Resubmissions

21-12-2024 23:02

241221-21ca4ssqhy 10

20-12-2024 07:27

241220-jalsratphm 10

Analysis

  • max time kernel
    116s
  • max time network
    113s
  • platform
    android_x64
  • resource
    android-33-x64-arm64-20240624-en
  • resource tags

    androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
  • submitted
    21-12-2024 23:02

General

  • Target

    bayadoje.apk

  • Size

    7.6MB

  • MD5

    baf3c550534acd7dce3795cb7176d738

  • SHA1

    2f99a11bedeaa8357b75414e0797d8cfb337aa7d

  • SHA256

    129240b79c82258e10643b16f0947b2ccbb88e6fea642176a85f8d21d94a2ab6

  • SHA512

    c3180ee141d9080aa97c38936dfb9bb164a8151912f2b9594275566eb8f107dfbd8bd167e8e2472a7a53562f34b5f3be88ccc501efe37ae404c4b8ddfa346f34

  • SSDEEP

    98304:so/Krg4JmdxU1g9hZB0/HRCQoR9cKzqtKsRm2ieSyeTgnrSs2a+5nWKCYFWY:sJmdxU1IN0J6zqNBYErSs2a+xH

Malware Config

Signatures

  • Antidot

    Antidot is an Android banking trojan first seen in May 2024.

  • Antidot family
  • Antidot payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Requests uninstalling the application. 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.kofisahoke.access
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Performs UI accessibility actions on behalf of the user
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Requests uninstalling the application.
    • Schedules tasks to execute at a specified time
    • Checks CPU information
    • Checks memory information
    PID:4357

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.kofisahoke.access/app_unaware/Mu.json

    Filesize

    948KB

    MD5

    ecc6d6a9a8f8d60c9f6a2806ad244142

    SHA1

    71c977dd3d4636fc54621fefaa0ea93865d23c17

    SHA256

    2150b3bae123782e01c06a7b449f5b1f6aa4475efa4205546efd35a1908b867b

    SHA512

    a140c0e5aaea771bc269639af9fe25c04d69954e6a02942fc6d6277590018b65a99820bff65c692513c06105798ca05b5c625b23f1cdfc96d41f34eab8fd9a48

  • /data/data/com.kofisahoke.access/app_unaware/Mu.json

    Filesize

    948KB

    MD5

    649b032a2e5ba2989a825f13c899dcb2

    SHA1

    c85ed2b78dac1fcac281d88d37805065096ccb3e

    SHA256

    b89bbafed6409577b07257c0c044a2e6aeb33eaeac0dd69d02b8159b381ab464

    SHA512

    ca2734109574ac148726d11fea2e1c491d220ba115337aec468054356f0076527c9cc3e09e3be28fa21826e5031714cb3a02cc4ad2042b9c7b5618f9e25d5197

  • /data/data/com.kofisahoke.access/app_unaware/oat/Mu.json.cur.prof

    Filesize

    2KB

    MD5

    085005047e9802ca2654534121b698f8

    SHA1

    f7683ab5b2075eed44300963c96ea1ee67040fe3

    SHA256

    7a480568768cca0d356cb3214cd984d863b49bab90b5b40af988a97788f7e198

    SHA512

    77a8bcfa125589d95a149d3234478cbc738d72f1e2e8f933046ac24d89bedb40efb0d3d27842c95d80104a9205b53961d5c6e6f598a9ca3f954f9223dad42365

  • /data/data/com.kofisahoke.access/app_unaware/oat/x86_64/Mu.vdex

    Filesize

    36KB

    MD5

    ec623d47e9c877e6e252c4b026f5c237

    SHA1

    a18ca80405565d778c1141119e4ffcf835fda747

    SHA256

    fe36fa07594d6f6c1aad0f1151df17380a96b33b328dab700ae86e93ac1113f6

    SHA512

    c082f860adca2325d780474ee3fd9aaf6639be3c29395206dfc510d4e9c5cb87629d041547e74ad44462704da53412afdbb090fe0ccfb59bae4c2d75d9eba10c

  • /data/data/com.kofisahoke.access/files/profileInstalled

    Filesize

    24B

    MD5

    92a09f87ff81ec480a2658381df59bf6

    SHA1

    5c172c7c11c5efc5f0e9541cf62b6b48b949cb3d

    SHA256

    cca4716e73746bd8bdf0263f5ad15e60469d0b5767c8cc431d7691c88ef4b7a3

    SHA512

    9ef6b2306450a95143c467a60e8be04e2c0f6ee41b4efb805e6133bababd9980be9ab40284e629bd73e236f874ceca4c651ffb01ab7334cf38cec3ca00669034

  • /data/data/com.kofisahoke.access/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

    Filesize

    8B

    MD5

    8ba55ee053292b3a67ad3cd68cc3c60e

    SHA1

    e20a9842d40cb999cb6ebd08517f07680bf92eca

    SHA256

    1accb08cd1de6273521895f4dab4a2b6eea6bb820e3cdbc28074090b0d31de48

    SHA512

    07995fe1446c04d1baba4be779d2bce7a2ad35fbb7eb46c48fa3e353e819bf004b1cbd0da391c7f57760c64733f17d2e55891a87724012402396d47d82542cbb

  • /data/data/com.kofisahoke.access/no_backup/androidx.work.workdb

    Filesize

    104KB

    MD5

    5bdf76ccdf7d139619f4d364528a9f63

    SHA1

    6187e0376289a45fe316fe0b2567e9b8c7162eb4

    SHA256

    233719a5916d730f4fbc781a2221baaa26a458732f130873f84e6f2b1d762ee3

    SHA512

    aaa243a08d42db25e81f7c9aea613d6620d211dd4289729c3507bf6cb67e84f854d1fe30df3d669d78c24aabdeeea8b78f9f876e7b654eee2032cf5aa5536527

  • /data/data/com.kofisahoke.access/no_backup/androidx.work.workdb-journal

    Filesize

    512B

    MD5

    e83597a038613442d1fa4947eb8d3aa9

    SHA1

    a187f77b73490dd9ca3b78cbfebf3ae19cfc1fab

    SHA256

    accd5e3486c4f8ca03de18ac68891b9d8436e313ad32afb4da514c6810f97d3d

    SHA512

    7d88788d850c2423a8db6d03e017558e72322770b74f57f6c9e9a154147c03b849efd7177170e78b20c62403241dd47a9bf09e34bf1c0212daf9828e9e390177

  • /data/data/com.kofisahoke.access/no_backup/androidx.work.workdb-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.kofisahoke.access/no_backup/androidx.work.workdb-wal

    Filesize

    116KB

    MD5

    abd3c2c321f9f5ea3054dcc440f6b2d4

    SHA1

    44bde159fd8662199c6bee648f8e2e5ff61fa779

    SHA256

    2de06b01ef158767038a24f3e4d7eb4b07c1c46fc00bdeead655be0f5c9e7b63

    SHA512

    0265da0e7b6bd645422457350eb1ebc0a7bf03fb676b485ef48f7bfd098d397cbbf9cab3f457fb71000f5c78f87b41c9770a9ee592c08e38ddb6062157467ae9

  • /data/data/com.kofisahoke.access/no_backup/androidx.work.workdb-wal

    Filesize

    446KB

    MD5

    de532137a7f65f3e6c61cefb70bc1bb6

    SHA1

    af342f2a51fcfd20749e1e1a9ab19a2d6ce191ef

    SHA256

    a5184876fac0902565121d6a78f0077162972ef59606c59a9f77eda8ba902719

    SHA512

    b4349ffca532a5356876ddef37e838ee65d476cac6e9321562105fb33f9ba4b4cf4766f132bddf31346308aff7771e31d9a67fd6508ca9dd702d77540230552c

  • /data/data/com.kofisahoke.access/no_backup/androidx.work.workdb-wal

    Filesize

    16KB

    MD5

    b4b563273834f4c6c926d19f3537eae0

    SHA1

    2a454a023aaee0a0ce6196225548a65bbc2bae8e

    SHA256

    d77578e3d2fce95c41612394226fddc30714929bc8a60eb6b7612c7011999fcc

    SHA512

    b4ffc18ddc2b0433f3ff02ff5e330c673456185c06937ade49b2991ad0d9b03f74be941f4f1363e76b56986f8c1135f5bd37255a8fa0be39db269f0a0f932b3a

  • /data/misc/profiles/cur/0/com.kofisahoke.access/primary.prof

    Filesize

    1KB

    MD5

    3a8e6e8cc1fa2a0dd153567ff1dc74e4

    SHA1

    6d141fbe4d4bbca2ad3c7969a5fc0e4e3eea8b0b

    SHA256

    5574c15b32a157ebfd2343dc1da97ea271e281813c31b50b5a109a79e3d22772

    SHA512

    c2e52cd18457638bd99c05c4d0fda2b240b41663bddd294ef0ec4ecc175451d6f31f8b7b74f11ccd14c181b16f3a5f3748d0c2f34c4f940e2b8cd6a05501d46e

  • /data/misc/profiles/cur/0/com.kofisahoke.access/primary.prof

    Filesize

    250B

    MD5

    214d9fcf613a7910276e126cfd5182c4

    SHA1

    120f4a76c0887966c6ecbffab2258caccb7d7f7f

    SHA256

    fd91b9dc4cc4040d7106bbbba79d1ffcf59f1790e4ae60708bb8abfb0230eaeb

    SHA512

    c2ab097bd9ab2e74094c99dd211fe01d4e5e12fe030d4829b74c174162182e5ccf27493e6818acc3c0ea4ed17b7fccfdd55f863ec77c18e5e4e5b8f02cdec589

  • /data/user/0/com.kofisahoke.access/app_unaware/Mu.json

    Filesize

    2.0MB

    MD5

    93a2f2cec2f35cf80741cbd0cdfe992d

    SHA1

    057cbdc968d110c278adf0695a4cb258d6c8d3ef

    SHA256

    a07a5e5dff06e2ad058d50f17e9a1fb475af0cb16e6b90565ba7d61220838d5a

    SHA512

    0c2a4e54559ba05f8965ccebf33284a041454f81ede8ba43ecec013438ca8a2b64befa551a3123a8fa160342bb2cdd0aba67e194f6ae0c98d780bd21b3b45fc6