antidot | f5fdc1672088ee29affc4817986e722765c4f03af4dcde8fc603b25544bae62d

Resubmissions

24/03/2025, 20:33

250324-zbyfyaypv8 10

21/03/2025, 22:49

250321-2rnmsasvgx 10

Analysis

max time kernel
25s
max time network
28s
platform
android-11_x64
resource
android-x64-arm64-20240910-en
resource tags

arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
submitted
21/03/2025, 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wibemuse.apk
Size

10.4MB
MD5

8e03e90022214eda8f01ce735d8fe972
SHA1

0a5fb8dba68751a01aaa113f92b2db9225dd24a2
SHA256

5acb5ebdd0e4c8fbafb44a88e66e741f1c94a72e3f07f5adc454687010634848
SHA512

40f1415f69ef72ba6ec53745c2192cea7a82e4d1c028cdf0b636af163a0246a3d201d67ddb60f8552733239ebac82673bac179de179cc78656b9d9cef1e2fde8
SSDEEP

196608:mB12mtwTYrqOBcjvLDxLB5WLDDKfYErSssdkpxHaNhJ/Ds:mBxmOBcjvLDxL2DKFrSuVaNbs

Score

10^/10

antidot banker collection credential_access defense_evasion evasion execution impact infostealer persistence trojan

Malware Config

Signatures

Antidot
Antidot is an Android banking trojan first seen in May 2024.
banker trojan infostealer antidot
Antidot family
antidot

Antidot payload 1 IoCs

resource	yara_rule
behavioral6/memory/4775-0.dex	family_antidot

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.belasaba.guard/app_sense/LyBDIN.json	4775	com.belasaba.guard

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.belasaba.guard
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.belasaba.guard
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.belasaba.guard

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.belasaba.guard

Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.belasaba.guard
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.belasaba.guard
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.belasaba.guard

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.belasaba.guard

Requests modifying system settings. 1 IoCs

defense_evasion

description	ioc	Process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.belasaba.guard

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.belasaba.guard

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.belasaba.guard

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.belasaba.guard

com.belasaba.guard
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Schedules tasks to execute at a specified time
- Checks CPU information
- Checks memory information
PID:4775

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

System Information Discovery

T1426

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.belasaba.guard/app_sense/LyBDIN.json

Filesize
945KB

MD5
211771a5071821646415d372d9df992b

SHA1
88cc9303bfc9f1c4684d9052a82f6887a9e32d31

SHA256
05b15fb490d264ffb6708d3ca6c95b5eddf1a5cdbbf58c8320dddf549db49cd0

SHA512
9b1b89dc1dfc810b4e3d05d384971c614c4ff0e020cb7d5a85da46efc88655d8592bdb18cc8bd5a91073fd456969c63ec55c5f7d1528737bec000eb67fbd7dd5

Download Submit
/data/data/com.belasaba.guard/app_sense/LyBDIN.json

Filesize
945KB

MD5
6083abc4cd5e5452335f2d97cbdca967

SHA1
1995692c5fe9a01fdb4c9dfef8b4cd4fe8276a90

SHA256
394bfc698a39070118f178e3c11e24d78c0f4ec3e6a3e02f32929402933482c5

SHA512
f067518fa5d5d4ff8a9e253e32e16664d52ba09e4aeeaac5410fc09d5ccd4e2443ce35112e72fd49e900171b43c9d90b8cc696223f76ea6858be4fd547bfc1dc

Download Submit
/data/data/com.belasaba.guard/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

Filesize
8B

MD5
727218a7a09b70855603fd5a8e9381e1

SHA1
82bcacdec816b4dc349ba0fc9260cce84d8142bf

SHA256
3bdc59f8822d2cab54df923b89a810165249966e32405a4e165e2540ec2368ed

SHA512
2259969a9229ed28bf6ec4009809708b71ecb483391b85df8718b1cf8099cb9f8cfe21405d5a923e08e11b31de458da3ce81ddea9e0e978ea750236838cc0fa2

Download Submit
/data/data/com.belasaba.guard/no_backup/androidx.work.workdb

Filesize
104KB

MD5
90936f11e05f8b0f7db5dd73dafd334e

SHA1
a0b035a9f65f023ef9d908dc373d30ba768079d1

SHA256
0d9163418a1a969b8eb97a2ce3181a01d71d1d09e7f43adf713dc09d21bc972b

SHA512
735a447a3c797f1dc2f9af1e9d007c83f3d1ce4359bdbe3e5872293da7838f2fd158e88d1abd7d6a3046fd5bc5e2e4f1eebd0f864a8a2f94754402b13c1c5423

Download Submit
/data/data/com.belasaba.guard/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
1809abb41ed2b1c89a71721b0478851a

SHA1
767bbd9e6fd2cafb2992c942d3a2a41c95bc6ff6

SHA256
2d824d884a4a0f472d25d101b5e037fc33334398f8518cb5c3b132253c018138

SHA512
6a47d83f8b9e6e29dda2e623319f4fcb55898f41bff85f5f22ad71c6ac5c869b27c2fff64a3020ef0042ae2e76fafc39613cd49ba1466396cfebe82f1b131560

Download Submit
/data/data/com.belasaba.guard/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.belasaba.guard/no_backup/androidx.work.workdb-wal

Filesize
426KB

MD5
b5aceef6b2fc3545df3c4398fe1e7266

SHA1
71ac5e4927b11b852d402b17f2857d8b78459d58

SHA256
590468ada1a55adc9d079f50e63d43365c0fa430f074d60ac7a9c92f0016d11d

SHA512
36c089543b54dff5c303af8bc613f946428c9a25991f0c7a4bf81bf0532445996955ffc6eaaa097e93807676676301562a33885386c54c76ba1687987d8a969c

Download Submit
/data/data/com.belasaba.guard/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
f42f1b1846f13872c930f16c5ff3914c

SHA1
9f6d3870d1040a8b092191f0db1e6a02dbcfd05d

SHA256
aa4cb98be911a50bbe41688a155c66b91fe7bb5250bdbbec35e14db2245e3acd

SHA512
334ef1ad282082142063854edeacbcd8396c4ffa6c5901bec54be0189d34a835e5727dfa358ef5dc10c0bd8df13784c08b84e2a9165159c141c57327a3717755

Download Submit
/data/data/com.belasaba.guard/no_backup/androidx.work.workdb-wal

Filesize
116KB

MD5
727f3e018f289c2e2851f0eb248ce3e3

SHA1
e5a344aff82b6cdf600356383caf3c8d0b13886d

SHA256
0f2779f4a48917a286a90380525b275fe2c140eb9e4b757193ef32021771d2cc

SHA512
4d91210fa9d73199abeedcf93960e99ed24b317a531246f74a25df5cf920ac1f844fe904c3a7ec190db3dccdd33707516ea91e1333e70bfe4cbac4cc796e8dc7

Download Submit
/data/misc/profiles/cur/0/com.belasaba.guard/primary.prof

Filesize
1KB

MD5
55020e8f639d39ea05fd432ff0e490ec

SHA1
e363b94d622814c2ad9296ef518cf73b9aa0d526

SHA256
34d8f04da6b2a8e397efe6ea01f1f466b716c1c6f14770a86f0493d96226ee5b

SHA512
109ba08189331c1cc172eca777b17b7b51465abb4b5c2bda371b4de11261e8be64321066c459b866c1437d637bd06596f2e860051daecc316995810173f9e593

Download Submit
/data/user/0/com.belasaba.guard/app_sense/LyBDIN.json

Filesize
2.0MB

MD5
14729c3618a03cf849b664361086962b

SHA1
5d2065692e55e6340826b4670e93743fe4ebf49f

SHA256
bdaa4680b58d117f7cb4e4ed89a61119e0cacd5c6bd375af912d2bac4c83fc14

SHA512
0cb89089293565ce3b89476395be51cfc4103f69aa76671e7f3af4e1abc705d437dd4dfcd81d60c94b3ed4ddfe8c3296dfe7a6972267934a7a1109b9d81f4afb

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads