Malware Analysis Report

2025-01-19 06:50

Sample ID 241221-21ca4ssqhy
Target 8919f2c84bccb75b94393010ea857a4d28754354cbaf7043f49d47ff89318f7c.apk
SHA256 8919f2c84bccb75b94393010ea857a4d28754354cbaf7043f49d47ff89318f7c
Tags antidot banker collection credential_access evasion execution impact infostealer persistence trojan discovery
Score 10/10


Analysis Overview

Threat Level: Known bad

The file 8919f2c84bccb75b94393010ea857a4d28754354cbaf7043f49d47ff89318f7c.apk was found to be: Known bad.

Malicious Activity Summary

Antidot payload

Antidot

Antidot family

Loads dropped Dex/Jar

Obtains sensitive information copied to the device clipboard

Makes use of the framework's Accessibility service

Requests uninstalling the application

Queries the mobile country code (MCC)

Requests permission to install additional applications from unknown sources

Performs UI accessibility actions on behalf of the user

Requests disabling of battery optimizations (often used to keep running hidden in the background)

Requests modifying system settings

Checks whether the application is allowed to request package installs through the package installer

Declares services with permission to bind to the system

Requests dangerous framework permissions

Schedules tasks to execute at a specified time

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

Analysis: static1

Detonation Overview

Reported 2024-12-21 23:02

Signatures

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by call screening services to bind with the system. Allows apps to filter and manage incoming phone calls. android.permission.BIND_SCREENING_SERVICE N/A N/A
Required by autofill services to bind with the system. Allows apps to autofill information in forms. android.permission.BIND_AUTOFILL_SERVICE N/A N/A
Required by input method services to bind with the system. Allows apps to provide custom input methods (keyboards). android.permission.BIND_INPUT_METHOD N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted 2024-12-21 23:02
Reported 2024-12-21 23:05
Platform android-33-x64-arm64-20240624-en
Max time kernel 116s
Max time network 113s

Command Line

com.kofisahoke.access

Signatures

Antidot

banker trojan infostealer antidot

Antidot family

antidot

Antidot payload


Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.kofisahoke.access/app_unaware/Mu.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Requests disabling of battery optimizations (often used to keep running hidden in the background)

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Requests uninstalling the application

evasion
Description Indicator Process Target
Intent action android.intent.action.DELETE N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.kofisahoke.access

Network


Files


Analysis: behavioral4

Detonation Overview

Submitted 2024-12-21 23:02
Reported 2024-12-21 23:05
Platform android-x86-arm-20240624-en
Max time kernel 118s
Max time network 122s

Command Line

com.kofisahoke.access

Signatures

Antidot

banker trojan infostealer antidot

Antidot family

antidot

Antidot payload


Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.kofisahoke.access/app_unaware/Mu.json N/A N/A
N/A /data/user/0/com.kofisahoke.access/app_unaware/Mu.json N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Requests uninstalling the application

evasion
Description Indicator Process Target
Intent action android.intent.action.DELETE N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.kofisahoke.access

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.kofisahoke.access/app_unaware/Mu.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.kofisahoke.access/app_unaware/oat/x86/Mu.odex --compiler-filter=quicken --class-loader-context=&

Network


Files


Analysis: behavioral1

Detonation Overview

Submitted 2024-12-21 23:02
Reported 2024-12-21 23:04
Platform android-33-x64-arm64-20240624-en
Max time kernel 67s
Max time network 70s

Command Line

com.mocereti.fill

Signatures

Antidot

banker trojan infostealer antidot

Antidot family

antidot

Antidot payload


Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.mocereti.fill/app_immense/MdIfb.json N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Checks whether the application is allowed to request package installs through the package installer

evasion
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.canRequestPackageInstalls N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.mocereti.fill

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted 2024-12-21 23:02
Reported 2024-12-21 23:04
Platform android-x86-arm-20240624-en
Max time kernel 72s
Max time network 74s

Command Line

com.mocereti.fill

Signatures

Antidot

banker trojan infostealer antidot

Antidot family

antidot

Antidot payload


Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.mocereti.fill/app_immense/MdIfb.json N/A N/A
N/A /data/user/0/com.mocereti.fill/app_immense/MdIfb.json N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Requests permission to install additional applications from unknown sources

evasion
Description Indicator Process Target
Intent action android.settings.MANAGE_UNKNOWN_APP_SOURCES N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.mocereti.fill

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.mocereti.fill/app_immense/MdIfb.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.mocereti.fill/app_immense/oat/x86/MdIfb.odex --compiler-filter=quicken --class-loader-context=&

Network


Files
