Analysis
-
max time kernel
116s -
max time network
113s -
platform
android_x64 -
resource
android-33-x64-arm64-20240624-en -
resource tags
android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240624-en, locale:en-us, os:android-13-x64, system -
submitted
21-12-2024 23:02
Static task
static1
Behavioral task
behavioral1
Sample
8919f2c84bccb75b94393010ea857a4d28754354cbaf7043f49d47ff89318f7c.apk
Resource
android-33-x64-arm64-20240624-en
Behavioral task
behavioral2
Sample
8919f2c84bccb75b94393010ea857a4d28754354cbaf7043f49d47ff89318f7c.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral3
Sample
bayadoje.apk
Resource
android-33-x64-arm64-20240624-en
Behavioral task
behavioral4
Sample
bayadoje.apk
Resource
android-x86-arm-20240624-en
General
-
Target
bayadoje.apk
-
Size
7.6MB
-
MD5
baf3c550534acd7dce3795cb7176d738
-
SHA1
2f99a11bedeaa8357b75414e0797d8cfb337aa7d
-
SHA256
129240b79c82258e10643b16f0947b2ccbb88e6fea642176a85f8d21d94a2ab6
-
SHA512
c3180ee141d9080aa97c38936dfb9bb164a8151912f2b9594275566eb8f107dfbd8bd167e8e2472a7a53562f34b5f3be88ccc501efe37ae404c4b8ddfa346f34
-
SSDEEP
98304:so/Krg4JmdxU1g9hZB0/HRCQoR9cKzqtKsRm2ieSyeTgnrSs2a+5nWKCYFWY:sJmdxU1IN0J6zqNBYErSs2a+xH
Malware Config
Signatures
-
Antidot
Antidot is an Android banking trojan first seen in May 2024.
-
Antidot family
-
Antidot payload 1 IoCs
resource: behavioral3/memory/4357-0.dex
yara_rule: family_antidot
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
ioc: /data/user/0/com.kofisahoke.access/app_unaware/Mu.json
pid: 4357
Process: com.kofisahoke.access
-
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId (Process: com.kofisahoke.access)
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId (Process: com.kofisahoke.access)
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText (Process: com.kofisahoke.access)
-
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
Framework service call: android.content.IClipboard.addPrimaryClipChangedListener (Process: com.kofisahoke.access)
-
Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (Process: com.kofisahoke.access)
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (Process: com.kofisahoke.access)
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS (Process: com.kofisahoke.access)
-
Requests modifying system settings. 1 IoCs
Intent action: android.settings.action.MANAGE_WRITE_SETTINGS (Process: com.kofisahoke.access)
-
Requests uninstalling the application. 1 TTPs 1 IoCs
Intent action: android.intent.action.DELETE (Process: com.kofisahoke.access)
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
Framework service call: android.app.job.IJobScheduler.schedule (Process: com.kofisahoke.access)
-
Checks CPU information 2 TTPs 1 IoCs
File opened for read: /proc/cpuinfo (Process: com.kofisahoke.access)
-
Checks memory information 2 TTPs 1 IoCs
File opened for read: /proc/meminfo (Process: com.kofisahoke.access)
Processes
-
com.kofisahoke.access
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Requests uninstalling the application.
- Schedules tasks to execute at a specified time
- Checks CPU information
- Checks memory information
PID:4357
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime (1)
Hide Artifacts (1)
User Evasion (1)
Impair Defenses (1)
Prevent Application Removal (1)
Indicator Removal on Host (1)
Uninstall Malicious Application (1)
Input Injection (1)
Virtualization/Sandbox Evasion (2)
System Checks (2)
Credential Access
Clipboard Data (1)
Input Capture (2)
GUI Input Capture (1)
Keylogging (1)
Downloads
-
Filesize
948KB
MD5 ecc6d6a9a8f8d60c9f6a2806ad244142
SHA1 71c977dd3d4636fc54621fefaa0ea93865d23c17
SHA256 2150b3bae123782e01c06a7b449f5b1f6aa4475efa4205546efd35a1908b867b
SHA512 a140c0e5aaea771bc269639af9fe25c04d69954e6a02942fc6d6277590018b65a99820bff65c692513c06105798ca05b5c625b23f1cdfc96d41f34eab8fd9a48
-
Filesize
948KB
MD5 649b032a2e5ba2989a825f13c899dcb2
SHA1 c85ed2b78dac1fcac281d88d37805065096ccb3e
