Analysis
-
max time kernel
97s -
max time network
137s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system -
submitted
19-12-2024 02:29
Static task
static1
Behavioral task
behavioral1
Sample
2e6c7354f7b4dce59752054929731c5055df15301ed094820bdbbcd5c0cfa12e.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
2e6c7354f7b4dce59752054929731c5055df15301ed094820bdbbcd5c0cfa12e.apk
Resource
android-x64-20240624-en
General
-
Target
2e6c7354f7b4dce59752054929731c5055df15301ed094820bdbbcd5c0cfa12e.apk
-
Size
7.7MB
-
MD5
125591b1ba792dc40478fba12b09970c
-
SHA1
db165b084b44f98cd47540f4c73a8ab8feb05660
-
SHA256
2e6c7354f7b4dce59752054929731c5055df15301ed094820bdbbcd5c0cfa12e
-
SHA512
c4133747d64d31d578ad11d20f61bd138171b9254496bb40628821c78ce98c685a054d6f3bd26a6857a0b14d0eb8d83223bc74979e95f4044e1d8c168e38c552
-
SSDEEP
196608:egbAsJ3OmCt1AsyRLm5Mymhnl6m4955q45z+YK:d8sFYUsUm2yEnl6mmjqYzm
Malware Config
Extracted
trickmo
http://skyfrostweb.cn.com/c
Signatures
-
TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
-
Trickmo family
-
Loads dropped Dex/Jar 1 TTPs 8 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/nilheart.ptur744.lens/app_huge/CQ.json 4280 /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/nilheart.ptur744.lens/app_huge/CQ.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/nilheart.ptur744.lens/app_huge/oat/x86/CQ.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/nilheart.ptur744.lens/app_huge/CQ.json!classes2.dex 4280 /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/nilheart.ptur744.lens/app_huge/CQ.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/nilheart.ptur744.lens/app_huge/oat/x86/CQ.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/nilheart.ptur744.lens/app_huge/CQ.json!classes3.dex 4280 /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/nilheart.ptur744.lens/app_huge/CQ.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/nilheart.ptur744.lens/app_huge/oat/x86/CQ.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/nilheart.ptur744.lens/app_huge/CQ.json!classes4.dex 4280 /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/nilheart.ptur744.lens/app_huge/CQ.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/nilheart.ptur744.lens/app_huge/oat/x86/CQ.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/nilheart.ptur744.lens/app_huge/CQ.json 4253 nilheart.ptur744.lens /data/user/0/nilheart.ptur744.lens/app_huge/CQ.json!classes2.dex 4253 nilheart.ptur744.lens /data/user/0/nilheart.ptur744.lens/app_huge/CQ.json!classes3.dex 4253 nilheart.ptur744.lens /data/user/0/nilheart.ptur744.lens/app_huge/CQ.json!classes4.dex 4253 nilheart.ptur744.lens -
Makes use of the framework's Accessibility service 4 TTPs 1 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId nilheart.ptur744.lens -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone nilheart.ptur744.lens -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver nilheart.ptur744.lens -
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description ioc Process Framework service call android.app.job.IJobScheduler.schedule nilheart.ptur744.lens -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal nilheart.ptur744.lens -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo nilheart.ptur744.lens -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo nilheart.ptur744.lens
Processes
-
nilheart.ptur744.lens1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4253 -
/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/nilheart.ptur744.lens/app_huge/CQ.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/nilheart.ptur744.lens/app_huge/oat/x86/CQ.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4280
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Scheduled Task/Job
1Defense Evasion
Download New Code at Runtime
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.2MB
MD5226e709c8643b778efddd5fe1e195790
SHA19ef8bb653086f9b3aa8bd444239fdb842a82cb34
SHA256b289bdcd27abeb414fe50ba4081ae04f990bcf1a6f1ccc011d8101dbd5fc7ef8
SHA512c7fa9e4e5b2e690202e50d09a2a01ec453ba6d3fd54384f50f5395b8a0a909635946ee1ccc4b1bac858e31d201d2a4f6f83d17f561af9b0bdf143a46fbb7345c
-
Filesize
5.2MB
MD50aa7fa04a36ff1e94535c808c1ad7257
SHA1f683f87e93a04b3f7e7ef65e9d8b54c58acc36c3
