Analysis
- max time kernel: 128s
- max time network: 131s
- platform: android_x86
- resource: android-x86-arm-20240624-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
- submitted: 24/02/2025, 10:24
Static task
- static1
Behavioral tasks
- behavioral1: TikTok18.apk on android-x86-arm-20240624-en
- behavioral2: TikTok18.apk on android-x64-20240624-en
- behavioral3: TikTok18.apk on android-x64-arm64-20240624-en
- behavioral4: deper.apk on android-x86-arm-20240624-en
- behavioral5: deper.apk on android-x64-20240624-en
- behavioral6: deper.apk on android-x64-arm64-20240624-en
General
- Target: deper.apk
- Size: 7.0MB
- MD5: 29759b117a6ecbb109eb13b61eacc875
- SHA1: e43ca6077982d51cac30cd400c667e9f49265945
- SHA256: b35d3b94968603813ae26c35442b7d254c4d670aa299cb7439f083d46ff50bc9
- SHA512: a21c4265b91fecc60886c3ebe48c47dd15890b6f451e4450e3ba2cc8ba595b3d2f4d8ef4864883d41cef65217f44e2d6a5d34df4bba69832ff77e0413673c0be
- SSDEEP: 196608:WJnJLjXIH/aMTuMkqM6rwii11a6mOt9XkRsCA/gex:EJv2aMT4qM0wiG15mOfis94ex
Malware Config
- Extracted (family: trickmo): http://regtoyou.com/amvgaghabjvlamkmms
Signatures
- TrickMo
  TrickMo is an Android banking trojan, first seen in September 2019, capable of intercepting 2FA codes.
- Trickmo family
- Loads dropped Dex/Jar (1 TTP, 8 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc | pid | Process
  /data/user/0/anen.perd715.lia/app_south/oT.json | 4274 | /system/bin/dex2oat (command line below)
  /data/user/0/anen.perd715.lia/app_south/oT.json!classes2.dex | 4274 | /system/bin/dex2oat (command line below)
  /data/user/0/anen.perd715.lia/app_south/oT.json!classes3.dex | 4274 | /system/bin/dex2oat (command line below)
  /data/user/0/anen.perd715.lia/app_south/oT.json!classes4.dex | 4274 | /system/bin/dex2oat (command line below)
  /data/user/0/anen.perd715.lia/app_south/oT.json | 4248 | anen.perd715.lia
  /data/user/0/anen.perd715.lia/app_south/oT.json!classes2.dex | 4248 | anen.perd715.lia
  /data/user/0/anen.perd715.lia/app_south/oT.json!classes3.dex | 4248 | anen.perd715.lia
  /data/user/0/anen.perd715.lia/app_south/oT.json!classes4.dex | 4248 | anen.perd715.lia
  dex2oat command line (PID 4274, identical for all four rows):
  /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/anen.perd715.lia/app_south/oT.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/anen.perd715.lia/app_south/oat/x86/oT.odex --compiler-filter=quicken --class-loader-context=&
- Makes use of the framework's Accessibility service (4 TTPs, 1 IoC)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId (process: anen.perd715.lia)
- Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone (process: anen.perd715.lia)
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  Framework service call: android.app.IActivityManager.registerReceiver (process: anen.perd715.lia)
- Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  Framework service call: android.app.job.IJobScheduler.schedule (process: anen.perd715.lia)
- Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  Framework API call: javax.crypto.Cipher.doFinal (process: anen.perd715.lia)
- Checks CPU information (2 TTPs, 1 IoC)
  File opened for read: /proc/cpuinfo (process: anen.perd715.lia)
- Checks memory information (2 TTPs, 1 IoC)
  File opened for read: /proc/meminfo (process: anen.perd715.lia)
Processes
- anen.perd715.lia (PID 4248)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
  - Uses Crypto APIs (might try to encrypt user data)
  - Checks CPU information
  - Checks memory information
  - child: /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/anen.perd715.lia/app_south/oT.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/anen.perd715.lia/app_south/oat/x86/oT.odex --compiler-filter=quicken --class-loader-context=& (PID 4274)
    - Loads dropped Dex/Jar
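The dex2oat records in the Loads dropped Dex/Jar signature and the process tree above show the pattern worth detecting: the app compiles code out of its own private storage (/data/user/0/anen.perd715.lia/app_south/) from a file named oT.json, and the !classes2.dex, !classes3.dex, !classes4.dex IoCs show that file is really a multidex container. The Python below is an added example, not part of the sandbox report or the sample: it parses the --dex-file, --oat-location and --compiler-filter options from such a command line, flags a code file that carries a non-code extension inside app-private storage, splits the container!entry IoC form, and classifies the file by its magic bytes instead of its name. The command line is abridged from the report; the header bytes and every function name are this example's own constructions.

```python
"""Triage a dex2oat invocation for disguised, runtime-loaded code (example code)."""
import posixpath
import re
import shlex
from dataclasses import dataclass
from typing import Optional, Tuple

# Abridged from the report's dex2oat record for PID 4274.
SAMPLE_CMDLINE = (
    "/system/bin/dex2oat --debuggable --instruction-set=x86 "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art "
    "--dex-file=/data/user/0/anen.perd715.lia/app_south/oT.json "
    "--output-vdex-fd=42 --oat-fd=43 "
    "--oat-location=/data/user/0/anen.perd715.lia/app_south/oat/x86/oT.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)
# Constructed stand-in for the first bytes of oT.json: a ZIP local-file header,
# which is what a multidex container (oT.json!classes2.dex ...) would start with.
SAMPLE_HEAD = b"PK\x03\x04" + b"\x00" * 26

# Extensions code legitimately carries; anything else that dex2oat compiles
# from app-private storage is treated as disguised.
CODE_EXTENSIONS = {".dex", ".jar", ".apk", ".zip"}
APP_PRIVATE_RE = re.compile(r"^/data/(?:user/\d+|data)/([A-Za-z0-9_.]+)/")
DEX_MAGIC_RE = re.compile(rb"\Adex\n\d{3}\x00")  # "dex\n035\0", "dex\n039\0", ...
ZIP_MAGIC = b"PK\x03\x04"


@dataclass
class DexLoad:
    dex_file: str
    package: Optional[str]          # owning package if under app-private storage
    oat_location: Optional[str]
    compiler_filter: Optional[str]
    disguised: bool                 # app-private code file with a non-code extension


def parse_dex2oat(cmdline: str) -> Optional[DexLoad]:
    """Extract the --key=value options of interest; None if not a dex2oat call."""
    argv = shlex.split(cmdline)
    if not argv or not argv[0].endswith("dex2oat"):
        return None
    opts = {}
    for arg in argv[1:]:
        if arg.startswith("--") and "=" in arg:
            key, value = arg[2:].split("=", 1)
            opts[key] = value       # repeated keys: last occurrence wins
    dex_file = opts.get("dex-file")
    if dex_file is None:
        return None
    match = APP_PRIVATE_RE.match(dex_file)
    package = match.group(1) if match else None
    ext = posixpath.splitext(dex_file)[1].lower()
    disguised = package is not None and ext not in CODE_EXTENSIONS
    return DexLoad(dex_file, package, opts.get("oat-location"),
                   opts.get("compiler-filter"), disguised)


def split_multidex_ioc(ioc: str) -> Tuple[str, Optional[str]]:
    """'container!classes2.dex' -> (container, 'classes2.dex'); plain path -> (path, None)."""
    container, sep, entry = ioc.partition("!")
    return container, (entry if sep else None)


def payload_kind(head: bytes) -> str:
    """Classify a file by its leading bytes, ignoring whatever extension it wears."""
    if DEX_MAGIC_RE.match(head):
        return "dex"
    if head.startswith(ZIP_MAGIC):
        return "zip"                # APK/JAR container, may hold classes*.dex
    return "other"


def triage(cmdline: str, head: bytes) -> dict:
    """Combine the command line and the file's magic bytes into a verdict."""
    load = parse_dex2oat(cmdline)
    if load is None:
        return {"verdict": "not-a-dex2oat-load"}
    kind = payload_kind(head)
    if load.disguised and kind != "other":
        verdict = "disguised-runtime-code"
    elif kind != "other":
        verdict = "runtime-code"
    else:
        verdict = "unknown"
    return {"verdict": verdict, "package": load.package, "dex_file": load.dex_file,
            "kind": kind, "compiler_filter": load.compiler_filter}


if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINE, SAMPLE_HEAD))
```

Run against the report's record and the constructed ZIP header this returns the verdict disguised-runtime-code for package anen.perd715.lia; a genuine JSON document at the same path would yield unknown, so the magic-byte check, not the file name, is what carries the decision.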
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
  - Broadcast Receivers (1)
- Scheduled Task/Job (1)
Defense Evasion
- Download New Code at Runtime (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
  - System Checks (2)
Downloads
- Filesize: 4.9MB
  MD5: df041a8b4b8be53cfcc72536c6d96a92
  SHA1: 489c40b44337ec4734e6cb9c90b82e62725f8ef2
  SHA256: 37ddcf18c9c2b6f9985027831046eee204c33e2ecb629d4495acfdd95b0497c6
  SHA512: 4600203722bd25cbef3a9f3810230f9f57ff54cf424c773ea433d11a489d875a0367b8ed724a03a5731e41a3fb62badc6b4bc9d1a96cf2a61395aa76627db1ac
- Filesize: 4.9MB
  MD5: 5689572b41191ff3f4bfc5b9bdd86733
  SHA1: 21f9eb38562b198ef29663f900c1fe092b535b0e
  SHA256: 49bff12769e22bbfe99d4a369ab3b7e20ed2b7b6783a1585c2bb551b28e202e8
  SHA512: 94a058a2d53f5ba59317eac25bb295b12ad4159f484322cef203dd4413a5b474bfee5536e4a9e185484d76a6ad4ac5bd51b12656dc77f3846eb7427179a1a2ab
- Filesize: 17KB
  MD5: d780f836fe54e51872bf31220a4dcb77
  SHA1: 5136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae
  SHA256: 32abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17
  SHA512: 62842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635
- Filesize: 512B
  MD5: b8c39c24144cc556c81d84211461896b
  SHA1: 346d2273cf14cb67623d53197fe22fbafa15f4f2
  SHA256: 761bed12609078da4f720fc8ab43e02859eef9cce3513045af8088d7114fceb5
  SHA512: 7acb878fce8880aff3f82b0fe7b4ed6de88b3eb5ebba736da17e4f7c61fca4849cc1bea1593c4d21b7e4e11b3d1cf746ec0759ca00eeaa4aa91f9f218cdf53f3
- Filesize: 32KB
  MD5: 66550e505df2257b89481868d9347387
  SHA1: 7e9155ab3bfeecdef35538081e6e15bf89e143e3
  SHA256: f5775568d7bdc445849bf42e15af3ef991f3291d39f73d229917368fa69742b6
  SHA512: e939e97f6b79dd54b5f191a9bf819a415458bd9107d18e0288fae4852519c6524f59b9bed1d261dfcaeaf1578fd86376aa435734ba1c6bca11891f80ee99a864
- Filesize: 256B
  MD5: 81929a5caa7cd2cdf95b6af68593408a
  SHA1: c8da9ada8d7139571555cda42ef992cd2973397e
  SHA256: fe2e3d0282417245730de0eb77c197d83656d63e1fa486152c54f0739cbfcfb4
  SHA512: 1769b3eab34464f9a965123eb1961f6799eb8ee68c6441e9928633e07cf5523a07f908f62f11c50a9597d9ae33e5b16bbbaba98ec1d18f199db100e8542c89de
- Filesize: 4KB
  MD5: f2b4b0190b9f384ca885f0c8c9b14700
  SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
  SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
  SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
- Filesize: 512B
  MD5: 13014099689dfe838aa8d6aaf12ee84d
  SHA1: 0192779aa3e15e2d3160e2ae1dc22d1bed491f9e
  SHA256: 4545fb06d8e01561f22e27e978e7d1da92bf3fe098b589cd875678b0756ea5d4
  SHA512: 349e2dcddfb4fe57818060c6d0586ad09da0a328ac37f55e4443365d4ff584b79ebb4709676711c785f72f15731766158cf84d1f205cdf4fae4a2c13ebfcbc0f
- Filesize: 32KB
  MD5: bb7df04e1b0a2570657527a7e108ae23
  SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
  SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
  SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
- Filesize: 108KB
  MD5: 29bd5a0bf73d3fb0f72ecbad7621869f
  SHA1: f505d34c1f9a083bd82f8efaf4f6c96f7c813cb2
  SHA256: dcaa0deb85fb2d3517ef2cb929505ed049c4d0b87f12c1c0b75c05e99f3d7405
  SHA512: 3f97db798b6ac0ae12ffe2cd9afa3da2fdea8fc83087ed184c20f42baaf1f88e46ac11b2d519bcce2d87a032124a7fa51c9ea76533334a394887d5898bdf64d3
- Filesize: 173KB
  MD5: b91a36fb9abe11cdf065662016626043
  SHA1: e4b8e858c8e32efcbe2c4ae7dfba61464b65c58b
  SHA256: 3f3b095ed9f932bad0aefcf4ea1b0b0014eb2a39187c9d2f4a9370e4593d3a43
  SHA512: 95260d43e292e0b125f3b9a953645c7e64d57e748041b07d786ee13db803f9bc043de683d27d57dd39eefa40b26e2d0628d273bdcac846ab2792f249e41d8760
- Filesize: 16KB
  MD5: 272ce063c65ea1359b00be50bc0fc9ff
  SHA1: 555f84cf7f655a3c2dc8c156580f004acad3c7cf
  SHA256: f81e988a15208492fa18d60ee372984545d0d4dfcd2408bca4694f8862c9d77a
  SHA512: 8795b20b6f730a858ffa534d716ec298874dcf99432d3c484f3403034300f0c3ccdb07106293a340267979613b7ba2268b3c3790687da793618f0648b6859560
- Filesize: 10.9MB
  MD5: 35d4cda95e19e9be467673c78e1e2fa2
  SHA1: 3868d4dda794c360f57ba650c332b39ce5c68d8e
  SHA256: 6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746
  SHA512: 577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7
- Filesize: 308KB
  MD5: 5e8b8d85e4b5abf31857c6618050164e
  SHA1: e9c800a10f757e519187af91dc443734a1d538f5
  SHA256: 6f8a442a4a28ce83261fd78fb45cf3d1e129b5055fb15f55b07135e9dbf326b8
  SHA512: ba5eb4209cad4d7208df6508b6f895bc17afcea33bb61fcfbfb273a68bf6ba2caab7bf022882f609de826efaceb8ae2cbdb3cc900c6ed9dd2616ec18b8d239a0
- Filesize: 265KB
  MD5: f8d81c318c06e43a94f0c0408dcfa62b
  SHA1: fba0a337aa78cbc76d4dc67d39afb6008d512f8b
  SHA256: 57f3c23be7d15bc7593643e92a13aa631bc86d60a29939d3c04370059287c616
  SHA512: 5421d7bee46dbfa37d886f8baf16822536cc46236034575d3f93d25687c57c116403244eb294f44212df2b1436ca9129f9d743626fa02d12f90ba6195a61d97a
- Filesize: 1.7MB
  MD5: 30465152db261852e3a226a666ec4304
  SHA1: 442a188e07db85653022734d0a8537d4312aef38
  SHA256: c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4
  SHA512: 3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63
- Filesize: 83B
  MD5: c00a5852d7827befdfe356b0372ffb28
  SHA1: 557c7428e3b86553e1fde93ebfcf60a5e3c632ab
  SHA256: 5a7e1efd56061f3abf921935e91ffd1b3922d4073bad1d7bede4666b8ad2d1e6
  SHA512: 4223673b61d40b0d6e1cb14de4f3682fb544f2ce08da511e1bc2ea0fe0b78306f338bee46f302796b034b67398b0321168f5ae83dd6338a87b716df3e7c83635