ba6e5cca58fa4468f07a47da7433d2329a75d948696a652341fb05be30e4a448eb61c127
SSDEEP

196608:G1mTS0d6slb4lDlPUfTDfu/cggd0CRCYSIB2euR2kSdr4l:G8d6slb4lJPuTDfu/cICR9B21R2P4l

Score

10^/10

antidot banker discovery evasion execution infostealer persistence trojan

Malware Config

Signatures

Antidot
Antidot is an Android banking trojan first seen in May 2024.
banker trojan infostealer antidot

Antidot payload 1 IoCs

resource	yara_rule
behavioral3/memory/4274-0.dex	family_antidot

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.wafukizifi.server/app_addict/NFGYpTB.json	4274	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.wafukizifi.server/app_addict/NFGYpTB.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.wafukizifi.server/app_addict/oat/x86/NFGYpTB.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.wafukizifi.server/app_addict/NFGYpTB.json	4249	com.wafukizifi.server

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.wafukizifi.server

Requests allowing to install additional applications from unknown sources. 1 TTPs 1 IoCs

evasion

Code Signing Policy Modification

T1632.001

description	ioc	Process
Intent action	android.settings.MANAGE_UNKNOWN_APP_SOURCES	com.wafukizifi.server

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.wafukizifi.server

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.wafukizifi.server

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.wafukizifi.server

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.wafukizifi.server

com.wafukizifi.server
1⤵
- Loads dropped Dex/Jar
- Queries the mobile country code (MCC)
- Requests allowing to install additional applications from unknown sources.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Checks CPU information
- Checks memory information
PID:4249
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.wafukizifi.server/app_addict/NFGYpTB.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.wafukizifi.server/app_addict/oat/x86/NFGYpTB.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4274

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Subvert Trust Controls

T1632

Code Signing Policy Modification

T1632.001

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.wafukizifi.server/app_addict/NFGYpTB.json

Filesize
602KB

MD5
4ea265a5115ca4553a2f49ddd4bc936c

SHA1
98ef66230d578b1439d8ff95f45279e2f22c6454

SHA256
623bce07ec9cbfda83dbad1ce35f3a6c9a018d2018ed4c3749c106010caf036c

SHA512
c1f6ebe4adf58a4ee69173309921699b577b761b9491d35d0e16563a3ca7a6aa76236b0f9a8dba82a572c4b8a4d7f17d4a34b8214b3a4f3005a31f47610361a0

Download Submit
/data/data/com.wafukizifi.server/app_addict/NFGYpTB.json

Filesize
602KB

MD5
b0e5ce664d3b72ce27fd936ba50fc9f4

SHA1
5c003e9f84b972124465b1dc0500cb5e44644a61

SHA256
3c278b862d2689ae0f8cb6021ab3860035f9088b6b84f2b90b2f54ce9a3771d0

SHA512
b8e79f9abe0e1fe568ddbd2d0c0010c0ea797a02a106fce6f64d8ea1bd03c7cbb6559637ae4dd487026b9fbdab8c967dca77aff719735d7a6f5337c99cce1164

Download Submit
/data/data/com.wafukizifi.server/app_addict/oat/NFGYpTB.json.cur.prof

Filesize
1KB

MD5
80fff6b8bc3b9ba72d34fabd824a7592

SHA1
2b6cacb700fcd05ce80f31b194c3d051492ad00a

SHA256
742088369ab3e96707deafc324d060303b800cc21095e59df8ff7c05519efa7f

SHA512
4511bf32e1004fe30f701a115728009216781ed17bd6536ac9cd98344fec0073c0fa5c66c464da4dd626d115e572e0f9df4cc23446b900bbd0cecc9430413df9

Download Submit
/data/data/com.wafukizifi.server/app_addict/oat/NFGYpTB.json.cur.prof

Filesize
2KB

MD5
8189c606e22bbb240184095d3b81758b

SHA1
e431bf072470e06153f8ce678e0da4b8b8aaefdf

SHA256
57792a40ce79176779cd8571caa91f34b119c205692cdf90d330cf87e18f8ad9

SHA512
164330d5a4567c7f39ca421c8c3ab094369ccfb594b7b491dcc6d530bb0b930e68bf64fae3d75b72da96497ffc9926eb0f54ac9eedcb5139d1ba22ee4337f1da

Download Submit
/data/data/com.wafukizifi.server/app_addict/oat/NFGYpTB.json.cur.prof

Filesize
2KB

MD5
abe0d488832c1f9b19337e092e56c6a3

SHA1
3216b566d3f32577b603af927110a79ef86c8f11

SHA256
414d7383fa709a75a1d7c755913c09c8b49341a9fd9ddc8467f228aa0bac9efc

SHA512
ab7a7a1d61a5ecbf80ea3b65ff07adead16611088a4c07866649ff7ba4cc3cf9cc21dc82fc4462797d05de84a6dfceca21150ae6689f16945915b15001264dc2

Download Submit
/data/data/com.wafukizifi.server/files/profileInstalled

Filesize
24B

MD5
962561d98991371534d337ff7897ccc4

SHA1
dff403a3d53f5f662b0dd90ac1549257dc89fa72

SHA256
6df638815b32461bfdd7af7848570964dbcb41cd4885187fb9552121598ef79e

SHA512
f8bc8b01a7a2a69e95ea995204552fdca242c15f05d2b8cb625bc1909ba3aa0a765a5abf2d5cc8f85750cf83d05127fd5552933155ffadfbe15b72076b731275

Download Submit
/data/data/com.wafukizifi.server/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

