Analysis
-
max time kernel
149s
-
max time network
134s
-
platform
android_x64
-
resource
android-33-x64-arm64-20240624-en
-
resource tags
android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240624-en, locale:en-us, os:android-13-x64, system
submitted
18-12-2024 15:38
Static task
static1
Behavioral task
behavioral1
Sample
12.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
12.apk
Resource
android-33-x64-arm64-20240624-en
General
-
Target
12.apk
-
Size
7.7MB
-
MD5
125591b1ba792dc40478fba12b09970c
-
SHA1
db165b084b44f98cd47540f4c73a8ab8feb05660
-
SHA256
2e6c7354f7b4dce59752054929731c5055df15301ed094820bdbbcd5c0cfa12e
-
SHA512
c4133747d64d31d578ad11d20f61bd138171b9254496bb40628821c78ce98c685a054d6f3bd26a6857a0b14d0eb8d83223bc74979e95f4044e1d8c168e38c552
-
SSDEEP
196608:egbAsJ3OmCt1AsyRLm5Mymhnl6m4955q45z+YK:d8sFYUsUm2yEnl6mmjqYzm
Malware Config
Extracted
trickmo
http://skyfrostweb.cn.com/c
Signatures
-
TrickMo
TrickMo is an Android banking trojan, first seen in September 2019, with the capability to intercept 2FA codes.
-
Trickmo family
-
Loads dropped Dex/Jar 1 TTPs 4 IoCs
Runs executable file dropped to the device during analysis.
ioc
/data/user/0/nilheart.ptur744.lens/app_huge/CQ.json
pid
4309
Process
nilheart.ptur744.lens
ioc
/data/user/0/nilheart.ptur744.lens/app_huge/CQ.json!classes2.dex
pid
4309
Process
nilheart.ptur744.lens
ioc
/data/user/0/nilheart.ptur744.lens/app_huge/CQ.json!classes3.dex
pid
4309
Process
nilheart.ptur744.lens
ioc
/data/user/0/nilheart.ptur744.lens/app_huge/CQ.json!classes4.dex
pid
4309
Process
nilheart.ptur744.lens
-
Makes use of the framework's Accessibility service 4 TTPs 1 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description
Framework service call
ioc
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Process
nilheart.ptur744.lens
-
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description
Framework service call
ioc
android.content.IClipboard.addPrimaryClipChangedListener
Process
nilheart.ptur744.lens
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description
Intent action
ioc
android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
Process
nilheart.ptur744.lens
-
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
description
Framework API call
ioc
android.hardware.SensorManager.registerListener
Process
nilheart.ptur744.lens
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description
Framework service call
ioc
android.app.job.IJobScheduler.schedule
Process
nilheart.ptur744.lens
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description
Framework API call
ioc
javax.crypto.Cipher.doFinal
Process
nilheart.ptur744.lens
-
Checks CPU information 2 TTPs 1 IoCs
description
File opened for read
ioc
/proc/cpuinfo
Process
nilheart.ptur744.lens
-
Checks memory information 2 TTPs 1 IoCs
description
File opened for read
ioc
/proc/meminfo
Process
nilheart.ptur744.lens
Processes
-
nilheart.ptur744.lens
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4309
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime (1)
Hide Artifacts (2)
User Evasion (2)
Input Injection (1)
Virtualization/Sandbox Evasion (2)
System Checks (2)
Credential Access
Clipboard Data (1)
Input Capture (2)
GUI Input Capture (1)
Keylogging (1)
Discovery
Software Discovery (1)
Security Software Discovery (1)
System Information Discovery (2)
System Network Configuration Discovery (1)
Downloads
-
Filesize
5.2MB
MD5
226e709c8643b778efddd5fe1e195790
SHA1
9ef8bb653086f9b3aa8bd444239fdb842a82cb34
SHA256
b289bdcd27abeb414fe50ba4081ae04f990bcf1a6f1ccc011d8101dbd5fc7ef8
SHA512
c7fa9e4e5b2e690202e50d09a2a01ec453ba6d3fd54384f50f5395b8a0a909635946ee1ccc4b1bac858e31d201d2a4f6f83d17f561af9b0bdf143a46fbb7345c
-
Filesize
5.2MB
MD5
0aa7fa04a36ff1e94535c808c1ad7257
SHA1
f683f87e93a04b3f7e7ef65e9d8b54c58acc36c3
SHA256
cce222d0fa0635f95300a3dbe2f07fef123eed04f6333774f7edc112b326456e
SHA512
3aaad794700cd9e56db310aa0f65930a6c7d875a859881ac83f043af7a4bfdbffb8c6d496cf65829072c8a5a69abd5b427f255bde957892bdcd014ef09ced888
-
Filesize
17KB
MD5
d780f836fe54e51872bf31220a4dcb77
SHA1
5136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae
SHA256
32abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17
SHA512
62842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635
-
Filesize
20KB
MD5
91af32c14839a2828ca58297e0861362
SHA1
bd758cc0bb47b570da2061d4633aa998a87ed971
SHA256
5d8e556cf9230390a2ea6e8fe0300bf0d3c28397a75d4d5d1138cf25713d5923
SHA512
9810060201633366b6d13e9b81a2d9fe1adb61e027a215cd05454bbefaa7f6e1a17aae3781eedd8095a398a05f3c7cf03b589f29d1ac4789dfbf61bce25b9fb7
-
Filesize
20KB
MD5
c27670b421d0923744ca4bdfeacb51e0
SHA1
1e13e8c633138ddba6cc95af3bd277e43afb329f
SHA256
6c758db0618047e470e728d15582dfed942cb2cea3738a9894de4404c19c4691
SHA512
a3055c46376e8060eeaddb62b5e102417c0aa7a16b8c2fcdeff76d290efcdee91c0f7a97c042dbe7118fc9bcab2f9e412986af7ea01b9ed73550b981117016c5
-
Filesize
16KB
MD5
33d0d80f4f6979739246e2857f72c106
SHA1
d62058f54d7f11edfb498d732a1f5385896d3f8a
SHA256
cb053c3486ce0addf68e21473d75dfa21046dbf59e4938c98ff887b365cfd771
SHA512
6396b8656090aa21f34d89ff825c7ac1f82601aae2fde9f6a9490ec24c9117bf6affabad4466c85d4ad4640e88099b06d6ea0bf489e0924decf217d744f5c0a7
-
Filesize
512B
MD5
55d8f809978e1d795d431e349ff879e2
SHA1
da4da2fa94c61bdf1782963f74c26899adf8a841
SHA256
cfaada4a4ca5cf0c0114a24a920bcdb9e0be8becd6ff64a6eb00d5452b0914c3
SHA512
51a3968716553a724c6a05c9fd136b786e7561a18b87a6d3413ec65cc0597377d79a5d832c83488cf28b6326e2157f18a1c425e2bbc878923df5540783394d08
