Malware Analysis Report

2025-01-19 06:50

Sample ID 241221-ckjykszlbz
Target M-Pajak.apk
SHA256 07da124f1f4ba891e7917082bdfa74c580e78543164df2fec86e8b0c3ab0211e
Tags antidot banker collection credential_access discovery evasion execution persistence
Score 10/10


Analysis Overview

Score 10/10

SHA256 07da124f1f4ba891e7917082bdfa74c580e78543164df2fec86e8b0c3ab0211e

Threat Level: Known bad

The file M-Pajak.apk was found to be: Known bad.

Malicious Activity Summary

antidot banker collection credential_access discovery evasion execution persistence

Antidot payload

Antidot family

Queries the phone number (MSISDN for GSM devices)

Reads the contacts stored on the device.

Reads the content of the SMS messages.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Makes use of the framework's Accessibility service

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Performs UI accessibility actions on behalf of the user

Declares services with permission to bind to the system

Legitimate hosting services abused for malware hosting/C2

Requests disabling of battery optimizations (often used to enable hiding in the background).

Queries information about active data network

Makes use of the framework's foreground persistence service

Queries the unique device ID (IMEI, MEID, IMSI)

Declares broadcast receivers with permission to handle system events

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-21 02:08

Signatures

Antidot family

antidot

Antidot payload

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Declares broadcast receivers with permission to handle system events

| Description | Indicator | Process | Target |
|---|---|---|---|
| Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A |

Declares services with permission to bind to the system

| Description | Indicator | Process | Target |
|---|---|---|---|
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |

Requests dangerous framework permissions

| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application broad access to external storage in scoped storage. | android.permission.MANAGE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to read image files from external storage. | android.permission.READ_MEDIA_IMAGES | N/A | N/A |
| Allows an application to read video files from external storage. | android.permission.READ_MEDIA_VIDEO | N/A | N/A |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-21 02:08

Reported

2024-12-21 02:10

Platform

android-x86-arm-20240624-en

Max time kernel

140s

Max time network

156s

Command Line

com.paeed8age.pak

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the contacts stored on the device.

collection
| Description | Indicator | Process | Target |
|---|---|---|---|
| URI accessed for read | content://com.android.contacts/data/phones | N/A | N/A |

Reads the content of the SMS messages.

collection
| Description | Indicator | Process | Target |
|---|---|---|---|
| URI accessed for read | content://sms/ | N/A | N/A |

Legitimate hosting services abused for malware hosting/C2

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |

Makes use of the framework's foreground persistence service

evasion persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A |
| Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A |

Performs UI accessibility actions on behalf of the user

evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A |
| N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A |

Queries information about active data network

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |

Queries the mobile country code (MCC)

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |

Schedules tasks to execute at a specified time

execution persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A |

Checks CPU information

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/cpuinfo | N/A | N/A |

Checks memory information

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/meminfo | N/A | N/A |

Processes

com.paeed8age.pak

com.paeed8age.pak:remote

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | ynadmwss.top | udp |
| US | 1.1.1.1:53 | log-service-5531086119413148-cn-hongkong.cn-hongkong.log.aliyuncs.com | udp |
| HK | 47.244.67.197:443 | log-service-5531086119413148-cn-hongkong.cn-hongkong.log.aliyuncs.com | tcp |
| ID | 147.139.241.73:8081 | ynadmwss.top | tcp |
| ID | 147.139.241.73:8081 | ynadmwss.top | tcp |
| ID | 147.139.241.73:8081 | ynadmwss.top | tcp |
| ID | 147.139.241.73:8081 | ynadmwss.top | tcp |
| ID | 147.139.241.73:8081 | ynadmwss.top | tcp |
| US | 1.1.1.1:53 | pajakh5.ynadm.top | udp |
| US | 104.21.65.36:443 | pajakh5.ynadm.top | tcp |
| US | 104.21.65.36:443 | pajakh5.ynadm.top | tcp |
| US | 1.1.1.1:53 | admin.ynadm.top | udp |
| ID | 147.139.241.73:443 | ynadmwss.top | tcp |
| US | 172.67.188.193:443 | admin.ynadm.top | tcp |
| US | 1.1.1.1:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| GB | 142.250.200.46:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |

Files

/data/data/com.paeed8age.pak/app_crashrecord/1004

/data/data/com.paeed8age.pak/app_crashrecord/1004

/data/data/com.paeed8age.pak/databases/bugly_db_-journal

/data/data/com.paeed8age.pak/databases/bugly_db_

/data/data/com.paeed8age.pak/databases/bugly_db_-shm

/data/data/com.paeed8age.pak/databases/bugly_db_-wal

/data/data/com.paeed8age.pak/files/mmkv/mmkv.default

/storage/emulated/0/Android/data/com.paeed8age.pak/files/log_data_000

/storage/emulated/0/Android/data/com.paeed8age.pak/files/log_data.idx

/data/misc/profiles/cur/0/com.paeed8age.pak/primary.prof

/data/data/com.paeed8age.pak/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

/data/data/com.paeed8age.pak/files/profileInstalled

/data/data/com.paeed8age.pak/cache/wp.jpeg

/data/misc/profiles/cur/0/com.paeed8age.pak/primary.prof