SHA256 b89bbafed6409577b07257c0c044a2e6aeb33eaeac0dd69d02b8159b381ab464
SHA512 ca2734109574ac148726d11fea2e1c491d220ba115337aec468054356f0076527c9cc3e09e3be28fa21826e5031714cb3a02cc4ad2042b9c7b5618f9e25d5197
-
Filesize
2KB
MD5 085005047e9802ca2654534121b698f8
SHA1 f7683ab5b2075eed44300963c96ea1ee67040fe3
SHA256 7a480568768cca0d356cb3214cd984d863b49bab90b5b40af988a97788f7e198
SHA512 77a8bcfa125589d95a149d3234478cbc738d72f1e2e8f933046ac24d89bedb40efb0d3d27842c95d80104a9205b53961d5c6e6f598a9ca3f954f9223dad42365
-
Filesize
36KB
MD5 ec623d47e9c877e6e252c4b026f5c237
SHA1 a18ca80405565d778c1141119e4ffcf835fda747
SHA256 fe36fa07594d6f6c1aad0f1151df17380a96b33b328dab700ae86e93ac1113f6
SHA512 c082f860adca2325d780474ee3fd9aaf6639be3c29395206dfc510d4e9c5cb87629d041547e74ad44462704da53412afdbb090fe0ccfb59bae4c2d75d9eba10c
-
Filesize
24B
MD5 92a09f87ff81ec480a2658381df59bf6
SHA1 5c172c7c11c5efc5f0e9541cf62b6b48b949cb3d
SHA256 cca4716e73746bd8bdf0263f5ad15e60469d0b5767c8cc431d7691c88ef4b7a3
SHA512 9ef6b2306450a95143c467a60e8be04e2c0f6ee41b4efb805e6133bababd9980be9ab40284e629bd73e236f874ceca4c651ffb01ab7334cf38cec3ca00669034
-
Filesize
8B
MD5 8ba55ee053292b3a67ad3cd68cc3c60e
SHA1 e20a9842d40cb999cb6ebd08517f07680bf92eca
SHA256 1accb08cd1de6273521895f4dab4a2b6eea6bb820e3cdbc28074090b0d31de48
SHA512 07995fe1446c04d1baba4be779d2bce7a2ad35fbb7eb46c48fa3e353e819bf004b1cbd0da391c7f57760c64733f17d2e55891a87724012402396d47d82542cbb
-
Filesize
104KB
MD5 5bdf76ccdf7d139619f4d364528a9f63
SHA1 6187e0376289a45fe316fe0b2567e9b8c7162eb4
SHA256 233719a5916d730f4fbc781a2221baaa26a458732f130873f84e6f2b1d762ee3
SHA512 aaa243a08d42db25e81f7c9aea613d6620d211dd4289729c3507bf6cb67e84f854d1fe30df3d669d78c24aabdeeea8b78f9f876e7b654eee2032cf5aa5536527
-
Filesize
512B
MD5 e83597a038613442d1fa4947eb8d3aa9
SHA1 a187f77b73490dd9ca3b78cbfebf3ae19cfc1fab
SHA256 accd5e3486c4f8ca03de18ac68891b9d8436e313ad32afb4da514c6810f97d3d
SHA512 7d88788d850c2423a8db6d03e017558e72322770b74f57f6c9e9a154147c03b849efd7177170e78b20c62403241dd47a9bf09e34bf1c0212daf9828e9e390177
-
Filesize
32KB
MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
116KB
MD5 abd3c2c321f9f5ea3054dcc440f6b2d4
SHA1 44bde159fd8662199c6bee648f8e2e5ff61fa779
SHA256 2de06b01ef158767038a24f3e4d7eb4b07c1c46fc00bdeead655be0f5c9e7b63
SHA512 0265da0e7b6bd645422457350eb1ebc0a7bf03fb676b485ef48f7bfd098d397cbbf9cab3f457fb71000f5c78f87b41c9770a9ee592c08e38ddb6062157467ae9
-
Filesize
446KB
MD5 de532137a7f65f3e6c61cefb70bc1bb6
SHA1 af342f2a51fcfd20749e1e1a9ab19a2d6ce191ef
SHA256 a5184876fac0902565121d6a78f0077162972ef59606c59a9f77eda8ba902719
SHA512 b4349ffca532a5356876ddef37e838ee65d476cac6e9321562105fb33f9ba4b4cf4766f132bddf31346308aff7771e31d9a67fd6508ca9dd702d77540230552c
-
Filesize
16KB
MD5 b4b563273834f4c6c926d19f3537eae0
SHA1 2a454a023aaee0a0ce6196225548a65bbc2bae8e
SHA256 d77578e3d2fce95c41612394226fddc30714929bc8a60eb6b7612c7011999fcc
SHA512 b4ffc18ddc2b0433f3ff02ff5e330c673456185c06937ade49b2991ad0d9b03f74be941f4f1363e76b56986f8c1135f5bd37255a8fa0be39db269f0a0f932b3a
-
Filesize
1KB
MD5 3a8e6e8cc1fa2a0dd153567ff1dc74e4
SHA1 6d141fbe4d4bbca2ad3c7969a5fc0e4e3eea8b0b
SHA256 5574c15b32a157ebfd2343dc1da97ea271e281813c31b50b5a109a79e3d22772
SHA512 c2e52cd18457638bd99c05c4d0fda2b240b41663bddd294ef0ec4ecc175451d6f31f8b7b74f11ccd14c181b16f3a5f3748d0c2f34c4f940e2b8cd6a05501d46e
-
Filesize
250B
MD5 214d9fcf613a7910276e126cfd5182c4
SHA1 120f4a76c0887966c6ecbffab2258caccb7d7f7f
SHA256 fd91b9dc4cc4040d7106bbbba79d1ffcf59f1790e4ae60708bb8abfb0230eaeb
SHA512 c2ab097bd9ab2e74094c99dd211fe01d4e5e12fe030d4829b74c174162182e5ccf27493e6818acc3c0ea4ed17b7fccfdd55f863ec77c18e5e4e5b8f02cdec589
-
Filesize
2.0MB
MD5 93a2f2cec2f35cf80741cbd0cdfe992d
SHA1 057cbdc968d110c278adf0695a4cb258d6c8d3ef
SHA256 a07a5e5dff06e2ad058d50f17e9a1fb475af0cb16e6b90565ba7d61220838d5a
SHA512 0c2a4e54559ba05f8965ccebf33284a041454f81ede8ba43ecec013438ca8a2b64befa551a3123a8fa160342bb2cdd0aba67e194f6ae0c98d780bd21b3b45fc6