antidot | 176c15abd8129000e3aca8533e284861787a531e33ea0880de5653769ebaa218

Analysis

max time kernel
23s
max time network
28s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
21/03/2025, 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sitiriviyapi.apk
Size

6.9MB
MD5

37b18d5c27edaf96d3d23f0dc6db55e3
SHA1

c1c9d6f407eeb159ec90c1601d5486375aa9314e
SHA256

65e49b30e5a3ed351a2e9fd2ec40ced992136a19451a2af6322c7955f64458af
SHA512

070b2349ef41ffe17788b801d18296fc74308003e86fbc392884b9631f3dd359a1e03098326776f5966b04cf35411f079893a27b2b5de50c934c3f0a5624b79a
SSDEEP

98304:sD7Gt0stmNCpTrVJBQ8vDo/KrZLeRxGm/ttVJyCw7OR9:U3ApFJ1eRxGm/ttV47O3

Score

10^/10

antidot banker collection credential_access defense_evasion evasion execution impact infostealer persistence trojan

Malware Config

Signatures

Antidot
Antidot is an Android banking trojan first seen in May 2024.
banker trojan infostealer antidot
Antidot family
antidot

Antidot payload 1 IoCs

resource	yara_rule
behavioral3/memory/4511-0.dex	family_antidot

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.hejanuni.backup/app_raise/hUAobM.json	4511	com.hejanuni.backup

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.hejanuni.backup
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.hejanuni.backup
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.hejanuni.backup

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.hejanuni.backup

Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.hejanuni.backup
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.hejanuni.backup

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.hejanuni.backup

Requests modifying system settings. 1 IoCs

defense_evasion

description	ioc	Process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.hejanuni.backup

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.hejanuni.backup

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.hejanuni.backup

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.hejanuni.backup

com.hejanuni.backup
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Schedules tasks to execute at a specified time
- Checks CPU information
- Checks memory information
PID:4511

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

System Information Discovery

T1426

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.hejanuni.backup/app_raise/hUAobM.json

Filesize
962KB

MD5
13612ae6116ccc34a1de83aaf8e77383

SHA1
1e752ee8836e370d7c7d5f8da6cafc9081396990

SHA256
f97dce87958361004a06cb8b24b396244a7e7107cca818d54f6b1947e14f9499

SHA512
3b29cbe1675cf553a132bbec1f7a10a244bca847a80f8ea5411bec361050c4925a1c038e50075319aa0675b316ebc603c685a45e9f4446f0992db1b05097b8d4

Download Submit
/data/data/com.hejanuni.backup/app_raise/hUAobM.json

Filesize
962KB

MD5
3e5902eec354c14bb41fe724e3ce2b2b

SHA1
0bded00aa749a535109df79aca75818e64e0c07e

SHA256
78e92dbad031b64dd16c6cb101603931f2607e1dc7897bd0e559769d6a4e615f

SHA512
10b4f721effc0674876d6a5646defe51edead1bb5bb96b6749221e1645d56ea4db916360f84fe5e193c7b4ff2bd7ea7c98ec279740a8c9d585d165d8bc59247e

Download Submit
/data/data/com.hejanuni.backup/app_raise/oat/x86_64/hUAobM.vdex

Filesize
39KB

MD5
b9e53177c909939db72913994b8ce9f2

SHA1
e8017d07ae20faf8af0f88c80b2f417eb8cea399

SHA256
b2458126be7743109a0f1aa7240c0a78b26d3a974fe6b7c2db5151e9f64e9d54

SHA512
c4ff592f588db448661359f6a2f633265037522c924d5655e84e58ddfdeb381e1f52ab2135a4fbe0e78e0c239bce894cc5c9122892ad9666142b4d12f0f00c6a

Download Submit
/data/data/com.hejanuni.backup/files/profileInstalled

Filesize
24B

MD5
9bd66a39a1992f4f927903a775b4f99a

SHA1
7ad78b20286ea77b85681090e6403cee58e79f3d

SHA256
e6c7bda7d84ce0cd33d884e9179701e6ba528e3f805f76192fc17702c1b07a90

SHA512
13811f81f6384846e84912e6362f251e48a64e8607d33257bb5a6182c19fb90f4410764d7c54acce1ed306ba9d51f822e5bb31a03449c95fa5f01c5c5b26e9df

Download Submit
/data/data/com.hejanuni.backup/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