Filesize
8B

MD5
4f7a3448af5ae9004ba95d1cbc35ead7

SHA1
e8948518e4f50d28683b9287b83ad7910603e66e

SHA256
b1cc9e4297a86883cd90ae1ab08ab833848ff7c41a95f6444752fb8f1660eaef

SHA512
9a077e00fe97f48c2362ed5bc4f909b76063b5d30f5955cf1bbd065d10b2f6638f83e2e2aecb2ccd5e8789de094cd4e92ea73083dbeb2ec1d80a89dfaceaa0ca

Download Submit
/data/data/com.wafukizifi.server/no_backup/androidx.work.workdb

Filesize
136KB

MD5
f1eafdac69e702c6191297fa002de16d

SHA1
2f22bffb432787b863be7f193ad9661a3b58dea5

SHA256
2c6333dd256cba620e3c91d90e3d84375258ddf4bd94992adea01eb3cf50b4c8

SHA512
81a1d7dce90135ab415ed888c469703ddcf60daa9dec8e3fd238d1c8e30b8e713023237265e081d71fe5b672a5011353d0d3880450eb7a3d14cd3144889a2a55

Download Submit
/data/data/com.wafukizifi.server/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
74f5fc1753f9ff771e00e7bcf5a1a83c

SHA1
576710e55f8bd5b7d7b75c4ed6d5afaa127cf3a4

SHA256
e96c60f15c5786d224d7141e421f6e1419d18b64baf7de2c8b5a8c10de3be626

SHA512
d75868e20e7364264955fc2095125b499c9ee6b5236a7b4228245154a143c78f9056256a4f55c6a0fbfeb568728119833498392f03cf9fc391a1247630194da6

Download Submit
/data/data/com.wafukizifi.server/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.wafukizifi.server/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
e4203774e303b69a197cccb9ec5d33f9

SHA1
a4493d6c53115eda185168512c59e4f0873323fa

SHA256
dcf33bf15ea8f34cd74a9dea0c76ead677bf048c02dee0de5d685ad674df441f

SHA512
b17db83cd55f1996fc9724a6e106fd949f8d0319cd40a741b33af74a43ca9449f21d4a794d1ab1cd751a0749311e4d3a7a78d59ead67c718a4dcbf6175437ede

Download Submit
/data/data/com.wafukizifi.server/no_backup/androidx.work.workdb-wal

Filesize
116KB

MD5
fe2612e0dab37ccfde1269cd3afeb30d

SHA1
90ddf33169715000fdac63d3b608ffbf0bc6204f

SHA256
fb4fd62afe1aa36e0168630d14e11f61dddc5d214346617526f3fc2299b02292

SHA512
8c6033d2bb935523031a5eb8ea6166cd9368c61779647dc824bc51e63dfc8cc094f447d1f4bede2e49b398d80020ca5d56a6ae1563c58d9e356b24303e732e85

Download Submit
/data/data/com.wafukizifi.server/no_backup/androidx.work.workdb-wal

Filesize
434KB

MD5
035cce3e69ac16bd36c1ef67f385a0c1

SHA1
456c9aa373f41d7175459877c428b167f1f6f527

SHA256
b7f6a5ffac25fe535d503cbac8f83c516de8b153cf92d6d9b8b765c09903d204

SHA512
2328ac08eaea272274b32c81e3038deef427139d8eca6b3d7ec02f0a83f7d787a688c2d57a7edc4f2e9d2326b3e9b539c919e3d7bc70a8f3a91759b9ce4f2c37

Download Submit
/data/misc/profiles/cur/0/com.wafukizifi.server/primary.prof

Filesize
978B

MD5
55d76a4e1123e8a1a14c423161f826f4

SHA1
89281fd85e898b47e1a10abf842f0e3f477c715f

SHA256
94582a73f60c2f8f11aa02c50325386637307ae42694405ea6884978a150c00b

SHA512
38c8ca5aedac261d81de95648faea27e546e277f5e1ef5fe18586642d9b58057f89edb7d44ddef9b83f4894afbaf58bbd778b11835b31ad9a926fa52016813ee

Download Submit
/data/misc/profiles/cur/0/com.wafukizifi.server/primary.prof

Filesize
204B

MD5
553f5641a72413daaacafc7ac36e19e9

SHA1
45c5d4c42362e3a7569891cdc1e8e2b6a20e7386

SHA256
5db2280c30d11a99bb0999aabeae5094ecc0a65d2be1a701e0a9673df7dc4b8b

SHA512
aec7674ec1dbb3fd82fafa3bb8043d1e66aa39ae215f7f7219dac55c70b5ada2b67b78478bd157bf014d490872ed758abbe733c4af986f63bdadf273374fbff6

Download Submit
/data/user/0/com.wafukizifi.server/app_addict/NFGYpTB.json

Filesize
1.3MB

MD5
dc807c5bbd67dcd72c06e92cb299f171

SHA1
703496f3b41e0985ea649dbff769603e37306dc8

SHA256
3b408160d16d56611207244946a81e149a3d5d4f9fd102cdf18a304e728b668e

SHA512
4069f145d8778359ef055e278fb594f7cbcc675c47c4ecbc19245e653ee01d31dba9168ed9e8fd571df438496b6273f1c67f10c9466e0a9be268c0b9e8c481b0

Download Submit
/data/user/0/com.wafukizifi.server/app_addict/NFGYpTB.json

Filesize
1.3MB

MD5
c9aaae1e74411b132d2394bb0be61477

SHA1
b88481229124c0def855b73e2046cddacfff3e08

SHA256
ffd4d13e1f12225aeb58b15f8f2348b6be7e332d5f90bb8d218fa4ebf3510e05

SHA512
695e2033b15f7d7463599a8567b097757bb241ec155b027a56daf0bd2a69b5884ae3b8af79de2df98e217deff9bd474549babfccacb8f6aaef2df7eb872c1b0d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads