Resubmissions
05/02/2025, 11:04  250205-m584bavngp  10
05/02/2025, 11:01  250205-m4n2ravnbr  10
05/02/2025, 10:18  250205-mcbmcatmck  10

Analysis
max time kernel: 38s
max time network: 173s
platform: android_x64
resource: android-x64-20240624-en
resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
submitted: 05/02/2025, 11:04
Static task: static1
Behavioral task: behavioral1
  Sample: cfa37c111d5d86aa348a8411c39fe1c54034c437a5c15777a42638c6a9d03eb0.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: cfa37c111d5d86aa348a8411c39fe1c54034c437a5c15777a42638c6a9d03eb0.apk
  Resource: android-x64-20240624-en
Behavioral task: behavioral3
  Sample: cfa37c111d5d86aa348a8411c39fe1c54034c437a5c15777a42638c6a9d03eb0.apk
  Resource: android-x64-arm64-20240624-en
General
Target: cfa37c111d5d86aa348a8411c39fe1c54034c437a5c15777a42638c6a9d03eb0.apk
Size: 8.1MB
MD5: c889e75eb26de5a53531ca1d799a777e
SHA1: 4c9ae2c8bc9a2bc02926ee2a9a49730881907a69
SHA256: cfa37c111d5d86aa348a8411c39fe1c54034c437a5c15777a42638c6a9d03eb0
SHA512: cbe94441f6ea06b1c9c9de0933e9755d3ac7deb3197d795570cde4d0680c87f25c8c3e34c189a8b8d898b8afa9140093dfbf731852cbc6bf02cfc03c00bd5941
SSDEEP: 196608:5erveQWOfAMidD+traG/iYVS9MEY2HWv7ecSb5xW:47eQqMidD+hjpVSe/2Uu2
Malware Config
Extracted
trickmo
http://mainworkapp.com/c
Signatures
TrickMo
TrickMo is an Android banking trojan, first seen in September 2019, with the capability to intercept 2FA codes.
Trickmo family
Loads dropped Dex/Jar (1 TTPs, 4 IoCs)
Runs executable file dropped to the device during analysis.
ioc | pid | Process
/data/user/0/aner.fos540.ex/app_fragile/py.json | 4974 | aner.fos540.ex
/data/user/0/aner.fos540.ex/app_fragile/py.json!classes2.dex | 4974 | aner.fos540.ex
/data/user/0/aner.fos540.ex/app_fragile/py.json!classes3.dex | 4974 | aner.fos540.ex
/data/user/0/aner.fos540.ex/app_fragile/py.json!classes4.dex | 4974 | aner.fos540.ex
Makes use of the framework's Accessibility service (4 TTPs, 1 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
description | ioc | Process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | aner.fos540.ex
Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description | ioc | Process
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | aner.fos540.ex
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) (1 TTPs)
Queries the phone number (MSISDN for GSM devices) (1 TTPs)
Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
description | ioc | Process
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | aner.fos540.ex
Reads information about phone network operator. (1 TTPs)
Listens for changes in the sensor environment (might be used to detect emulation) (1 TTPs, 1 IoCs)
description | ioc | Process
Framework API call | android.hardware.SensorManager.registerListener | aner.fos540.ex
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
description | ioc | Process
Framework service call | android.app.IActivityManager.registerReceiver | aner.fos540.ex
Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description | ioc | Process
Framework service call | android.app.job.IJobScheduler.schedule | aner.fos540.ex
Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 1 IoCs)
description | ioc | Process
Framework API call | javax.crypto.Cipher.doFinal | aner.fos540.ex
Checks CPU information (2 TTPs, 1 IoCs)
description | ioc | Process
File opened for read | /proc/cpuinfo | aner.fos540.ex
Checks memory information (2 TTPs, 1 IoCs)
description | ioc | Process
File opened for read | /proc/meminfo | aner.fos540.ex
Processes
aner.fos540.ex (PID: 4974)
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
Network
MITRE ATT&CK Mobile v15
Persistence
  Event Triggered Execution (1)
    Broadcast Receivers (1)
  Scheduled Task/Job (1)
Defense Evasion
  Download New Code at Runtime (1)
  Hide Artifacts (1)
    User Evasion (1)
  Input Injection (1)
  Virtualization/Sandbox Evasion (2)
    System Checks (2)
Credential Access
  Clipboard Data (1)
  Input Capture (2)
    GUI Input Capture (1)
    Keylogging (1)
Discovery
  Software Discovery (1)
    Security Software Discovery (1)
  System Information Discovery (2)
  System Network Configuration Discovery (3)
Downloads