-
Filesize
8KB
MD5
4851796ec37483644e579d1b0034b125
SHA1
abc29278ea684e207b9a91400ef4ddb61d721591
SHA256
de9500b7e394b0becb52507a89fe673f1a46d2beada78e1cec7bdadc39d442d5
SHA512
5cbb0a3ac0cdb31788ea821d6ae9f36f14f02c55cd5984a649c9199ca99f9559c813d88bb2d21ffa8a8a29604f2e1887795d13b34a20f8b7a926b9eaae113c8f
-
Filesize
8KB
MD5
ac2bb64ea80adb71a8eab0f11ccc98ee
SHA1
62baee9f9086d192bbb4e49685c17fb42ae955a4
SHA256
8d6b56e37259098dab7bbbe3b2f4b55fe78244309d960f7222221f353628aba3
SHA512
47cea3281202269da44ad412156a9b8244f562c8efd01369b39c64de81e84293ee8eb6640288eef0672a2d8e83d1e45cf42655ecbeac9a96a5602db45c81a075
-
Filesize
12KB
MD5
e38cafff90719cacaa3bbe95005a30de
SHA1
2572dd7177c4cce0c6f9dddb35e15e0ce0c6f6de
SHA256
7561ce38b44045314f09b9680abd693860933987a92867be20dc409e2ebcacfc
SHA512
fdc347fd0678d117e2a9ec57a26eb23463869872ea7df3e51da5861919d04cefab9a769712d2f8b0817a315699112ce8a7ee85a675afc88424f57b0421563fe9
-
Filesize
8KB
MD5
ca66ee38308ba89b9d5c1e8225688bb4
SHA1
9888fef4b8c90c6e1c44783c29abcb0a4a186283
SHA256
9d0a503b72fa5319e5ee81ce31006b0ed060f1b53a8819dda4ca0b64c910d0fa
SHA512
ad92a31377c5c4b1f798e76a0de5b5659d61c471408ab58581790f0c39355a6546110d5964e88d7c5e86239b78255b9ccbc7662025bf54a8bc0d76aeb7a1fbf1
-
Filesize
256B
MD5
8a19c15ce87e233fa656d3b3bdae593b
SHA1
23f089716839329e2c42acd80885938068aab75b
SHA256
f91f1759ec179e98b7f0bc95528fee613ef2d85e215fa9e3985cdccd44fab1fd
SHA512
3ef4d8230c1936af3d515c9117ec30817f91048846a87cddeb607a5fbf94f62a51ac6bd3c0b9391cdfbbe718741277471612ec08811a537bdcc61e2607998359
-
Filesize
4KB
MD5
0eb157e1a86d4d00aa601dd2f6ff3ee3
SHA1
fee434f784e73cc7916322e949f727caf8363102
SHA256
b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4
SHA512
b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8
-
Filesize
512B
MD5
eec83f9ba4cd8693dabd26ef496a96e4
SHA1
0a16bb4aa3543cb303a7766ebf2a6e38006c20e3
SHA256
94d10425c61ef7f27ce5164d3d1315293c55e4120c0024e4298cd7fa3fdc569c
SHA512
556b75ae98e84874fb84aad7f08e22a0eb3a26e8d3f8da583afd92f416dfcbd29a4b3ecd65f21a3c2ce9a04172d27df636f9b98cebbab61954bf43f79ced4c3e
-
Filesize
32KB
MD5
bb7df04e1b0a2570657527a7e108ae23
SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
173KB
MD5
ab55b4a1fefd2021f31e94ce9264fec1
SHA1
0e8461c9067e91e1d350505d6b2f9b33a5a9a4ea
SHA256
bf77fb767d2a887bdaea14636c3bf99c912cf28bcac3e790cb2cf243986f88ab
SHA512
8e503ae4aaafdcdee20d9195e59d3d38e73868adcdb06ca21c84c13a97c182e073793722b7ada13291d102f5033a12afc25a7e855b9d6ed8dbaf8657ec3915fa
-
Filesize
16KB
MD5
13275efa242a80158e6d5ee6248d339b
SHA1
43c0560c4d61470543a768bc9e40d5729d03e8f9
SHA256
ed767b9e282572a8a44e3cf5b11635130cd7b43cbe5407f03afefd7e07ef96e5
SHA512