Filesize
8B

MD5
1ff7f334a22135a71a7829d57db4ff87

SHA1
d0cd9ce4034489b49b406111556c6274b3c4abf9

SHA256
dda66654ac56283d76254ed16217243351287a67655d5936a42a22a90c9b2fb2

SHA512
be632b26e87fadf3987a4f3666020b9f5db92a2baf16db4439b66a87bad6ac22046b82131a5503cbf15babe4cb9b61c9d45f905c14c82c2b2880a857cde9eb75

Download Submit
/data/data/com.hejanuni.backup/no_backup/androidx.work.workdb

Filesize
104KB

MD5
b5e49f68d4ba68ab5a9b2b5941657081

SHA1
79d8e9c4a42ab8ed2c78dc25319d8f8abc58bc1e

SHA256
f14275163ad1dcf1780f5ca5e0a1382fc6e4bb59530877de0898674b0de17fed

SHA512
9254a0ecaf7f608653cb5edd6ec61874b5c93dc90f1bdb2fc4fcd57be534af3489f3b3634b408e37f14e3d86a2953f566369cdf17f41830c02365576b9381e70

Download Submit
/data/data/com.hejanuni.backup/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
d76ac314373c42879465b83404a58fee

SHA1
517250d798fb54ef6f6f87525480516be57c4c4c

SHA256
75c686365326072fb696b9d1fe244639b14dd1a3245f15e3cf27e3921131d24a

SHA512
f9fdae7e8d4fe8430b65bb3b7db9fbb7b80fc0b461aff72201ea9ccac608f7f9e33622a5a9f80192a6869ab021da6f6d79cedb3a130879a645615b7f18f74574

Download Submit
/data/data/com.hejanuni.backup/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.hejanuni.backup/no_backup/androidx.work.workdb-wal

Filesize
116KB

MD5
6456dbb26841144be6bf43009d909051

SHA1
5b4a6126a2121e7cbede1c393d9f1107e35ff72f

SHA256
52a117fc95b24a1a2a7fa5b258118ad4736932ad33019583253d0a32d11a9ffa

SHA512
8824cffa67b80d96ee3c367c83539e864b3ccad35a50b1e633fb0e23fbdd9cd12684ac9660fae35d14af167a0b03ee51171831bb27ef3ac4c5862399b9260acd

Download Submit
/data/data/com.hejanuni.backup/no_backup/androidx.work.workdb-wal

Filesize
430KB

MD5
e4982f270aa7913210a59ceb9f30ecaa

SHA1
f0fdd5c927a195a4eed71cb4d231ce0700495d01

SHA256
d7bddfd720ac474ab5cd82ef8f52f684888c84b636e25799f220898f7900f898

SHA512
9491088b1d0d2127f30ef6152e1b49b167420f10b347385ca6e958f1f6d0628d5cdccc2b430ea31ba5ac5848aa1c670dd1d6287289ffe025a913ec744d4dd7ac

Download Submit
/data/data/com.hejanuni.backup/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
000e96bb6887c8fe600c15b5e314e226

SHA1
d750ba87110e205f2dbd985b2e2f76b3ca85f70f

SHA256
8b4f864b8a63ff4a5eaffa8452b1673efad7ebf82358664c2ea189130b5577e9

SHA512
1b7b4c158d18496c788f65cc06b8299236c3ea50d54b61780759597dad1c3d50994ff5a644d489e489c7124146680394d7abe3d89dd6039d13fec52eb83d8673

Download Submit
/data/misc/profiles/cur/0/com.hejanuni.backup/primary.prof

Filesize
1KB

MD5
db4c458505af4b826cd967433f8cdd09

SHA1
67b50ba0bfd01f2fb745d6984b6384ae807b9b3b

SHA256
c75a9bcbbe1499599eaab7de59709fae1fe6e7f439850cf7bb51865fa480539c

SHA512
9cfe993e870e252d80b8bc4e173b27729f86ee7686596afd56f9807240ec6c16d5e16dcc987ac631fb974eab8a72a682be2053b4f71f3e7cc3c816487ec9ffa5

Download Submit
/data/user/0/com.hejanuni.backup/app_raise/hUAobM.json

Filesize
2.1MB

MD5
9ee668485e5a11a95d70387de47094d5

SHA1
45308543ea23c1dab4a8e81125c47dab2a79d66c

SHA256
e18f1a1eb718eccc8fe2562d123a82554b83eac3eabfc73775efeb222b5649ed

SHA512
96c6e26af80d9ddd5fde7f4add3817af28bafac756a1134c40d4304e177a16455a5978ffa782f4dfe2bf3f289ca561e8245e822c322d09c4188733973e865f5b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads