Overview

overview

10

Static

static

6

Install Pro.apk

android-9-x86

10

Install Pro.apk

android-10-x64

10

Install Pro.apk

android-11-x64

10

kovobopipe.apk

android-9-x86

10

kovobopipe.apk

android-10-x64

10

kovobopipe.apk

android-11-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
  • submitted
    24/01/2025, 16:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    kovobopipe.apk

  • Size

    8.7MB

  • MD5

    02af81325aaddd54feb7f0e8fc84ee7b

  • SHA1

    3161e43ca8dd405de2df79eb03edc601b52a7ec4

  • SHA256

    e8bad4b9a036d34bd196b09ad1ed225a94b46e6b7d41ccd250281208ed87b040

  • SHA512

    8f194cae88c8759545bc1456166478e66b5f23492652088de9504b6b2612e4d0227e1133f7a21cd8301a158b80718a32206c86ab120de10a80bd680f6f74c807

  • SSDEEP

    98304:so/Kr2VeTADQyKmLqUoDp3j8qkG07zjaY5YZBPxeV2BUsCYsTh2ieSyeTgnrSs+:BeTADQX0at80vZMPfn0YErSs+

Score
10/10
antidotbankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerpersistencetrojan

Malware Config

Signatures

  • Antidot

    Antidot is an Android banking trojan first seen in May 2024.

    bankertrojaninfostealerantidot
  • Antidot family
    antidot
  • Antidot payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    defense_evasion
  • Requests modifying system settings. 1 IoCs
    defense_evasion
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.nemuwebexe.address
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Schedules tasks to execute at a specified time
    • Checks CPU information
    • Checks memory information
    PID:4853

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Hide Artifacts

1
T1628

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.nemuwebexe.address/app_OHUKweROnnUiUZcg/zwlofSjg
    Filesize

    910KB

    MD5

    9e4e312e6ab0def28129463bb4e9f83f

    SHA1

    76ff6aaa863c86ab5f5bb251eaa698ad127d3cb7

    SHA256

    a3773172ca5d6093b8cf23c642450f3c5933eb4503683a4d7508a2504f45a3f8

    SHA512

    8b27e9b6e1f9bb859913a05e35f93e3c38a7a925432692f4c1eb3b0ed0d257f43a87d37698828afa04a7be234fb9cf69caf6f6d638c716e2eaf364d41c6b41d4

    Download Submit

  • /data/data/com.nemuwebexe.address/app_chair/kwusiN.json
    Filesize

    949KB

    MD5

    254b588682b5c750660b91ab03f26869

    SHA1

    2efb70710eb70785ea48713b4ca03b1d481faf6d

    SHA256

    85725d73debea23a1ebc06799b4235c45cb1d001b9ca3254cd9a89c4911517d7

    SHA512

    f688c55c96cb1c5d231ba7aedf04d5998b8c2f521c2bcecd7acef9cba51e01017429d9d5a98f22b51538d4ea43d7836a3094b7a12a815bf122a4d46f233dd743

    Download Submit

  • /data/data/com.nemuwebexe.address/app_chair/kwusiN.json
    Filesize

    949KB

    MD5

    dbff78014cc2cefe06032c4537b6fbd5

    SHA1

    ca02f8c265bc2a67215f0bbe42cdfb0ecab65375

    SHA256

    025523db1f46f1868210882652d7ee70bc0bbe53e7a1150476f2cd8a5394afcf

    SHA512

    ad6a9e3f5092db9bcfa88ad2fb8f152d8656ea0d680e7e677883be17945f33b71db19bdb2a2f1409b6ac7984921689008c8f812555b2b495b39f6b74c46632e3

    Download Submit

  • /data/data/com.nemuwebexe.address/app_chair/oat/kwusiN.json.cur.prof
    Filesize

    3KB

    MD5

    3435e45c7429d5e90dfdc74bccdd7949

    SHA1

    13d6c27893632e59a73beab76a5021518d07edd4

    SHA256

    2333f440ef131839d0a7122ede1a7fe68559a1e39ddd8514e940bae5a8bdac88

    SHA512

    08a19e0b730ce4715768e74685dea61b26e3c4727ed47ca41833394855608a6564ee9b692305552c4c181809b153f948dfba11d08c38c98f7a4f8ef3cb5d9643

    Download Submit

  • /data/data/com.nemuwebexe.address/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
    Filesize

    8B

    MD5

    bf1dd56cbd4d2ea4950432a6016bf225

    SHA1

    ed48cfbb9122687c9a3fe6776c1895679b4869ec

    SHA256

    d746459e40e6c44d4f5a88639b87ee1235cfd008017cf946d4d4576d532f6cab

    SHA512

    eea59fc730a3aedbaef2ef08396bb13965ec37a01bb131df1d7cabd37f9bf5ebd6a2a101867d09ed80095d449f41e0606900ab64ece2b132467e486aa4ee1f18

