Analysis
-
max time kernel
299s -
max time network
300s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system -
submitted
20/02/2025, 13:10
Static task
static1
Behavioral task
behavioral1
Sample
11af0da9a7c5f65bb098ed52973e814b12eba492fb3615a5fada5d4cc390928d.apk
Resource
android-x86-arm-20240624-en
General
-
Target
11af0da9a7c5f65bb098ed52973e814b12eba492fb3615a5fada5d4cc390928d.apk
-
Size
8.5MB
-
MD5
4ac484f345acdf8890166cbfeaa83768
-
SHA1
dc2e2796fabb883ca0c78248bb9c04ed1011f3a9
-
SHA256
11af0da9a7c5f65bb098ed52973e814b12eba492fb3615a5fada5d4cc390928d
-
SHA512
98baff804466a3b02a9e1b333f58018664369f054cd5ae21869527ba63e0527e1b40e4b4edadd41abb2a34a244f6d49b0b6d827f29fdd6d9b89c63009ae1dd34
-
SSDEEP
196608:nHEhsSiVt8gibdDYcAIUGVwrAWH5PVc78KSg:nHc/irIDYAUGVgAWH9O78K9
Malware Config
Extracted
trickmo
http://starnow.cn.com/c
Signatures
-
TrickMo
TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
-
Trickmo family
-
Loads dropped Dex/Jar 1 TTPs 8 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/consnews.matt960.can/app_erase/MAtN.json 4329 /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/consnews.matt960.can/app_erase/MAtN.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/consnews.matt960.can/app_erase/oat/x86/MAtN.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/consnews.matt960.can/app_erase/MAtN.json!classes2.dex 4329 /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/consnews.matt960.can/app_erase/MAtN.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/consnews.matt960.can/app_erase/oat/x86/MAtN.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/consnews.matt960.can/app_erase/MAtN.json!classes3.dex 4329 /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/consnews.matt960.can/app_erase/MAtN.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/consnews.matt960.can/app_erase/oat/x86/MAtN.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/consnews.matt960.can/app_erase/MAtN.json!classes4.dex 4329 /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/consnews.matt960.can/app_erase/MAtN.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/consnews.matt960.can/app_erase/oat/x86/MAtN.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/consnews.matt960.can/app_erase/MAtN.json 4270 consnews.matt960.can /data/user/0/consnews.matt960.can/app_erase/MAtN.json!classes2.dex 4270 consnews.matt960.can /data/user/0/consnews.matt960.can/app_erase/MAtN.json!classes3.dex 4270 consnews.matt960.can /data/user/0/consnews.matt960.can/app_erase/MAtN.json!classes4.dex 4270 consnews.matt960.can -
Makes use of the framework's Accessibility service 4 TTPs 1 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId consnews.matt960.can -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone consnews.matt960.can -
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
description ioc Process Framework API call android.hardware.SensorManager.registerListener consnews.matt960.can -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver consnews.matt960.can -
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description ioc Process Framework service call android.app.job.IJobScheduler.schedule consnews.matt960.can -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal consnews.matt960.can -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo consnews.matt960.can -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo consnews.matt960.can
Processes
-
consnews.matt960.can1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4270 -
/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/consnews.matt960.can/app_erase/MAtN.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/consnews.matt960.can/app_erase/oat/x86/MAtN.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4329
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Scheduled Task/Job
1Defense Evasion
Download New Code at Runtime
1Hide Artifacts
1User Evasion
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.1MB
MD545bd2884cc0cf2d05b1b78cff9ae11b4
SHA1e8e29baabf5b0aad58475d9681abb49a05bdbd9d
SHA2565e3feb133a56c075ce9cb3f8dbe3ab445fd9541884a6712418c5d007e73a3aaa
SHA5124d3f33d46adf49ea5ead847f392a1436e9ec5b14f47f1d90f86b0c8b25fce20b0d35ab0724c884e9a9c11c4c49ee043961bff817b70270d7beb250c9702ff640
-
Filesize
5.1MB
MD59550548fdae0a7b2c03acfc776431f5c
SHA1ee10833e07a7384e4c656aefffa29799473b94f7
SHA25606a282bfd0d0b8e6f3e236650faa1bd13b54cb112f7748d0763b8031d2ae6621
SHA512ea3d500689888e39d8fb1b6697b8c601f3cdacd304b12db176418b38ab95b04235337e0da734f12a6724d655d23edd437de3efa822df98712be308b9a6382b0e
-
Filesize
17KB
MD5d780f836fe54e51872bf31220a4dcb77
SHA15136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae
SHA25632abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17
SHA51262842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635
-
Filesize
512B
MD56fb6ac5d87bd9e55716d52d89dc49fcd
SHA10545916fe8028202d03e48c6225ac33c51402f7d
SHA25637ab49b90832e9c6747d3b52c1d74748f59c51b25994e049415314b3eb2253d7
SHA5120890780cbf19dd35a090d567b0e7f69f7a9846f1e375fcff0c419d5898e633c08849616c561bd3de54fcbae404535fe62a309d3818c7da1e45d305b8c63d65cb
-
Filesize
32KB
MD5066529ec5602c9f71fd4ea1838a28d2c
SHA12b0a10386c22066769041dcb684e8ebc397168ad
SHA2564f513c9921c0364e1e56074e9697cc4af6c731de8908351767d667cf02c9ae9c
SHA5122d8e6d90e847845555d4debd4bfeb7bda757bf2e7a1ddd35add763c2d309a1b3b481503b32a8b30647fbf51d25116ea2ddc7fcfe297a98fb2ecfc2f1accb760f
-
Filesize
256B
MD5afa0fdfa69b5db6418be42a0001ade4e
SHA1c1a56aa916944b6a161bc4af601f0ba13a2b3067
SHA2562ac78fb8e56b66a8227abcac739333d87e5639677ac8fb080585fd54bdb45a1d
SHA512bcb17fd6536767f46a88efa137fbe760522e3ee6186d7be80a149b44607d8617bc1f8c7b4ec965bd6f5c4a926e2b345d690290b5354b9480e685e4773fd2f645
-
Filesize
4KB
MD5f2b4b0190b9f384ca885f0c8c9b14700
SHA1934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA2560a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize
512B
MD52613180ba28845cab3f085236a7addf8
SHA18189644e1203a09da464eebd2809c5c3138240c3
SHA2567de213e2bc3c84a48a8f7927e988b1d643b17c6680c21f020948a03a5cc13c36
SHA512a0f1b62dff87408fbed5ac96ac7aeb9a39bf8a5ccb14640179c15b962dcbe16ae24ea2b4902618d75d2490096d091f753a6657d1c491d61dac8d40c2ca7e9c18
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
108KB
MD5a5f3c09b7417b06f9b13d5ceb882ee2c
SHA1cfc7489b8e19ea99e7fde11931d06e6cff576645
SHA25675091ba78f064eef136aca29eb5ef3cad552cbe33c231710656dab0d81865d59
SHA5126af2c2c72eebb635aedce57d6aaa25bd785cbc0beff411547b896daa8ca3dd66cc4f9fa8f84d977c6570530ab7aed8ca4741dad16e9edbeaadc85b26f04292bb
-
Filesize
173KB
MD580baffa346691e74e2de0bc6189e39ba
SHA13b0375eb4cac8e4c6c717fece3dd1e712ee955f4
SHA2562778169ab39200c6c6b039321e548f6147646fd7cb2867b9e62cb6815c2ae74b
SHA512e531248bbe1e7bc98850401a1eefff7759bf8b191f9c11c62159c350915ab0fcf5f432434a0dab0cae0f15bb2ecb7a16ea7d2e7e32b802104d3b4a0d55a588f4
-
Filesize
16KB
MD5559e012a243eb05233773e6febeae4e1
SHA1968b4667819941b3a54b1675fbe237f256b66d02
SHA256c0198eccca722823fcb5229ec559c115224dc5042691a008ac1cdce0061f97c5
SHA5124e69d570778ef802bb1376264f25f6351d52fc6d9b5165a61950873af64a51821c71942d2edf6ab2de2165d1668bfdda18b60743bbb4f7d2300623c1c5e04cbf
-
Filesize
11.1MB
MD5b2dd75b19e82fd1b6f8c1bbd80b00d43
SHA1fbcc0c095a6951f1c268c3534e80182275cf56dd
SHA25657b7c8e0879f6b3cd3bb169533f8069072322b178dd2efb8cedf5d77761e32e0
SHA512078089605d533d1d8dddae498383e79eb37275bb034666cfc5d2b2df13883f9fa417374f1461d091fe0d5d37d09a5d18a2f9c42228e72b68ac8dff01de380395
-
Filesize
354KB
MD581f38c51436583b57b99da62a839ad7f
SHA13719a8aa29af2656ffb554863f3f4ff36039acce
SHA256d69d7a5de42fd2219b81e57d5f4cd328e54f9efb9c98dc7977ecca30fea50abd
SHA5126d673091df3b7d2538fbe1da035847c88cdfd85eaf4243fd00917ed7335ebced008a24a9bf3c0ba2b71543998e23ea550dd9846d8ed78996d1c9420374630669
-
Filesize
254KB
MD5e43a2e60e043ee737a1705cf8c36278a
SHA166a82c6d614798c5dde92788e974239765d9c366
SHA256c23054ed69284e961a6d6af8cf762cead12f720031fa527c6f28fe3168c01f81
SHA512103d93ef3273f08cc8b94ea05fb79af5cf2ec51d6201722f44c2b3285f3f29dda1b251e818e65148f13833b627604f4f55a8a1ec1528da70ddf0a204893f0d76
-
Filesize
1.9MB
MD532579b28ea9ce1c5fa1f35bd4f9818bd
SHA18a262963232c8e2e43d755281f46ad7565e62a9f
SHA256217bb9f5b5728b6373d10962cffa93c3b263049601ce4bfdc30f1b89c0e69c53
SHA512dfb21bbe5a06aa760e412d05e9a91dc14b44928b8f88e6e01f96bfbd3d9a6637c33e8cf5d02dddb038cbd8dba5dd0cc382debb31c66f8f7d6ce3f176b2a6873e
-
Filesize
223B
MD51b6458c1aec02b4deb2718917e05e0ef
SHA17143c0c141334b7b35d891d5845211c3dfd5a4fe
SHA2561419429991250e32740955ead0e9b82a2e658783eb898b095e80fb59e26e6c86
SHA512241d548bc53d34cac297a6ada85c9ccae013c95cc8923dfae90135423fa51da50d0d0952daf8b98b6548874ecc5411566ee7a97775e9d041ffe5abf02899c268