Analysis
- max time kernel: 118s
- max time network: 122s
- platform: android_x86
- resource: android-x86-arm-20240624-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
- submitted: 21-12-2024 23:02
Static task
- static1

Behavioral tasks
- behavioral1: Sample 8919f2c84bccb75b94393010ea857a4d28754354cbaf7043f49d47ff89318f7c.apk, Resource android-33-x64-arm64-20240624-en
- behavioral2: Sample 8919f2c84bccb75b94393010ea857a4d28754354cbaf7043f49d47ff89318f7c.apk, Resource android-x86-arm-20240624-en
- behavioral3: Sample bayadoje.apk, Resource android-33-x64-arm64-20240624-en
- behavioral4: Sample bayadoje.apk, Resource android-x86-arm-20240624-en
General
- Target: bayadoje.apk
- Size: 7.6MB
- MD5: baf3c550534acd7dce3795cb7176d738
- SHA1: 2f99a11bedeaa8357b75414e0797d8cfb337aa7d
- SHA256: 129240b79c82258e10643b16f0947b2ccbb88e6fea642176a85f8d21d94a2ab6
- SHA512: c3180ee141d9080aa97c38936dfb9bb164a8151912f2b9594275566eb8f107dfbd8bd167e8e2472a7a53562f34b5f3be88ccc501efe37ae404c4b8ddfa346f34
- SSDEEP: 98304:so/Krg4JmdxU1g9hZB0/HRCQoR9cKzqtKsRm2ieSyeTgnrSs2a+5nWKCYFWY:sJmdxU1IN0J6zqNBYErSs2a+xH
Malware Config
Signatures
- Antidot
  Antidot is an Android banking trojan first seen in May 2024.
- Antidot family
- Antidot payload (1 IoCs)
  resource: behavioral4/memory/4343-0.dex; yara_rule: family_antidot
- Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/com.kofisahoke.access/app_unaware/Mu.json; pid: 4343; process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.kofisahoke.access/app_unaware/Mu.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.kofisahoke.access/app_unaware/oat/x86/Mu.odex --compiler-filter=quicken --class-loader-context=&
  ioc: /data/user/0/com.kofisahoke.access/app_unaware/Mu.json; pid: 4316; process: com.kofisahoke.access
- Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  description: Framework service call; ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone; process: com.kofisahoke.access
- Requests uninstalling the application. (1 TTPs, 1 IoCs)
  description: Intent action; ioc: android.intent.action.DELETE; process: com.kofisahoke.access
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  description: Framework service call; ioc: android.app.IActivityManager.registerReceiver; process: com.kofisahoke.access
- Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description: Framework service call; ioc: android.app.job.IJobScheduler.schedule; process: com.kofisahoke.access
- Checks CPU information (2 TTPs, 1 IoCs)
  description: File opened for read; ioc: /proc/cpuinfo; process: com.kofisahoke.access
- Checks memory information (2 TTPs, 1 IoCs)
  description: File opened for read; ioc: /proc/meminfo; process: com.kofisahoke.access
Processes
- com.kofisahoke.access (PID 4316)
  - Loads dropped Dex/Jar
  - Queries the mobile country code (MCC)
  - Requests uninstalling the application.
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
  - Checks CPU information
  - Checks memory information
  - child: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.kofisahoke.access/app_unaware/Mu.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.kofisahoke.access/app_unaware/oat/x86/Mu.odex --compiler-filter=quicken --class-loader-context=& (PID 4343)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Downloads