Malware Analysis Report

2025-01-19 06:50

Sample ID 241222-cf29csyphn
Target 07da124f1f4ba891e7917082bdfa74c580e78543164df2fec86e8b0c3ab0211e.apk
SHA256 07da124f1f4ba891e7917082bdfa74c580e78543164df2fec86e8b0c3ab0211e
Tags antidot banker collection credential_access discovery evasion execution persistence
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 07da124f1f4ba891e7917082bdfa74c580e78543164df2fec86e8b0c3ab0211e.apk was found to be: Known bad.

Malicious Activity Summary

Antidot payload

Antidot family

Checks if the Android device is rooted.

Queries information about running processes on the device

Reads the contacts stored on the device.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Reads the content of the SMS messages.

Makes use of the framework's Accessibility service

Legitimate hosting services abused for malware hosting/C2

Queries the mobile country code (MCC)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Performs UI accessibility actions on behalf of the user

Enumerates running processes

Makes use of the framework's foreground persistence service

Queries information about active data network

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Schedules tasks to execute at a specified time

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

Analysis: static1

Detonation Overview

Reported 2024-12-22 02:02

Signatures

Antidot family

antidot

Antidot payload


Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application broad access to external storage under scoped storage. android.permission.MANAGE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to read image files from external storage. android.permission.READ_MEDIA_IMAGES N/A N/A
Allows an application to read video files from external storage. android.permission.READ_MEDIA_VIDEO N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-12-22 02:01
Reported 2024-12-22 02:04
Platform android-x86-arm-20240624-en
Max time kernel 142s
Max time network 152s

Command Line

com.paeed8age.pak

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /sbin/su N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the contacts stored on the device.

collection
Description Indicator Process Target
URI accessed for read content://com.android.contacts/data/phones N/A N/A

Reads the content of the SMS messages.

collection
Description Indicator Process Target
URI accessed for read content://sms/ N/A N/A

Enumerates running processes

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.paeed8age.pak

com.paeed8age.pak:remote


Files

/data/data/com.paeed8age.pak/app_crashrecord/1004

/data/data/com.paeed8age.pak/databases/bugly_db_-journal

/data/data/com.paeed8age.pak/databases/bugly_db_

/data/data/com.paeed8age.pak/databases/bugly_db_-shm

/data/data/com.paeed8age.pak/databases/bugly_db_-wal

/data/data/com.paeed8age.pak/files/mmkv/mmkv.default

/data/data/com.paeed8age.pak/files/bugly_last_us_up_tm

/storage/emulated/0/Android/data/com.paeed8age.pak/files/log_data_000

/storage/emulated/0/Android/data/com.paeed8age.pak/files/log_data.idx

/data/misc/profiles/cur/0/com.paeed8age.pak/primary.prof

/data/data/com.paeed8age.pak/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

/data/data/com.paeed8age.pak/files/profileInstalled

/data/data/com.paeed8age.pak/cache/wp.jpeg