Malware Analysis Report

2025-01-19 06:50

Sample ID 241222-c3p8bazqaj
Target dd4bce9274cabcbcb2f3ea2b00867932399ad0de9b923896a70ac03076231efa.apk
SHA256 dd4bce9274cabcbcb2f3ea2b00867932399ad0de9b923896a70ac03076231efa
Tags
antidot banker collection credential_access discovery evasion execution persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dd4bce9274cabcbcb2f3ea2b00867932399ad0de9b923896a70ac03076231efa

Threat Level: Known bad

The file dd4bce9274cabcbcb2f3ea2b00867932399ad0de9b923896a70ac03076231efa.apk was found to be: Known bad.

Malicious Activity Summary

antidot banker collection credential_access discovery evasion execution persistence

Antidot family

Antidot payload

Checks if the Android device is rooted.

Reads the contacts stored on the device.

Reads the content of the SMS messages.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Performs UI accessibility actions on behalf of the user

Requests dangerous framework permissions

Declares services with permission to bind to the system

Legitimate hosting services abused for malware hosting/C2

Makes use of the framework's foreground persistence service

Queries the mobile country code (MCC)

Queries the unique device ID (IMEI, MEID, IMSI)

Queries information about active data network

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares broadcast receivers with permission to handle system events

Schedules tasks to execute at a specified time

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-22 02:36

Signatures

Antidot family

antidot

Antidot payload

Description Indicator Process Target
N/A N/A N/A N/A

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application a broad access to external storage in scoped storage. android.permission.MANAGE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to read image files from external storage. android.permission.READ_MEDIA_IMAGES N/A N/A
Allows an application to read video files from external storage. android.permission.READ_MEDIA_VIDEO N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-22 02:36

Reported

2024-12-22 02:38

Platform

android-x86-arm-20240910-en

Max time kernel

140s

Max time network

151s

Command Line

com.b551a.off

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /sbin/su N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the contacts stored on the device.

collection
Description Indicator Process Target
URI accessed for read content://com.android.contacts/data/phones N/A N/A

Reads the content of the SMS messages.

collection
Description Indicator Process Target
URI accessed for read content://sms/ N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.b551a.off

com.b551a.off:remote

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.202:443 tcp
GB 142.250.178.14:443 tcp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.78:443 android.apis.google.com tcp
GB 172.217.169.74:443 tcp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 119.147.179.152:443 android.bugly.qq.com tcp
US 1.1.1.1:53 ynadmwss.top udp
US 1.1.1.1:53 log-service-5531086119413148-cn-hongkong.cn-hongkong.log.aliyuncs.com udp
HK 47.244.67.197:443 log-service-5531086119413148-cn-hongkong.cn-hongkong.log.aliyuncs.com tcp
US 1.1.1.1:53 h5.ynadm.top udp
ID 147.139.241.73:8081 ynadmwss.top tcp
ID 147.139.241.73:8081 ynadmwss.top tcp
ID 147.139.241.73:8081 ynadmwss.top tcp
ID 147.139.241.73:8081 ynadmwss.top tcp
ID 147.139.241.73:8081 ynadmwss.top tcp
ID 147.139.241.73:443 ynadmwss.top tcp
US 172.67.188.193:443 h5.ynadm.top tcp
US 1.1.1.1:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 1.1.1.1:53 admin.ynadm.top udp
US 104.21.65.36:443 admin.ynadm.top tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
CN 14.22.7.140:443 android.bugly.qq.com tcp
CN 14.22.7.199:443 android.bugly.qq.com tcp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 14.22.7.199:443 android.bugly.qq.com tcp
GB 142.250.187.202:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.200.2:443 tcp
GB 172.217.169.74:443 semanticlocation-pa.googleapis.com tcp

Files

/data/data/com.b551a.off/app_crashrecord/1004

MD5 c65a3b814af2fa37f759b874b7355774
SHA1 6c1be77a3c3d1fa36e17722c41550ffe66ac8089
SHA256 088cd2d2090fd26e3acc61eeb509817ef28f7297c297ec691c95bcef51c44184
SHA512 f9176ddf9664879a5c0b6c3a90530549e70db45dcce5f5c2a1cd9ca56301f560582a017e2369b589641a0e641612bf2447dd8ff9e88417a64a1e88e94379abfa

/data/data/com.b551a.off/app_crashrecord/1004

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

/data/data/com.b551a.off/databases/bugly_db_-journal

MD5 2298b66fc8cb30448478dfd4724f59fb
SHA1 62a1c3b9679a6624e87b53ff79c9065950b8bda4
SHA256 7cded87b23d8a84b7cb5a1f102b582b03e92f60288eb8b7797a0976fbfb64e91
SHA512 fd83cb915c17df4f62a3245219568d04158c9396845d05b0d9035dbeb5d418887fee3dc35c0e860e45bb81eed0b1faf9473ee7af1c46f7669801a231f05973e3

/data/data/com.b551a.off/databases/bugly_db_

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.b551a.off/databases/bugly_db_-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.b551a.off/databases/bugly_db_-wal

MD5 62b441762c3cdb812c6b248597d8460d
SHA1 e2445dada6329eeca3ba83ed3cd50e3f5a1b984d
SHA256 e3a7c411290a138095e06b82d4a82c62fbd0bb24a1b0772dd8fd6316bbb8d2b9
SHA512 2d1e4fa7fbf0788173aff9504e8eed631872d2c0deebc12b1b8b7ead4993c42ebaa23a1b9c9cd7c30f69ba984895a016a419a541c0d4c1b157f0a9f94475b621

/data/data/com.b551a.off/files/mmkv/mmkv.default

MD5 620f0b67a91f7f74151bc5be745b7110
SHA1 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d
SHA256 ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7
SHA512 2d23913d3759ef01704a86b4bee3ac8a29002313ecc98a7424425a78170f219577822fd77e4ae96313547696ad7d5949b58e12d5063ef2ee063b595740a3a12d

/data/data/com.b551a.off/files/bugly_last_us_up_tm

MD5 278ccac91bb494fdf97967207fac0cc4
SHA1 a8439673fb6f51dbaac6e85842570d9f3a656ddc
SHA256 97c49a3307c7e97e5a76a89da1b039fed59ddd7916375cb555aeb538cc8611ea
SHA512 e2f1de3c80ea51960419b6a879a7cc44bbfad5b27c59077592344b4e50dab80e2130849e198a57f1f187abef0680f519f47aa2918ced6e67eac60f7b71095108

/storage/emulated/0/Android/data/com.b551a.off/files/log_data_000

MD5 6728922617c7fea98b939eb2f97d4d7e
SHA1 c77baf473446cab3a4eb970f7a2017e97666ce5d
SHA256 e0dbb7fa53890ec4bc1ec00a62e3a7984e91fefa02e25705c726b8eecc02dd80
SHA512 f7d0477f3638350f14345876d417ba1f232417f5c959bf6a4ca426163fdebf1ea401627ef0e1930bb3c0bb8dac265ff673439ad86d5784a8482652a2d135750f

/storage/emulated/0/Android/data/com.b551a.off/files/log_data.idx

MD5 6db30b1cf79c176c4cc2224af20f3ab3
SHA1 146e00e9c50a3c5481242aae9da1e792b2e78037
SHA256 27007059b7da6a21946737dc301921bf8e56bd8ce9fe1c9d04c0c7aab083f165
SHA512 7068ea8005bd732b16106423eef9ade52bcef72a3c5c052b5d7be5330fa29c2496b1fe8ae81666250f877a12198d2307450b51a35ff5d27ca27245047d4b2371

/data/misc/profiles/cur/0/com.b551a.off/primary.prof

MD5 a81bfd722e19875319e1048f2ffb532c
SHA1 b523ab69b9dd213ceb34cd2a490bb47da36ba034
SHA256 a859168e87efd619794c6c469dfca4bb6719e042696793a4b94673354db8af4e
SHA512 48ff5829510df2760b42acb3bf756dcd43629fbdd448a0001d963a9f9390492235ef581eb7480ae20df92d8770aad0c17b7a94a0c8bb6b1edaffb9e064883644

/data/data/com.b551a.off/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 a2835da7923730b0943e64a5b0aeda44
SHA1 77a86604f2d0df334d21222e117093d9b371648e
SHA256 6414d32778c2cfad4088ff88bd405818cba394c16b236c74f160f696db2d3767
SHA512 07e2b70ce6d8691a9a52380d2bd00901590abec2c96ae8413d5d9915c1142c702e9adf0b6ca08c2af7fde747635e1350108b5d6c4a3f814b0982c408dc4654ea

/data/data/com.b551a.off/files/profileInstalled

MD5 9c17fc19995ba210db5f7bb1b27a7886
SHA1 f2d5b94a6fe6c156c964b9b2560e080d8e9d715f
SHA256 3b54c8c65d9a81bd747df3874e569551a6108323b6b69dfa89932f09b31fd579
SHA512 a35ee0e479f3ad9f0b31e222b0c567ad1153baa40b37019f0896faf58759cfb56998138e6a494346893c34079d3756f874a383b549d03be972ec3366827468c2

/data/data/com.b551a.off/cache/wp.jpeg

MD5 5dc1983554a88c2a224ee046bb7314ec
SHA1 5b09273776014bf32fd8aa7bca9ce151d2c7d98f
SHA256 6a4d32e8ef673e70a8a4963124417be10eb09089f3aa049e1e3c7de515c69f21
SHA512 5ce30ef36c25d33f3416006c103608057a9cc88f2d88fe37de3bd895d68a005644d74aca0abd5bef02f2ed17709a38ae249b0dabeaa16d1c46c8a8c9d85c7e88

/data/misc/profiles/cur/0/com.b551a.off/primary.prof

MD5 b4a753f2860ef9e8ffb15a83363d951f
SHA1 6e17d14bedc5fcdcb1576f540efa8da0023bf6dd
SHA256 41b8cc26c9419160e455b9b6fb09861c0ec95541ceacd5af3e8866f566a87cf4
SHA512 8075e7d19d47ffc14951356a8f084d1b53af7be6f9c919880b8bdacd628a2c17098fdf61594529053a58cc45e3cb7793c061bbcddddab6b26846f89f05f84437