SHA256cce222d0fa0635f95300a3dbe2f07fef123eed04f6333774f7edc112b326456e
SHA5123aaad794700cd9e56db310aa0f65930a6c7d875a859881ac83f043af7a4bfdbffb8c6d496cf65829072c8a5a69abd5b427f255bde957892bdcd014ef09ced888
-
Filesize
17KB
MD5d780f836fe54e51872bf31220a4dcb77
SHA15136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae
SHA25632abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17
SHA51262842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635
-
Filesize
512B
MD50c2536e9876f2a002bd67f7e6650527b
SHA1d0895b6f5ca97ee36c2e2c594b04376a6c1a6db5
SHA25637f8b63a74afbbeb774a7c36d5a59a83942ac1c716705e0e6bd137d17136e6db
SHA51243023c4601f1e4d45bd68bfaef0d97470d8bb533ca0336a27d6f851b0a5db19894374b5452be7c64d13c0f1095612e3a4548e857c3d0e581a9e2383c4bb6efdc
-
Filesize
32KB
MD5487419fdc8799f4158d79ea7c020600d
SHA165e85a00a3fec04022ee51a74de940fa4f57409d
SHA2561cf50254bb0706fc15316e4e419f84d8d1059c979790b97d076382c866276d89
SHA512090e122d06976ea07d7cf3a9e20fa0adda76c59bec7e09330644f406b11a801dbd4a85a143005a83c226a320c20d1060b54daf742790041f4a478ea496a05ba6
-
Filesize
256B
MD5bbf39e74bc98c93f05d4b7518148e90d
SHA1389576c7ab0d3fd1ebf6224b13ff520a0365359b
SHA2562c907f7646bf2dd49d0feeee7ad13926052f23609779bb0580a18db917dc88c0
SHA512140366a3815f4a0871fa9b81a684e0e3093647254d4617930c250047a98cf7e0c0d1f8c9869815e23d563ee1cfbb512b8b9f2f5b28c882c0cdad4bb2ce17d85d
-
Filesize
4KB
MD5f2b4b0190b9f384ca885f0c8c9b14700
SHA1934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA2560a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize
512B
MD51a53c06dda5dda3f501c42842c51e7ef
SHA189688228f303d1031ee6b03d5988386be1101506
SHA256c8d1178c7e16e343210d21a6e65104109f9f3b1cbb0ff8c174469386e951045a
SHA5120b583261413ed4933c865b31d9cc7b85ba5287af9c7dbd2014a4aaae76959e3b0d011ec334c213a548da757d05651cf6126ffb7a44cc46d845eff11a44bb3337
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
108KB
MD5e949cc68243b194a9a85f77301480dd8
SHA1f0df44c3d73f25de2b43c8bb17d5cfc4894bfe7a
SHA2566f8c7fcd119c2de8c5eca6f93bb137a0e4aa1193b5fb7b63281f2d73450c938a
SHA51289967a8c09ad033663a1d905b5a617e4df37fab1974fb34ba5d25848a4da2106b7aee34a3832adc2f072519d033721aea1bd40714f87eb960cb6037989a759f5
-
Filesize
173KB
MD52df9c51e82f1a598bf9fbc1039dac88c
SHA18305e46333145d957a0255c1002bf3c20adf2c96
SHA2567c90b21a0646e22cb0088e09758af7ef78370e88ed3a0b20969c1d8310aa40ed
SHA512a966544d48f94c537c807b7f3a25f2a65c45f8a854f6368ab60207fa8dd64dd634500eb964e375cb0f619978c3cd65df2d311d0eeca72c61da87fe73576903c1
-
Filesize
16KB
MD5d58fad398fc8647ef6f613a76d1aa07a
SHA150611688e94c1de6d8e3fef32780614307829633
SHA256510993b629845f915530152ee10182facbb4c66535858e92100fee71229e25e7
SHA5129274ab730477fb6badda2411efdd86ef3cb9c60eec8c447b5c9d248b0e6b20671d9dc6bb93ade7ec5b2d52cb740477aa20a11444788a149907f50db98e4d206f
-
Filesize
11.1MB
MD528041432b0c51e3e887643272629c83e
SHA1fbea5dfc62f03e1ff784b410ec0d547de0e8156b
SHA25685c845feaa13eb5b0d02b64a996bf1a84b3aa77b6cf616f3db8ae5b4c70e9902
SHA5127e69a4dffce031e990827d655b83ce66bfca72ecdc5bba4a264f877e0a3788953c41e2f6766e8327127d1b68b63775569648340fda09b4ce13684f0aaca6438f
-
Filesize
351KB
MD5fc03e38b9df1aecdaa7ad9582a3007fa
SHA17ab8f6c8c79015f5eb4809f85987afa91206ed3b
SHA256b4a3a76ea11bdd51239bf96f452dfa1e7eb73fd3b34607bf903ba8810820baea
SHA5127639ce7f817c0b4a926c61f1dfae18e843e2ad85188df9d5d9711961d5d9761d46f16fb36a06a9a60bbd0d0a33b6435fa7e5ff299fb287828ce8e9fa5ce127d3
-
Filesize
258KB
MD5dbb329a8075c9e01b2cb16c0ca1e7021
SHA1c165f196aa9fc7f8812244dc029318720b3e6a75
SHA256d39fcf9a729d1ac899369481f0d28fb6b5f7213bfd9d1c1aca11afb8a5bbac4c
SHA512d57013a783a28a2c6d116f57d60bdcee6958ffcd2402b3ebb5be57506ff73d85c9db8dda4b6d33000140c206e7fb54d3fbbaf55693af1de4155d6a085cfce15f
-
Filesize
1.9MB
MD52d73c5997273e3910c1ac1d8db7ba145
SHA125737e75ed15863e69d02a14efa781370dfec798
SHA256411c3194c11f6254e4bb6cdbf247518a4696ce9bffc6d373ba7e949889db9965
SHA5127adca729d74394232c26ee76272a85342fd88c9101d417ba3a0b1018f29cdbe4a852a3458548e4e333db55520cf8b0a7700f6bcb3cfee77a12ec3d272c4dc13a
-
Filesize
83B
MD57dbd4575a85de446244fbc9cf0a01651
SHA1cfcb83d95636323d7da866ee1e90427311f1b2fa
SHA256a9e055b4a3ddbd09babbf985c9c643857c1a2134028492822f9fc899ae6ddeda
SHA5122d83aa579854fa64276e736896c4e74a3c3b99929255cdff4efc46dc93d7718cb5ae13f42bb0d3d8f311fade28bd7bd838bfb6eb5e188d1e3ad5cc20e54327fb