antidot | 3a67cd052d4489d80b891515fb628bb1055d1d36f1098f2e1f8d531f37495239

Analysis

max time kernel
149s
max time network
152s
platform
android-11_x64
resource
android-x64-arm64-20240910-en
resource tags

arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
submitted
22/03/2025, 00:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wilacayuzeti.apk
Size

7.6MB
MD5

42bdb83e42a9fada855b991c7cbb1c86
SHA1

d363089380fb259c3fc071ad04cbd2662ffd53a2
SHA256

f5de4bc0a114ad6e47beb3ed90df7071326d87976b9bab6670ecaab6222e6850
SHA512

c1d01c7a393ca2b936da476bad5abe3faea517a4683fa48275e4c70d28814050a00c379c944576651b830028f99c17cf40fc640b0103492ba81c1b1d68ad8cb2
SSDEEP

98304:qo/KrTKdFp/WvLPzQlNmxbi3K2ea76TIyIIiB2ieSyeTgnrSsnrBQaOVTXMyebi8:/dFp/KLPzZBUgIydYErSsrixdwiaLt

Score

10^/10

antidot banker collection credential_access defense_evasion evasion execution impact infostealer persistence trojan

Malware Config

Signatures

Antidot
Antidot is an Android banking trojan first seen in May 2024.
banker trojan infostealer antidot
Antidot family
antidot

Antidot payload 1 IoCs

resource	yara_rule
behavioral6/memory/4781-0.dex	family_antidot

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.zumaju.dynamic/app_shield/FtbPN.json	4781	com.zumaju.dynamic

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.zumaju.dynamic
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.zumaju.dynamic
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.zumaju.dynamic

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.zumaju.dynamic

Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.zumaju.dynamic
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.zumaju.dynamic
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.zumaju.dynamic

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.zumaju.dynamic

Requests modifying system settings. 1 IoCs

defense_evasion

description	ioc	Process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.zumaju.dynamic

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.zumaju.dynamic

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.zumaju.dynamic

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.zumaju.dynamic

com.zumaju.dynamic
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Schedules tasks to execute at a specified time
- Checks CPU information
- Checks memory information
PID:4781

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

System Information Discovery

T1426

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.zumaju.dynamic/app_shield/FtbPN.json

Filesize
993KB

MD5
1dc773b6acf83071f6516d605bc63d10

SHA1
a31d6a0cfb1cb020cdb87ee6f1a8d36160b85715

SHA256
040ef48945c9df2e08d495db83a6f47351e44dc5f7f05979c2e39c6f98b927ba

SHA512
7bb039958532b3b6cbed3a4fd3a9fdd3bfb6129bf8e2966ed57f4605437f3a85b9422ff29c51a7b5a5dc83052266bf9cf875289e028190afcc6177124b0dac6c

Download Submit
/data/data/com.zumaju.dynamic/app_shield/FtbPN.json

Filesize
993KB

MD5
8c52882e3cf4ca705c3164c40c9d1e96

SHA1
7ffdbff27a2ad5cb0c076b332849ebfa2ffecd31

SHA256
c6d4eee4725eae1fd5577c6e5642c551a0aa4347c6d3c195c124237a48fdceb7

SHA512
afecdceb4857d8e12100d8d3c4a39beb460d93bdb5026eead2a3ac893238ce1c16aa24d0ae27f3eee5283a6bba2de2d0f60c8dde59c01ee0330772bc4fdecb44

Download Submit
/data/data/com.zumaju.dynamic/app_shield/oat/FtbPN.json.cur.prof

Filesize
3KB

MD5
2f9d26513f772b4949aa178bd7065f2c

SHA1
c8f9c5d8948b09b0e8adb5609f70b017f35d6e20

SHA256
f7536362dece291e8b409ec7bae4661b4646a982b3f644b14b6d1827897c4b21

SHA512
086bef18c7f382a899caced580ef7495ec6a467a91068251cc903e1869f8ebb06d456a2802ca4dbccb3b06facd94fadcfd390a9d1a1b012ebfed03409d3a20d5

Download Submit
/data/data/com.zumaju.dynamic/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

Filesize
8B

MD5
1c3a84cfcb7981786c042d48c0bf7627

SHA1
5a83df70cbc2f5aaa2c2bbc612a734d50544fada

SHA256
74b48e1ae534ab7fc31b2e97f27d8607cec3a9dc74d57b5625b02106bbe976c2

SHA512
036a3f9085d2609e2a2b7cc91f081e97393fc7cebe2d9e1dc9e050c98eaa6ff7988d31fec29b7e5acac1992c9278f7a9295f8aa7fe029c1ff03ac09f7e51596c