26d5f5387684c9155ae4fc5d21278f9e6b8334079925a7cf9ec7af8eb2836b99db607e1aa170805c7ec7e70ee41a1c69964dd67331e294bc1788420ad6bed0b1
-
Filesize
108KB
MD5
69dc6af8370319b18826aa4de7e431df
SHA1
faa8e6b7741ed7b4249277b2866eb95847911154
SHA256
9ec04348a5e50bb9e1ff679ca05b3c298831a016f8bc22a0d5022fc6b5571925
SHA512
ecf1d416d46850286313da73d1c9e32a3cc9553d8a5ced6f6b01cbf69a7aea1ebe99488c5599eecbbd98865fcdf835d83a9c1b29546245608e362f5ed12748c0
-
Filesize
11.1MB
MD5
28041432b0c51e3e887643272629c83e
SHA1
fbea5dfc62f03e1ff784b410ec0d547de0e8156b
SHA256
85c845feaa13eb5b0d02b64a996bf1a84b3aa77b6cf616f3db8ae5b4c70e9902
SHA512
7e69a4dffce031e990827d655b83ce66bfca72ecdc5bba4a264f877e0a3788953c41e2f6766e8327127d1b68b63775569648340fda09b4ce13684f0aaca6438f
-
Filesize
351KB
MD5
fc03e38b9df1aecdaa7ad9582a3007fa
SHA1
7ab8f6c8c79015f5eb4809f85987afa91206ed3b
SHA256
b4a3a76ea11bdd51239bf96f452dfa1e7eb73fd3b34607bf903ba8810820baea
SHA512
7639ce7f817c0b4a926c61f1dfae18e843e2ad85188df9d5d9711961d5d9761d46f16fb36a06a9a60bbd0d0a33b6435fa7e5ff299fb287828ce8e9fa5ce127d3
-
Filesize
258KB
MD5
dbb329a8075c9e01b2cb16c0ca1e7021
SHA1
c165f196aa9fc7f8812244dc029318720b3e6a75
SHA256
d39fcf9a729d1ac899369481f0d28fb6b5f7213bfd9d1c1aca11afb8a5bbac4c
SHA512
d57013a783a28a2c6d116f57d60bdcee6958ffcd2402b3ebb5be57506ff73d85c9db8dda4b6d33000140c206e7fb54d3fbbaf55693af1de4155d6a085cfce15f
-
Filesize
1.9MB
MD5
2d73c5997273e3910c1ac1d8db7ba145
SHA1
25737e75ed15863e69d02a14efa781370dfec798
SHA256
411c3194c11f6254e4bb6cdbf247518a4696ce9bffc6d373ba7e949889db9965
SHA512
7adca729d74394232c26ee76272a85342fd88c9101d417ba3a0b1018f29cdbe4a852a3458548e4e333db55520cf8b0a7700f6bcb3cfee77a12ec3d272c4dc13a
-
Filesize
153B
MD5
e4caf02694c558225c11da75bd4fdf20
SHA1
9260fa514d959788ccccebd859e3a1c84925e5be
SHA256
c7f5c9fffaa4e9f86e88444b3c010d01ecf0bb447116ddcf7ada4db1b691d421
SHA512
5dc24231320741e09bd0caad02ece44b87e49ef8a91697d7430f200b663394edee1f8f6a8daad8169b681e5406c25c996f85c1313c45ecf0db03a6dc2cd2deaf
-
/storage/emulated/0/Android/data/nilheart.ptur744.lens/cache/records/com.android.settings_2024-12-18-15-38-39.txt
Filesize
31KB
MD5
4d571fc789875ef5fbdf95d15daf1d6b
SHA1
d7e2096fca873394820abe099092d20f19cb87b5
SHA256
02b1676e97d515c7212e11f941b3f9344a4c4f8669a96b6dfe2ec792a688b829
SHA512
7458bb1795fb07949eb12cc9ad9aca8a440be09b547e67387657cd84f93ba276fa231d97f085926528ea52115a5e72646a071c82b74e10c45d74bdef52b1b2dc
-
/storage/emulated/0/Android/data/nilheart.ptur744.lens/cache/records/com.android.settings_2024-12-18-15-38-39.txt
Filesize
47KB
MD5
e8943cbe24ace749fb6a0af0bb0e2b14
SHA1
39eab11241fcb6b7e82fa38e164b23a89cfd5857
SHA256
48d19341b41ea55ad91c7a7e701abb96fa6b1020545a92255bb9de0e64b6dc8e
SHA512
