Analysis
- max time kernel: 29s
- max time network: 30s
- platform: android-13_x64
- resource: android-33-x64-arm64-20240910-en
- resource tags: arch:arm64, arch:x64, arch:x86, image:android-33-x64-arm64-20240910-en, locale:en-us, os:android-13-x64, system
- submitted: 21/03/2025, 23:50
- Static task: static1
- Behavioral task: behavioral1 (Sample: 353e47a046b3af6212f98844b18a2ae79963cb8d2b98eb6bd5184296299ec372.apk; Resource: android-33-x64-arm64-20240910-en)
- Behavioral task: behavioral2 (Sample: 353e47a046b3af6212f98844b18a2ae79963cb8d2b98eb6bd5184296299ec372.apk; Resource: android-x86-arm-20240910-en)
- Behavioral task: behavioral3 (Sample: deper.apk; Resource: android-33-x64-arm64-20240910-en)
- Behavioral task: behavioral4 (Sample: deper.apk; Resource: android-x86-arm-20240910-en)
General
- Target: deper.apk
- Size: 8.1MB
- MD5: 720c616bd3e4f7fadde344194a5cd7a4
- SHA1: 001fea85badda450146082038c6a5ce8b9878fd2
- SHA256: 42009a836376a2ca77ca8fc1dad73eca3634df7b6c5ac2091ee0ea53661dd725
- SHA512: 282e2a9256318201caeeff668f4fcd1e93bae0b63d708ac99fb267369299b4b128338b727d55f2d7ef3460295b75e3be0dbd0710beca4c3d5bfdc9bc166ffd3e
- SSDEEP: 196608:lyiCDijCX0oAES/KCmxU7UBnBsXmpF56Wf2GGUTx:q6dE8KRgUFBs2pF5bYUTx
Malware Config
Extracted
trickmo
http://mikejprdanorg.com/c
Signatures
- TrickMo
  TrickMo is an Android banking trojan with the capability to intercept 2FA codes first seen in September 2019.
- Trickmo family
- Loads dropped Dex/Jar (1 TTPs, 4 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc | pid | Process
  /data/user/0/landtual.pomf70.ta/app_suggest/EdZ.json | 4447 | landtual.pomf70.ta
  /data/user/0/landtual.pomf70.ta/app_suggest/EdZ.json!classes2.dex | 4447 | landtual.pomf70.ta
  /data/user/0/landtual.pomf70.ta/app_suggest/EdZ.json!classes3.dex | 4447 | landtual.pomf70.ta
  /data/user/0/landtual.pomf70.ta/app_suggest/EdZ.json!classes4.dex | 4447 | landtual.pomf70.ta
- Makes use of the framework's Accessibility service (4 TTPs, 1 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description | ioc | Process
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | landtual.pomf70.ta
- Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  description | ioc | Process
  Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | landtual.pomf70.ta
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Listens for changes in the sensor environment (might be used to detect emulation) (1 TTPs, 1 IoCs)
  description | ioc | Process
  Framework API call | android.hardware.SensorManager.registerListener | landtual.pomf70.ta
- Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description | ioc | Process
  Framework service call | android.app.job.IJobScheduler.schedule | landtual.pomf70.ta
- Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 1 IoCs)
  description | ioc | Process
  Framework API call | javax.crypto.Cipher.doFinal | landtual.pomf70.ta
- Checks CPU information (2 TTPs, 1 IoCs)
  description | ioc | Process
  File opened for read | /proc/cpuinfo | landtual.pomf70.ta
- Checks memory information (2 TTPs, 1 IoCs)
  description | ioc | Process
  File opened for read | /proc/meminfo | landtual.pomf70.ta
Processes
- landtual.pomf70.ta (PID: 4447)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Obtains sensitive information copied to the device clipboard
  - Listens for changes in the sensor environment (might be used to detect emulation)
  - Schedules tasks to execute at a specified time
  - Uses Crypto APIs (Might try to encrypt user data)
  - Checks CPU information
  - Checks memory information
Network
MITRE ATT&CK Mobile v15
- Defense Evasion: Download New Code at Runtime (1), Hide Artifacts (1), User Evasion (1), Input Injection (1), Virtualization/Sandbox Evasion (2), System Checks (2)
- Credential Access: Clipboard Data (1), Input Capture (2), GUI Input Capture (1), Keylogging (1)
- Discovery: Software Discovery (1), Security Software Discovery (1), System Information Discovery (2), System Network Configuration Discovery (1)
Downloads
- Filesize: 4.9MB
  MD5: 7eda39fb990a24bac58f5d6e955ee667
  SHA1: e90608e181ac701ddf0b7898a588a4788d62a2f3
  SHA256: e1ac88df0be2b14ff34eab4e9150fcb075987e47cc3bc8b4660d5c7e43f5b328
  SHA512: ce741115cc895767eba73712ca5bc82416cd16226a666611a623f1b4c876d19472c01289842ecaf74528763b8d8a61149fcca67da138b31cf42cf99b1ae5dee4
- Filesize: 4.9MB
  MD5: 73b51fb51a7c1838642325dd9aa03732
  SHA1: f1963286c4e4fae80593fa5555613bfce95c9f51
  SHA256: a612724a99d62d5bce2470e91cb7d114ff90dea5c722fad0559eb3ab310b80cb
  SHA512: c0d2201da10c0817b608c881263557432c88864fb97c5ce67d2d7ab7a257f3f7ca979555eaac33322c96e09f08ea1ed002c0ada0f624864ae01c7dd37f5141cf
- Filesize: 17KB
  MD5: d780f836fe54e51872bf31220a4dcb77
  SHA1: 5136aa7fe35fb70c9bf0ab00bbe7f79cf65705ae
  SHA256: 32abf05fd8eb1edb10fd93e2c0bd9b308d109e5686c06b39f4d173847a0efe17
  SHA512: 62842bd62ea2f1a71880415d84501bc2cde8eb857d4baec4e357f3c4c4a74d2d0418bfcc6431789cce207d5290ceb4b1fee31f206ac527a8727176523c0bc635
- Filesize: 20KB
  MD5: 91af32c14839a2828ca58297e0861362
  SHA1: bd758cc0bb47b570da2061d4633aa998a87ed971
  SHA256: 5d8e556cf9230390a2ea6e8fe0300bf0d3c28397a75d4d5d1138cf25713d5923
  SHA512: 9810060201633366b6d13e9b81a2d9fe1adb61e027a215cd05454bbefaa7f6e1a17aae3781eedd8095a398a05f3c7cf03b589f29d1ac4789dfbf61bce25b9fb7
- Filesize: 20KB
  MD5: 551c1efc95e5c1584d4ba9b09906a724
  SHA1: f96bd153481c607e4c33e127c0e61003a7ad6b55
  SHA256: 9d5c9d0653e5caac8ce7b54fa338e009744faae7b0f890321eb00c35dbcd7c07
  SHA512: d21464400d3f9a969ccaa113839ca4973ed01b8ac21d20085f8fd32a7f9b42fbb9171f3de5f8d9f20788aafee495a30783b24fc462badef0dc89432766890f66
- Filesize: 512B
  MD5: 88010b310fe0461f94384cbed9ce2ed5
  SHA1: 2ef718a63db4a7e94df95935de9f8fa4a30cc460
  SHA256: 755cd64a0f510153b651da9b04dca71617847be5a379ab901bf5fee9216eaad2
  SHA512: f3bc93a823773c1758ef59ff56de1c63b1d6fe548bb60661549302d63f642aa207c6ddf5a51b72c430951223957eabf8a5044f49d1778997a50a2a6193e3072d
- Filesize: 8KB
  MD5: e7781138d8a762ece532aa8826a9de63
  SHA1: 1be44b95bdc889acf6a589306ea66b8d3790a45c
  SHA256: dc0ec584984a07e208f5cb2aa7806cad7fd3ad2aad42dbce0d11f21397fd3dd7
  SHA512: 45ff8f3906de410ad062572753b5791d5e8e05a00a44ffddc85d68da79ec042f5143ee7998b701bf86728435c3908c78cdfc186ba248fed5cfa86c3f0fe26025
- Filesize: 8KB
  MD5: 27073517cfd4787db88e48c4fd42ad4b
  SHA1: fd07a971658eb9a66b9fa6606b7d32689397451f
  SHA256: c6ac743b2e78444f2ddf504537fedd5027adf92f67cd8e4c789b8b9e3649c5bb
  SHA512: 364370f85b8dfb5ee9718a31d780d861d388516119c6bab6ebc405eb1d9e700dec63ac1fa4861d1902dc4ebefd704357e1267971ca6cab04fe146a9dd8f3bdc2
- Filesize: 12KB
  MD5: 3d483de43baba93e9ca0754b1b3bd23b
  SHA1: 5ee8a8ca3d4ff7e19eb30d681651347c8b37ab7e
  SHA256: 2ce16b36d8c213fb596d79f29eb84b4d6343fb94be1b02a6849b63330650358f
  SHA512: 2b5bb545b1fd11feab4e56153d1812bfd773f06b8d3c4deb439554ff9115a9e9afa86fa7ca45ee3b64e2f768c604e803472b6ffaa56fd20a95eba255e2c79d67
- Filesize: 256B
  MD5: 9f491424028a3681d168ef5e790612c2
  SHA1: d681e20a7d5e82167fc2d09a93bc1de14efdb0b0
  SHA256: f402d51bd6fe6e2d10dff74373e7a3a935cb9a95999e683234df6d01c3a2e871
  SHA512: e157d35fec175692f2e5bafc6836be265629342126a5720496235915f978eeed0f66a3bd15371bccc00dd7eabfe57f949df701ed4a79aa598f7fe5c5cda5d816
- Filesize: 4KB
  MD5: 0eb157e1a86d4d00aa601dd2f6ff3ee3
  SHA1: fee434f784e73cc7916322e949f727caf8363102
  SHA256: b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4
  SHA512: b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8
- Filesize: 512B
  MD5: 9981db5dc2a3d69eb010c0c2d3c419de
  SHA1: 4cf5a16501c4a7fd107e49d639600d5e630ca227
  SHA256: 5313bb2303b883ca58bb9e44b927b9a8d4020821fd3e842afb86f957f3c8ef84
  SHA512: 4fc9d013e8d23206c78eb7cc8b0c1de95937767b76d428b9efc402045245bc851928a92572ff6a39e85700483bb57e073e06ec62ab557e39e7048bef9e6e9a23
- Filesize: 32KB
  MD5: bb7df04e1b0a2570657527a7e108ae23
  SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
  SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
  SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
- Filesize: 173KB
  MD5: 5c4a43f547d9d62443884b0fa70e1036
  SHA1: 526373c25ebb0e94fe486d975181df0dce6bc98b
  SHA256: a50886313852e3a8ed9938470fa8a797330a2e01977f8827add1939703853459
  SHA512: 86126891469bb01446a1c632a04b9554beee1f98dc510dbac9e93dba6c7f32101e85fbe49956049fba79af4dd5df01db79e49e94d7be39590db14e4b2e1b5e3e
- Filesize: 16KB
  MD5: a07690dbf38b4b445e169a58a4b2f9c9
  SHA1: 6f7de8e7cb7ca374cafb51393a90dacf6556dab3
  SHA256: 416218f66a24b4af01929124aede72213481aaaf29a3eb87fad36ae6f73902ae
  SHA512: 6e8b596cc402a57f075123b6680458496f8e800816af545048008bfb269351d626ad6efb01301c1a785a7e13ccd8802bbb17f5a809788a8215db1a5c603d4802
- Filesize: 108KB
  MD5: 990d1dccd58340060d40c0f379cd0b36
  SHA1: 789e654960f7bcd974b7d0d821eeed71ca5424cd
  SHA256: f151581ceeccc16dd3dd64eb71a5ccf1a552573b5e4f7aeba46b6656bd27a420
  SHA512: b3bf7579cdc906977e7d4aa03dcef187dca10aec4457515b502ec74cc53f799231d5f839c190db9786a0aab2f5ec03be11482d146bec2681fbad10c0d93bbdeb
- Filesize: 10.9MB
  MD5: 35d4cda95e19e9be467673c78e1e2fa2
  SHA1: 3868d4dda794c360f57ba650c332b39ce5c68d8e
  SHA256: 6c84643bdddc36a15b515e72e8b768ba64ff6b8966492db9bce6660934f09746
  SHA512: 577272d92633303f248c8545b67a5205489623ce44d746fcdc906ca29c0cdb26f83140f013510c356b709ead230da79fdd8b04654370a2c18275a3ac98344dd7
- Filesize: 308KB
  MD5: 7f553f50925945c7d7138227ae983377
  SHA1: d7d3afcd10dd4e03daefa0e8e242c1a7b77a7162
  SHA256: 10d07387bd954b877c1d1205814d36bf526108b16f8fc55fe48398d350166637
  SHA512: 2202dad0a09b8359f4b07f2f5da2777f4d3a70931825440da3d4bb13639b981917616f6fe394dc093aab044bd6ec7e47e363d2665b47aea21a0540008083ec1b
- Filesize: 265KB
  MD5: 9be81be1b34d2c5b45f8ca690fbcdfb6
  SHA1: 10300ac02fd9b57f4de8edda3f68ccc1bfab9e6f
  SHA256: a9081622945a79c3a4209e8d84c8cdeeb30a6b4ac5e8c4c80703d04fd1841b04
  SHA512: 6969fd501aedfce16d2f1d3c2381765687f8f978072a7fa81ead3e1d9e5dec3cf98bcf6403fec47772fd01d137232fd645deddf8c7d640af887f896c2087658d
- Filesize: 1.7MB
  MD5: 30465152db261852e3a226a666ec4304
  SHA1: 442a188e07db85653022734d0a8537d4312aef38
  SHA256: c79795ea1d8f93d6471a6a10ae92f079fa7c79b0736de04edb53c5c5ae4862e4
  SHA512: 3b9b75f7030fa9280130172a7b1f17766b3399270ec49b899d7f4223e68ce7ee728a0ccd5217b98d276da8f84968f4d436b4e61c7fcd378c3be0a57f906dfa63
- Filesize: 83B
  MD5: 8d7a07d896e675e10efc37527453119b
  SHA1: 74bf7f4e10d0ecb8f249971a731ced03a90646db
  SHA256: 769a8bd5fd0583c0a16a983f086a9cab96ae6f59f08d4096b15ee3f21777d37b
  SHA512: 9615c3cd426fa1908c96b45ae93bc353c9f35fd2434ec83e503ada470e4835f7727595806341b5bb6a205a7b7293791c826bd3114dc95838dfcd5a14da82d04f