Filesize: 4.9MB
MD5: aae2fff1e66e2ed7098e6a244c9fafc9
SHA1: cb45aa08a26f26d57e4ff2c38c87445baddd88bf
SHA256: 1f4ecd2ff4e128f1ff3da8e59d77d3b64eda9ba8514d76abae1f786bbe65420b
SHA512: 757310e3bb6855040b4b2a631f221e806721f5666257add6bf834c29b37a19fb953c42d3d04bbeedcd53d1ae1a2337bc61e36db046e46f1de18103e324fefb73

Filesize: 4.9MB
MD5: ad4a8dddb4b956662516a5353912f97c
SHA1: 52b4eee991f8eac17572bc57f2b06dba9a6fddce
SHA256: 19fd2538eb94df4e5713d9bca304527c08f27a84118ee583fc263cda1ef3b10d
SHA512: 37ce05314e1e2a0edbe07f91208265e3c35a63142da54f60732736aa9cb8201dc78025682cb489e0e607826a21df38932ddbaa199fc86d246a91f42a614b2dd4

Filesize: 17KB
MD5: d780f836fe54e51872bf31220a4dcb77
SHA1: 5136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae
SHA256: 32abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17
SHA512: 62842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635

Filesize: 20KB
MD5: 077767b0c219361860d0d8bb5e19ab00
SHA1: eab3fc4c9db16b36629eb24ff0c03493f783b8ab
SHA256: 26b1bf55b5111486cc63bb1b4582c467b4829d618201804cb6fafdc24b221c09
SHA512: 3f8cd81f8176aaba7712469809c03a31be2495a6588d84da9f38dea712ddc003afc203dcccdf47f494472d6738269b9e7d29793bfa4cbe7f9041294df41e67b1

Filesize: 512B
MD5: e444ac4851351123a7ededd2b41f0f01
SHA1: 6ddee5ff4aac9ca357ebf8f53c4840deee8e1d9c
SHA256: 5933b653aef6b5b1a95544e89472c8edeb61410b5b5d132319bedf7e1d3ea813
SHA512: 19489e58b516e2697a157fbfdf66939fe9649e65542222d3a08151347cf11c66b1c77ae8d520a6d0dc337c3ce5e33a493f78b763b28f08c3ad7dfa62c5c7b7b0

Filesize: 8KB
MD5: 9f47f2ec89998db38942dee9b63258f2
SHA1: bb15ede3e33d3be61e668e81c19cf469f7a67c42
SHA256: 1e9a249d1b046350dfbc99feabb9563d742480a5c7f439aaf0e3d85296d69d91
SHA512: b422769799733ec4fb4e563bb08025ed77d513db5c8eb6a31002a942a6309912b66d36bb9eef9d49935713ad5a898474b2f1d7ef584424dd2203811218222359

Filesize: 8KB
MD5: 3e2faa2fe0a24dd713a25f67d520dd71
SHA1: 540ec0059fa1bb670ee140b7b4d93e25cf1dc965
SHA256: 57dc824f5d88856cad1fa84154c0a909992e17d47f50b310885fa71e79e45ced
SHA512: fca51e5cf53dd685df663d125477afb0823d089c2589ba343c799fa0a53ad9e916158464057618ccb9b5b89e2da3ab5219740e00584d1c2ddeef132e2a277527

Filesize: 12KB
MD5: 5e90d4237136a94b456c3bfd1cd379ca
SHA1: 14c00877a34f26e74632b9e6d0a069355f6b0042
SHA256: 98770ceb9972b5c0e98838f3213609c1de4cbaf4720130af0675ea6d603b640f
SHA512: be76db9e85d5e36d4e53aeffedcfaadbf95b5f4ba3cf567a4bb28cb7452153f09c67ffecf86c8c2727524f2a1bd095030b29be2c5a2beb8197c0243f2be6860c
Filesize: 256B
MD5: f95ed38373d6483fbe9f5714435f8016
SHA1: ee72bfd1687cad4d427627378773e8773d69f487
SHA256: 54f6cbaa0ea612f9f184b87e71a5f25d1ba68f0aebb3c2fec1a6f8ed935f6927
SHA512: 13954351294a7c398c5466194ae0893f28c0ca684a28e901e57d53a9aca659b795bdd31eb92ff39efd27f3c986f6a68e7d338a1133d44a637ffae60cd9f396c3

