Analysis
max time kernel: 136s
max time network: 147s
platform: android_x64
resource: android-x64-20240624-en
resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
submitted: 19-12-2024 02:29
Static task: static1
Behavioral task: behavioral1
  Sample: 2e6c7354f7b4dce59752054929731c5055df15301ed094820bdbbcd5c0cfa12e.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: 2e6c7354f7b4dce59752054929731c5055df15301ed094820bdbbcd5c0cfa12e.apk
  Resource: android-x64-20240624-en
General
Target: 2e6c7354f7b4dce59752054929731c5055df15301ed094820bdbbcd5c0cfa12e.apk
Size: 7.7MB
MD5: 125591b1ba792dc40478fba12b09970c
SHA1: db165b084b44f98cd47540f4c73a8ab8feb05660
SHA256: 2e6c7354f7b4dce59752054929731c5055df15301ed094820bdbbcd5c0cfa12e
SHA512: c4133747d64d31d578ad11d20f61bd138171b9254496bb40628821c78ce98c685a054d6f3bd26a6857a0b14d0eb8d83223bc74979e95f4044e1d8c168e38c552
SSDEEP: 196608:egbAsJ3OmCt1AsyRLm5Mymhnl6m4955q45z+YK:d8sFYUsUm2yEnl6mmjqYzm
Malware Config
Extracted
  Family: trickmo
  C2: http://skyfrostweb.cn.com/c
Signatures

TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes, first seen in September 2019.

Trickmo family

Loads dropped Dex/Jar (1 TTPs, 4 IoCs)
Runs executable file dropped to the device during analysis.
  ioc | pid | Process
  /data/user/0/nilheart.ptur744.lens/app_huge/CQ.json | 5048 | nilheart.ptur744.lens
  /data/user/0/nilheart.ptur744.lens/app_huge/CQ.json!classes2.dex | 5048 | nilheart.ptur744.lens
  /data/user/0/nilheart.ptur744.lens/app_huge/CQ.json!classes3.dex | 5048 | nilheart.ptur744.lens
  /data/user/0/nilheart.ptur744.lens/app_huge/CQ.json!classes4.dex | 5048 | nilheart.ptur744.lens

Makes use of the framework's Accessibility service (4 TTPs, 1 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
  description | ioc | Process
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | nilheart.ptur744.lens

Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  description | ioc | Process
  Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | nilheart.ptur744.lens

Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  description | ioc | Process
  Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | nilheart.ptur744.lens

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  description | ioc | Process
  Framework service call | android.app.IActivityManager.registerReceiver | nilheart.ptur744.lens

Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description | ioc | Process
  Framework service call | android.app.job.IJobScheduler.schedule | nilheart.ptur744.lens

Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
  description | ioc | Process
  Framework API call | javax.crypto.Cipher.doFinal | nilheart.ptur744.lens

Checks CPU information (2 TTPs, 1 IoCs)
  description | ioc | Process
  File opened for read | /proc/cpuinfo | nilheart.ptur744.lens

Checks memory information (2 TTPs, 1 IoCs)
  description | ioc | Process
  File opened for read | /proc/meminfo | nilheart.ptur744.lens
Processes
nilheart.ptur744.lens (PID: 5048)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Obtains sensitive information copied to the device clipboard
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
  - Uses Crypto APIs (might try to encrypt user data)
  - Checks CPU information
  - Checks memory information
Network
MITRE ATT&CK Mobile v15
Persistence
  Event Triggered Execution (1)
    Broadcast Receivers (1)
  Scheduled Task/Job (1)
Defense Evasion
  Download New Code at Runtime (1)
  Input Injection (1)
  Virtualization/Sandbox Evasion (2)
    System Checks (2)
Credential Access
  Clipboard Data (1)
  Input Capture (2)
    GUI Input Capture (1)
    Keylogging (1)
Downloads