antidot | 400743ebcbb56f4f00a7339cff9b769e1c53788e7276803753dc4eb9f8af5563

General

Target

400743ebcbb56f4f00a7339cff9b769e1c53788e7276803753dc4eb9f8af5563.apk
Size

2.7MB
MD5

55d2c5ba2c8b7b9f60ade9873c9930a2
SHA1

9b84ad59e396a134f429eab29c29eefef71e1860
SHA256

400743ebcbb56f4f00a7339cff9b769e1c53788e7276803753dc4eb9f8af5563
SHA512

422c5c54958f273bacef679d463db04f23c890c2ab0a5bebc491068fdf08aee813bd1992cb79118191394b4093e900fab7ff152721365952f0b732dcac5b98e4
SSDEEP

49152:dTtAv5xDCr6U2LaaB6YBuXParrVp4g3oSZUv1SRdcJ73wz6srK0HaCi/yJ5ITQGE:dTtg5La3MDGtSRW73oRPXCyJ5ITQGdW

Score

10^/10

antidot banker discovery evasion impact infostealer persistence trojan

Malware Config

Signatures

Antidot
Antidot is an Android banking trojan first seen in May 2024.
banker trojan infostealer antidot
Antidot family
antidot

Antidot payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_antidot

Loads dropped Dex/Jar 1 TTPs 6 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/dev.decryptapks.downloader.qwertymods/app_ded/6llz3R6LVLhMaBtgGe8yfdRLaQA5O2mf.dex	4222	dev.decryptapks.downloader.qwertymods
/data/user/0/dev.decryptapks.downloader.qwertymods/app_ded/6llz3R6LVLhMaBtgGe8yfdRLaQA5O2mf.dex	4248	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/dev.decryptapks.downloader.qwertymods/app_ded/6llz3R6LVLhMaBtgGe8yfdRLaQA5O2mf.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/dev.decryptapks.downloader.qwertymods/app_ded/oat/x86/6llz3R6LVLhMaBtgGe8yfdRLaQA5O2mf.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/dev.decryptapks.downloader.qwertymods/app_ded/6llz3R6LVLhMaBtgGe8yfdRLaQA5O2mf.dex	4222	dev.decryptapks.downloader.qwertymods
/data/user/0/dev.decryptapks.downloader.qwertymods/app_ded/QfZF5BzeOoj0QleOT2wyTNW8RFeLXK0I.dex	4222	dev.decryptapks.downloader.qwertymods
/data/user/0/dev.decryptapks.downloader.qwertymods/app_ded/QfZF5BzeOoj0QleOT2wyTNW8RFeLXK0I.dex	4306	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/dev.decryptapks.downloader.qwertymods/app_ded/QfZF5BzeOoj0QleOT2wyTNW8RFeLXK0I.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/dev.decryptapks.downloader.qwertymods/app_ded/oat/x86/QfZF5BzeOoj0QleOT2wyTNW8RFeLXK0I.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/dev.decryptapks.downloader.qwertymods/app_ded/QfZF5BzeOoj0QleOT2wyTNW8RFeLXK0I.dex	4222	dev.decryptapks.downloader.qwertymods

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	dev.decryptapks.downloader.qwertymods

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	dev.decryptapks.downloader.qwertymods

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	dev.decryptapks.downloader.qwertymods

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	dev.decryptapks.downloader.qwertymods

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	dev.decryptapks.downloader.qwertymods

dev.decryptapks.downloader.qwertymods
1⤵
- Loads dropped Dex/Jar
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4222
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/dev.decryptapks.downloader.qwertymods/app_ded/6llz3R6LVLhMaBtgGe8yfdRLaQA5O2mf.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/dev.decryptapks.downloader.qwertymods/app_ded/oat/x86/6llz3R6LVLhMaBtgGe8yfdRLaQA5O2mf.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4248
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/dev.decryptapks.downloader.qwertymods/app_ded/QfZF5BzeOoj0QleOT2wyTNW8RFeLXK0I.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/dev.decryptapks.downloader.qwertymods/app_ded/oat/x86/QfZF5BzeOoj0QleOT2wyTNW8RFeLXK0I.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4306
- rm -r/data/user/0/dev.decryptapks.downloader.qwertymods/app_ded/oat/x86/QfZF5BzeOoj0QleOT2wyTNW8RFeLXK0I.vdex
  2⤵
  PID:4329
- rm -r/data/user/0/dev.decryptapks.downloader.qwertymods/app_ded/oat/x86/6llz3R6LVLhMaBtgGe8yfdRLaQA5O2mf.vdex
  2⤵
  PID:4343
- rm -r/data/user/0/dev.decryptapks.downloader.qwertymods/app_ded/oat/x86/QfZF5BzeOoj0QleOT2wyTNW8RFeLXK0I.odex
  2⤵
  PID:4362
- rm -r/data/user/0/dev.decryptapks.downloader.qwertymods/app_ded/oat/x86/6llz3R6LVLhMaBtgGe8yfdRLaQA5O2mf.odex
  2⤵
  PID:4381
- rm -r/data/user/0/dev.decryptapks.downloader.qwertymods/app_ded/6llz3R6LVLhMaBtgGe8yfdRLaQA5O2mf.dex
  2⤵
  PID:4401
- rm -r/data/user/0/dev.decryptapks.downloader.qwertymods/app_ded/QfZF5BzeOoj0QleOT2wyTNW8RFeLXK0I.dex
  2⤵
  PID:4427

