antidot | c87e9f6e8d1a099e015bffa68ed157792cb0c6de562ccbf20607f30772adb512

Analysis

max time kernel
136s
max time network
146s
platform
android_x64
resource
android-x64-20240624-en
resource tags

androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
submitted
29-11-2024 12:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c87e9f6e8d1a099e015bffa68ed157792cb0c6de562ccbf20607f30772adb512.apk
Size

8.3MB
MD5

bf5284bde7432eed1d3235e8f8c8a552
SHA1

a7435be13d888dfa67a093a8896288effc5c4e3d
SHA256

c87e9f6e8d1a099e015bffa68ed157792cb0c6de562ccbf20607f30772adb512
SHA512

bed6124909fe7c3c668c929174ab932dcb3e576639d594442cffad833e6f53d14bee645a3e0e7dc9d69887249e54e961330956b3c4247307d0ad03f91356fcca
SSDEEP

196608:vIU9mDrvGCm0GcqeVU7/HOUe5iO0VIKp0cpUJ8:l0+CseVU7Wb5iRVI1cf

Score

10^/10

antidot banker collection credential_access discovery evasion execution impact infostealer persistence trojan

Malware Config

Signatures

Antidot
Antidot is an Android banking trojan first seen in May 2024.
banker trojan infostealer antidot
Antidot family
antidot

Antidot payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4974-0.dex	family_antidot

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

com.cebugoyi.boot

ioc	pid	Process
/data/user/0/com.cebugoyi.boot/app_security/qYqbtti.json	4974	com.cebugoyi.boot

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

Processes:

com.cebugoyi.boot

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.cebugoyi.boot

Checks the application is allowed to request package installs through the package installer 1 TTPs 1 IoCs

Checks the application is allowed to install additional applications (Might try to install applications from unknown sources).

evasion

Code Signing Policy Modification

T1632.001

Processes:

com.cebugoyi.boot

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.canRequestPackageInstalls	com.cebugoyi.boot

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

Processes:

com.cebugoyi.boot

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.cebugoyi.boot

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

Processes:

com.cebugoyi.boot

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.cebugoyi.boot

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

Processes:

com.cebugoyi.boot

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.cebugoyi.boot

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

Processes:

com.cebugoyi.boot

description	ioc	Process
File opened for read	/proc/cpuinfo	com.cebugoyi.boot

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

Processes:

com.cebugoyi.boot

description	ioc	Process
File opened for read	/proc/meminfo	com.cebugoyi.boot

com.cebugoyi.boot
1⤵
- Loads dropped Dex/Jar
- Obtains sensitive information copied to the device clipboard
- Checks the application is allowed to request package installs through the package installer
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Checks CPU information
- Checks memory information
PID:4974

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Subvert Trust Controls

T1632

Code Signing Policy Modification

T1632.001

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Discovery

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Command and Control

Exfiltration

Impact

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.cebugoyi.boot/app_security/oat/qYqbtti.json.cur.prof

Filesize
1KB

MD5
a48b20b1a71d65ae00cea1d4ce58cd05

SHA1
b133edb9367dac47b7bb554d7695eb3104051a62

SHA256
2d159af8dc8d7fcf50ea9dc592749c9c85923bb9ac1cf17e811f8bd3cb012774

SHA512
c39b243c50601a31be7f5dddddc16497117459ce78fbe8c1544b2306047619362bb2513f1525ffa18a9b289404b943ba7b6eb3b047d89fce06194393c29f2fcf

Download Submit
/data/data/com.cebugoyi.boot/app_security/oat/qYqbtti.json.cur.prof

Filesize
2KB

MD5
b7e7ae4892826d4638e0c127595c7941

SHA1
247a7c5f738c3c630811107e3b808917baa1a56a

SHA256
1cafdd1dca773b2e38c43146b63e686fd210cf7badeafe712beefd80d3c02e7c

SHA512
93f1e72ae121a3404cbcddf78b1abac05603ec6fb9a38a18e51907ffb3d8b7eeb776958d459162997db650d3229dd39653dd6eeae2a760edb724d2711bf49a1c

Download Submit
/data/data/com.cebugoyi.boot/app_security/oat/qYqbtti.json.cur.prof

Filesize
2KB

MD5
9f37ec70b4aa6881ff697867f521d69a

SHA1
767019ceb2485ef35b6c6de3b8656b8870d136dd

SHA256
e7f12afcde8b66f6c3ba94a88a3e7f8721062a0c85fe3af774c973a918da37f1

SHA512
d4c98ba8c081b36a7ac82193cba4e13da9e4971cc00cca10725c13c142096c56f9a9b654f86250eea774abfcd958816e51f4eea9921bc67e984a681a87503bfb

Download Submit
/data/data/com.cebugoyi.boot/app_security/qYqbtti.json

Filesize
640KB

MD5
080271ce7feb60cae959fd4d7deff760

SHA1
c998597ff824b12616176ed54accb799d8a3ab61

SHA256
09cafd41f55569d1479180e82f5fc49edc4753b433f1966e29f7741ef5a1e678

SHA512
76479896532a7f44fb23b2dc8ef809c7d534b579e6dddc84a9023c441b505d326c80a402925bc0b10db562af11827635cfda50129a45603abb067e90db6a9723

Download Submit
/data/data/com.cebugoyi.boot/app_security/qYqbtti.json

Filesize
640KB

MD5
5b66d9d1f5c2a9685a266a1e90a08ae4

SHA1
0f466553e006602563fbea49628dc6e1ef16d393

SHA256
5ad06bc979c18c250d45bb10d76a109aa07dacbf6165f999b384466313fd62e7

SHA512
3c6e47c5caaf6b50bb02572b6eb7d7417286b822abdebef15a87f4bd4907dab571e74a33b41dc0bb401a6804837fbd76ac9e939a9f21a60ae818c45d11926dfe

Download Submit
/data/data/com.cebugoyi.boot/files/profileInstalled

Filesize
24B

MD5
012153ac5681278678e4def04b92f85a

SHA1
b43f92263a629a7d542612f53125947f2a0d692a

SHA256
093474a90a1a1180fd91d6d4359bc8663387f8ff8c80a96f7446d62641a895d1

SHA512
c66631d05a7210264dd76cf8835a05d247f703dcb83019e84680d8f9b6ae76183525938f6ed7c2e3981f01d49dcf72d64c1f6f717a635113b729784fa6a2cebe

Download Submit
/data/data/com.cebugoyi.boot/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

Filesize
8B

MD5
9f49f1458d39629031ef3f2d10f3c339

SHA1
ecd8afbf5cead4b390dd8641615e5ea21e19bd83

SHA256
091ae03a97e73158b69e405011e10cc66dfc4df407f3b292a4cfdfb6557db58a

SHA512
e32a70e0aeec806b3421ee4d801bf3f9fbfa9cac46b3ef5eccc81bfdf06abbf87327ba4113cecb7a6f7ea471a948d0b63acfc9cd1168d1afe5d33ca14e22c42d

Download Submit
/data/data/com.cebugoyi.boot/no_backup/androidx.work.workdb

Filesize
136KB

MD5
fb67b0f318044340a21f23336d06ee83

SHA1
24a247b59c96db33a789aed9db8a7de7cacebb3b

SHA256
41ab099677b30a7f82e053e8230741ed60b7703a4fe2e261eff08ba2efa58f68

SHA512
54d72141eb4ea2c29a8f46da7b28f7103c394623035b22b11a928278d1f1913f6e40d013a7a4d52e734d17c7c7e59098b20de23d7a5c67d25b60c6dfa4cd6c97

Download Submit
/data/data/com.cebugoyi.boot/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
f786b0be28cbab9eef27003a8a7a60e6

SHA1
07d3f14b4fedca86dcd43fa238d450a34a5d36be

SHA256
46fa8d50ef1d97d0a1a0c428ea6d418dc15ce32acca200b387ed896f6b8970a6

SHA512
264f2335b578a302d22fcddfd7d3eaab4013424a365bc63b796513b42859ab502b2fe5b8a8a88710ef5d5a4202c9ba6c4f95d1b7122812f67f511f98f97a2c9f

Download Submit
/data/data/com.cebugoyi.boot/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.cebugoyi.boot/no_backup/androidx.work.workdb-wal

Filesize
426KB

MD5
435f2eed411b2d5924e490916611f7ff

SHA1
8344b173ccc4292a83594d83c7180a2e3b617551

SHA256
22524cc7ec64f00f5fe57f97900dd90bead3019f74736f11717c63b79a4afbf2

SHA512
2ffb5814962c77a93c46d0ce9eebd22595e15f18b71323f4e5abbb5edc023f562c881ce3889b14949775f552fc0e8256021575ce1b825d9963234665dc113e55

Download Submit
/data/data/com.cebugoyi.boot/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
fc5c002aa2c0dd3efd1c8d23cdb9a289

SHA1
733df72c4bfdbc435f99a9ac4857b925e82fa70e

SHA256
9d69944fea5c8bc870bbb991bed93b17371d0f12953f2424377657583230d539

SHA512
d088c8bd85a32099c2a66f7c8019dbcd5051a4d99b833986457e5e7d2e876066e707b4382df0b048ddfe63a4ccd776df97e0bf79f6ceb60ec6cba4ace67ad4ed

Download Submit
/data/data/com.cebugoyi.boot/no_backup/androidx.work.workdb-wal

Filesize
116KB

MD5
eff338745b6e422a98b757cbc8bc2942

SHA1
54b189e4aa41ec48bfe2a11aa50c854e3330eced

SHA256
b679f8aa3b9bb98bf4e9b3283fdaf385dc52af0586ff7a87c70b43bb59da5e3d

SHA512
b19bb3b6d3d151969056a151221e506d39409d28a5c9e1679048bcdd54cb118648f12eb793280922f77cefe21a2c296f8e4736857ef2a5a8cb7713af39ff3aec

Download Submit
/data/misc/profiles/cur/0/com.cebugoyi.boot/primary.prof

Filesize
999B

MD5
40daad7d244cefa8aceb8a8626083a5d

SHA1
a4e0363eefe23810f504d91c21208844610a8c0a

SHA256
39ce994e24fdbdd727e4456c32dc1c4242f9a2441125c8806efd34b7d7c4b09b

SHA512
bdfbd1b56f88e583aa02b17740e36697c9b2167bdabd7f51470fdf0fa4ee6c83c349f0e1b9a31982d91d6a02b45efe8beb5f319c91eefbc651b32f049a716e50

Download Submit
/data/misc/profiles/cur/0/com.cebugoyi.boot/primary.prof

Filesize
184B

MD5
fd00909f637dcad5264cd7771af72bf5

SHA1
e44b7d8c16b0b6141efe8e0b29c2b9e7bc0fc30e

SHA256
d61f650e568d47498a59ddcc3195d52a15901eda18c9d9fa7b1b03aa68fdd18c

SHA512
6d2439c3598befe0100bfe9670e0d82db1af893d1dd27c11354319e5fae0eaeddca3b074041c132d90a181d76dfc902de4571192ff7dc874214bfed0374bb8e5

Download Submit
/data/user/0/com.cebugoyi.boot/app_security/qYqbtti.json

Filesize
1.4MB

MD5
63fe37a8e582054fe3a02be377b86386

SHA1
adecc8c1c1a3e194bf33263aaf6dd46ebf19575f

SHA256
134a686b6041351fb4911124112977e8d0531c40e3803e5a4557745afa62f7be

SHA512
6f3ebb038d464c6e960777d31c4cb8d974be79db58ca0123bb99ffed09d0eea67f183023579a738bbd4621a3837bc4fc019d5ba5ba4796901f9a7b70e61c5a6b

Download Submit