Analysis
max time kernel: 140s
max time network: 153s
platform: android-9_x86
resource: android-x86-arm-20240910-en
resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
submitted: 20-12-2024 07:27
Static task: static1
Behavioral task behavioral1: sample 8919f2c84bccb75b94393010ea857a4d28754354cbaf7043f49d47ff89318f7c.apk, resource android-x64-20240624-en
Behavioral task behavioral2: sample 8919f2c84bccb75b94393010ea857a4d28754354cbaf7043f49d47ff89318f7c.apk, resource android-x64-arm64-20240624-en
Behavioral task behavioral3: sample 8919f2c84bccb75b94393010ea857a4d28754354cbaf7043f49d47ff89318f7c.apk, resource android-33-x64-arm64-20240910-en
Behavioral task behavioral4: sample 8919f2c84bccb75b94393010ea857a4d28754354cbaf7043f49d47ff89318f7c.apk, resource android-x86-arm-20240910-en
Behavioral task behavioral5: sample bayadoje.apk, resource android-x64-20240910-en
Behavioral task behavioral6: sample bayadoje.apk, resource android-x64-arm64-20240624-en
Behavioral task behavioral7: sample bayadoje.apk, resource android-33-x64-arm64-20240910-en
Behavioral task behavioral8: sample bayadoje.apk, resource android-x86-arm-20240910-en
General
Target: bayadoje.apk
Size: 7.6MB
MD5: baf3c550534acd7dce3795cb7176d738
SHA1: 2f99a11bedeaa8357b75414e0797d8cfb337aa7d
SHA256: 129240b79c82258e10643b16f0947b2ccbb88e6fea642176a85f8d21d94a2ab6
SHA512: c3180ee141d9080aa97c38936dfb9bb164a8151912f2b9594275566eb8f107dfbd8bd167e8e2472a7a53562f34b5f3be88ccc501efe37ae404c4b8ddfa346f34
SSDEEP: 98304:so/Krg4JmdxU1g9hZB0/HRCQoR9cKzqtKsRm2ieSyeTgnrSs2a+5nWKCYFWY:sJmdxU1IN0J6zqNBYErSs2a+xH
Malware Config
Signatures
Antidot
Antidot is an Android banking trojan first seen in May 2024.
Antidot family
Antidot payload (1 IoCs)
resource: behavioral8/memory/4355-0.dex, yara_rule: family_antidot
Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
Runs executable file dropped to the device during analysis.
ioc: /data/user/0/com.kofisahoke.access/app_unaware/Mu.json, pid: 4355, Process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.kofisahoke.access/app_unaware/Mu.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.kofisahoke.access/app_unaware/oat/x86/Mu.odex --compiler-filter=quicken --class-loader-context=&
ioc: /data/user/0/com.kofisahoke.access/app_unaware/Mu.json, pid: 4330, Process: com.kofisahoke.access
Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
description: Framework service call, ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone, Process: com.kofisahoke.access
Requests enabling of the accessibility settings. (1 IoCs)
description: Intent action, ioc: android.settings.ACCESSIBILITY_SETTINGS, Process: com.kofisahoke.access
Requests uninstalling the application. (1 TTPs, 1 IoCs)
description: Intent action, ioc: android.intent.action.DELETE, Process: com.kofisahoke.access
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
description: Framework service call, ioc: android.app.IActivityManager.registerReceiver, Process: com.kofisahoke.access
Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description: Framework service call, ioc: android.app.job.IJobScheduler.schedule, Process: com.kofisahoke.access
Checks CPU information (2 TTPs, 1 IoCs)
description: File opened for read, ioc: /proc/cpuinfo, Process: com.kofisahoke.access
Checks memory information (2 TTPs, 1 IoCs)
description: File opened for read, ioc: /proc/meminfo, Process: com.kofisahoke.access
Processes
com.kofisahoke.access (PID 4330)
- Loads dropped Dex/Jar
- Queries the mobile country code (MCC)
- Requests enabling of the accessibility settings.
- Requests uninstalling the application.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Checks CPU information
- Checks memory information
  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.kofisahoke.access/app_unaware/Mu.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.kofisahoke.access/app_unaware/oat/x86/Mu.odex --compiler-filter=quicken --class-loader-context=& (PID 4355, child of PID 4330)
  - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Downloads