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Discovery

System Information Discovery

2

T1426

System Network Configuration Discovery

1

T1422

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/dev.decryptapks.downloader.qwertymods/app_ded/6llz3R6LVLhMaBtgGe8yfdRLaQA5O2mf.dex

Filesize
1.7MB

MD5
6cfa2ce4e3329ec470c094110b2bbd50

SHA1
ca5341cc8bb1b52e42c9569b4d3c8897dbd93f1c

SHA256
46eaf8c41981a560d1590bab5a2b4c4cdf11c5f4ec0e0faf07023244262a0be7

SHA512
f19e181e1aac80cf47dac0f819e25c97547c4145361a1dec9a82a405fd78e34aa1858d3c3b193b44cd512066b4e836673801901456e1dcc498d15be4e3450296

Download Submit
/data/data/dev.decryptapks.downloader.qwertymods/app_ded/QfZF5BzeOoj0QleOT2wyTNW8RFeLXK0I.dex

Filesize
96KB

MD5
6c9e4d1af5d241e76116e05b07e8e0e3

SHA1
4a33d452e68e310e36e9ceeb2c7f355b97d82f7d

SHA256
58816ebafa9d2f8893a646e41dc7006612e3abed88f73b022e951d367775d5d3

SHA512
10ec6e2ae11a6db830ae2d2ced1f91e9a18b7ad6b8a67171418888b1bbaeea1492ef04fd15333b75a06d4bf9aa93b1aa2261f5533f2c368b4942ad98d214389f

Download Submit
/data/data/dev.decryptapks.downloader.qwertymods/files/profileInstalled

Filesize
24B

MD5
a1341b33384157c72c96c53f8026d794

SHA1
a059896e2091887ee61390429ebde40c0382dd65

SHA256
0f3c6fcef137f683ad68fc13bf0b633cea51f166b23401f9075a92d6099d81f8

SHA512
ad4ce786096213a0a941f5f1a3dc967cc42bdf463d265190807f715ed94301a67d2174e3cac5bac6d3afcf11203a246d0abbd731716707550f6a5d850a4ddcd1

Download Submit
/data/user/0/dev.decryptapks.downloader.qwertymods/app_ded/6llz3R6LVLhMaBtgGe8yfdRLaQA5O2mf.dex

Filesize
1.7MB

MD5
29eaacc6aa31b983c9e8ecb6a8c6d994

SHA1
2838034463c3dea564b2e0ffcdffc702c7855641

SHA256
e4f32caf58be8c081324ba44bfd9c3edf138714e11ec62c118b01e51440e8ea4

SHA512
ba8b74ccfbcb667975c8956d11119cfe435ae3a70fae2a6fa41befe2d27a573abca2d840ea51a5db5db0be0c69b65d533488d7c368f73c888f3cb94838af1e54

Download Submit
/data/user/0/dev.decryptapks.downloader.qwertymods/app_ded/QfZF5BzeOoj0QleOT2wyTNW8RFeLXK0I.dex

Filesize
96KB

MD5
ed8add114246c548a4b8d51e6cd7c6ba

SHA1
844bc8f6fd2c6f12f657b7a169ffa4805771a63a

SHA256
bd4ce48926e62021eeb45313181bf96293b37bfe09af4b11237aa8458bdd97d2

SHA512
7955ace6cecf990964b14f9412835418ae883306b329a32d74162326f959b4ab33f58a0544928817a4d3b7c27e0f8160d654eab1f859f5324af01f66a4ea180e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads