antidot | edcf2f02a491fab69c3c18610c9d72966567c632ff4d881e4dc6d7154019d8e3

Analysis

max time kernel
147s
max time network
151s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
24/01/2025, 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lohehocowa.apk
Size

9.0MB
MD5

a77510d5c5df5c2d445237895be28c26
SHA1

4733c9a24570b37fb03f97355c2016ef10d3d045
SHA256

a2c3c118dde0e9cbf7cc815ebe21258ec99a860eada0cd9fde6870b70d72f54e
SHA512

b3b5dc6687bea980f7a5bdff70494f0415de21d6bba09f0b98e8da0b6fa29f59d6607282d7d506bc3ce9436ef1c96b1570e393c1b0ef346cf7d02695f3a66472
SSDEEP

98304:3o/Kr9mcYvsb33zJoBUuJqn8e5KKg5nO6qelM1Bp9KeHFNuUZlMbtEgwwZZoDLcf:2cPb3DJoBULLlcUZBYErSsc

Score

10^/10

antidot banker collection credential_access defense_evasion evasion execution impact infostealer persistence trojan

Malware Config

Signatures

Antidot
Antidot is an Android banking trojan first seen in May 2024.
banker trojan infostealer antidot
Antidot family
antidot

Antidot payload 1 IoCs

resource	yara_rule
behavioral7/memory/4468-0.dex	family_antidot

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.hokaru.reboot/app_duty/QYspC.json	4468	com.hokaru.reboot

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.hokaru.reboot

Requests uninstalling the application. 1 TTPs 1 IoCs

defense_evasion

Uninstall Malicious Application

T1630.001

description	ioc	Process
Intent action	android.intent.action.DELETE	com.hokaru.reboot

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.hokaru.reboot

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.hokaru.reboot

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.hokaru.reboot

com.hokaru.reboot
1⤵
- Loads dropped Dex/Jar
- Obtains sensitive information copied to the device clipboard
- Requests uninstalling the application.
- Schedules tasks to execute at a specified time
- Checks CPU information
- Checks memory information
PID:4468

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Indicator Removal on Host

T1630

Uninstall Malicious Application

T1630.001

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Discovery

System Information Discovery

T1426

Lateral Movement

Collection

Clipboard Data

T1414

Command and Control

Exfiltration

Impact

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.hokaru.reboot/app_duty/QYspC.json

Filesize
947KB

MD5
791d577165000d15f26d38279f330e23

SHA1
0d08594e9f245b17b9d9f145c46889090631c690

SHA256
7e5def266b86d93ce99ea2694a1edb400c8399204fd823d56c62ad8a503446e5

SHA512
4546dac6f59da3da6183ddeabac8a5c3dc2a758276bad37724e1d1e34e4c6bf2607229cc510f4d89b71d6b509e53662023b7b598290a46aab292367eab898c31

Download Submit
/data/data/com.hokaru.reboot/app_duty/QYspC.json

Filesize
947KB

MD5
716e01277d01725dd11a3061388c1b3c

SHA1
fde46a0176bc9daf3365cb00efb9480768b8cf16

SHA256
93205b4b48b4d0a4ef543c3095cccb36e3d3a5c6bab624503ab8f9ed90c96b1f

SHA512
bddb135a0190e3a9e6eeae1cdc9b94f6fb9529c52c3347e0fc806bec7b162879098561064f57a40edda016521c6eefffe93af4333c37e1cfb7cb6c688ea894fe

Download Submit
/data/data/com.hokaru.reboot/app_duty/oat/x86_64/QYspC.vdex

Filesize
36KB

MD5
fa243222a1512f45d0abc95d7ed8f38f

SHA1
2eea9c637044964c31b3a09010c52c1e9265047b

SHA256
637fe80be55abe1f1bf00023c02a032d0908124652a52a43477e0a9fc358ac3b

SHA512
e5c75875d8e055fb42920baa1d3da127b33ae3a5ba087b6eaa703032284d1c29f15b979d733d7cf38a49474b43bac294b5cea367142c52015253805b0a8f9744

Download Submit
/data/data/com.hokaru.reboot/files/profileInstalled

Filesize
24B

MD5
029a3d184830947228c75ede9260fd59

SHA1
3886145e3adcf29b1f4288c4f12f4a9720297824

SHA256
ba807fd8e32eb4ebf3c6eb1f800a0e08a15be1f6c7e293d42b6f24eab2bccdad

SHA512
8f4e9e92b91fe4dc6603de4ff5db1ac5a91748c8ca661e742c002acc9dd89785cfbec9689ed8a46807bb08d9a38a2b22a238aa2a05425672065392eedc2abe22

Download Submit
/data/data/com.hokaru.reboot/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

Filesize
8B

MD5
f3aefcfc59a4235dc3177585e4b19960

SHA1
bbc488548b04c48033ca7ff178db2251529dc5ad

SHA256
dc4175a8acd452900b72e9eed486957539006e18daed74e2c9b71a4bba6d3739

SHA512
8f680a9132a14c5bde7a7b9f9b8c10614ce0ad284aa576561824c00096773ae2e0e5730641c7a49867acd9d5ef00b080037112e981a0d056253544120164afec

Download Submit
/data/data/com.hokaru.reboot/no_backup/androidx.work.workdb

Filesize
104KB

MD5
7cc625a22de9ee5f4fcd26fd6733854e

SHA1
caccc9b6aead555b51a17d05a17077da1b8aa22b

SHA256
8c10a68e9584ce897cabe3e19d5e8ccde7a25c61a664c70499c1d7abd9dafc35

SHA512
6ce157e43993520500a0938bfe18b676da9ad493f2493857b908b53d43666b5450ba916e89ebf78a3ac7098b24639419d04ef471271ff199cdfda33cc0c03003

Download Submit
/data/data/com.hokaru.reboot/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
1c1e00105dd9b77e6889126f5554f3a2

SHA1
c8de85a4e6db71ce88f20abe006f7410dccae3ae

SHA256
ac183a34e7c202e48249466e27e9c2351170abb696ed4b00eb087de1951b60c8

SHA512
8215434c329b694afb562c13f2eaff0f7f3c6636fd20f189a24ab2f93ef131d03b74961e712ff831bf512621de1f64146fc87bebdba6dd84bc99df0ba46305d1

Download Submit
/data/data/com.hokaru.reboot/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.hokaru.reboot/no_backup/androidx.work.workdb-wal

Filesize
116KB

MD5
3ce4e7780bde6174e1180e3e479c86d7

SHA1
f0fb712fa4d1d224918b50d7d48b6dc232577d14

SHA256
1da9dee19e1fa5e141ac5832489b55a715829cef39e0afa6492ec679af781818

SHA512
3ba0da155a93139e6315382a39f64dfc10385fce1d998bf44b2f87105656ef58ffdcc7686c2096acea2b945b4810e0b2d5ac0d6537711830bdb0681e3f53a596

Download Submit
/data/data/com.hokaru.reboot/no_backup/androidx.work.workdb-wal

Filesize
406KB

MD5
b0de88a11bc305508e219ac19681e72a

SHA1
4b44118e1c9c2d8d08e9b5979190c60c044507f1

SHA256
ca726571d790c8662a102da989400710da05ceb8af7cf36c9cd1819bb10278d4

SHA512
effe49985e1f254d8f97126437a40935dc98277c234a40a52052d3b69c82bdf495fcd8e7789852a4ac91d9cc8e61fb6e45783904f1b631387b780d39cc7c2683

Download Submit
/data/data/com.hokaru.reboot/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
90790726f99d8fcd59ab464ceffa62f6

SHA1
8475aa2f951ad77e57038fcea882a4646e993780

SHA256
ccae699b85c0b420f3fabacf5a5681a21efb02c7bd3969475e0277f4b4030bfc

SHA512
da6bc485aaeac04d61b2f7b2ad5bb61c07faeed784e68194287fdea3557623f7c0ff016a8a17624d0e366ceb4bbb7d569b13506dd259c130c2c6e1c3536135dc

Download Submit
/data/misc/profiles/cur/0/com.hokaru.reboot/primary.prof

Filesize
1KB

MD5
efb731a489849cc17c419fb76e7dcd35

SHA1
edf25afa33a47138ae9beeb911d719b7efa907d6

SHA256
8376245539dcf5acab69735129b59e93c8c0ea5e3bcd37d457a3887b7e4171be

SHA512
1a470ec9ca792da6a79ff6d4875d5d898b6203e7a531795b8bdaafc1abfa716d160841f830c1f8321f5b91e048aaeba6f312d12f645ee38245f8e2be90f567fe

Download Submit
/data/user/0/com.hokaru.reboot/app_duty/QYspC.json

Filesize
2.0MB

MD5
e3c3fb178af9e6d8b918cd25b6195667

SHA1
cc59a12d63f9344293431d2097bb3d869dd63355

SHA256
98640005391efcdc7e33dd89ba31d08eccf9a2bf3ce0460d9d4272fbc94c4909

SHA512
ccfe6f589fa4a65eda056f6f9f61b8a7a710ef7688ba120dd5186136830285dec8d4db294fca94fd3679f7a37e859e95db824c52a827633ef0cc3d723852412d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads