antidot | c87e9f6e8d1a099e015bffa68ed157792cb0c6de562ccbf20607f30772adb512

Analysis

max time kernel
149s
max time network
133s
platform
android_x64
resource
android-33-x64-arm64-20240624-en
resource tags

androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
submitted
29-11-2024 12:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c87e9f6e8d1a099e015bffa68ed157792cb0c6de562ccbf20607f30772adb512.apk
Size

8.3MB
MD5

bf5284bde7432eed1d3235e8f8c8a552
SHA1

a7435be13d888dfa67a093a8896288effc5c4e3d
SHA256

c87e9f6e8d1a099e015bffa68ed157792cb0c6de562ccbf20607f30772adb512
SHA512

bed6124909fe7c3c668c929174ab932dcb3e576639d594442cffad833e6f53d14bee645a3e0e7dc9d69887249e54e961330956b3c4247307d0ad03f91356fcca
SSDEEP

196608:vIU9mDrvGCm0GcqeVU7/HOUe5iO0VIKp0cpUJ8:l0+CseVU7Wb5iRVI1cf

Score

10^/10

antidot banker collection credential_access evasion execution impact infostealer persistence trojan

Malware Config

Signatures

Antidot
Antidot is an Android banking trojan first seen in May 2024.
banker trojan infostealer antidot
Antidot family
antidot

Antidot payload 1 IoCs

Processes:

resource	yara_rule
behavioral3/memory/4348-0.dex	family_antidot

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

com.cebugoyi.boot

ioc	pid	Process
/data/user/0/com.cebugoyi.boot/app_security/qYqbtti.json	4348	com.cebugoyi.boot

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

Processes:

com.cebugoyi.boot

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.cebugoyi.boot

Checks the application is allowed to request package installs through the package installer 1 TTPs 1 IoCs

Checks the application is allowed to install additional applications (Might try to install applications from unknown sources).

evasion

Code Signing Policy Modification

T1632.001

Processes:

com.cebugoyi.boot

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.canRequestPackageInstalls	com.cebugoyi.boot

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

Processes:

com.cebugoyi.boot

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.cebugoyi.boot

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

Processes:

com.cebugoyi.boot

description	ioc	Process
File opened for read	/proc/cpuinfo	com.cebugoyi.boot

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

Processes:

com.cebugoyi.boot

description	ioc	Process
File opened for read	/proc/meminfo	com.cebugoyi.boot

com.cebugoyi.boot
1⤵
- Loads dropped Dex/Jar
- Obtains sensitive information copied to the device clipboard
- Checks the application is allowed to request package installs through the package installer
- Schedules tasks to execute at a specified time
- Checks CPU information
- Checks memory information
PID:4348

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Subvert Trust Controls

T1632

Code Signing Policy Modification

T1632.001

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Discovery

System Information Discovery

T1426

Lateral Movement

Collection

Clipboard Data

T1414

Command and Control

Exfiltration

Impact

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.cebugoyi.boot/app_security/oat/qYqbtti.json.cur.prof

Filesize
1KB

MD5
adb2e4aec2bf4a0443ca82402649e8a3

SHA1
ae186957c5fa08119840b1dc7c5bd3911b2069ee

SHA256
181e4fc5407d046da4c7cfa03f5962790f855f11e938771bc39e67092a3f0701

SHA512
5e73fd0ab2bfc41f0167258e7001861722bac203b4038fc891a3c6269b9da5640cad58f495cef79a975a8243a88687a8abe1ba9d50d139b4895451d28ff36ab5

Download Submit
/data/data/com.cebugoyi.boot/app_security/oat/x86_64/qYqbtti.vdex

Filesize
29KB

MD5
562af73f702c80ec1a6a516a0de8a06f

SHA1
083c0ccec4d07a406d465c376de9ec4d7fcc02c0

SHA256
3c488de633e76b564376220533e464809b7a07305ea8a0353fd97706de58d383

SHA512
b9012832048a3034039a76acda737ddcba7b68f846370c31779e9943d1aeb8bdde297b83f2a5af40e0806cccbba1dc08bf3d76bc2047bd44e532a11d5b2fcd5f

Download Submit
/data/data/com.cebugoyi.boot/app_security/qYqbtti.json

Filesize
640KB

MD5
080271ce7feb60cae959fd4d7deff760

SHA1
c998597ff824b12616176ed54accb799d8a3ab61

SHA256
09cafd41f55569d1479180e82f5fc49edc4753b433f1966e29f7741ef5a1e678

SHA512
76479896532a7f44fb23b2dc8ef809c7d534b579e6dddc84a9023c441b505d326c80a402925bc0b10db562af11827635cfda50129a45603abb067e90db6a9723

Download Submit
/data/data/com.cebugoyi.boot/app_security/qYqbtti.json

Filesize
640KB

MD5
5b66d9d1f5c2a9685a266a1e90a08ae4

SHA1
0f466553e006602563fbea49628dc6e1ef16d393

SHA256
5ad06bc979c18c250d45bb10d76a109aa07dacbf6165f999b384466313fd62e7

SHA512
3c6e47c5caaf6b50bb02572b6eb7d7417286b822abdebef15a87f4bd4907dab571e74a33b41dc0bb401a6804837fbd76ac9e939a9f21a60ae818c45d11926dfe

Download Submit
/data/data/com.cebugoyi.boot/files/profileInstalled

Filesize
24B

MD5
0c5a922bc0975b19b2a6fa4928169a0c

SHA1
cd974a47c2d04bd95d6928c4295d33279f93b81b

SHA256
cd79ab70ea5c948c2de2c87ca771c93cbaab68dd29f6f290db446ec972d394c6

SHA512
f1392b6d135dac74d471d35e078c5a2a728d37d6688fe58e6b9e91290db70b992eaa0a9eaeda5362aba4b8d8cd6f99e7bab4551916f8ba722ab9270230b96ad6

Download Submit
/data/data/com.cebugoyi.boot/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

Filesize
8B

MD5
e526be5e2253b82ccac25965819ff8b5

SHA1
bb08c3ee9786625cbb5f3c939176e3b971dcdccb

SHA256
9e22c508bff2bff05be6664528b6cdc364a27bd1344309219232b438b7d4589a

SHA512
4781d18a3a6758153806e8a87bb4939c323be691fd62b37d428fe7490444e2fbfed8799fdcb18de1e225db99b3a316891ce3370780232d4742a473b81d92db24

Download Submit
/data/data/com.cebugoyi.boot/no_backup/androidx.work.workdb

Filesize
140KB

MD5
dba73700b9c929743a6f8e794304b983

SHA1
fc801a4657f92920ca426ea90f12a50b0834ad09

SHA256
912d447a17d4a41edd74e3e5e3866c9ea43ca6fb13086221f421ed9c430f7be7

SHA512
c8164467a9939559facd00ac775fde938b4ddbd055a87f10603e12bb0c76f925549580347d484a71e987fe54173f3cbcb719e59d35d27003bb19de1676ccbeb8

Download Submit
/data/data/com.cebugoyi.boot/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
8ee4dccb28ed729a694975e35e794f51

SHA1
cdf3adb47a4c1f4b08291d081bc371df863abce8

SHA256
af9a9438f37e91a7f685313376df34f61a737a3bc725c81afe4ee1a66d6f8144

SHA512
4999a548e4013b4a99460b0bfed5555f9f175ace92a1c2e6fa486b6a68759d857264f24dffe124a37797c9328782acd1aedee5f887c2faf068c86b9781454124

Download Submit
/data/data/com.cebugoyi.boot/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.cebugoyi.boot/no_backup/androidx.work.workdb-wal

Filesize
116KB

MD5
b9b563ceeeac7d87b3bf0498a9df2f68

SHA1
f3572ded6062b2a8caa299f584e2cbc2737d550a

SHA256
27c5b204c00864aee3fc9eddb9bfdf70c1b2524fc30eac204357ca3659277b61

SHA512
5e253b24c5c2eccf4eb121e65fb9e1d8a333812b8b2ca512d8ff0e382364aee645046005860c2aac637ea9945243ffc5b5ae1aae06229020b449d123ca39b401

Download Submit
/data/data/com.cebugoyi.boot/no_backup/androidx.work.workdb-wal

Filesize
426KB

MD5
66f5c02e4244153da3cc8f059b13a754

SHA1
4e9a8d0f4ae7ce0b1ec882501094177d306cb11c

SHA256
cdd6124cdb6256e4a7feb33fa2fb58ec71584620247bd5243fc4e3bded9606df

SHA512
30eee4d7e5ba479cb36df3cd2fa13ff852a997ac90efd9cd6615255376eef3f70e7da13e65740a4a19ef13e3b7d06ff755f1f1ec2f975c6557d3f7b9a405597e

Download Submit
/data/data/com.cebugoyi.boot/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
d7090c091de0b4fb0fac8c76a64215b9

SHA1
10ee207917c082984149a58563f452c2e9a39acf

SHA256
e3824766acfcc1e8627a0935295d4f414e3655c543557ae1d264f04a3987c76f

SHA512
bddd63643107ab7cc59d4f9ba7272b3946d2eb9a44668f0854aa92dae64fed72fdba43f7247d5a7c0cdaafea1aa8fc83fac74403a173c645d8ea14aa2fee1c4d

Download Submit
/data/misc/profiles/cur/0/com.cebugoyi.boot/primary.prof

Filesize
1KB

MD5
d2116dd0a6733a5c79866af78474959a

SHA1
b80e2a8cfccfcf7453bb7e8cb3d0d314a8d584e9

SHA256
66e7b1bcd17c1141d39edd06086269cf61e0d9e9868a2545c9e95a58cf956b58

SHA512
9661cbf85e53cd6794889b59f0976289cd85ffcf8f1b11efe5d6638b26ca9f1cbfa5445645c374c2c41996f571681bd556bf5b904dc3cb185e7aea6fcaa18058

Download Submit
/data/misc/profiles/cur/0/com.cebugoyi.boot/primary.prof

Filesize
252B

MD5
f743dce63c082268f98f936f980fd9de

SHA1
a0f07574f4dec95ba5f0f4ad3ae26f01ef3a6b30

SHA256
178eedb172d2bec98042e8c128fb2cb2deedbf442aacc513731351bc83f82844

SHA512
d74f4d3dec2f0576fe64df96a3f6c42d6b605c5a7c19be29c27641762f13ea60294afca272304cab6edf35644bba19d30166e138cde55946378c004b9804eccd

Download Submit
/data/user/0/com.cebugoyi.boot/app_security/qYqbtti.json

Filesize
1.4MB

MD5
63fe37a8e582054fe3a02be377b86386

SHA1
adecc8c1c1a3e194bf33263aaf6dd46ebf19575f

SHA256
134a686b6041351fb4911124112977e8d0531c40e3803e5a4557745afa62f7be

SHA512
6f3ebb038d464c6e960777d31c4cb8d974be79db58ca0123bb99ffed09d0eea67f183023579a738bbd4621a3837bc4fc019d5ba5ba4796901f9a7b70e61c5a6b

Download Submit