antidot | 1f0e2b0a9ede1f1b99764e79b49f9ec8f709da7b0ac501ce3505b7db9fe25caa

Analysis

max time kernel
149s
max time network
134s
platform
android_x64
resource
android-33-x64-arm64-20240624-es
resource tags

androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-eslocale:es-esos:android-13-x64system
submitted
27-11-2024 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f0e2b0a9ede1f1b99764e79b49f9ec8f709da7b0ac501ce3505b7db9fe25caa.apk
Size

10.2MB
MD5

4982e66fcc1ad470d0a93022b3c7dcc0
SHA1

07f382fb173f77be877de9f77fc92b52ba8b270a
SHA256

1f0e2b0a9ede1f1b99764e79b49f9ec8f709da7b0ac501ce3505b7db9fe25caa
SHA512

03a418077f362133c4631aa7f170973b724d1d56ac07fd1d3e5db17d4c23abe56182680de9c309ad92c33bc421aa0875da107a4aec386ab1bcd4a2cacb1e69fa
SSDEEP

196608:0oopuBYsGq7W4tjN2OfH8I1jWMMh7QNNjDNcAGoVQGlRlo1TvWM:MHOW4tjN2M1jkFgjD2+VQonoBvWM

Score

10^/10

antidot banker collection credential_access evasion execution impact infostealer persistence trojan

Malware Config

Signatures

Antidot
Antidot is an Android banking trojan first seen in May 2024.
banker trojan infostealer antidot
Antidot family
antidot

Antidot payload 1 IoCs

Processes:

resource	yara_rule
behavioral3/memory/4241-0.dex	family_antidot

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

com.redewabobo.ASCII

ioc	pid	Process
/data/user/0/com.redewabobo.ASCII/app_afraid/YHfPRq.json	4241	com.redewabobo.ASCII

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

Processes:

com.redewabobo.ASCII

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.redewabobo.ASCII

Checks the application is allowed to request package installs through the package installer 1 TTPs 1 IoCs

Checks the application is allowed to install additional applications (Might try to install applications from unknown sources).

evasion

Code Signing Policy Modification

T1632.001

Processes:

com.redewabobo.ASCII

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.canRequestPackageInstalls	com.redewabobo.ASCII

Requests allowing to install additional applications from unknown sources. 1 TTPs 1 IoCs

evasion

Code Signing Policy Modification

T1632.001

Processes:

com.redewabobo.ASCII

description	ioc	Process
Intent action	android.settings.MANAGE_UNKNOWN_APP_SOURCES	com.redewabobo.ASCII

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

Processes:

com.redewabobo.ASCII

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.redewabobo.ASCII

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

Processes:

com.redewabobo.ASCII

description	ioc	Process
File opened for read	/proc/cpuinfo	com.redewabobo.ASCII

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

Processes:

com.redewabobo.ASCII

description	ioc	Process
File opened for read	/proc/meminfo	com.redewabobo.ASCII

com.redewabobo.ASCII
1⤵
- Loads dropped Dex/Jar
- Obtains sensitive information copied to the device clipboard
- Checks the application is allowed to request package installs through the package installer
- Requests allowing to install additional applications from unknown sources.
- Schedules tasks to execute at a specified time
- Checks CPU information
- Checks memory information
PID:4241

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Subvert Trust Controls

T1632

Code Signing Policy Modification

T1632.001

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Discovery

System Information Discovery

T1426

Lateral Movement

Collection

Clipboard Data

T1414

Command and Control

Exfiltration

Impact

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.redewabobo.ASCII/app_afraid/YHfPRq.json

Filesize
609KB

MD5
6d4147d5dc237d47e6047e7c9e143a1f

SHA1
88a3ca6e99ed83b181ac91925ce79a2bf64e29d3

SHA256
a6127a9f0f4f6b4b8e926a67ed03fa06223a5244c1429e71ff4b600d761f89aa

SHA512
f2c4ef369841d60d92e3030c64c495712bd0300d1a82f4d86af44e4f888b216fbea5ac6d082d61413798094ed4fed6ad3e802f2d06b388d7e3fe1753c7d0b469

Download Submit
/data/data/com.redewabobo.ASCII/app_afraid/YHfPRq.json

Filesize
609KB

MD5
d29ff5767cac5e17ea2ad5110aa71597

SHA1
62ad19dbe39d41afae9f78e423eb182da8a89c85

SHA256
70a1ede06d781289b40d4980a35041d9e58504e5a4d55209360469ba70491cf3

SHA512
f8dd1eb911e8f591131d162d38dc2a29b24f87f0e052de2005abfb43a2560c0641ee48c2b587739a4a469322847ecf6c7ec8e2a88aa3af8ec654868443e1b1f1

Download Submit
/data/data/com.redewabobo.ASCII/app_afraid/oat/YHfPRq.json.cur.prof

Filesize
1KB

MD5
0366aa19192ce59fa3159ac1774b4331

SHA1
70eb54479f13d16e1057a1c58ec4ba76d0337ab6

SHA256
6313f3c979520a267925f3b589593e172906dd06238f17c6e4f52407fbc28a7c

SHA512
b73eafe07a51dcfb806f357fea3af299d8fe36ce89d9398f1ddfe479a54b82dbcc6c2fa51b6038ed3fd429cdb418218850a57638fdad7d430daa78161f496408

Download Submit
/data/data/com.redewabobo.ASCII/app_afraid/oat/x86_64/YHfPRq.vdex

Filesize
29KB

MD5
d47966f3b79344a2b9f4b60115cbd3a6

SHA1
aeecc867505f6004ddbc5eca2f2ff0c62041c7c6

SHA256
ebf69da3e21acbab50aa2fcde26832fd2730440a47b0be5cdca928c913fd32fc

SHA512
a6f13580b35a43d32b58e233592b33df11436dcfae3f5d60225defbc0462583bfc18f4f599b67cd330a07ae6b3c2bf24e4b1a3922fbfa966755852f727337e17

Download Submit
/data/data/com.redewabobo.ASCII/files/profileInstalled

Filesize
24B

MD5
d1397676cf2dbbaf864116e778c1077a

SHA1
d7ffe90413ae9ce271bd7169901fc85cf5316c0f

SHA256
73c71083da243755d2283cf75e98dabf9d42f2e5a144b8c6ee6d48f2ef343ef1

SHA512
550d2c6082d019b7acd7ec02587542f6ad5c923fe411d912cff494de3d42ad695dd6aac5fdf0a52741856b8330b2c5d511092412aeb1c9e4a1c41879c8ffeb3a

Download Submit
/data/data/com.redewabobo.ASCII/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

Filesize
8B

MD5
ceb581e33645cf15b3ff8939bc18531a

SHA1
4095483c7320aed417a3f87f2be6bfb8886faf0e

SHA256
ba5387eb316351f1a23e0f966d75c4c64f896ea55923818b2320ab3facdacd72

SHA512
7a3ea9cba5405575c802ec90c950bb5a98f44e80d4d9a158b88176c5e1f8edecf0c9c7c1cbde5a4401abe7a056a669e088a5dc13bf0d65263cdd2eab3bf4270c

Download Submit
/data/data/com.redewabobo.ASCII/no_backup/androidx.work.workdb

Filesize
140KB

MD5
a4f723510611cd77795d39d6b92d501c

SHA1
7fd776a4414606ab5878b9a0063a0a8ba6bf6e4a

SHA256
3f8deb913b19b8a53846a37f5e21c18139b3fa9070b6e4aade5aa545299c66ac

SHA512
0c2266c4e464dd5fae01b8e8729109545002019bcd5724a2f61f1f582ac36a5c58313da8d8b7a56b9f87e39b341009c8281a87084ea2ce51d411fa42a28cceba

Download Submit
/data/data/com.redewabobo.ASCII/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
94e01475b57c6424bf3f5a3927030e0a

SHA1
37ac304cd12fbe4ed4ab6610beb52ba07f72f417

SHA256
fd4e96760ba090dff1a74d4f4a68874b28b82b884b91a36972b5f25c2b437627

SHA512
6c37e6b17abeb6acb6ec335611cd7e52af90947a16d02828064f85a18d9afa2f2b06c0a9a99c9d4657812522ceaae712dced145c25036ec5968c8b89ac1e7274

Download Submit
/data/data/com.redewabobo.ASCII/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.redewabobo.ASCII/no_backup/androidx.work.workdb-wal

Filesize
116KB

MD5
b9a65d0cd5c9f46e51a51eb5211ac010

SHA1
a5c5b39d7ddeac77b428f3bf4f6402ba6831e1a7

SHA256
023601c3b5304649c1c98a13736844152fa55c082f0a2a50862188a4a6b20b4b

SHA512
9d4c730cd3cd8020bf082201d821208c5016c4fea09f0c2da35e087b0fec9d852c62d3066b9cb9455431658d9d2b450568f49638e484b9b3d59c47bfddf8acd5

Download Submit
/data/data/com.redewabobo.ASCII/no_backup/androidx.work.workdb-wal

Filesize
434KB

MD5
35b0da6f7831058c5e489b4fd8201555

SHA1
ac29cc57dd0c11bda2f96dcb29f845a654cd3d77

SHA256
4bad6ad55b19beda10818dc66f48aab29e06140378c6be2d0b3ead1b04b9e224

SHA512
0903078bd5f823d6d0603c53459890379341c7709abdf82a47b9c4db803854f74583c829df67c70efaa99f4681619fb90c50f4628fb066627a2941b33268ce37

Download Submit
/data/data/com.redewabobo.ASCII/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
0586d8d382187a161b948914d7855da0

SHA1
6bdfad1965756fc3d26085850a13602e2666e268

SHA256
44e4eb2a3647b9e3d06d3e419d812937017276cfb92f60fec4afd7d06a6637d1

SHA512
c8f2d70494eafe3f923caa7db7be74ffb20550f5f2cd5d4278135ee7fbbf529fb6b0c35b74dc81e679bda5a3e277c9d688aa88bb965ab76ede70482a312a1d62

Download Submit
/data/misc/profiles/cur/0/com.redewabobo.ASCII/primary.prof

Filesize
1KB

MD5
6633686c3903e16ea18e7cc0a548f3a7

SHA1
4af8ea2210880c30629ac173faf058f92c619d56

SHA256
01f8cc5151a31665eb2955efacef6840dfeb4dba468bab1884427bef17570584

SHA512
c513321678a761973798a4327740b892f2d3763e6d076373ecc44876e401fa1fbafc44747bab5113a3ae793e8ccc0fe1cecf4540874729211c0f08b96fe835f1

Download Submit
/data/misc/profiles/cur/0/com.redewabobo.ASCII/primary.prof

Filesize
247B

MD5
dd9b633aa6bc26fcf66462babdb73c23

SHA1
1ee7bca64de691fe490818a39b930a35fa9ac2ca

SHA256
52bef6a472ccc637a45a6fe1e52d83acac52bcd743cfba72d1fb790ac21b638f

SHA512
9ed5fb60dc518c720271e521544be7b2e3e1bce56e37ac9ffafca2944b21253c9d1db166497a4d07b929fdad9cb5ea2e01ab006ec048ad81f195f2f35403f3ea

Download Submit
/data/user/0/com.redewabobo.ASCII/app_afraid/YHfPRq.json

Filesize
1.3MB

MD5
c32af470fb777428515b5c01369fd81f

SHA1
72e65e062280b2a13b4792630119392bfd451860

SHA256
8c110fecd6d2f3d6b22ec6885d03199e64bba8e79d6d0acc8ad16f6cfb4a05a5

SHA512
bb40e7eac8d0861a060a37632ce6d679503972309cf510267ede98e7d9e0b14b252bd222300db3ed1e696e69d6f47c852129f8d52eff29fb34319cefc1dbb500

Download Submit