Overview

overview

10

Static

static

6

4fcce7c445...9b.apk

android-9-x86

7

4fcce7c445...9b.apk

android-10-x64

7

4fcce7c445...9b.apk

android-11-x64

7

deper.apk

android-9-x86

10

deper.apk

android-10-x64

10

deper.apk

android-11-x64

10

Resubmissions

18/02/2025, 20:08 UTC

250218-ywn8bsxrc1 10

24/01/2025, 04:44 UTC

250124-fcwh7azqas 10

24/01/2025, 04:37 UTC

250124-e8zp2sznay 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4fcce7c445d89d7de943ec0e0c2fc285d4b25a67950ad7d6bcb50dbcbc4ac29b.apk

  • Size

    10.5MB

  • Sample

    250124-fcwh7azqas

  • MD5

    8ebf4bdf9326073fa0577a2e1950e1af

  • SHA1

    7a30345f421c243cbef4dd42d60f5de45b99d580

  • SHA256

    4fcce7c445d89d7de943ec0e0c2fc285d4b25a67950ad7d6bcb50dbcbc4ac29b

  • SHA512

    006dd16eee88a56657bafed02d5585d8a04bc98139249f9fb0553382d284a23546071f3bff9e39881150d0ba802f92ac26b1fbd8fb6c5b20f1a6cd6301e40243

  • SSDEEP

    196608:3wGdnljZ/MLUBwiwOYTR8dhTVKZZRa+6Gz4+bpRdS388yngsaFf/FYd9r:3VRRZvai3YOBkRTz/RdS3886gl/FYdF

Score
10/10
trickmoandroidbankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerpersistencetrojan

Malware Config

Extracted

Family

trickmo

C2

http://traktortany.org/c

Targets

    • Target

      4fcce7c445d89d7de943ec0e0c2fc285d4b25a67950ad7d6bcb50dbcbc4ac29b.apk

    • Size

      10.5MB

    • MD5

      8ebf4bdf9326073fa0577a2e1950e1af

    • SHA1

      7a30345f421c243cbef4dd42d60f5de45b99d580

    • SHA256

      4fcce7c445d89d7de943ec0e0c2fc285d4b25a67950ad7d6bcb50dbcbc4ac29b

    • SHA512

      006dd16eee88a56657bafed02d5585d8a04bc98139249f9fb0553382d284a23546071f3bff9e39881150d0ba802f92ac26b1fbd8fb6c5b20f1a6cd6301e40243

    • SSDEEP

      196608:3wGdnljZ/MLUBwiwOYTR8dhTVKZZRa+6Gz4+bpRdS388yngsaFf/FYd9r:3VRRZvai3YOBkRTz/RdS3886gl/FYdF

    Score
    7/10
    evasion

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

      evasion

    • Declares broadcast receivers with permission to handle system events

    • Declares services with permission to bind to the system

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Requests dangerous framework permissions

    behavioral1behavioral2behavioral3

    • Target

      deper.apk

    • Size

      6.8MB

    • MD5

      2d34dbb4167ebb371e33f3ce700fdbc8

    • SHA1

      4a20849866f90262f9a0b2793f84cc7d5e057656

    • SHA256

      c00419b21d10a236b47b43bb1eed3dbc5298e471cf9616848a84da5baae8e611

    • SHA512

      20365af814427670ea62987e750657a04d03c509382abe655f87952d6794981e7811c0b7aa9dede998263c2e2a98c5c008848324c4e653eba77517fc6c7c034b

    • SSDEEP

      196608:Lh1ZR29n2MKoRk+bB5fKnQgO5SS4xx3Dajo:9BgnzRL5fKnQgkSl3Dajo

    Score
    10/10
    trickmobankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerpersistencetrojan

    • TrickMo

      TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.

      trojaninfostealerbankertrickmo

    • Trickmo family

      trickmo

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

      evasion

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

      collectiondefense_evasioncredential_access

    • Obtains sensitive information copied to the device clipboard

      Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

      collectioncredential_accessimpact

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

      bankerdiscovery

    • Queries the phone number (MSISDN for GSM devices)

      discovery

    • Queries the mobile country code (MCC)

      discovery

    • Reads information about phone network operator.

      discovery

    • Listens for changes in the sensor environment (might be used to detect emulation)

      defense_evasion
    behavioral4behavioral5behavioral6

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Hide Artifacts

1
T1628

User Evasion

1
T1628.002

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

3
T1422

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.