Resubmissions (submitted / task ID / score)
18/02/2025, 20:08   250218-ywn8bsxrc1   10
24/01/2025, 04:44   250124-fcwh7azqas   10
24/01/2025, 04:37   250124-e8zp2sznay   10

Analysis
max time kernel: 37s
max time network: 154s
platform: android_x64
resource: android-x64-20240624-en
resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
submitted: 18/02/2025, 20:08
Static task
static1

Behavioral tasks (task / sample / resource)
behavioral1   4fcce7c445d89d7de943ec0e0c2fc285d4b25a67950ad7d6bcb50dbcbc4ac29b.apk   android-x86-arm-20240624-en
behavioral2   4fcce7c445d89d7de943ec0e0c2fc285d4b25a67950ad7d6bcb50dbcbc4ac29b.apk   android-x64-20240624-en
behavioral3   4fcce7c445d89d7de943ec0e0c2fc285d4b25a67950ad7d6bcb50dbcbc4ac29b.apk   android-x64-arm64-20240910-en
behavioral4   deper.apk   android-x86-arm-20240910-en
behavioral5   deper.apk   android-x64-20240624-en
behavioral6   deper.apk   android-x64-arm64-20240910-en
General
Target: deper.apk
Size: 6.8MB
MD5: 2d34dbb4167ebb371e33f3ce700fdbc8
SHA1: 4a20849866f90262f9a0b2793f84cc7d5e057656
SHA256: c00419b21d10a236b47b43bb1eed3dbc5298e471cf9616848a84da5baae8e611
SHA512: 20365af814427670ea62987e750657a04d03c509382abe655f87952d6794981e7811c0b7aa9dede998263c2e2a98c5c008848324c4e653eba77517fc6c7c034b
SSDEEP: 196608:Lh1ZR29n2MKoRk+bB5fKnQgO5SS4xx3Dajo:9BgnzRL5fKnQgkSl3Dajo

Malware Config
Extracted
Family: trickmo
C2: http://traktortany.org/c
Signatures

TrickMo
TrickMo is an Android banking trojan, first seen in September 2019, that can intercept 2FA codes.

Trickmo family

Loads dropped Dex/Jar (1 TTP, 4 IoCs)
Runs executable file dropped to the device during analysis.
ioc | pid | Process
/data/user/0/lansa.sis722.sers/app_cigar/dZxFW.json | 5058 | lansa.sis722.sers
/data/user/0/lansa.sis722.sers/app_cigar/dZxFW.json!classes2.dex | 5058 | lansa.sis722.sers
/data/user/0/lansa.sis722.sers/app_cigar/dZxFW.json!classes3.dex | 5058 | lansa.sis722.sers
/data/user/0/lansa.sis722.sers/app_cigar/dZxFW.json!classes4.dex | 5058 | lansa.sis722.sers
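The four IoCs above say that the code loaded at runtime lives under the app's private directory with a .json extension, and the "archive!classes2.dex" notation shows that the .json file is really a ZIP/JAR carrying several classes*.dex entries. The following is an added example, not part of this report and not TrickMo's own code: a Python check that flags a file whose name claims a data format while its bytes are a DEX file or a ZIP containing DEX entries, and prints the artifact's digests in the same MD5/SHA1/SHA256/SHA512 form the report uses. The archive built by build_sample() is constructed to mimic the reported layout; its DEX entries are just headers, not real bytecode, and the extension list in is_disguised_code() is an assumption.

```python
import hashlib
import io
import zipfile

DEX_MAGIC = b"dex\n"        # a DEX file starts with "dex\n", a 3-digit version and a NUL
ZIP_MAGIC = b"PK\x03\x04"   # local file header of a ZIP/JAR

# Path reported by the sandbox for the dropped archive
SAMPLE_PATH = "/data/user/0/lansa.sis722.sers/app_cigar/dZxFW.json"


def dex_entries(data: bytes) -> list:
    """Names of the entries inside a ZIP blob whose content starts with the DEX magic.

    The check is on content, not on the entry name, so a renamed classes.dex is still caught.
    Returns [] when the blob is not a ZIP at all."""
    if not data.startswith(ZIP_MAGIC):
        return []
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as entry:
                if entry.read(len(DEX_MAGIC)).startswith(DEX_MAGIC):
                    found.append(info.filename)
    return found


def is_disguised_code(path: str, data: bytes) -> bool:
    """True when the extension says 'data' but the bytes are loadable Dalvik code.

    The set of 'data' extensions is an assumption for this example."""
    looks_like_data = path.lower().endswith((".json", ".txt", ".png", ".dat"))
    return looks_like_data and (data.startswith(DEX_MAGIC) or bool(dex_entries(data)))


def digests(data: bytes) -> dict:
    """The four digests the report lists for every downloaded artifact."""
    return {algo: hashlib.new(algo, data).hexdigest()
            for algo in ("md5", "sha1", "sha256", "sha512")}


def build_sample() -> bytes:
    """Constructed stand-in for dZxFW.json: a decoy JSON entry plus three DEX headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("config.json", '{"k": 1}')
        for i in (2, 3, 4):
            zf.writestr(f"classes{i}.dex", b"dex\n035\x00" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    blob = build_sample()
    print(SAMPLE_PATH, "disguised code:", is_disguised_code(SAMPLE_PATH, blob))
    for name in dex_entries(blob):
        print(f"  {SAMPLE_PATH}!{name}")   # same archive!entry notation as the report
    for algo, value in digests(blob).items():
        print(f"  {algo.upper()} {value}")
```

Run against a real dump of the app's files directory, the same two functions give you the list of archive!entry paths to compare with the IoC table and the digests to compare with the Downloads section.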
Makes use of the framework's Accessibility service (4 TTPs, 1 IoC)
Retrieves information displayed on the phone screen using AccessibilityService.
description | ioc | Process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | lansa.sis722.sers

Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description | ioc | Process
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | lansa.sis722.sers

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)

Queries the phone number (MSISDN for GSM devices) (1 TTP)

Queries the mobile country code (MCC) (1 TTP, 1 IoC)
description | ioc | Process
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | lansa.sis722.sers

Reads information about phone network operator (1 TTP)

Listens for changes in the sensor environment (might be used to detect emulation) (1 TTP, 1 IoC)
description | ioc | Process
Framework API call | android.hardware.SensorManager.registerListener | lansa.sis722.sers

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
description | ioc | Process
Framework service call | android.app.IActivityManager.registerReceiver | lansa.sis722.sers

Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description | ioc | Process
Framework service call | android.app.job.IJobScheduler.schedule | lansa.sis722.sers

Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
description | ioc | Process
Framework API call | javax.crypto.Cipher.doFinal | lansa.sis722.sers

Checks CPU information (2 TTPs, 1 IoC)
description | ioc | Process
File opened for read | /proc/cpuinfo | lansa.sis722.sers

Checks memory information (2 TTPs, 1 IoC)
description | ioc | Process
File opened for read | /proc/meminfo | lansa.sis722.sers
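The last two signatures (reads of /proc/cpuinfo and /proc/meminfo), together with the sensor listener, are the behaviour the ATT&CK mapping files under Virtualization/Sandbox Evasion: System Checks. The report only shows that the files were read, not what the sample compares them against. The following is an added example, not from the report and not TrickMo's logic: a Python sketch of the kind of check such a sample performs, run over constructed /proc samples for an emulator image and for a handset. The marker strings, the CPU and memory thresholds, and both /proc samples are assumptions chosen for illustration; an analyst can run the same function against the real /proc files of a sandbox image to see which of these tells it would give away.

```python
import re

# Strings that commonly appear in /proc/cpuinfo on Android emulators (assumed, illustrative list).
EMULATOR_MARKERS = ("goldfish", "ranchu", "qemu", "vbox", "android virtual processor")


def parse_proc_kv(text: str) -> dict:
    """Map the 'key : value' lines of a /proc file to {lowercase key: value}.

    A key repeated per CPU (model name, flags) keeps its last value; use cpu_count() for the count."""
    kv = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            kv[key.strip().lower()] = value.strip()
    return kv


def cpu_count(cpuinfo: str) -> int:
    """Number of 'processor' stanzas in /proc/cpuinfo."""
    return sum(1 for line in cpuinfo.splitlines() if line.lower().startswith("processor"))


def mem_total_mb(meminfo: str) -> int:
    """MemTotal from /proc/meminfo in MB, 0 if the line is missing."""
    match = re.match(r"(\d+)\s*kB", parse_proc_kv(meminfo).get("memtotal", ""))
    return int(match.group(1)) // 1024 if match else 0


def emulator_indicators(cpuinfo: str, meminfo: str,
                        min_cpus: int = 4, min_mem_mb: int = 2048) -> list:
    """Reasons a sandbox-aware sample could give for deciding it is being analysed.

    Thresholds are assumptions that separate a default emulator image from a modern handset."""
    reasons = []
    kv = parse_proc_kv(cpuinfo)
    haystack = " ".join((kv.get("hardware", ""), kv.get("model name", ""))).lower()
    for marker in EMULATOR_MARKERS:
        if marker in haystack:
            reasons.append(f"cpuinfo names emulator hardware: {marker}")
    if "hypervisor" in kv.get("flags", "").split():
        reasons.append("x86 'hypervisor' CPU flag set")
    cpus = cpu_count(cpuinfo)
    if cpus < min_cpus:
        reasons.append(f"only {cpus} CPU(s) listed")
    mem = mem_total_mb(meminfo)
    if mem < min_mem_mb:
        reasons.append(f"MemTotal {mem} MB below {min_mem_mb} MB")
    return reasons


# Constructed /proc samples (not captured from the analysis above).
X86_FLAGS = "fpu vme de pse tsc msr pae cx8 apic sep cmov mmx fxsr sse sse2 ht nx lm hypervisor"
EMULATOR_CPUINFO = (
    "processor\t: 0\nmodel name\t: Android virtual processor\nflags\t\t: " + X86_FLAGS + "\n"
    "processor\t: 1\nmodel name\t: Android virtual processor\nflags\t\t: " + X86_FLAGS + "\n"
    "Hardware\t: Ranchu\n"
)
EMULATOR_MEMINFO = "MemTotal:        2031928 kB\nMemFree:          812344 kB\n"

DEVICE_CPUINFO = "".join(
    f"processor\t: {i}\nBogoMIPS\t: 38.40\nFeatures\t: fp asimd evtstrm aes pmull sha1 sha2 crc32\n"
    for i in range(8)
) + "Hardware\t: Qualcomm Technologies, Inc SM8250\n"
DEVICE_MEMINFO = "MemTotal:        7814176 kB\nMemFree:         1203456 kB\n"


if __name__ == "__main__":
    for label, cpu, mem in (("emulator", EMULATOR_CPUINFO, EMULATOR_MEMINFO),
                            ("device", DEVICE_CPUINFO, DEVICE_MEMINFO)):
        print(label, emulator_indicators(cpu, mem) or ["no indicators"])
```

The practical lesson for a sandbox operator is the inverse of the sample's: every reason this function returns for your image is one a System Checks routine can act on, so a detonation image should present a plausible core count, memory size, and hardware string before it is used against samples that read these files.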
Processes
lansa.sis722.sers (PID 5058)
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (might try to encrypt user data)
- Checks CPU information
- Checks memory information
Network
MITRE ATT&CK Mobile v15 (technique, number of matching signatures)
Persistence
- Event Triggered Execution 1
  - Broadcast Receivers 1
- Scheduled Task/Job 1
Defense Evasion
- Download New Code at Runtime 1
- Hide Artifacts 1
  - User Evasion 1
- Input Injection 1
- Virtualization/Sandbox Evasion 2
  - System Checks 2
Credential Access
- Clipboard Data 1
- Input Capture 2
  - GUI Input Capture 1
  - Keylogging 1
Discovery
- Software Discovery 1
  - Security Software Discovery 1
- System Information Discovery 2
- System Network Configuration Discovery 3
Downloads

Filesize: 4.9MB
MD5: 9f765bbbb28171e35f6f17ee95ebdb90
SHA1: 7bfb941907bea2a41e20f38e31c07566d8d3f7ef
SHA256: c552d3c465661b4bf87bac3eeb7a9000569a5b19cdc05094713076b89a776c83
SHA512: 144b72da338daa9b520d181934fc63f65165e8415085efeb1fbe32aee33ac1b35305d7040829c725300ce54342ddc62bbb601bfa2ad383da3b4007bb8760c4c5

Filesize: 4.9MB
MD5: cd652200aa24e4da945fcca01cf402ce
SHA1: ec15238d8fa5f5906b1725965bb5eaef3f977172
SHA256: 6296249f78b601b6d29c26e49f59a99ba4074358d82e4229d1b0eb137bd03408
SHA512: 7d4aa9255ba25ffe1b07cefdc0ca05daa13c12d22974c050b17ef83f07f49eebe62fd125e3f9ef96524c345e4882d6eade3220a4b2243ebeddfe63a5366aad9d

Filesize: 20KB
MD5: e48ae2e98ea5b39dd12819b5cceb7dc3
SHA1: 219af8ebe9bb26b76eaa53356a613e5fbb806dea
SHA256: 6e954b8f3df47f2444f1877d8b714e7baa19a1fa4eeca749943eadee1661eac9
SHA512: 443960bd2d2d0c9a57fd5d2bd75d7efe78071ece69f020260065ae0fffae70e5559c31476156fff62b7f24f4e72b953885a0ea1a858d9205d658e9738bb181a1

Filesize: 20KB
MD5: 44ed3cc60039b2552ae11a53458cdfe6
SHA1: 9808a7657e37c8324900430809efdf2a07688b38
SHA256: d4509574a4f7ffb8f1e35b36ecf526731426610d258a5aa726f465cbc4d5e3fb
SHA512: 3a51f089d9875e1a2274b3a53702811ca40f8e509082ef891d16c45db4e526bc21089a27ee74771e777d5a6c68fb39b5865780b3370d3f2c94a594ee8691d196

Filesize: 512B
MD5: 740af4177f7cbe3de8e881594a84fe3e
SHA1: a0868f5e51f98436c0412671a7ef5f4470f53e67
SHA256: 570c8647049021a5ba1fcf94f2c5649fb2ddedcc237d3d4f20466fb1aa53c5e0
SHA512: 3bbde19c00c285442cd0c55184de909a1be1b157a8e1a5ad5eaebeb543d54f647cbe415c940a5d3e3cb3ecf7c60feaab3f8199cc553135d4d2d4fdf9b3680408

Filesize: 8KB
MD5: 47df991c2aee1e4473e2752a714b150f
SHA1: 7328a82be8e1e2dd5404cd9dfc2736e29c4caffb
SHA256: 56411f285774b3cd13bfc99177c298989979600a373fd1ee151df4e82056115f
SHA512: 67190d225aff6bbf921c6f7147f7164725973270c021b04d2a1361f4ffc39bc7cf47f3a11b86d9b58adeb5ac3a7a46bbd610ce8132bc7507d00b9ae1b50926cb

Filesize: 8KB
MD5: 29b24aba19e5260b5f8f6153cfbe5576
SHA1: 6fdc18bcde671d99e6edce7aa034a3bf3c2a92b8
SHA256: 4d758f687d1205fe44ee67dae574443904604d94042f0265af549082cafcc070
SHA512: 064db9752a959bb4e6f572c5337523e3a1edb68101b59380f9b2c5a2106f7d48803feff11cea46512e89f850895f2de0a5ccc3a81850e28733d341c682de571d

Filesize: 12KB
MD5: e1a93234119629863da27c382671a62e
SHA1: 59b845faf3daa621cc2215b03262a90344bb2052
SHA256: 61554bb02f439975b133df45a7a18e966ad4fc4dd22a821377bd95c828b1ace3
SHA512: 89f2aabca24ddb56a8df75598fc6081ac89348fc6033cfd9473728eb6f7856b516ef9980c4a9e0350c655132df76412386e32f0550f7446e1755228c81f15cf0

Filesize: 256B
MD5: 1eb22d63d38b2173f775f978d6218b4f
SHA1: 9a19141626a6db9b30cf5a7c676a4338f83cee00
SHA256: fc020062f9fb9fcc0830a48bc25e0566f9ab2361a6cfd7063e9a2b00bf5c022b
SHA512: e24658d76fe9bf203854e3e158f4b86167ccbde1b53878e17c7579699e1d8d3ecc011ad1c826ae5c6d54d9be68b9f749d95fa408b2f097d18dab4e6aa710ce5a

Filesize: 4KB
MD5: f2b4b0190b9f384ca885f0c8c9b14700
SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Filesize: 512B
MD5: aa35bd051f93b02eff95eae83cfc10dc
SHA1: d12825b9fd00cd1079c94beaed09f1918f229252
SHA256: 584eb50c937c6d19e4ed1d067462227ae96d266ec5fa66a3783de28fdb094765
SHA512: 924dd344cb7b392621c146edac18729661e5125fcccd2f1a1046abdd1115c1797ee1911ef8be265307dae68c80d99fbc56a116fe30982bd7ff5786d95bca7a1e

Filesize: 32KB
MD5: bb7df04e1b0a2570657527a7e108ae23
SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Filesize: 173KB
MD5: 0c1697c3be0d3d9fd14c1da9462256d7
SHA1: 878ac4ba63a8417fe57a39e2f18d7fef5343af54
SHA256: 13579bbb010f38f3b03c3066e877eba0fd798fc33aa7ba27dfb2596dbbcfdd96
SHA512: 759f1fd0c2c10eeade7a43b3c1d7e07c5f68c8807a3a41fbdb4f632da59097de1320a1333d31cf7395648c039390bb9bda796915b439d3902ebccc1e0fce088d

Filesize: 16KB
MD5: 1637616533b7dabdb2b513c9ddf8d664
SHA1: 6a821a6d3bd83ae79bc456baa5b14c95ad71f58a
SHA256: 85c76cd3b7ab09c05994d31483663a65f820ee0510abef6d8190db87fb590dc8
SHA512: 36fd122c5fc98a58ea3bf4e3fa1ee45bc25f82ac9c284858fa97214ac254c8be8732e0b3e152784ed09d1042848ebc8b6df191544d7a3edc7581378da16c54a1

Filesize: 108KB
MD5: 13587cb59b5666bc5b80b43482c7da5d
SHA1: 3bcef29e1aff84e02656bc73d523264f3f7db7dd
SHA256: 3515bf84e16be37f21abef44a38a2c58f1e894be81b3b9c87af1cfaea68c9f54
SHA512: ebf57ddb2e870e8c6ea9b8d08974f94ab51d1993c63fcffd479ce636932115dbce7bd520140d26f7cf3176e05c3243812faf2219f36b962f725ce75820069b46

Filesize: 10.9MB
MD5: 35d4cda95e19e9be467673c78e1e2fa2
SHA1: 3868d4dda794c360f57ba650c332b39ce5c68d8e
SHA256: 6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746
SHA512: 577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7

Filesize: 308KB
MD5: 5e58845043089ee3b37392fec0f23992
SHA1: 5e8290a1e9b734ae423aaa5f49bef8041545ebbc
SHA256: ad60aece05f500cada31b766831e2fa87aaf6fba58b9dca20c9152f16605faba
SHA512: 84387a9add5b7ea6220ecfab5773b62d9d0db6ebce799f5a090817a04d0862158e1acafccabbe99bc2dc7abb30b5ade111bd6b4769ef929f3d57e962bcb656a3

Filesize: 265KB
MD5: cc92d248d0c568e5351842d103bce7a9
SHA1: 1d4950fe500f0789ca77fa4858ab8ebc3cb2441f
SHA256: 0201c5566b578cf5ec8237dc7970a5a3b63afd2e035d8e94ee82230c8a2a691d
SHA512: a49aa848d7544e20d33de320faf7169c82669438394d861814fb832d8984fafe86c955484654d55cff7d5ff45e0c60d09b7b6e7c4602ef8ef312c0cafbacdfa7

Filesize: 1.7MB
MD5: 30465152db261852e3a226a666ec4304
SHA1: 442a188e07db85653022734d0a8537d4312aef38
SHA256: c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4
SHA512: 3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63

Filesize: 83B
MD5: d8ea8aeb98f6ad9d6178cbf1945a1bd7
SHA1: ac8ba1238034c6ee7a507816df5afa8e8cefe7a6
SHA256: f4910a95b641a1278fee5b34a50ecf2c4140c7290c93045d3fdcca607f1b88c6
SHA512: fd149f11a30a4369a660750912f9616b9d31fbfdd6e5d2ad11131aa894e0e17f4e3c004067d770bea57316a2fe4b2c59e71dff8c9005d2c7446fecc9ee15165a