0df50110351c936c295a0c9dfdb23b9eb47bcd43d670cf73ed14b952d8f16e321b6553a92177bd717cb325923e731bdb96212e187e9a8af871860680a735a363
-
/storage/emulated/0/Android/data/nilheart.ptur744.lens/cache/records/com.android.settings_2024-12-18-15-38-39.txt
Filesize
63KB
MD5
10c0d008b9d385ee63ef7ca2f83e6e44
SHA1
331ec41eebab37c074297b6a3c347d7d1e9b1866
SHA256
5a386669fc6f93c8ffc187059049bcf5f45e16593fd6201aa4cf81ba8a695dc3
SHA512
2c41e286f548ead7147315d926268ee33b2bfbab49eb43c9878e1eba3a380907a3e7a8d48355589d11401507dcc0b59bab5c256d6be813c5a68d9ddae11f2565
-
/storage/emulated/0/Android/data/nilheart.ptur744.lens/cache/records/com.android.settings_2024-12-18-15-38-39.txt (deleted)
Filesize
15KB
MD5
92a4e81ee3928b07259cd453ab3ab905
SHA1
fb9f3cb0812300f938103f57e88bf37a1fb83c5d
SHA256
c3f2dd371c85335ac453f781b346a65e54d7348bbcc8b393328921b1e14fd368
SHA512
40b477700e33ed3af3b4425a177a7ecd66682d10f263fc3f50607836cca3afa27860889678de530bbcacdead185c94484c4a79495ce7bb698b3b1bc2539846fd
-
/storage/emulated/0/Android/data/nilheart.ptur744.lens/cache/records/com.android.settings_2024-12-18-15-38-39.txt.zip (deleted)
Filesize
2KB
MD5
cc85f7ada5e4f83d88f4f5806690db7f
SHA1
7e1490529f2f684545730ab4eeff80500613b054
SHA256
d2060f3b628948206a3d68ec260139695020c720258c4834b4ad873aca96a276
SHA512
6cf6b6d5d581cb545dc814ae423596587bd68663dfc29cc61b50744f5803de73dc5f15a4f73dd4a458b07ca4510d2f9968479706648c50881e3eb0b6a0c44de4
-
/storage/emulated/0/Android/data/nilheart.ptur744.lens/cache/records/com.google.android.permissioncontroller_2024-12-18-15-38-33.txt
Filesize
1001B
MD5
1c56b419f043be564ccf85c040ba4758
SHA1
28c97c81599d098b2034aa18abfc72c6c26ea956
SHA256
e37f82553044557524cb0b7d2de8623384e03ba01d61cf1de79b2335577c00e5
SHA512
ccdc36a1535485c1b62c64ed3ab1f1ae630494e4590506147468bbf0cddd5f5aad538a576a124da28637cd6e138c25ef91433d048ae8422b0d40772d6ae6fd24
-
/storage/emulated/0/Android/data/nilheart.ptur744.lens/cache/records/com.google.android.permissioncontroller_2024-12-18-15-38-33.txt (deleted)
Filesize
5KB
MD5
584048bd533afc7f42e29025676194ca
SHA1
e9695ac7f7d4fa54aed6b455183fddac38d3e72d
SHA256
bf756181f39f52bb38d2f4f7154b11fcf4336b17c1d8bf9b62878cdb4aa207bd
SHA512
5561e0474eedd6a0042c7c5a1763df63d50ef68b09a415c485bf0c746d570112c5065f9368bacfe0891af133cbd5332ebe118bdc704d5f432018be38704d199f
-
/storage/emulated/0/Android/data/nilheart.ptur744.lens/cache/records/com.google.android.permissioncontroller_2024-12-18-15-38-33.txt.zip (deleted)
Filesize
974B
MD5
8b642d05d75ad1cc949a77e82a13fbd7
SHA1
7f3a7631635d55745ce0232e434e933dff2cf0e7
SHA256
362a89d9b684883bb28be5576854907a6b1958b95d0c1ca0f82044cce33ba697
SHA512
b286e0c75dcfb150e40f1a7c312faa11d4e2c05420d4626beacf6acb963267788fd1e45fe27b792347c813b468e6bdaebf02e24b4579d0ae56b393d04331a1bd