Malware Analysis Report

2025-01-19 06:51

Sample ID 241204-kewdesvmaj
Target CRM.apk
SHA256 c98aed544aed512f1f96d7dcb5068473f1a8359e9602b791df64a04edd0efa69
Tags
antidot banker collection credential_access discovery evasion execution infostealer persistence trojan impact
Score 10/10

Analysis Overview

Score 10/10

SHA256

c98aed544aed512f1f96d7dcb5068473f1a8359e9602b791df64a04edd0efa69

Threat Level: Known bad

The file CRM.apk was found to be: Known bad.

Malicious Activity Summary

antidot banker collection credential_access discovery evasion execution infostealer persistence trojan impact

Antidot

Antidot payload

Antidot family

Loads dropped Dex/Jar

Obtains sensitive information copied to the device clipboard

Makes use of the framework's Accessibility service

Performs UI accessibility actions on behalf of the user

Requests modifying system settings.

Checks the application is allowed to request package installs through the package installer

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Declares services with permission to bind to the system

Requests disabling of battery optimizations (often used to enable hiding in the background).

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-04 08:31

Signatures

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by call screening services to bind with the system. Allows apps to filter and manage incoming phone calls. android.permission.BIND_SCREENING_SERVICE N/A N/A
Required by autofill services to bind with the system. Allows apps to autofill information in forms. android.permission.BIND_AUTOFILL_SERVICE N/A N/A
Required by input method services to bind with the system. Allows apps to provide custom input methods (keyboards). android.permission.BIND_INPUT_METHOD N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-12-04 08:31

Reported

2024-12-04 08:34

Platform

android-x86-arm-20240624-en

Max time kernel

149s

Max time network

156s

Command Line

com.bukune.query

Signatures

Antidot

banker trojan infostealer antidot

Antidot family

antidot

Antidot payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.bukune.query/app_nation/XhFPw.json N/A N/A
N/A /data/user/0/com.bukune.query/app_nation/XhFPw.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.bukune.query

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bukune.query/app_nation/XhFPw.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.bukune.query/app_nation/oat/x86/XhFPw.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.213.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 goldjonseyrjd.me udp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp

Files

/data/data/com.bukune.query/app_nation/XhFPw.json

MD5 4811c66de49bb6059214cfdc2765a060
SHA1 f2033663fb6057097766a548fd081a3e15451ebb
SHA256 3a234b0b65c424b9e351daa44d7f40b6af0f7ef90b4e70f4337c23575accd4bf
SHA512 bc76a7285e19ded9041b30729e4eda59ee0a04e164214ce3655f162eed53396f9e328edd6e8ce5540bcd5cc92ae65d68828df6e23866c4588b937878da0e3aab

/data/data/com.bukune.query/app_nation/XhFPw.json

MD5 ad044134019a852cb98dc39dc192af64
SHA1 2a7c9a70434e4ce4ef7becf110f12f37f30e73d3
SHA256 5664a95af335a42ae70314e1d41fe8907f73d2d5a16e57e4a7cfe34c701edb72
SHA512 69f077037f95c872d17cf79b58f5cd60679616eca2f5e2f33b04b232db8a325788b81b0faae92907f843f032092d20840eba78aa5c93fe3ce79636385ba81ed1

/data/user/0/com.bukune.query/app_nation/XhFPw.json

MD5 39ee3b709dce70e0334d1adc65f16cbb
SHA1 51d1b253af9e51a17e595d609ef4726a4ad69cfc
SHA256 1bf6d3866ab70230320261a361606e3d4176e0eb30eff5662a7cd2dfa4e6e574
SHA512 56e6dfecce12bf6b1a38d31ac1c91bf1a7b89a4336135ae3937d7b63728d18418a4d38e92bbe455ea42d60c47748d53bcbe6718afa3358089dfca619073d1602

/data/user/0/com.bukune.query/app_nation/XhFPw.json

MD5 cad3344b70e0f78f2a72503d9ee4dc00
SHA1 cbbe1b60debb54cf951aa6269350ad2f85b955e3
SHA256 30864a61943e9c5975c60a3324f7b119afb20015c081cfe0417364a67dfd9860
SHA512 02c92d4e7b30472cdfcc3ae4e499ab8ebee828345a01c90e228a4b7025a817d0d3b77a2be7a7031b1bf2b2cca8b886fe93fdd4c3e1257aeea2ca03975d450b87

/data/data/com.bukune.query/no_backup/androidx.work.workdb-journal

MD5 88bf1a14100997bd84370372f2e74453
SHA1 0ca1d26a57e8cb8ce8a2d50cabf237262bc021b0
SHA256 4549ea6c459f95b3c226990e81645b3f4a8b820403abe1a527196d7b7adaba1b
SHA512 fcc428184c2eff600560e23ab9595eb530593329ac16be8cef1ee7d43806a9189f355432f6bbfedfaa2a25edd8d7f818f13c88b4c4950d430f7e0199c69cf994

/data/data/com.bukune.query/no_backup/androidx.work.workdb

MD5 90899ee5e1638251a8191b5fdd6645b5
SHA1 a7eabdb3d05fb898223a6e4964eec2960a78bd28
SHA256 398c660a9274cc34efce6c4ca6081a46b586731375e1ba037bd190ceac4dc34b
SHA512 377983915a716e4fb13daec68713e8df99b3a320f0397bea5a31c66357c89c43e6e9cb572f5a0df2ec2eef9aaacf9512ef7c10887883b5e803b9cf1af04435e8

/data/data/com.bukune.query/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.bukune.query/no_backup/androidx.work.workdb-wal

MD5 c6ac6b6dc021cb6ee8c68f6bf3a673ac
SHA1 635c277f35491c3fcc15c00ddf479573171e91de
SHA256 9ab4ad97eecf36970090989ef0ca70083346e2097803c5e3d8dd312c7ad6e758
SHA512 042e47891570517be654ac758372657e4cad2ffd0098052ba0baafc516f06d9c7e41729d4bfd5384b72286e2ed56c2741895fe7685e691e034304c98a278f807

/data/data/com.bukune.query/no_backup/androidx.work.workdb-wal

MD5 2ad3e7c871be8ebc40d7fcb6628be3e1
SHA1 609384fde6af866ee76165546264be9f54a30b17
SHA256 fac87eb86cbf20c118ee1a03ad16b4c3bae43b2780e14661c9cb4c12c4337066
SHA512 3a899bf698799fc56d8f48d3604231a3bbcb4a1ed1b7053c80080b18c77e96d1f515c91d41e0d566d1a4ed41a1e3422883f6807a016e6282bbacabddc633fbad

/data/data/com.bukune.query/no_backup/androidx.work.workdb-wal

MD5 a03dfb8a08fbe224c038972876fcb6bd
SHA1 af7b8eebba4f2a2d810b007743e82f7c64c9be0f
SHA256 e5568f0e647098b32ef60bdd989485ffc58b8482f98439b3dbea3d80b894c48d
SHA512 6763141e331e9ca244fa55cca940c88fd170b41f93932b2ff25e78349bb3ea85f4bef95ef5f3aa2a3347c66c8c194e0f4f0890a98355246ef3e576fe5badc695

/data/misc/profiles/cur/0/com.bukune.query/primary.prof

MD5 d048ea619527435e4f749ffdc498841c
SHA1 e7fefc7920af2221b3981b035f0f7d4544651715
SHA256 9a7e6432603a2e0a56ace0d539528cb8da936f3964f7b0763a821b0bc26137bc
SHA512 8014b98f08e29bbbd738ba0011a6580e88e64870b4cc0189cb21b2dd59e5c9e2e97d5d5ead05abc1a76f6c62c003312b647c04ccd611219c414be3126f262be3

/data/data/com.bukune.query/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 36126c864be3f52b025b06c8afaaf944
SHA1 f4899910416969436793e1cb48cdfd257cbcfdae
SHA256 a702e766961f66136330d0227f47faef847a40b386724c3e366a029fa7a777b9
SHA512 824962c6bf8b9c20ed31d4e400a4a5176c1dbf462035fcff3c78bbfa882db0e784255555e3567aaa4491bede04235e8a8c293353fdd37c0ac2d82bd7fcaf1147

/data/data/com.bukune.query/files/profileInstalled

MD5 06d064a120068b496ca3d067ba7d17e9
SHA1 1177827757de2eaa772916f1bb93911d14ac6c66
SHA256 cb5fff98a494f5c153f94ac69f52eb8113cd5f4b0bc38df5ff2d527d2aef6061
SHA512 c551621994a61c2837e7dffbe0b0b4e5d1f551cc46256fda89927c0b350475d20b799449ddfa180bc22c849ead396972f9aa13fdc5dd1a6d5f9b829bdf220f03

/data/misc/profiles/cur/0/com.bukune.query/primary.prof

MD5 f2c53fd2dca0a0941927e488339e9a54
SHA1 76b8cb80e4bfe2a0aada002d529d616a4e7cf41b
SHA256 00fae2bfca8b15a2606c0d5d1fbcbfcdf2e90230425dd1799e96cce997c967c6
SHA512 e4b52081ce50d3fc73786d540eafbe70ee979bd971b0e48f098d95beccc6b6e2b60765039452571f1f8eb012541b45e7ce327ac4013c04011b26209d23af3db1

/data/data/com.bukune.query/app_nation/oat/XhFPw.json.cur.prof

MD5 4b0bef8a11acf6e673c0bfd90fee441c
SHA1 f79a165273dbf28306a64b1fe0c71c0a94f12770
SHA256 a8eef425dda7ff6b292952ad8cdb8327d393f069be092ea48703309216e36e57
SHA512 ac5234201b4e3cc152447ba7482cbfe8543c54eda0e5a59ee8bbb5aa2e019d7cd5fafd4d02fac4eb71d125dcd20b4aa60a756ed62391400015ff858f3af35090

/data/data/com.bukune.query/app_nation/oat/XhFPw.json.cur.prof

MD5 ceaca590b985e780df1f714faab46320
SHA1 0139dcc3d1b3ccf2ba000011f168f190b17bb8e4
SHA256 6af3b309ea375886067a436c7002c8747776803370bf0a901d3203c2e035d525
SHA512 91ff11436eb67bfc2e20d1daa05fa82b7b4d020e541dc379901d0ccf215eb78bf4b285140d27995abc1cad4a225c1ac67ac7361f7ec5ed50f7ffeb623f3e2e5c

/data/data/com.bukune.query/app_nation/oat/XhFPw.json.cur.prof

MD5 345b54b9321f8e544aade154c88de8f7
SHA1 33614128a4289fcfb5da328e1c9d6110fa4e0066
SHA256 28cd00629c288de87e28edccc46b4b29c5b18a5690776466f37210f6dbc1c518
SHA512 9429a2947626f040dc8173f226ff8658a72178c1c60b6e5eb738eb1d45cf37551fba9bc761d91e3ff77859ed1c169bf63bf5de9b109e89917c8c93dea2df18b8

Analysis: behavioral5

Detonation Overview

Submitted

2024-12-04 08:31

Reported

2024-12-04 08:34

Platform

android-x64-20240624-en

Max time kernel

149s

Max time network

156s

Command Line

com.bukune.query

Signatures

Antidot

banker trojan infostealer antidot

Antidot family

antidot

Antidot payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.bukune.query/app_nation/XhFPw.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.bukune.query

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 goldjonseyrjd.me udp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 172.217.169.42:443 semanticlocation-pa.googleapis.com tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
GB 172.217.16.234:443 semanticlocation-pa.googleapis.com tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
GB 172.217.169.42:443 semanticlocation-pa.googleapis.com tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
GB 142.250.200.34:443 tcp
GB 216.58.204.78:443 tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp

Files

/data/data/com.bukune.query/app_nation/XhFPw.json

MD5 4811c66de49bb6059214cfdc2765a060
SHA1 f2033663fb6057097766a548fd081a3e15451ebb
SHA256 3a234b0b65c424b9e351daa44d7f40b6af0f7ef90b4e70f4337c23575accd4bf
SHA512 bc76a7285e19ded9041b30729e4eda59ee0a04e164214ce3655f162eed53396f9e328edd6e8ce5540bcd5cc92ae65d68828df6e23866c4588b937878da0e3aab

/data/data/com.bukune.query/app_nation/XhFPw.json

MD5 ad044134019a852cb98dc39dc192af64
SHA1 2a7c9a70434e4ce4ef7becf110f12f37f30e73d3
SHA256 5664a95af335a42ae70314e1d41fe8907f73d2d5a16e57e4a7cfe34c701edb72
SHA512 69f077037f95c872d17cf79b58f5cd60679616eca2f5e2f33b04b232db8a325788b81b0faae92907f843f032092d20840eba78aa5c93fe3ce79636385ba81ed1

/data/user/0/com.bukune.query/app_nation/XhFPw.json

MD5 39ee3b709dce70e0334d1adc65f16cbb
SHA1 51d1b253af9e51a17e595d609ef4726a4ad69cfc
SHA256 1bf6d3866ab70230320261a361606e3d4176e0eb30eff5662a7cd2dfa4e6e574
SHA512 56e6dfecce12bf6b1a38d31ac1c91bf1a7b89a4336135ae3937d7b63728d18418a4d38e92bbe455ea42d60c47748d53bcbe6718afa3358089dfca619073d1602

/data/data/com.bukune.query/no_backup/androidx.work.workdb-journal

MD5 db0de30cf5c31b44d2e044b7df6ced4d
SHA1 4d459af6dd0de13cbd276d581ed12b615c3dd502
SHA256 a884be6998f17a9da2322dc36413df391dd38a647d20faa7e2a9c8a3975754b7
SHA512 72c51a6047b9eb56879c527097a791515a4f495014ed55b2ce5f6d27cf68591b9918d14bffd4704ce841c6466abc395690d15480aa519be0e2575a82153c3a34

/data/data/com.bukune.query/no_backup/androidx.work.workdb

MD5 20159c38b63923bf610716374067202e
SHA1 3449c3787ba7f0795b156853ce5023e552f37514
SHA256 1ab6671ba5a3fb3b0df4df9955de236f914bc8f54bcc4135db9c8f9e96021d06
SHA512 223b51f433f6ec76a4405c62c47b892abdde38740e8405e9d6c39df8d5712e378a24ea61faac8b29ca157097e60c1b013735b5108130b75c4b7a0f9b2ca81678

/data/data/com.bukune.query/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.bukune.query/no_backup/androidx.work.workdb-wal

MD5 3074717ada26fbb7d87ccdf7427a447b
SHA1 5200525a7dc013c6d294e498b8b94bb62eb9b9fe
SHA256 289d77e691d70c32cc7f1ae742f541c6f69bac8c933f173e30d912c5bfb92f7a
SHA512 b80814fafaa5f8a56d74a4bf92aae551c72be7238b05d063a98ed050243c0579e24f9b8ff51e18843e993c86a5dd50da6706593c8dd801902aeb90f6c868f9ea

/data/data/com.bukune.query/no_backup/androidx.work.workdb-wal

MD5 1136c782696e583217e8e87f4cc21364
SHA1 ad1871a3310fc7c7c322eab6ac57a1c99d9ce010
SHA256 d54556cf37df198ea5ea9eeaea7ef001b1a107ba2371848b6818046cc8f935b7
SHA512 87bf20dcfc4887e7114f2a67fbb6603e0baa2b93430f75833f20f621cbe8eee19bca14f379d09ae10e43363aa3c8f5fb2cb9e6cbabb07db8a878f70296ce7ce0

/data/data/com.bukune.query/no_backup/androidx.work.workdb-wal

MD5 6a674fc84ca2829516688505657415e5
SHA1 9ea82eb76aa30da53a4247d46f674f01bb4c8c58
SHA256 041fc3a6ff3a139452c30f1a487c164a34c82fdb7284643083843bbace93474a
SHA512 903ff692f2cec6c5b80142acce22d67196a58a98abb11afde0c9424231a573c06a8e39ecfe39e59e92f234581f9b206dc5a5207d4efcf47735e01f4baa61e244

/data/misc/profiles/cur/0/com.bukune.query/primary.prof

MD5 d048ea619527435e4f749ffdc498841c
SHA1 e7fefc7920af2221b3981b035f0f7d4544651715
SHA256 9a7e6432603a2e0a56ace0d539528cb8da936f3964f7b0763a821b0bc26137bc
SHA512 8014b98f08e29bbbd738ba0011a6580e88e64870b4cc0189cb21b2dd59e5c9e2e97d5d5ead05abc1a76f6c62c003312b647c04ccd611219c414be3126f262be3

/data/data/com.bukune.query/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 ed4c785dda39ef0844d60f6268646792
SHA1 7314765520b3b9b857714564c827eecba5df64a3
SHA256 260445155c404e86b522c8ff6cabc5c2b7eab88a5560770c3e03ef6d18b19000
SHA512 5b5de12c6b788bca23497c1dcd9733dba33cd3477592026d162864fed3136f3939d8728eb91dcc75be037c7ed2e0a9e02284800bbc0bd21ca86b5776d81c2ca6

/data/data/com.bukune.query/files/profileInstalled

MD5 d60f95b120c6088506fa12bb79d1ec6d
SHA1 ea80c1332a127a71693f61fe8f927d96efc60408
SHA256 a9b77730b7d192bc8a9215081941d34ba8225e378650f09376e089674d2486e6
SHA512 07c1df4bbbf43290b2902957df319f4b8fe3b19e0ff1441486c0e40c42c073524d1fcd8f8d37f8a40a3d7cba2e70d3e1e3b7450d59836aa9c85d1fe044e444b0

/data/misc/profiles/cur/0/com.bukune.query/primary.prof

MD5 b9d9e0f8902d129e1aeebff0ae7b725b
SHA1 cb0d2b4c9dd60a5c1fc6261fb581bcd3416fe781
SHA256 25a822139d06016af8be1296c0242b60e35074f94c713e03323636be1162ce91
SHA512 f158a9dc753e0cb41f71a98714ff02198c576bacdd792a6153fdaf6f9a7b52d8cfb6d09099a269d0c1b0d31e2ea5a307ea1db85115bdc6797887a6de36d597f6

/data/data/com.bukune.query/app_nation/oat/XhFPw.json.cur.prof

MD5 33047783ee8b51ad2d15c97e626ec8a1
SHA1 274f1e6d4a9479d609c95d43d3ab5a48e8cd36d7
SHA256 c0b4e81ed50859ce4bbfb6b8b474ef90db30c334d6e2ef3228c2a280b29010f5
SHA512 12cd17af32a379a7a89b69434cb14bab94f956a41d8c508813cbc3edffbfb1109a3279d423f62a7234387dd744d662458005bce595712b65c7fde1cb6683df7f

Analysis: behavioral6

Detonation Overview

Submitted

2024-12-04 08:31

Reported

2024-12-04 08:34

Platform

android-x64-arm64-20240624-en

Max time kernel

145s

Max time network

158s

Command Line

com.bukune.query

Signatures

Antidot

banker trojan infostealer antidot

Antidot family

antidot

Antidot payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.bukune.query/app_nation/XhFPw.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.bukune.query

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 goldjonseyrjd.me udp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp
US 23.27.6.201:5911 goldjonseyrjd.me tcp

Files

/data/data/com.bukune.query/app_nation/XhFPw.json

MD5 4811c66de49bb6059214cfdc2765a060
SHA1 f2033663fb6057097766a548fd081a3e15451ebb
SHA256 3a234b0b65c424b9e351daa44d7f40b6af0f7ef90b4e70f4337c23575accd4bf
SHA512 bc76a7285e19ded9041b30729e4eda59ee0a04e164214ce3655f162eed53396f9e328edd6e8ce5540bcd5cc92ae65d68828df6e23866c4588b937878da0e3aab

/data/data/com.bukune.query/app_nation/XhFPw.json

MD5 ad044134019a852cb98dc39dc192af64
SHA1 2a7c9a70434e4ce4ef7becf110f12f37f30e73d3
SHA256 5664a95af335a42ae70314e1d41fe8907f73d2d5a16e57e4a7cfe34c701edb72
SHA512 69f077037f95c872d17cf79b58f5cd60679616eca2f5e2f33b04b232db8a325788b81b0faae92907f843f032092d20840eba78aa5c93fe3ce79636385ba81ed1

/data/user/0/com.bukune.query/app_nation/XhFPw.json

MD5 39ee3b709dce70e0334d1adc65f16cbb
SHA1 51d1b253af9e51a17e595d609ef4726a4ad69cfc
SHA256 1bf6d3866ab70230320261a361606e3d4176e0eb30eff5662a7cd2dfa4e6e574
SHA512 56e6dfecce12bf6b1a38d31ac1c91bf1a7b89a4336135ae3937d7b63728d18418a4d38e92bbe455ea42d60c47748d53bcbe6718afa3358089dfca619073d1602

/data/data/com.bukune.query/no_backup/androidx.work.workdb-journal

MD5 2e3db5d836cf2e9d9a29e15e87626f3e
SHA1 dcd0fd126d9559a579dd63c144eb5d73a0c5d1ed
SHA256 d71e033d4d48b32c09e9c2b0ef71ad4c5f25a4c78109380fcfdc66e702c527a0
SHA512 186843464bc6c79e48ce3fd61b0a8add396e019cfa94f4049973d79c265f08d6aea00c514ebc4648a26a45ef8ebf5ee9e9c55f5a59744be3537fe4000171670d

/data/data/com.bukune.query/no_backup/androidx.work.workdb

MD5 0b706418088aef120d20d42cd84a400e
SHA1 128062701d0cf80a865732ee0040421f3a9b2f60
SHA256 e024455b491b5a6a8c2c856fb3a28340189fbb065cd1969323fd45c17108ac3c
SHA512 bc1db9d379a057113aeca3b0d8d8b4955e387e3bf98ac83c34421b8ac38ad22dc9c37305a4c3f963333c900ff793fcfb7d3f7fd5e6ead22167a2b1df3374e8c7

/data/data/com.bukune.query/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.bukune.query/no_backup/androidx.work.workdb-wal

MD5 494029334945e0dffb2d8f3d723647d1
SHA1 cb980ebe9e73d8a452c9db058c5847060e1b886b
SHA256 63062aa4c2d3247befd7cb52ff8aed381ac3b547b07cfa9bac5b60801ce9ac0f
SHA512 a7ae3c25a23dda5de47ba759d138c430693ff7e92989aa804b65a116d6a9a90340e567b58a854602dbe2c9d76f56f3a16cfb6b5ed7269d28a9084c6d6f6564f2

/data/data/com.bukune.query/no_backup/androidx.work.workdb-wal

MD5 ccb6dc1e94a1b6cc77a13798eaa0c13d
SHA1 56b6e820c3a8e67a0572d41068d287c2991c1479
SHA256 5f014f6b8f060c412e7896a718805fc158830a468b4cded619f46c77cf9c7e9c
SHA512 52844656004c9833e7cbf48e776144be73a902f152a5ac5929a3d459fa7c93368f7cd21ffc2e6259a760987f17c1613b0e533baccdd1a6e5cd6697ae4323344b

/data/data/com.bukune.query/no_backup/androidx.work.workdb-wal

MD5 76337381689be81e71638fb1389c4e27
SHA1 0136120edcd54f7f53393d1eb7f22fc2ac3ec844
SHA256 93b10baa1d487cf054a1ad2ab582cbbaa5f35c7899ea23e974e23adf97305c42
SHA512 504ccdc2f8abde046357f42c2282535ce4766c192e3c008064e64f416fa8920f88d838a9ba2c1c079e0247892ccc3a607105b173b5a34890330e01876440c773

/data/misc/profiles/cur/0/com.bukune.query/primary.prof

MD5 d048ea619527435e4f749ffdc498841c
SHA1 e7fefc7920af2221b3981b035f0f7d4544651715
SHA256 9a7e6432603a2e0a56ace0d539528cb8da936f3964f7b0763a821b0bc26137bc
SHA512 8014b98f08e29bbbd738ba0011a6580e88e64870b4cc0189cb21b2dd59e5c9e2e97d5d5ead05abc1a76f6c62c003312b647c04ccd611219c414be3126f262be3

/data/data/com.bukune.query/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 9ec98b813bcd92fab743900d054d5c19
SHA1 4c507443e8a2e1811137364151d6780e4175b9e0
SHA256 064981b4df7d6f39876422b14673b495c5926dc606fbc3e18003dd65ca57747e
SHA512 bb50ee8e5a0cccd6c4035eeb61471193edc6ba7d8c551e46c6572fe3c4425cce8515735e77eba3c8372c1ffab11e8e4b25489922f1fa084b7b6df3b85483ac10

/data/misc/profiles/cur/0/com.bukune.query/primary.prof

MD5 fe71dc9bc817cb37f37a3d4a5861ea04
SHA1 9578b31e691d016d28afa9a4bd56a137dc9ed3ce
SHA256 f0a3031aff7511d43f0062c17641d322a43def60fb76e65e9afdb1ae4451e7ec
SHA512 26499170985a7d43963de7d7c6448ca0b1b0edb3396e3a492243ff9020a18f70c54430e2ea9f72f9d51fe17f6d169f85f98147fce11f3a95c5fdb6e6b15d17c1

/data/data/com.bukune.query/app_nation/oat/XhFPw.json.cur.prof

MD5 539ba5733cae4c146334b0f2ebb50596
SHA1 f178b507d8d0ec197cf91757ee14b436a829a8f0
SHA256 053450ebcea4869b738873adb3e79cd3ef3faf308bb3896f76c36aa7e871a13a
SHA512 2ecc32631e827fd5fbb7d009f9d894ab62ddb700369f652bd06841f9b6b280d200c2096d81a8ed41073f1bbd95a9b989ba549082d09f4adced69920169740def

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-04 08:31

Reported

2024-12-04 08:34

Platform

android-x86-arm-20240624-en

Max time kernel

149s

Max time network

133s

Command Line

com.muvuyixu.applet

Signatures

Antidot
Tags: banker trojan infostealer antidot

Antidot family
Tags: antidot

Antidot payload
Description            | Indicator                                                              | Process | Target
N/A                    | N/A                                                                    | N/A     | N/A

Loads dropped Dex/Jar
Tags: evasion
Description            | Indicator                                                              | Process | Target
N/A                    | /data/user/0/com.muvuyixu.applet/app_rebel/Ao.json                     | N/A     | N/A
N/A                    | /data/user/0/com.muvuyixu.applet/app_rebel/Ao.json                     | N/A     | N/A

Queries the mobile country code (MCC)
Tags: discovery
Description            | Indicator                                                              | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A     | N/A
Note: getNetworkCountryIsoForPhone returns the ISO country code of the registered network operator; it is the usual input for a region check, but this report does not show what the sample does with the value.

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Description            | Indicator                                                              | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver                          | N/A     | N/A

Schedules tasks to execute at a specified time
Tags: execution persistence
Description            | Indicator                                                              | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule                                 | N/A     | N/A

Checks CPU information
Description            | Indicator                                                              | Process | Target
File opened for read   | /proc/cpuinfo                                                          | N/A     | N/A

Checks memory information
Description            | Indicator                                                              | Process | Target
File opened for read   | /proc/meminfo                                                          | N/A     | N/A

Processes

com.muvuyixu.applet

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.muvuyixu.applet/app_rebel/Ao.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.muvuyixu.applet/app_rebel/oat/x86/Ao.odex --compiler-filter=quicken --class-loader-context=&
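The "Loads dropped Dex/Jar" signature in this run rests on the dex2oat invocation above: the runtime is compiling /data/user/0/com.muvuyixu.applet/app_rebel/Ao.json, a file the app wrote into its own private storage, into oat/x86/Ao.odex. dex2oat only accepts DEX (or a ZIP/JAR/APK carrying classes.dex), so the .json extension is a disguise and the file's magic bytes, not its name, decide what it is. The Python below is an added example, not part of the sandbox report or of the sample: it parses the command line recorded above (kept verbatim, including the truncated `--class-loader-context=&`) and flags dex inputs that live in app-private storage or carry a non-DEX extension, and it classifies a buffer by magic. The DEX header bytes fed to `classify_bytes` are constructed, not the dropped file's real content.

```python
from typing import Dict, List

# dex2oat command line as recorded in the behavioral1 Processes section
# (ends with the truncated "--class-loader-context=&" exactly as reported).
DEX2OAT_CMD = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m "
    "--instruction-set-variant=x86 --instruction-set-features=default "
    "--inline-max-code-units=0 --compact-dex-level=none "
    "--dex-file=/data/user/0/com.muvuyixu.applet/app_rebel/Ao.json "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/com.muvuyixu.applet/app_rebel/oat/x86/Ao.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

# Extensions dex2oat is normally handed by the installer or a class loader.
EXPECTED_DEX_SUFFIXES = (".dex", ".jar", ".apk", ".zip")
# App-private roots: a DEX here was written by the app itself, not installed.
APP_PRIVATE_PREFIXES = ("/data/user/", "/data/data/")


def parse_dex2oat(cmdline: str) -> Dict[str, List[str]]:
    """Map each --flag to the list of its values.

    Handles both "--flag=value" and "--flag value" (dex2oat uses the
    second form for --runtime-arg). Repeated flags accumulate in order.
    """
    tokens = cmdline.split()
    flags: Dict[str, List[str]] = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            if "=" in tok:
                key, value = tok.split("=", 1)
            elif i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
                key, value = tok, tokens[i + 1]
                i += 1
            else:
                key, value = tok, ""
            flags.setdefault(key, []).append(value)
        i += 1
    return flags


def suspicious_dex_inputs(cmdline: str) -> List[dict]:
    """Return --dex-file inputs that look like a dropped, disguised payload."""
    findings = []
    for path in parse_dex2oat(cmdline).get("--dex-file", []):
        findings.append({
            "path": path,
            "extension_mismatch": not path.lower().endswith(EXPECTED_DEX_SUFFIXES),
            "app_private": path.startswith(APP_PRIVATE_PREFIXES),
        })
    return [f for f in findings if f["extension_mismatch"] or f["app_private"]]


def classify_bytes(data: bytes) -> str:
    """Identify a file by its magic, ignoring the extension.

    DEX:         b"dex\\n" + three-digit version + NUL (e.g. dex\\n035\\0)
    ZIP/JAR/APK: b"PK\\x03\\x04"
    ODEX / VDEX: b"dey\\n" / b"vdex"
    """
    if len(data) >= 8 and data[:4] == b"dex\n" and data[7:8] == b"\x00":
        return "dex"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:4] == b"dey\n":
        return "odex"
    if data[:4] == b"vdex":
        return "vdex"
    return "unknown"


if __name__ == "__main__":
    for finding in suspicious_dex_inputs(DEX2OAT_CMD):
        print(finding)
    # Constructed header bytes, not the real content of Ao.json.
    print(classify_bytes(b"dex\n035\x00" + b"\x00" * 64))
```

Run against the recorded command line, the only flagged input is Ao.json, flagged on both counts (wrong extension, app-private path). When triaging a new report, apply `classify_bytes` to the dropped file itself: a "dex" or "zip" result on a .json, .txt or image extension is the same tell this signature fires on.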

Network

Country | Destination          | Domain                  | Proto
N/A     | 224.0.0.251:5353     |                         | udp
GB      | 142.250.187.206:443  |                         | tcp
US      | 1.1.1.1:53           | android.apis.google.com | udp
GB      | 142.250.200.14:443   | android.apis.google.com | tcp

Note: every row is local mDNS (224.0.0.251:5353), DNS to 1.1.1.1, or TLS to Google (android.apis.google.com; the unlabelled 142.250.x.x address is in the same Google range). No other destination appears in the 133 s network window, so no C2 exchange is captured in this run; read that as a limit of the detonation, not as evidence that the sample has none.

Files

/data/data/com.muvuyixu.applet/app_rebel/Ao.json

MD5 779a2c95ae516f7b575f59867213e0c6
SHA1 913fabaf8285498777417b2e6a5e57c0380b02f8
SHA256 19d45a93985acedffac0406304ff55157897c362facadf7e4c3e5616133613fb
SHA512 f9fa5e1b6fdcecb31840c8cc76f8d2d728442d7f1c64b9fe9c75a5d673de24f3ea66f59694446d9ae55e12a5f6085ada46f3901a682a65784075e6eaf1407d32

/data/data/com.muvuyixu.applet/app_rebel/Ao.json

MD5 1dcd921ee918b48c1fc68fb40d1b3f1b
SHA1 0d485c0b3c35809b2d76176c0eee65c036455257
SHA256 2e9d167ced21e98d6c8f698aec66778d99d887b2f32bd3c57c32fda029f718d8
SHA512 466ca3f63d6fa97337d00a51272d889964bac4023128721533ce49f7a0e6d16f58dc9f3b26eac0300c1facaca3eeebb4f6c32899c8ed66c54c2fc601a098d45e

/data/user/0/com.muvuyixu.applet/app_rebel/Ao.json

MD5 5c137d5e4e9ebef2b0f588fdff82cef5
SHA1 94d6f291a7f773b6071c7705e2f67fd0a8cb399a
SHA256 7ea4a9e833dcfc7d6a16239b0b90e7d1edc85954738769a41ce380be3d9c8c9a
SHA512 1681329af00e0082525d26b1e4e1902196a0bfd0e18a89df828cbca7b239ad06c134c94b6dcd4f4a43cff6ae777576e8e9209281892e1a14be771cb566537f6c

/data/user/0/com.muvuyixu.applet/app_rebel/Ao.json

MD5 cf361d2e8dfe0d9893223514b7d3163b
SHA1 4664981f4958649c8e7b715b30800af314da37ed
SHA256 b03058075b07c64def0ca2f368b76473430c9411804593bb92a50a042d34b6fe
SHA512 574093119df3491dfa3ffb3e662bdc52dff7a6a456cc507c897e0f35b01a940d97c0d41b4e94313de4d38315b4676e59e7e4701e2db9702249b122bd515ef5f4

/data/data/com.muvuyixu.applet/no_backup/androidx.work.workdb-journal

MD5 9c581520bb6ddc0b0dad4ada9e756649
SHA1 849ac2bca6195c0fdb20cee7dda57c43d7f08ff4
SHA256 5ee212808f6ff36bd57af3219de5ec44e776850c6473dbd7c248dce2c60d0f60
SHA512 7bffe7923079fc83e2074830fa46286153f1631c44bbeeb82814d0ed155b135756df903715753cb773d40f927bafbbd5268d63c94961fa99c63a9bc6af82b17f

/data/data/com.muvuyixu.applet/no_backup/androidx.work.workdb

MD5 1e4982b5ee4b0e3770fef22eeff00f0e
SHA1 06ba900f7be81269fb690d6744c6c2a0c8225b71
SHA256 41288a187465aac4b4ce44475da1bdd1ed310b0249e2122380094093016a3f75
SHA512 ad6a812ccbe1f530b0a1d36ae3fee4f7897a1b2218875b5771d00809c1d3a2b477db644dcdb5fdddff968d84a005969ed6afd0f5bdc4bb36d8cbf2c35cb6d424

/data/data/com.muvuyixu.applet/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.muvuyixu.applet/no_backup/androidx.work.workdb-wal

MD5 b796734a27056903b2963e65ce6134ef
SHA1 95438fa5388ab644b0fd33bf2c2b9d68d073514d
SHA256 74a64cfd9777c46f872155214a4a44ce5c5f60ca69ab365500af481d0ce0d68e
SHA512 831d41c424c8c669e441ab06f861c55342b67c79bdf5154d27eb3814aba30255abff26aa16d28a6b51f67306af5b69f401001e311c2682d18c49ee312151aae2

/data/data/com.muvuyixu.applet/no_backup/androidx.work.workdb-wal

MD5 88cdff8565a863d3fda2cb2ef2d8dd9c
SHA1 e000e70caa948fc5dadc9503814ec3d520f156f2
SHA256 eec5961208e9f1085e1389f18aaa34d399a37863477dce399d16adc6f951afbb
SHA512 5d9c2c35910b8f8c3659e1cda2eed0ac35bc3d8ad7b126d1ce577716ba1fed121ee89ae532205b469e07fe1958156e63a8e1f45ea1de5cc06d8d50d0b2286001

/data/data/com.muvuyixu.applet/no_backup/androidx.work.workdb-wal

MD5 dd7e01e44a7223e84ef079954305c34e
SHA1 606a0e508d6dee8f939dec38e4446233ecd6034d
SHA256 a120a4ead7aa64bdb5b4eff66ec69ce9f252bc5f0c7f87ada8928c9ab7f3ba82
SHA512 c34a8bb0f08eaa1901a9d71982486fe2a9ec5ef07f56c18588aab3b82568a90f4672f8d3106e0bf0106572f44de346c0772a4cd550aa293859fdcffacc3734a0

/data/misc/profiles/cur/0/com.muvuyixu.applet/primary.prof

MD5 4eddc909b4229e9d172b174dbe4eb084
SHA1 a75918631e2627e609ed61bc1e3a776df13d43cc
SHA256 9db642cc308455ab090e33bff513239f3c8d2d3e51ea66cc539d72f6e2a376c8
SHA512 9ef2d4efa692f4ead9c4ad93d4407f15882ce0b0c8b5d19c56b98c8e6ee95d468190a000f47d4bb55d9bf77e63aaa0eab96e8406863919d4913444141577245d

/data/data/com.muvuyixu.applet/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 baa5505b11a62cae0b0547179d5d1149
SHA1 eccc56fb184c0a9a8b21ad8b97fb1dd6b8216816
SHA256 0506fa25478fa6e241c4d6490cc4851c33475c0610a29a4057b0f61a48547956
SHA512 4d624a535ca900cd637f85f828d50c19101eeedfab62bb81b8314a5480e7db3d0720047bd1dbf51076146083862716e98692e90c32a08d085bf12f28ff18c074

/data/data/com.muvuyixu.applet/files/profileInstalled

MD5 a11730d8d3db23877313e48c3a6717f0
SHA1 6f6d6273f66d2edc137e89412611dbae3356692b
SHA256 f2817d6b089ff0283f0c8b89237e54899dca5ea2ccf00669d3775828459d3380
SHA512 a2ff693fa357ed697006ea16434a66fd0c913065fc25fd38f6822286259dae410a3f017643e8cb154b2c5030e08580a7ea90b33418db0b4281fdf497b5275803

/data/misc/profiles/cur/0/com.muvuyixu.applet/primary.prof

MD5 4683ea3ebd45c456a3ee8ae947c8c1ed
SHA1 cfe69cafb679ae260679be8d8359a2472a75e2f0
SHA256 cef878ff012bc9c95573318b65239c07da6a686c55b66d525821e6ed87f9e5a2
SHA512 3118540147b041c6bb4582d994bd687cf2cf883d3a5361181aedc004e11390ac459f915b5a4eef534bf8b4312d22138c75ccc6c29f370edaa144f08a5ef79bf6

/data/data/com.muvuyixu.applet/app_rebel/oat/Ao.json.cur.prof

MD5 19a6b8ca1d9d50e5f2727f78aa353614
SHA1 6081c8cd8f6643b106bbd697965422aa811a7858
SHA256 7ceca1088c3895c21b524180a9e686295ce003b3060c9bd45b06f4aac6dedf19
SHA512 2cf4393c269bb0e60493ce8aeae65f78a8a25bd29cbe47897cf3715a27e5d2a541e61b3c92129e228bb00c1a8441ffd274f5069d58eaee0c9cf4de737e4abfa7

/data/data/com.muvuyixu.applet/app_rebel/oat/Ao.json.cur.prof

MD5 18295c398a630bc1f347f2ed6c78e1a0
SHA1 8635159ce95ab6b1373b5046fba9bc856bc1b342
SHA256 cf8f68fe95adef2c520f3741b9fba7ad4e70866b31cbfd5fc77aee1778c7ef49
SHA512 5d93899002a8b858494cd27c2d276d2b2f72b9d0ec16a48ea6c247b931d9a0334e739d4d89332031432732e64d05ea41e72751ad7a33f8ab3ea6d811084ad282

/data/data/com.muvuyixu.applet/app_rebel/oat/Ao.json.cur.prof

MD5 3431faca1a4cc09a9712dfdb66ac190e
SHA1 4b55bb4e7764ff1919e2c5520aa18f89ea8ad040
SHA256 4078fd5840384104e1e5450154883533c96298aa4ac83030b87d6551a81e2362
SHA512 2e39bbc2a95deacd1b6a60a835ef5b7260903a5efbe8471869c21145fd54118ecacd4979fe3410ff9edb2cfba43fca6c17eb726afa772b93ab8d72472446645d

Analysis: behavioral2

Detonation Overview

Submitted         2024-12-04 08:31
Reported          2024-12-04 08:34
Platform          android-x64-20240624-en
Max time kernel   149s
Max time network  139s

Command Line

com.muvuyixu.applet

Signatures

Antidot
Tags: banker trojan infostealer antidot

Antidot family
Tags: antidot

Antidot payload
Description            | Indicator                                                              | Process | Target
N/A                    | N/A                                                                    | N/A     | N/A

Loads dropped Dex/Jar
Tags: evasion
Description            | Indicator                                                              | Process | Target
N/A                    | /data/user/0/com.muvuyixu.applet/app_rebel/Ao.json                     | N/A     | N/A

Obtains sensitive information copied to the device clipboard
Tags: collection credential_access impact
Description            | Indicator                                                              | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener               | N/A     | N/A

Checks the application is allowed to request package installs through the package installer
Tags: evasion
Description            | Indicator                                                              | Process | Target
Framework service call | android.content.pm.IPackageManager.canRequestPackageInstalls           | N/A     | N/A

Queries the mobile country code (MCC)
Tags: discovery
Description            | Indicator                                                              | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A     | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Description            | Indicator                                                              | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver                          | N/A     | N/A

Schedules tasks to execute at a specified time
Tags: execution persistence
Description            | Indicator                                                              | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule                                 | N/A     | N/A

Checks CPU information
Description            | Indicator                                                              | Process | Target
File opened for read   | /proc/cpuinfo                                                          | N/A     | N/A

Checks memory information
Description            | Indicator                                                              | Process | Target
File opened for read   | /proc/meminfo                                                          | N/A     | N/A

Processes

com.muvuyixu.applet

Network

Country | Destination          | Domain                   | Proto
N/A     | 224.0.0.251:5353     |                          | udp
US      | 1.1.1.1:53           | ssl.google-analytics.com | udp
GB      | 142.250.178.8:443    | ssl.google-analytics.com | tcp
GB      | 142.250.187.238:443  |                          | tcp
US      | 1.1.1.1:53           | android.apis.google.com  | udp
GB      | 142.250.200.46:443   | android.apis.google.com  | tcp
GB      | 142.250.179.228:443  |                          | tcp
GB      | 142.250.179.228:443  |                          | tcp

Files

/data/data/com.muvuyixu.applet/app_rebel/Ao.json

MD5 779a2c95ae516f7b575f59867213e0c6
SHA1 913fabaf8285498777417b2e6a5e57c0380b02f8
SHA256 19d45a93985acedffac0406304ff55157897c362facadf7e4c3e5616133613fb
SHA512 f9fa5e1b6fdcecb31840c8cc76f8d2d728442d7f1c64b9fe9c75a5d673de24f3ea66f59694446d9ae55e12a5f6085ada46f3901a682a65784075e6eaf1407d32

/data/data/com.muvuyixu.applet/app_rebel/Ao.json

MD5 1dcd921ee918b48c1fc68fb40d1b3f1b
SHA1 0d485c0b3c35809b2d76176c0eee65c036455257
SHA256 2e9d167ced21e98d6c8f698aec66778d99d887b2f32bd3c57c32fda029f718d8
SHA512 466ca3f63d6fa97337d00a51272d889964bac4023128721533ce49f7a0e6d16f58dc9f3b26eac0300c1facaca3eeebb4f6c32899c8ed66c54c2fc601a098d45e

/data/user/0/com.muvuyixu.applet/app_rebel/Ao.json

MD5 5c137d5e4e9ebef2b0f588fdff82cef5
SHA1 94d6f291a7f773b6071c7705e2f67fd0a8cb399a
SHA256 7ea4a9e833dcfc7d6a16239b0b90e7d1edc85954738769a41ce380be3d9c8c9a
SHA512 1681329af00e0082525d26b1e4e1902196a0bfd0e18a89df828cbca7b239ad06c134c94b6dcd4f4a43cff6ae777576e8e9209281892e1a14be771cb566537f6c

/data/data/com.muvuyixu.applet/no_backup/androidx.work.workdb-journal

MD5 5b0d72892b9996760a22baee8441db70
SHA1 dc30c78e388a94ee00006a72c0565cc82a216918
SHA256 1683f2c9a19482fafc801a16fb39feab6880835afd6c43ce63719d4fe7c01fde
SHA512 2ada74d4b70b6ca5335ab4c27f92bc53899c625548b027542e9b0370d4dc9be91149d1c6eaacc8e16c1553a54cc10d9f7a4c19f6095c40ad1872992ba0e7561d

/data/data/com.muvuyixu.applet/no_backup/androidx.work.workdb

MD5 6cc38383476a56019bca074dfadda003
SHA1 983cd50d557c4653dbc2670ebf9ebceb41a47ef2
SHA256 f795464f0896419529d8f84ccb4d38316e7c0ba05400e21d8501c731a4301291
SHA512 523771f3c79050cc417c677d77fdf8343934dcddf659fc7086f6af027f37b10070b9529db9df78dea7e6a2917fe524ebd99120fce2357eb7914f74d38546d035

/data/data/com.muvuyixu.applet/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.muvuyixu.applet/no_backup/androidx.work.workdb-wal

MD5 4181f7f26e5949eb574edc60b09ad8e8
SHA1 2dc4f300f7707eb9c7f16073b37f2e9c6000ca2e
SHA256 37134cc0364971a8bc1744fe320bf13c775f20fda7d38450f0b3b9500843954f
SHA512 4b790a68165af4cccb3012b89901ba50e3ed6552b45eaf1a32439ad3cb0e1ab2091850df0560a6675a716586c200b9e6f4894348b04594b13d3d092bcb5f289e

/data/data/com.muvuyixu.applet/no_backup/androidx.work.workdb-wal

MD5 1428d9d134c3708d30801d4504a0bc63
SHA1 90327e0f34eae2f1c086385d2722ee4892bd04a1
SHA256 b7a13b3423f7bc628952082c8187a1b883a8437d14f930449ffb827bc3f1e6e4
SHA512 2a2094090784fc25e5674c9a035c16d445e29549688b3ffd0a28d017f2da89dcd662cdba4065dfd347afa39e6e84031072dd0d29f5aae6255571ef605efb1b83

/data/data/com.muvuyixu.applet/no_backup/androidx.work.workdb-wal

MD5 e9558edc8b06ce771f51365974f13065
SHA1 95ffda9ca1a042218fdc39d8cc4b6cb7a906e8ac
SHA256 19d0493c80a26c5605b7b9ca63c013130d4f52a6d2753d3406e55658fcde769b
SHA512 3165efd47288c9bf8042c89bc813e749cd80e5aaec8c5ea4c8a591d2c4a2fac46551a7037a244887f99903be479168849daca1878d48f55f607f0e82e96b3124

/data/misc/profiles/cur/0/com.muvuyixu.applet/primary.prof

MD5 4eddc909b4229e9d172b174dbe4eb084
SHA1 a75918631e2627e609ed61bc1e3a776df13d43cc
SHA256 9db642cc308455ab090e33bff513239f3c8d2d3e51ea66cc539d72f6e2a376c8
SHA512 9ef2d4efa692f4ead9c4ad93d4407f15882ce0b0c8b5d19c56b98c8e6ee95d468190a000f47d4bb55d9bf77e63aaa0eab96e8406863919d4913444141577245d

/data/data/com.muvuyixu.applet/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 2d98ab9a16b1c260f076b2b774978c0d
SHA1 4273c5521744f3b86a337f4d7b977d786c7f27b3
SHA256 506c2f9ff9266a65b0fbcfef9a3ec40f37d18f467eda86f1d4d3116e54ad1f54
SHA512 3fedcd519ace012aa130541c4dc4b2d38105eaeea1409cff3c2e797290287741de55ce059c34d2fbc3dde099913d30be10b687e68ec1cae6e735e6fe2fa7606b

/data/data/com.muvuyixu.applet/files/profileInstalled

MD5 fb90b3ec9a7065ff19f2fa20f29042b3
SHA1 6a9d0cdfb1a9951031f01ba5f5d13e4934dac766
SHA256 50cb22b5e8dd9daff366bb1dce3f6b825ead152d8f35361e8cebc91ea20e55b2
SHA512 4048e66231ce5e8b70deaca7f2c584ab281fc34be3828ef7ee4cc3c00f1d9211f8bd818e5b9f807c8800c5a4a9cb97ae894c78d7588e18961c730acee7cd9ae5

/data/misc/profiles/cur/0/com.muvuyixu.applet/primary.prof

MD5 4683ea3ebd45c456a3ee8ae947c8c1ed
SHA1 cfe69cafb679ae260679be8d8359a2472a75e2f0
SHA256 cef878ff012bc9c95573318b65239c07da6a686c55b66d525821e6ed87f9e5a2
SHA512 3118540147b041c6bb4582d994bd687cf2cf883d3a5361181aedc004e11390ac459f915b5a4eef534bf8b4312d22138c75ccc6c29f370edaa144f08a5ef79bf6

/data/data/com.muvuyixu.applet/app_rebel/oat/Ao.json.cur.prof

MD5 574d8390023ba65a4cf3ec5a529b97eb
SHA1 49cdc07ce838203c710c9e0205e72925f666a816
SHA256 0f3b76f520cc1fb72b9e15fd410c09181a05ee5e4535d8879a33a380636dd860
SHA512 5b2068eb823e0e148f2aa1ca40b45781f59782f3d2661f2d0337bd6c8b211eaac576c4bd68e49c79758b058e8659970adabe164ff211576ed0731a73ed9e3245
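Two things stand out when the Files sections of behavioral1 and behavioral2 are read side by side. First, the same path is listed more than once with different hashes: app_rebel/Ao.json has four distinct SHA256 values in behavioral1 and three in behavioral2, which means the file was rewritten during the run and the sandbox reported each version it captured. Second, three of those values (19d45a93…, 2e9d167c…, 7ea4a9e8…) are identical across the runs, while the androidx.work database and profile files hash differently every time; the stable hashes are the ones worth pivoting on, the rest are run noise. The Python below is an added example, not part of the report: it parses this report's own flattened file listing (a path line followed by hash lines) and performs both checks. The two input excerpts are copied from the behavioral1 and behavioral2 Files lists above, trimmed to the SHA256 lines.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Excerpt of the behavioral1 Files section, copied from the report and
# trimmed to path + SHA256 lines (MD5/SHA1/SHA512 lines parse the same way).
RUN1_FILES = """
/data/data/com.muvuyixu.applet/app_rebel/Ao.json
SHA256 19d45a93985acedffac0406304ff55157897c362facadf7e4c3e5616133613fb

/data/data/com.muvuyixu.applet/app_rebel/Ao.json
SHA256 2e9d167ced21e98d6c8f698aec66778d99d887b2f32bd3c57c32fda029f718d8

/data/user/0/com.muvuyixu.applet/app_rebel/Ao.json
SHA256 7ea4a9e833dcfc7d6a16239b0b90e7d1edc85954738769a41ce380be3d9c8c9a

/data/user/0/com.muvuyixu.applet/app_rebel/Ao.json
SHA256 b03058075b07c64def0ca2f368b76473430c9411804593bb92a50a042d34b6fe

/data/data/com.muvuyixu.applet/no_backup/androidx.work.workdb
SHA256 41288a187465aac4b4ce44475da1bdd1ed310b0249e2122380094093016a3f75
"""

# Same excerpt for behavioral2.
RUN2_FILES = """
/data/data/com.muvuyixu.applet/app_rebel/Ao.json
SHA256 19d45a93985acedffac0406304ff55157897c362facadf7e4c3e5616133613fb

/data/data/com.muvuyixu.applet/app_rebel/Ao.json
SHA256 2e9d167ced21e98d6c8f698aec66778d99d887b2f32bd3c57c32fda029f718d8

/data/user/0/com.muvuyixu.applet/app_rebel/Ao.json
SHA256 7ea4a9e833dcfc7d6a16239b0b90e7d1edc85954738769a41ce380be3d9c8c9a

/data/data/com.muvuyixu.applet/no_backup/androidx.work.workdb
SHA256 f795464f0896419529d8f84ccb4d38316e7c0ba05400e21d8501c731a4301291
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_files_section(text: str) -> List[Dict[str, str]]:
    """Turn the flattened listing into [{'path': ..., 'SHA256': ...}, ...].

    A line starting with '/' opens a new record, hash lines attach to the
    most recent record, blank lines are ignored.
    """
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("/"):
            records.append({"path": line})
            continue
        m = HASH_LINE.match(line)
        if m and records:
            records[-1][m.group(1)] = m.group(2).lower()
    return records


def rewritten_paths(records: List[Dict[str, str]], algo: str = "SHA256") -> Dict[str, List[str]]:
    """Paths reported with more than one distinct hash, i.e. rewritten during the run.

    /data/user/0/<pkg> is a symlink to /data/data/<pkg> on a single-user
    device, so the two spellings are folded into one key.
    """
    seen: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        if algo not in r:
            continue
        key = re.sub(r"^/data/user/0/", "/data/data/", r["path"])
        if r[algo] not in seen[key]:
            seen[key].append(r[algo])
    return {path: hashes for path, hashes in seen.items() if len(hashes) > 1}


def hashes_common(run_a, run_b, algo: str = "SHA256") -> Set[str]:
    """Hashes present in both runs: deterministic artifacts, good hunting pivots."""
    a = {r[algo] for r in run_a if algo in r}
    b = {r[algo] for r in run_b if algo in r}
    return a & b


if __name__ == "__main__":
    r1, r2 = parse_files_section(RUN1_FILES), parse_files_section(RUN2_FILES)
    for path, hashes in rewritten_paths(r1).items():
        print(f"{path}: {len(hashes)} versions")
    print("stable across runs:", sorted(hashes_common(r1, r2)))
```

On these excerpts the only rewritten path is app_rebel/Ao.json (four versions in behavioral1, three in behavioral2), and exactly three SHA256 values are shared between the runs; the fourth behavioral1 version (b0305807…) and both workdb hashes are run-specific. Feeding the full Files sections through the same parser gives the complete picture for all six detonations.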

Analysis: behavioral3

Detonation Overview

Submitted         2024-12-04 08:31
Reported          2024-12-04 08:34
Platform          android-x64-arm64-20240624-en
Max time kernel   150s
Max time network  134s

Command Line

com.muvuyixu.applet

Signatures

Antidot
Tags: banker trojan infostealer antidot

Antidot family
Tags: antidot

Antidot payload
Description            | Indicator                                                              | Process | Target
N/A                    | N/A                                                                    | N/A     | N/A

Loads dropped Dex/Jar
Tags: evasion
Description            | Indicator                                                              | Process | Target
N/A                    | /data/user/0/com.muvuyixu.applet/app_rebel/Ao.json                     | N/A     | N/A

Obtains sensitive information copied to the device clipboard
Tags: collection credential_access impact
Description            | Indicator                                                              | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener               | N/A     | N/A

Checks the application is allowed to request package installs through the package installer
Tags: evasion
Description            | Indicator                                                              | Process | Target
Framework service call | android.content.pm.IPackageManager.canRequestPackageInstalls           | N/A     | N/A

Schedules tasks to execute at a specified time
Tags: execution persistence
Description            | Indicator                                                              | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule                                 | N/A     | N/A

Checks CPU information
Description            | Indicator                                                              | Process | Target
File opened for read   | /proc/cpuinfo                                                          | N/A     | N/A

Checks memory information
Description            | Indicator                                                              | Process | Target
File opened for read   | /proc/meminfo                                                          | N/A     | N/A

Processes

com.muvuyixu.applet

Network

Country | Destination          | Domain                   | Proto
N/A     | 224.0.0.251:5353     |                          | udp
GB      | 172.217.16.238:443   |                          | tcp
US      | 1.1.1.1:53           | android.apis.google.com  | udp
GB      | 172.217.16.238:443   | android.apis.google.com  | tcp
GB      | 172.217.16.238:443   | android.apis.google.com  | tcp
US      | 1.1.1.1:53           | ssl.google-analytics.com | udp
GB      | 216.58.201.104:443   | ssl.google-analytics.com | tcp
GB      | 142.250.187.196:443  |                          | tcp
GB      | 142.250.187.196:443  |                          | tcp

Files

/data/data/com.muvuyixu.applet/app_rebel/Ao.json

MD5 779a2c95ae516f7b575f59867213e0c6
SHA1 913fabaf8285498777417b2e6a5e57c0380b02f8
SHA256 19d45a93985acedffac0406304ff55157897c362facadf7e4c3e5616133613fb
SHA512 f9fa5e1b6fdcecb31840c8cc76f8d2d728442d7f1c64b9fe9c75a5d673de24f3ea66f59694446d9ae55e12a5f6085ada46f3901a682a65784075e6eaf1407d32

/data/data/com.muvuyixu.applet/app_rebel/Ao.json

MD5 1dcd921ee918b48c1fc68fb40d1b3f1b
SHA1 0d485c0b3c35809b2d76176c0eee65c036455257
SHA256 2e9d167ced21e98d6c8f698aec66778d99d887b2f32bd3c57c32fda029f718d8
SHA512 466ca3f63d6fa97337d00a51272d889964bac4023128721533ce49f7a0e6d16f58dc9f3b26eac0300c1facaca3eeebb4f6c32899c8ed66c54c2fc601a098d45e

/data/user/0/com.muvuyixu.applet/app_rebel/Ao.json

MD5 5c137d5e4e9ebef2b0f588fdff82cef5
SHA1 94d6f291a7f773b6071c7705e2f67fd0a8cb399a
SHA256 7ea4a9e833dcfc7d6a16239b0b90e7d1edc85954738769a41ce380be3d9c8c9a
SHA512 1681329af00e0082525d26b1e4e1902196a0bfd0e18a89df828cbca7b239ad06c134c94b6dcd4f4a43cff6ae777576e8e9209281892e1a14be771cb566537f6c

/data/data/com.muvuyixu.applet/no_backup/androidx.work.workdb-journal

MD5 64beffd83533f49a651e6e9a9e586230
SHA1 3f7da59e8342c3fede40112038922347e29c91d3
SHA256 4ba1d3c47a42ac21f91106b1adb7b2f1db3ca7a32d322a7921a63d0846491fc2
SHA512 6abaabed0b679ba76b7896d0b29caf8c194b9a1b902f08b1c7d6b593d9194e618c1721640c8a4af5aa5eb9bd6e9045b51bba600e8af40eee2039f12b55361ae2

/data/data/com.muvuyixu.applet/no_backup/androidx.work.workdb

MD5 630f193e9100af367420e3bbe84121d5
SHA1 5e49a938dff07b68f412b0346c44b77db1f54037
SHA256 c983fe8876b4899ecd12a74aa1efbb4e3a68ed868f7fefa0be716dfdb2028979
SHA512 642fae6787621887042868b10c7b784e9eb7d46bfebfd7b6ed89368eefefaf1b194408f30a411cd7aa9c4f5975bd130a41a08b5508b7b51ad737b22ebd860177

/data/data/com.muvuyixu.applet/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.muvuyixu.applet/no_backup/androidx.work.workdb-wal

MD5 a5e4eb10d207db2476a72791b0e26dd5
SHA1 af0b1957e27d502e8f0124fdf57177ce314f94bd
SHA256 9c9429cb2db24260434d3e961e1d377e687361c83e585c63b99525d9afdf382a
SHA512 704dfd01d5d6ebb3187111cefa17c65d865e72bc8247a7fe87bfd1c3641a1f916478c9e51598738da05b065e28c01a49a7a598dcb4d59ac5ec19a55bcbb53335

/data/data/com.muvuyixu.applet/no_backup/androidx.work.workdb-wal

MD5 0773bea76d3dbb463bdc13525f0807fd
SHA1 b56c7c4fb6c35e5719c46239676f0acdec8b5b7f
SHA256 8b9664b5fb596a8d64005c7649099ca57d2e7e86706546a5919b2d3c5b930e05
SHA512 c9ae8920593108c53e3cd438b81596e1b533c52ca3b4438d848f917184dd86cbc5d278eb12d40e8c13848c1819b7e3881388a671ef1359fd9cbe0aeba9d9739b

/data/data/com.muvuyixu.applet/no_backup/androidx.work.workdb-wal

MD5 2a103de9d756d347a798d5985b2d1921
SHA1 2ebfec41ba44d6049e97a0def20793afbe13cdfc
SHA256 3721f5b2f944ba7f56a15e3b5eec744c1cfea25eb6ebaa0c638a2874188accd3
SHA512 12c979146f1917b041acc8ddf9f0cad4ce691b7edc39fb6b67f5e5464ea0686200726299a4b3ca125d0b63ebfb4327fef4b28da4eb45dfcbc224b3d322efa5a5

/data/misc/profiles/cur/0/com.muvuyixu.applet/primary.prof

MD5 4eddc909b4229e9d172b174dbe4eb084
SHA1 a75918631e2627e609ed61bc1e3a776df13d43cc
SHA256 9db642cc308455ab090e33bff513239f3c8d2d3e51ea66cc539d72f6e2a376c8
SHA512 9ef2d4efa692f4ead9c4ad93d4407f15882ce0b0c8b5d19c56b98c8e6ee95d468190a000f47d4bb55d9bf77e63aaa0eab96e8406863919d4913444141577245d

/data/data/com.muvuyixu.applet/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 7ac00dcf8c21527d2769c96e04ba3541
SHA1 97d6575ef14fdb5358e63ef0fc035ff2fd53db66
SHA256 def559c5156146df75559f188cbb51d12ecdd4ba2256ad14efd80b0ce285536a
SHA512 5d6714d6445c7f874873ea402376db825af2f3198ed40aa9a2f62f14876aae49cd6feda1baf61156a82032089ef46836b3e0d401e8817505211477056dfe9d2f