Filesize: 4KB
MD5: f2b4b0190b9f384ca885f0c8c9b14700
SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Filesize: 512B
MD5: 4cfc63d60f83646ae4b56206bcb0e94a
SHA1: b7982b7547eef21d7d293fa3fd5285a9997b4b5d
SHA256: 29afc13909d82388834f70786a6511c001dbfa903ffc75aa1e0e09a0f9154649
SHA512: 956ddaff1123749e2f5f3835595dc259ff81c9b90a27d547b098a02ea1b08ba242890c044d3691667f01b7664062242f321f6fd2fb1eec2a21929ec493720093

Filesize: 32KB
MD5: bb7df04e1b0a2570657527a7e108ae23
SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Filesize: 173KB
MD5: d329427a2d2e124bd6956efdb4ea3419
SHA1: ea675c4c173eaf72b4dea7d34f6f9eb3a72b9ede
SHA256: 8919d5a53f3aa16f96a57c40314032dd0fec1fac37b4a9cab94dded8c1495e1b
SHA512: 6b98e9637db99f4acc7b4a23b2503f0efe00b77ccb43ac5941cbfbec01710c5c6c19ed33d947e40a81c19d35fd86632a9242708890db0c42d165a048bde58230

Filesize: 16KB
MD5: d82df6ffe0a5056a3fa03154a10f9bdf
SHA1: ba4d7d02e1e8de058813c5e99a50a67e4b7f98ad
SHA256: 1eafc2bcef3907850e513450a613c1f10563a63ea73bef70dc853fd40506cea2
SHA512: e635085020750182ca9f098e83287c3f936b891ae4efe5f93ef6e16aac71c767aeca58a799616d7827a6e103e4636dd319958bd0be7c6d5fc47beb3c5d0a29ed

Filesize: 108KB
MD5: 259fca18ef1a4d6e4d0e7b242b0e3fd0
SHA1: b29e13ba763c0eab1983127dbc664d5423ff6b63
SHA256: 39473c8c7f280dbc3ee0aa632faaf810c784b140111ba22dfc9da5ce2d3915f8
SHA512: 42ad0142da0a831444842847dc1e1fe67bace6fdbe8101cd4706924e775a804d9e9e521cff57d59ca30002e77e49a7709c3237140e57771a46ea97bcdc7c9898

Filesize: 10.9MB
MD5: 35d4cda95e19e9be467673c78e1e2fa2
SHA1: 3868d4dda794c360f57ba650c332b39ce5c68d8e
SHA256: 6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746
SHA512: 577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7

Filesize: 308KB
MD5: 87fbf4277c7b1354b07ab66e7841e5fc
SHA1: f171167c1e22209bfe6f8e826763fbba7e2dd195
SHA256: d604f9e58075636656da343d9efe1c1af4f225def49e4d288fc8a7442cb07555
SHA512: c74f9f44d6b8d4b3c78b79a2710b66ebf851c6401b8e01926f910e44e4be7ce911286b385558797802eba7ae26b0d0ed06faee79e9e8bbe8ca798f7ce4e4f9fa

Filesize: 264KB
MD5: 336b36c9bac9108ef167e46ecd780cf8
SHA1: 2f2053b4858cbc16a7fd71634187b829e816e3ec
SHA256: f144ad2da806b72948617d8d35426c21fb682d58c20c5002b3d41eefd80a07b2
SHA512: faaee8913953353783666ec7917e9cbb6774c024369e069de530904a3664cd96ddf7bb0a4b261f7aa8458b33028b39c3af7d66fb62bd3885e7f7fde001c67401

Filesize: 1.7MB
MD5: 30465152db261852e3a226a666ec4304
SHA1: 442a188e07db85653022734d0a8537d4312aef38
SHA256: c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4
SHA512: 3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63

Filesize: 83B
MD5: 2f1620a6c0c4381e4d595d25172dee2e
SHA1: c2958956e8016c05c1d2a7730c24aabbb7c83692
SHA256: 3922fe45ead5a0bf64f9246a51997cead1f82cf307ba3ca64bc477799a075839
SHA512: 7949cd04deb4f7e2d8d95e8ae582e0e7faf8ae364cebbeb0f577b5ef8d8bedffa27368b2dfcd6b7391367709ce4fe9d8735a416693c96a28a73e748dd63177bb
/storage/emulated/0/Android/data/aner.fos540.ex/cache/records/com.android.settings_2025-02-05-11-04-41.txt
Filesize: 1001B
MD5: 1c56b419f043be564ccf85c040ba4758
SHA1: 28c97c81599d098b2034aa18abfc72c6c26ea956
SHA256: e37f82553044557524cb0b7d2de8623384e03ba01d61cf1de79b2335577c00e5
SHA512: ccdc36a1535485c1b62c64ed3ab1f1ae630494e4590506147468bbf0cddd5f5aad538a576a124da28637cd6e138c25ef91433d048ae8422b0d40772d6ae6fd24

/storage/emulated/0/Android/data/aner.fos540.ex/cache/records/com.android.settings_2025-02-05-11-04-41.txt
Filesize: 19KB
MD5: 63fdb6b3ad424516aea99cd6fd5bda11
SHA1: 7fd44eae842aee74f54a39f2d4a65949500c46d6
SHA256: 0073f8b3cbedcfb77b00dd0a596e61e5bf92fe0e72cf698e14aa3f6c3b799737
SHA512: d9ac65be51a4fc04376ace9e694647f079e7f9532fc58657ff4e248d10cf6009d79c1d3d8aee49168ad05a2b605f44b5c24e5b0b6815c475ea1d7d15c18e0907

/storage/emulated/0/Android/data/aner.fos540.ex/cache/records/com.android.settings_2025-02-05-11-04-41.txt
Filesize: 37KB
MD5: 2d339b67def2c22acf2af687ddf6ecc7
SHA1: f61c42a3db4596621c28025da9110eb8af1963f7
SHA256: ff36a6ef44ae8391e37eac82adb519ddff3adc338c41d0721a71d2e99d3108ff
SHA512: 62a8747f1e195d7a68a7c8bd5f9ac55624ca19df55fb9f019ede72c8cc889e041778ff9cad6c696f190c5f588b72068792cfbbbe44038f01878ce463d8f7f405

/storage/emulated/0/Android/data/aner.fos540.ex/cache/records/com.android.settings_2025-02-05-11-04-41.txt
Filesize: 55KB
MD5: b40465b4bd112d2bf1beed0492174326
SHA1: b7ea2ff0c880cdac31ab7d58d3776b55e2c124ca
SHA256: 16988f1267568c48685cad77d3120310ea61be0f0a48b761322b99cee76f44b0
SHA512: 78385a29176e9b297a9092dbd7b1eb53df8ce4adcd495407903aac951374bae8ba19899d600700008506e013964191ac6673a57ba910a23f1531a4eca7f21636

/storage/emulated/0/Android/data/aner.fos540.ex/cache/records/com.android.settings_2025-02-05-11-04-41.txt
Filesize: 74KB
MD5: 9e1f0e3e5c351d16bda43e40e28f9ab2
SHA1: adccc76045df29b263bde90a0120d2b6d03b19e5
SHA256: 34e3a46d2a27dde4afa35521c65d4d04e62b8be7f8b20140e308e369b15838aa
SHA512: 993b155b878fdaebd829ce1e353bcf9bab3466574745d78fe049896e5503ac9bec21cd133311566ff1978942ea74f56820631135cc1d530b6d942f6182de518e

/storage/emulated/0/Android/data/aner.fos540.ex/cache/records/com.android.settings_2025-02-05-11-04-41.txt
Filesize: 259KB
MD5: d25373c62b094cf609552d9e869ad46b
SHA1: 32f2dcb6bbafe4517c518d2c28deb08a21e4358b
SHA256: 25b5567575e383a65c0b6592e4bc7331aabeb44273c0965fcee2126a8133cbd1
SHA512: 4af8bbd45a35ad28e368f7740996b6e5a11b1a3225331a14af51f340e381ac6d775ce2028f36e983bf62d66e111ef7452ce5fdc4935536e7d1a675b103ecc5f7

/storage/emulated/0/Android/data/aner.fos540.ex/cache/records/com.android.settings_2025-02-05-11-04-41.txt.zip
Filesize: 4KB
MD5: 7fbc1ca2871666ce3d69eca4c6d2f8d5
SHA1: fcd4b93314c6ee2a4af84e780d80582264d7dfbc
SHA256: 6a2b5d89a6167deb0bab7251ebe03f9d2d2e8a5f3d654a6dba3bfe11ca51671d
SHA512: 5e7d79f88df79a06ac70ff6b95c6c996e4552f87b882146f13edd094ad3087b6edc98b1100252cb89f2b48c4260533adf5ca4a7fadf573f7118446fdb4ca5844