    Download Submit

  • /data/data/com.nemuwebexe.address/no_backup/androidx.work.workdb
    Filesize

    104KB

    MD5

    ea8a44bae0bdd2ebbb3d96c34fb5657c

    SHA1

    fc6c3aeb511dcbee865a511cc1f61e5d398d0852

    SHA256

    f7febeef2eeb9b25ecfcc73c7042df0ebef27874c3027cf71770bfb14e8948f4

    SHA512

    ec86b07155ccb2ab726c1bfc0d9d5a2056e9f042762ea97506dd863da784b8fa93555bc275e772416e30466f383060c4de514d797a677441cab9462006af9a39

    Download Submit

  • /data/data/com.nemuwebexe.address/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    499f5df242f9a38a9ac5814b4de4c4e6

    SHA1

    09678da43c696c9d23636d9be91faa29d1f21a58

    SHA256

    218edccf6f7e74dc5fabbbde20e4d0386a1f1c32d3de2e1c7ff5861788a07f97

    SHA512

    119088adce6782e119a81b86d5cf7596436e6233e092a570fd49346d17078056d4beb538e5b03aa77a58a8dc79c17b6e9cf52e08ae26c51c8c3222439471d42c

    Download Submit

  • /data/data/com.nemuwebexe.address/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.nemuwebexe.address/no_backup/androidx.work.workdb-wal
    Filesize

    426KB

    MD5

    3a4181fd1d1c496a1570a1b38c9980a1

    SHA1

    7b936eb5428a3f1fdf002df31fdc5a21e3d1916e

    SHA256

    3a267419d8d85530c3d4087dd3c29101929f02e24280c3ccdc897b91856ce117

    SHA512

    92062e29c0ca20eec9727c7e0f9d5346cf12c619e44d0a009114c69fbbae94c854b0f045d64d998b41a30a83b1be52d490007f4e8a5139ae888ebed6dfe3d551

    Download Submit

  • /data/data/com.nemuwebexe.address/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    ad05524681500c582a24dd918f1f7f69

    SHA1

    5bd194643bdfe886a3c76e461b97263f1b421979

    SHA256

    752cddf9219eb7785e9a8f51ef9e70a96703f6cb388bf50ee6dab2528bc430f2

    SHA512

    edc5936e093468506cc32ffad8114a8d6732e2aaa98d2be04718e6f50f36a6923cfce699bce11db37b33442f55789949b833531dbb02be44fd94b34d2e4a06c7

    Download Submit

  • /data/data/com.nemuwebexe.address/no_backup/androidx.work.workdb-wal
    Filesize

    116KB

    MD5

    ac81e8abca515cdc9ac1804c98e20525

    SHA1

    e3ae25c052efe22d4529837b38df6174ae638602

    SHA256

    34fe9633abba6701d8c5f6a7dcd09358a07eed1a1fd814ccfe1b4f6f226b410b

    SHA512

    ed85442113ab70ac788523555f4e0f8efde4500eebe89c95fe81eeb78c7e3fde5b5289c96b173332e283f69b50f792d06e3703824ac720ea854559f3aeb31398

    Download Submit

  • /data/misc/profiles/cur/0/com.nemuwebexe.address/primary.prof
    Filesize

    1KB

    MD5

    7eb5d81ed2323308d49d03673b9900b1

    SHA1

    0f90f803e36871d649140e50ecbc5da3f49c6d4f

    SHA256

    91cc83617647094d051b6611da7a89a2d3c681b654daad736eaf55538dc90d97

    SHA512

    e938e87a7edce750af151d57d40bb15181000bcf33ee8fcafaaf6c32cc19fc02da74ccbf025fc9a2f198f2ee1bfdd1f032aae6175268547ae88373aa24168bee

    Download Submit

  • /data/misc/profiles/cur/0/com.nemuwebexe.address/primary.prof
    Filesize

    178B

    MD5

    48e2049e89b918f07845dcf6a6fbf5bf

    SHA1

    ad89a38f49748f98e5ac9f2fcf3c0a756558c123

    SHA256

    2467e83c147e32afdca024a670b7d28792c729cca33a491a3b7a9cac1a0a68bc

    SHA512

    a511e8c1a54966b721afd3719e31579158f25171050565e3aa3ae022c27a65479d109ffadf8198fe91b9b098e9ad7f636f4456d4fc827c3a1ecfbca050db82d9

    Download Submit

  • /data/user/0/com.nemuwebexe.address/app_chair/kwusiN.json
    Filesize

    2.0MB

    MD5

    a3387bde9897ff87c15d2d12693f5fe0

    SHA1

    e58b46892df1c51363a193ab3d732aba4b045463

    SHA256

    3fb8284d341271ba0d1227dd41e87e07312cafb2c98d8b6b9666c7d17c77822d

    SHA512

    457b30af651d6efc9636ea498bef9a7dc3d10added39927caaf238f5a86fd642a807457e7edbf2429732e3e1a46ea1696c255d90e7e66755ac2c8477ac03c74e

    Download Submit