Download Submit
/data/data/com.zumaju.dynamic/no_backup/androidx.work.workdb

Filesize
104KB

MD5
e7f92ba2473c5e76ca132ac2a154f04f

SHA1
90460c124fa703892ee122790a972876436c6b37

SHA256
2f634fc40e49b9fd90fca77b57ef808d3e4efde2fff44f5e6fd4b5519a08e8ee

SHA512
a6175b90e8e84d2be8c638faa7d9baab16e4e6774e068f6a7dba18b43030160615983294498c303fdf674ae0c1223d48696c80215cea09cc860d15e1fabab732

Download Submit
/data/data/com.zumaju.dynamic/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
7416f0debc2869037bd0d1325f771239

SHA1
da4e8cce11f96680da70ddbbaa1ebbb3fee1e87b

SHA256
bea088d43cff0d9b84ea3b17b2ba81755dcf15b2024e8668eea7e3e8e8dac0df

SHA512
e7911d9fd71db214a2864309a43a588fa2ee2d0329b13116b01cedcd8961ae251365159178f69e9ec5a822609a3fdf04baba228b2992fc15309553b7846c4c2d

Download Submit
/data/data/com.zumaju.dynamic/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.zumaju.dynamic/no_backup/androidx.work.workdb-wal

Filesize
426KB

MD5
4d01f4f4f0b6b1d7926250f7501cd755

SHA1
986b4d96eb1192b821978f5c9822d0ef238a0b12

SHA256
1bb8d65502534447ef2b07b9ef834bc502fdc48bc663798ed51e4391e5b2803b

SHA512
16c327cf74b52908601075def7106019543f79e6bdd92803d891ebbda465c04fa9560d0e853cbeab98b236f233b8870d7f39888d4ebdbec710ba880a1e68fafe

Download Submit
/data/data/com.zumaju.dynamic/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
0803a5e27739b389efd842befbd7e252

SHA1
f43ab5d116fb899e391c415a2ce96fcdb460ef55

SHA256
5abebe929e150b1e7a74ba695294e0fe399aea67db25d38a5f14ba4070a19bf1

SHA512
54894186558d6b95eeb4a4c72f04feab9043b2445103dd54a87fa4db63f399ec4d69d503d9bdbf1a1cefb79cd9ed0a87c12e982c6aa9294bdb1b6ea0a21adc6d

Download Submit
/data/data/com.zumaju.dynamic/no_backup/androidx.work.workdb-wal

Filesize
116KB

MD5
525612e12bc3a5993db03e4a251dc993

SHA1
80ab354449ed5b5b55723fc7f017e5fe22329a50

SHA256
54b946f14061c007c63c0f806962f3352ba720aeb9e4539a9f55d0c843ab4d87

SHA512
39ee6b6cb75336a755c29d2147631d989b549d9f3a641a32154ec6599ae768cf92e8125dd8e3caa8cb90e2cd355e59c1f858ff2b10b5fa7d4ac2244b69f9be8b

Download Submit
/data/misc/profiles/cur/0/com.zumaju.dynamic/primary.prof

Filesize
1KB

MD5
cd95702fcf186bb33493c17508fd711b

SHA1
517cf7916e1dcfc6bea4d637b7a97b177e8057c7

SHA256
44bb217cbe60317fa024590c7d1bb9dc1bdd755abf0df770ddceddd4ea7ed716

SHA512
dbff21e3cc5909dac2a69a7c88c61e78d46e31786efb9f7ddbdc037cdd98e9395afb9923ff803a85131b16d43aff9b246c9e6d3f1eece0ac2e6df070790f2db5

Download Submit
/data/misc/profiles/cur/0/com.zumaju.dynamic/primary.prof

Filesize
191B

MD5
df490dd7146922f8f8b5c53a4cd15f1b

SHA1
6055746db5c6dc5005c14eee650ee0a6b169eb27

SHA256
7b7cf2a69dd156284558075bb8a5b8390396066bfbf8c082890c0ef89045b76c

SHA512
de37cc24e458e61bddcc752d4ef7b94fec8b7ab08a5ec47c2fde06c7df9ba66f32d67bdec1336c6c03bf8dda125fa671d3b16bf56cbd21bc3af0927356ac994e

Download Submit
/data/user/0/com.zumaju.dynamic/app_shield/FtbPN.json

Filesize
2.1MB

MD5
94c30eae3921878ae3e8a3a495b7a85f

SHA1
9606d33fedfcfa807474c035b3aa0c59b1621166

SHA256
f215e32736c7d47be0b97ebc3292b4767c1e439ddb65a41f09d7e97de39e21a7

SHA512
634401055fd3c9653727b6ad32cddb3e605222b6f521b544ba6f148e2ce8b84a5d8e9f0b7218e979395f2fed59b3ba90a99ff66e88ad76413b43e95aacfeb8d0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads