antidot | 1f0e2b0a9ede1f1b99764e79b49f9ec8f709da7b0ac501ce3505b7db9fe25caa

Analysis

max time kernel
149s
max time network
149s
platform
android_x86
resource
android-x86-arm-20240624-es
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-eslocale:es-esos:android-9-x86system
submitted
27-11-2024 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dexizuzi.apk
Size

11.2MB
MD5

4d2d8be66cefc3008f2ea85ea4f933d3
SHA1

f492eddbdd49930308ddf8424c629d515fe2d29d
SHA256

86f8ca31bddccc5c65cc6de18a9e8801e65e7e6169b6734bc1bfe4cea0fd9071
SHA512

671fe2bd7c25b0a7755ee8fb24a5ac0de92559271608245a8e80d9b051a0a07dc4ec8e75ec727301dfce6b6d5606d3ecae46684a117fba0dfd965871f79dc884
SSDEEP

196608:LowNHsXbyO9yeieCROoarJ4xNK1YErSsl:LgbCeieCglVgKHrSw

Score

10^/10

antidot banker collection credential_access discovery evasion execution infostealer persistence trojan

Malware Config

Signatures

Antidot
Antidot is an Android banking trojan first seen in May 2024.
banker trojan infostealer antidot
Antidot family
antidot

Antidot payload 1 IoCs

Processes:

resource	yara_rule
behavioral8/memory/4262-0.dex	family_antidot

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.kokevugopa.backup/app_work/MSrQZQH.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.kokevugopa.backup/app_work/oat/x86/MSrQZQH.odex --compiler-filter=quicken --class-loader-context=&com.kokevugopa.backup

ioc	pid	Process
/data/user/0/com.kokevugopa.backup/app_work/MSrQZQH.json	4262	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.kokevugopa.backup/app_work/MSrQZQH.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.kokevugopa.backup/app_work/oat/x86/MSrQZQH.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.kokevugopa.backup/app_work/MSrQZQH.json	4235	com.kokevugopa.backup

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

com.kokevugopa.backup

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.kokevugopa.backup

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

Processes:

com.kokevugopa.backup

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.kokevugopa.backup

Requests enabling of the accessibility settings. 1 IoCs

Processes:

com.kokevugopa.backup

description	ioc	Process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.kokevugopa.backup

Requests uninstalling the application. 1 TTPs 1 IoCs

evasion

Uninstall Malicious Application

T1630.001

Processes:

com.kokevugopa.backup

description	ioc	Process
Intent action	android.intent.action.DELETE	com.kokevugopa.backup

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

Processes:

com.kokevugopa.backup

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.kokevugopa.backup

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

Processes:

com.kokevugopa.backup

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.kokevugopa.backup

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

Processes:

com.kokevugopa.backup

description	ioc	Process
File opened for read	/proc/cpuinfo	com.kokevugopa.backup

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

Processes:

com.kokevugopa.backup

description	ioc	Process
File opened for read	/proc/meminfo	com.kokevugopa.backup

com.kokevugopa.backup
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries the mobile country code (MCC)
- Requests enabling of the accessibility settings.
- Requests uninstalling the application.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Checks CPU information
- Checks memory information
PID:4235
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.kokevugopa.backup/app_work/MSrQZQH.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.kokevugopa.backup/app_work/oat/x86/MSrQZQH.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4262

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Indicator Removal on Host

T1630

Uninstall Malicious Application

T1630.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.kokevugopa.backup/app_work/MSrQZQH.json

Filesize
945KB

MD5
89d3aa39d5633f0cfa22b048a9634b87

SHA1
d970800618282248195d94f7c49ba78410aa8832

SHA256
5bd6add73e8898a8ab316357e6cc4a8cb98d05ef314f1576de0f3e227852045f

SHA512
7a7923f258e61c0c619b8731fe6d2bde5237b732cb09c28d8af9aa759f431c12e8207008bbeef72894df9222be044801c7b683ca4d266beab9915adc04767a28

Download Submit
/data/data/com.kokevugopa.backup/app_work/MSrQZQH.json

Filesize
945KB

MD5
6cfbb48353b6d9b96774e4f142d66d24

SHA1
dc296970a251a4fc9413c6f03f23e433bbcd6c23

SHA256
69b4eacd73f0fb5b52bd6ed6e8fa6bea4f20f3449c371e87330a504ba954b1f0

SHA512
651e5f569fbbf82fedcf7c7f4fa5ed20c5b133ac6bb710818c6dd0de0185142f8c1b1e914e4961ab55deec600da33a097a57290adcc61f7d1432715d872b1711

Download Submit
/data/data/com.kokevugopa.backup/app_work/oat/MSrQZQH.json.cur.prof

Filesize
2KB

MD5
0084685c133961a5107198e95437dc1b

SHA1
07ccc9828e49555605920933be65266069f2deea

SHA256
8892d71fd9d501228b7012615b8b8f41d71748e287b3f06b9bed720723efff6f

SHA512
cb275eae3fcd749a73bbd3bfd24512054b46f174e5b784465bbafa60209d6b29af8471cbb5d4d77f519453308e3dd3382a612dbaf38c7439f885a12f40c08a8a

Download Submit
/data/data/com.kokevugopa.backup/app_work/oat/MSrQZQH.json.cur.prof

Filesize
2KB

MD5
1cd6cdd2e05d92c67f65f9ca2aa4bf8f

SHA1
72a181f98b8eecbc3e9b18c50bbc1ef6d98175c4

SHA256
9d7d5734772aae7171bcdd2922fb60969fa8cc0ab32022613e8c9b809baae7ef

SHA512
438e3d3430908d1ce60572fa6f4c51110b0b543618c48231d4a3d414cbc30d5f5151b540f2e3719508b95c9b2f797a327040d38dc48983ba84a99bf894d0864e

Download Submit
/data/data/com.kokevugopa.backup/app_work/oat/MSrQZQH.json.cur.prof

Filesize
2KB

MD5
b6b2884819e30103c32dfafc50ffb620

SHA1
04cc86fb8821683a391445268ebc18b13f9771be

SHA256
ce8b30122028bbafa3a576f22a7d5f9b65d9a9f566a5a11bac0fd32068b6dc7b

SHA512
260bcb20bc22447372fa46c43e3edc903b22377f987561d63a4e2540e2ec5811030168a5c08793007c0d9c2d48e7a74dce917d915e549528c16197ec6fc1f750

Download Submit
/data/data/com.kokevugopa.backup/files/profileInstalled

Filesize
24B

MD5
477283bf214c558d96d46a8dd6e02a34

SHA1
73b8f0147282bfe5c9539313f2549d562e088069

SHA256
05a7855b86b9238fc9679e847f5ed969faffa5a37f1327cf5211a4504e070dce

SHA512
ccc16664ba9f3a1e6135c63abbbc822f3bd394453a1399743a9d90c655f8f0b4aa13c424ac9f22100b7d7fb10a251c8d541fcf2255824518b4e4dac3505813ac

Download Submit
/data/data/com.kokevugopa.backup/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

Filesize
8B

MD5
693151679c573bf949dd6fd3a29147b3

SHA1
8d237830f0679f71784b1f67cbcc179611d45d05

SHA256
e4a413ad9963aebeff23507482a85fe23b670c59efa96689f1874d78b80d2b37

SHA512
ae2b03edeb47062a3cee8fdf40398372e9baadfb9672bfedc95926c3edca6b6fe4521cc3a3b1b1a57de3cc541d93f4df4ba1182d8af233909411761094131b6b

Download Submit
/data/data/com.kokevugopa.backup/no_backup/androidx.work.workdb

Filesize
104KB

MD5
54e3bcf7722564a20c85348595ea3da3

SHA1
ab3a193814d3aa2c40b4d78f7948760d53a7e19f

SHA256
872870eeb9027375f0eb2d24af45e8c65d1fdb6659856859ce86bfc60c396403

SHA512
79ff1aade8a2bdd0cbc171a2224752b43477e084f3b9895fc9ddc2e94f2fabc4049b5d6d2e3e5dcb95d4e96a129a81c0913df12076dcde7df680b0f2d18ea336

Download Submit
/data/data/com.kokevugopa.backup/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
2066222dbf402259f62bed2ea32f0f2d

SHA1
88acc04aadab6cd45479476883ba3c9c7d2f5390

SHA256
4475a1694f4fbb6c3494bf42d199a2934c33d75b14685e0262405df25563d32f

SHA512
96a836ad024089a3dcb7b783634d7af2730d77b55a1dc672f26893e67f57f82b5bed3cf6dde94b5ae1544904164d9ccc2e1431f0a4601959ea1ebbe3a7873e6b

Download Submit
/data/data/com.kokevugopa.backup/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.kokevugopa.backup/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
58eaf3bb153777bc0934e98b6706fd0a

SHA1
b096b6720c221ae020d5275d5d1303fe539b54f9

SHA256
984a3c399d8236ce9c838ed3da62f0a59086011e73f4258fbd3ccd4949f49813

SHA512
1a2c3d722453523bca319da2edd7813204d8d956ce9fdebccf9d625e10e7a44dde4c066e8043e03a94f3128595d8e41a8634067b3b325b49f1591eec3fc47c12

Download Submit
/data/data/com.kokevugopa.backup/no_backup/androidx.work.workdb-wal

Filesize
116KB

MD5
fac8e50dacd1a40cd7a28ac178be970e

SHA1
5eebb626b4bbc118a45f9f7a4fd0230476ee245c

SHA256
2c7a5c7fffcd562025c9382d83fd0b997369f0670e5805028918aefe77393798

SHA512
0b246dc043bb30a62787745b724ecc9ab28df4ed7f141a141985490076d5eafb989343ed9959712dfcb61696e692866276dd74ae5ae5d1ec802e846d386e17e1

Download Submit
/data/data/com.kokevugopa.backup/no_backup/androidx.work.workdb-wal

Filesize
434KB

MD5
d00e54f090c170f896a02b691187c90a

SHA1
233459d89432aa9946edb2af37c9de6ab09a9ab0

SHA256
cdebc2377525acc3e1eabc68b986acd6526d90721ba04baf649920ba8676c2e0

SHA512
a3698b304ec0ed32582fc4160e601313ec54a94d692c2df3bc0a91679c190234deaab714edf1fb61e89418aac618ef9a7daf647c8eda20a2d1a151988a89ec78

Download Submit
/data/misc/profiles/cur/0/com.kokevugopa.backup/primary.prof

Filesize
1KB

MD5
7b6f2ad56e47077a0afa331b208da3bb

SHA1
9ced7c791fee3f19a6405a6b31d0ea3e6cce3826

SHA256
8d290c1341eb12a456a8c73462b52a634d0dd59aa9bcc433b57b2c2fe2553bb8

SHA512
9118957aacda3d68a938a2f99181591c84403dd6107a0399f34948f8a812ecde5d13c5224b74ad0f17d233d23fcd237c7dd28aafe71dc690f41cc833d3e6994a

Download Submit
/data/misc/profiles/cur/0/com.kokevugopa.backup/primary.prof

Filesize
206B

MD5
2e1c524bda4b8c6592f9f96e69837496

SHA1
35d950beddb281b51259ee256cb868a3ee6719a7

SHA256
617487b5e97e226dd556f72cb843db400a6a19ea68e46daed0000ff3020c60b2

SHA512
96d7bf7ffbbcf3126476a7d3e88dbf5888137d2af819fdfbedb4bf4d1618a283e39c59e43210b970748ce9bd51c73277ac7859ba7966fe36291702d360c201d6

Download Submit
/data/user/0/com.kokevugopa.backup/app_work/MSrQZQH.json

Filesize
2.0MB

MD5
e7b8533f4790d9fa167afac04452da7c

SHA1
7a067dbf80f8d9a80862b6376940b04ff27ceb05

SHA256
ed7cd8bacd88207804d3382ce761f42b59e3dc4ba18cda57ebcd28375a183764

SHA512
3feeb3a35eef87160d123636aa2cf3ac820f716a3b9d7dd74b73d3c020368c75b44797fed3f15de30ec84cc0c832540ca873afff4ebde38717ab1524ab7c690d

Download Submit
/data/user/0/com.kokevugopa.backup/app_work/MSrQZQH.json

Filesize
2.0MB

MD5
cc1b3bc580852eef88b69702c457cf00

SHA1
6f55e9bd7ff350de3539ad443f12e022f1380e1f

SHA256
50de312cc6850fe9cfc6d4ee6b85281b3441fa833be072cfce2d1d9aa4972784

SHA512
48684c11a5daafecaa274fe443a680a4c8d575c2dc6572e13273cec7aa7d41bce5882e99053cac0f42175258a4000f7edabb1140f589624c3ba8d7e19eacea33

Download Submit